Anti Forensics

Anti-forensics: What the bad guys are doing…

John Mallery
Managing Consultant
816 221-6300
[email protected]
Issues

• Computer forensics is becoming more mainstream
• Computer users are learning more effective methods to cover their tracks
• Programmers are writing tools to defeat specific commercial computer forensics products
• Computer forensics examiners are slaves to their tool(s)
Agenda

• Configuration settings – methods used to cover tracks using “supplied” tools and configuration settings
• Third party tools – wiping, properties changers, registry cleaners, steganography/encryption, etc.
• Tools and methods designed specifically to fool computer forensics programs.
Simple

• “Shift+Delete” to bypass the Recycle Bin
• Recycle Bin – configured to delete immediately
• defrag
OS/Application Supplied

Empty Temporary Internet Files folder when the browser is closed.
OS/Application Supplied

Shutdown: Clear virtual memory pagefile – Enabled

XP – Control Panel | Administrative Tools | Local Security Policy | Local Policies | Security Options | Shutdown: Clear virtual memory page file | Select Enabled
Clear Page File

Configured? Check the following registry key:

Hive: HKEY_LOCAL_MACHINE\SYSTEM
Key: CurrentControlSet\Control\Session Manager\Memory Management
Name: ClearPageFileAtShutdown
Type: REG_DWORD
Value: 1

Slows down the shutdown process.

OS/Application Supplied

CIPHER – “Displays or alters the encryption of directories [files] on NTFS partitions”

CIPHER /W:directory

The /W switch overwrites the deallocated (free) space on the volume that holds the directory; allocated files are not touched. (XP)
Alternate Data Streams

• The NTFS file system provides the ability to have additional data streams associated with a file. (Provides support for Apple’s HFS – Hierarchical File System.)
Alternate Data Stream

• Demo – thanks to Harlan Carvey
• At the command prompt:
  C:\> mkdir ads
  C:\> cd ads
  C:\ads> echo "This is a standard text file." > textfile.txt
  C:\ads> echo "The password is weasel." > textfile.txt:pword.txt
• To read the alternate data stream:
  C:\ads> notepad textfile.txt:pword.txt
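A defender-side counterpart to the demo, added here and not part of the original deck: it enumerates every data stream of each file under a directory through the Win32 FindFirstStreamW/FindNextStreamW API (so it runs on Windows against an NTFS volume; the name-filtering helper is pure Python and works anywhere). Function names and the directory argument are this example's own.

```python
import ctypes
import os

# WIN32_FIND_STREAM_DATA from the Win32 API: stream size plus a name of MAX_PATH + 36 wide chars
class WIN32_FIND_STREAM_DATA(ctypes.Structure):
    _fields_ = [("StreamSize", ctypes.c_longlong), ("cStreamName", ctypes.c_wchar * 296)]

INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value

def list_streams(path):
    """Return every data stream of one file as (name, size). Names come back as
    ':<stream>:$DATA'; the unnamed default stream is reported as '::$DATA'."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstStreamW.restype = ctypes.c_void_p
    k32.FindFirstStreamW.argtypes = [ctypes.c_wchar_p, ctypes.c_uint, ctypes.c_void_p, ctypes.c_uint]
    k32.FindNextStreamW.restype = ctypes.c_int
    k32.FindNextStreamW.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
    k32.FindClose.argtypes = [ctypes.c_void_p]
    data = WIN32_FIND_STREAM_DATA()
    handle = k32.FindFirstStreamW(path, 0, ctypes.byref(data), 0)  # 0 = FindStreamInfoStandard
    if handle == INVALID_HANDLE_VALUE:
        raise ctypes.WinError(ctypes.get_last_error())
    streams = []
    try:
        while True:
            streams.append((data.cStreamName, data.StreamSize))
            if not k32.FindNextStreamW(handle, ctypes.byref(data)):
                break  # FindNextStreamW fails with ERROR_HANDLE_EOF once the list is exhausted
    finally:
        k32.FindClose(handle)
    return streams

def alternate_streams(stream_names):
    """Keep only the named streams, stripping the ':...:$DATA' decoration.
    Pure function, so the filtering can be exercised without an NTFS volume."""
    return [name[1:-len(":$DATA")] for name in stream_names
            if name.endswith(":$DATA") and name != "::$DATA"]

def scan_directory(root):
    """Walk a directory tree and map each file that carries alternate data streams to their names."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            ads = alternate_streams(n for n, _ in list_streams(full))
            if ads:
                hits[full] = ads
    return hits
```

Calling scan_directory(r"C:\ads") on the demo directory reports textfile.txt with its pword.txt stream; the default ::$DATA stream of every file is filtered out.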
OS/Application Supplied

Disk Cleanup

OS/Application Supplied

Online document creation & storage

• Word (Excel)
– Hidden font
– White on White
– Small font
• Plug ins
– Remove hidden data tool
– Redaction tool
– Payne scrambling tool
Hidden Font

Hidden font
Redaction tool
“Overview
Redaction is the careful editing of a document to remove confidential information.

The Microsoft Office Word 2003 Redaction Add-in makes it easy for you to mark sections of a document for redaction. You can then redact the document so that the sections you specified are blacked out. You can either print the redacted document or use it electronically. In the redacted version of the document, the redacted text is replaced with a black bar and cannot be converted back to text or retrieved.”

http://tinyurl.com/dgokp
(Word 2003)
Remove Hidden Data (metadata)

http://tinyurl.com/5bams

Scramble Assistant

For Word & Excel

http://www.payneconsulting.com/products/scramword_free/
Advantages of OS Supplied Tools

• Appear less “nefarious” than commercial tools (Evidence Eliminator).
• Free
Third Party Tools

Fun for the Whole Family

Registry Cleaner
Merge Streams/Glue

• Hides an Excel file within a Word document (or vice versa)
• .doc – see Word file
• .xls – see Excel file
• Won’t fool a forensics examiner – may confuse them
• Word – “Recover Text from Any File”
• Demo
• http://www.ntkernel.com/w&p.php?id=23
File Properties Changer

www.segobit.com

File Splitting

• 1toX – http://www.logipole.com/indexe.html
• GSplit – http://www.gdgsoft.com/gsplit/
• Some tools can split files, then password protect and encrypt the pieces.
• Split a file and store the pieces in different locations…
Wiping Tools

• Gazillions of them
• Eraser (comes with DBAN)
• SDelete – www.sysinternals.com
• Evidence Eliminator
• BCWipe
• CyberScrub
• Etc.
• Do they perform as promised? PGP – does it really wipe slack space?
• Are they used frequently?
Removing Residual Data

• Tools exist to remove residual data
• But do not use them in response to litigation
• See Kucala Enterprises, Ltd. v. Auto Wax Co., Inc., 2003 WL 21230605 (N.D. Ill.), May 27, 2003 – "Any reasonable person can deduce, if not from the name of the product itself, then by reading the website, that Evidence Eliminator is a product used to circumvent discovery.”
• Anderson v. Crossroads Capital Partners

Software – look for the tool’s registry key:

HKEY_CURRENT_USER\Software\[Manufacturer Name]\[Tool]
Encryption

• Cryptext – free and easy to use, a shell extension (http://tinyurl.com/do2qs)
• EFS
• OTFE – encrypted partitions: www.truecrypt.org
• USB thumb drives – new ones include encrypted partitions
• Encrypted file stored on an encrypted partition…
• LockNote – http://locknote.steganos.com/
Steganography

• Includes encryption
• Free tools
• Complex method of hiding data
• But easy to do…
• Can you detect it?
• “Duplicate colors?”
• WetStone Technologies
• Steganography Analysis and Research Center
• stegdetect

S-Tools

DEMO
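A worked version of the “duplicate colors” check, added here and not taken from the deck or from any tool it names: palette steganography of the kind S-Tools performs on 8-bit images reduces the picture to 32 colours and then spreads each colour across eight variants that differ only in their least significant bits, so the resulting 256-entry palette is full of near-duplicate entries that an ordinarily quantized image lacks. Both palettes below are constructed; the function names and the 0.5 threshold are this example's own choices.

```python
from itertools import combinations

def is_near(a, b, max_delta=1):
    """True when two RGB entries differ by at most max_delta in every channel."""
    return all(abs(x - y) <= max_delta for x, y in zip(a, b))

def near_duplicate_pairs(palette, max_delta=1):
    """Count palette entry pairs that are near-duplicates of each other."""
    return sum(1 for a, b in combinations(palette, 2) if is_near(a, b, max_delta))

def near_duplicate_ratio(palette, max_delta=1):
    """Fraction of entries that have at least one near-duplicate elsewhere in the palette."""
    twins = sum(1 for i, a in enumerate(palette)
                if any(is_near(a, b, max_delta) for j, b in enumerate(palette) if i != j))
    return twins / len(palette)

def looks_like_lsb_palette(palette, threshold=0.5):
    """Flag a palette in which most entries have a near-twin: ordinary colour quantization
    keeps entries well apart, LSB embedding into a palette image produces tight clusters."""
    return near_duplicate_ratio(palette) >= threshold

def natural_palette():
    """Constructed 256-colour palette of an ordinary quantized image: a 4x8x8 grid whose
    channel steps are at least 36, so no two entries are near-duplicates."""
    levels = [round(i * 255 / 7) for i in range(8)]
    return [(r, g, b) for r in (0, 85, 170, 255) for g in levels for b in levels]

def lsb_embedded_palette():
    """Constructed palette with the shape LSB embedding leaves: the image is first reduced
    to 32 colours (even channel values), then each colour is expanded into the 8 variants
    that differ only in the least significant bit of R, G and/or B."""
    bases = [((i % 4) * 64, ((i // 4) % 4) * 64, (i // 16) * 128) for i in range(32)]
    return [(r + dr, g + dg, b + db) for r, g, b in bases
            for dr in (0, 1) for dg in (0, 1) for db in (0, 1)]

if __name__ == "__main__":
    for label, pal in (("natural", natural_palette()), ("lsb-embedded", lsb_embedded_palette())):
        print(f"{label}: {near_duplicate_pairs(pal)} near-duplicate pairs, "
              f"ratio {near_duplicate_ratio(pal):.2f}, suspicious={looks_like_lsb_palette(pal)}")
```

On a real GIF or 8-bit BMP the palette is read from the file header and fed to the same functions; the heuristic only applies to palette images, not to 24-bit images where LSB changes do not show up as palette clusters.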
Metasploit Project

• Timestomp – modifies MAC times so EnCase can’t read them.

http://www.metasploit.com/projects/antiforensics/

Timestomp
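An examiner-side check added here, not from the deck or from the Metasploit project: Timestomp sets times through the Win32 file-time API, which works at one-second granularity and only updates $STANDARD_INFORMATION, so zeroed sub-second ticks and a $FILE_NAME creation time that is later than the $STANDARD_INFORMATION one are the classic leads. The MFT records below are constructed; the dataclass and function names are this example's own.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# A Windows FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000

def ft(year, month, day, hour=0, minute=0, second=0, sub_ticks=0):
    """Build a FILETIME from calendar fields plus a 100 ns fraction (0..9_999_999)."""
    delta = datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc) - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + sub_ticks

def filetime_to_datetime(filetime):
    """Convert a FILETIME to an aware datetime (Python keeps microseconds, so ticks are truncated)."""
    return EPOCH_1601 + timedelta(microseconds=filetime // 10)

@dataclass
class MftTimestamps:
    """Six timestamps of one MFT entry: four from $STANDARD_INFORMATION ($SI), two from $FILE_NAME ($FN)."""
    name: str
    si_created: int
    si_modified: int
    si_accessed: int
    si_entry_modified: int
    fn_created: int
    fn_modified: int

def timestomp_indicators(rec):
    """Heuristics for altered MAC times. Timestomp writes through the Win32 file-time API
    at one-second granularity and only reaches $SI, so it zeroes the sub-second ticks and
    leaves $FN behind. Neither sign is conclusive alone: FAT volumes and extracted archives
    also yield whole seconds, and $FN is refreshed when a file is renamed or moved."""
    findings = []
    si_times = (rec.si_created, rec.si_modified, rec.si_accessed, rec.si_entry_modified)
    if all(t % TICKS_PER_SECOND == 0 for t in si_times):
        findings.append("all four $SI timestamps fall on whole seconds")
    if rec.si_created < rec.fn_created:
        findings.append("$SI created predates $FN created")
    return findings

# Constructed sample: the same file before and after its $SI times were rewritten.
UNTOUCHED = MftTimestamps("report.doc",
    ft(2005, 3, 15, 10, 12, 33, 1234567), ft(2005, 3, 16, 9, 5, 2, 7654321),
    ft(2005, 3, 17, 8, 0, 0, 4567), ft(2005, 3, 16, 9, 5, 2, 7654321),
    ft(2005, 3, 15, 10, 12, 33, 1234567), ft(2005, 3, 15, 10, 12, 33, 1234567))
STOMPED = MftTimestamps("report.doc",
    ft(2001, 1, 1), ft(2001, 1, 1), ft(2001, 1, 1), ft(2001, 1, 1),
    ft(2005, 3, 15, 10, 12, 33, 1234567), ft(2005, 3, 15, 10, 12, 33, 1234567))
```

timestomp_indicators(UNTOUCHED) returns no findings, while timestomp_indicators(STOMPED) reports both the whole-second $SI times and the $SI/$FN creation-order anomaly.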
Document Lifecycle Management

• Controlling documents even when they are “out of your control”
• Expiration dates
• Encryption

Document Lifecycle Management

“Net-It® Now is a free print driver that renders your files to CSF (content secure format), a compressed encrypted format that allows you to add Visual Rights™, including password protection, an expiration date, and feature restrictions, to your files (settings). Files are viewable with the free Brava! Reader (views TIFF, PDF and CSF files)”.
http://www.net-it.com/nin.htm
Example

Use a Mac

• Entry level programs such as WinHex and ProDiscover Basic do not handle the HFS+ file system.
• Most computer forensics training programs do not address Macs.
• Most computer forensics examiners “fear” conducting an examination of Macs – they just don’t understand them.
HPA

• Store data in the Host Protected Area
Good News/Bad News

• First the bad news
• Using a combination of these tools on a regular basis can defeat a computer forensics examination
• Now the good news
• Very few users know about “all” of these tools and methods
• Not all tools perform as promised
Last thoughts

• Determining whether these tools have been used can be just as important as finding evidence.
• Finding these tools can counter the “I’m not sophisticated enough” argument.
• Found in illegal movie and music distribution cases.
Mac OS X – the shape of things to come

FileVault – Encrypted Home Folder

Secure Virtual Memory

Mac OS X – Safari

IE7
Questions/Comments

John Mallery
Managing Consultant
BKD, LLP
816 221-6300
[email protected]