Anti-forensics: What the bad guys are doing… John Mallery Managing Consultant 816 221-6300

1 Anti-forensics: What the bad guys are doing… John Mallery Managing Consultant 816 221-6300

2 Issues
– Computer forensics is becoming more mainstream
– Computer users are learning more effective methods to cover their tracks
– Programmers are writing tools to defeat specific commercial computer forensics products
– Computer forensics examiners are slaves to their tool(s)

3 Agenda
– Configuration settings – methods used to cover tracks using “supplied” tools and configuration settings
– Third-party tools – wiping, properties changers, registry cleaners, steganography/encryption, etc.
– Tools and methods designed specifically to fool computer forensics programs

4
– Simple “Shift+Delete” to bypass the Recycle Bin
– Recycle Bin configured to delete immediately (files never reach the bin, so nothing is left in $Recycle.Bin/RECYCLER to recover)
– Defrag (moving files around overwrites unallocated clusters that still hold deleted data)

5 OS/Application Supplied
– Empty Temporary Internet Files folder when browser is closed (Internet Explorer advanced option)

6 OS/Application Supplied
– Shutdown: Clear virtual memory pagefile – Enabled
– XP: Control Panel | Administrative Tools | Local Security Policy | Local Policies | Security Options | Shutdown: Clear virtual memory page file | select Enabled

7 Clear Page File Configured? Check the following registry value:
Hive: HKEY_LOCAL_MACHINE\SYSTEM
Key: CurrentControlSet\Control\Session Manager\Memory Management
Name: ClearPageFileAtShutdown
Type: REG_DWORD
Value: 1
Slows down the shutdown process (the pagefile is overwritten with zeros at shutdown, so nothing that was paged out survives for an examiner)

8 OS/Application Supplied
CIPHER – “Displays or alters the encryption of directories [files] on NTFS partitions”
CIPHER /W:directory (XP) – overwrites the deallocated (free) space of the volume that holds the directory in three passes (zeros, ones, random data). It does not touch allocated files, so it is a free-space wiper, not a file wiper.

9 Alternate Data Streams
The NTFS file system allows additional named data streams to be attached to a file (originally added so Services for Macintosh could store the resource forks of Apple’s HFS – Hierarchical File System). The size of a named stream is not reflected in the file size shown by Explorer or dir, so the hidden data is invisible to a casual look.

10 Alternate Data Stream Demo – thanks to Harlan Carvey
At the command prompt:
C:\>mkdir ads
C:\>cd ads
C:\ads>echo “This is a standard text file.” > textfile.txt
C:\ads>echo “The password is weasel.” > textfile.txt:pword.txt
To read the alternate data stream:
C:\ads>notepad textfile.txt:pword.txt
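The same demo from the examiner’s side, as an added example (this is not from the deck or from Harlan Carvey): PowerShell 3.0 and later expose NTFS streams through the -Stream parameter, which makes both creating and enumerating them a one-liner. The directory and file names are constructed for the demo; the script assumes it runs on an NTFS volume on Windows.

```powershell
# Added example (not from the original deck). Requires Windows PowerShell 3.0+
# (or PowerShell 7 on Windows) and an NTFS volume; -Stream is a FileSystem
# provider parameter and is not available on other file systems.
$demo = Join-Path $env:TEMP 'ads-demo'          # constructed demo location
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$file = Join-Path $demo 'textfile.txt'

# Same two writes as the cmd.exe demo: a visible primary stream plus a named one
Set-Content -Path $file -Value 'This is a standard text file.'
Set-Content -Path $file -Stream 'pword.txt' -Value 'The password is weasel.'

# Explorer and a plain dir report only the primary stream's size
Get-Item -Path $file | Select-Object Name, Length

# -Stream * lists every stream; ':$DATA' is the unnamed (primary) data stream
Get-Item -Path $file -Stream * | Select-Object Stream, Length

# Read the hidden stream (equivalent of "notepad textfile.txt:pword.txt")
Get-Content -Path $file -Stream 'pword.txt'

# Examiner's view: walk a tree and report every file carrying a named stream.
# Zone.Identifier is the common benign case (mark-of-the-web on downloaded files);
# anything else deserves a look.
function Find-AlternateDataStreams {
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -Path $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File   = $_.FileName
                        Stream = $_.Stream
                        Bytes  = $_.Length
                        Benign = ($_.Stream -eq 'Zone.Identifier')
                    }
                }
        }
}

Find-AlternateDataStreams -Root $demo | Format-Table -AutoSize
```

On older systems without the -Stream parameter, `dir /r` (Vista and later) or Sysinternals streams.exe give the same enumeration. Note that copying a file to FAT32 or attaching it to e-mail silently drops every named stream, which is why the hidden data usually survives only on the original NTFS volume.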

11 OS/Application Supplied Disk Cleanup

12 OS/Application Supplied


14 OS/Application Supplied
Word (Excel)
– Hidden font
– White on white
– Small font
Plug-ins
– Remove Hidden Data tool
– Redaction tool
– Payne scrambling tool (Scramble Assistant)

15 Hidden Font

16 Redaction tool (Word 2003)
“Overview Redaction is the careful editing of a document to remove confidential information. The Microsoft Office Word 2003 Redaction Add-in makes it easy for you to mark sections of a document for redaction. You can then redact the document so that the sections you specified are blacked out. You can either print the redacted document or use it electronically. In the redacted version of the document, the redacted text is replaced with a black bar and cannot be converted back to text or retrieved.”

17 Remove Hidden Data(metadata)

18 Remove Hidden Data

19 Scramble Assistant For Word & Excel

20 Advantages of OS Supplied Tools
– Appear less “nefarious” than commercial tools (e.g., Evidence Eliminator)
– Free

21 Third Party Tools Fun for the Whole Family

22 Registry Cleaner

23 Merge Streams/Glue
– Hides an Excel file within a Word document (or vice versa) by packing both into one OLE compound file: rename it .doc and Word shows the Word content; rename it .xls and Excel shows the Excel content
– Won’t fool a forensics examiner, but may confuse one
– Word – “Recover Text from Any File” exposes the extra content

24 Merge Streams/Glue

25 Demo

26 File Properties Changer

27 File Splitting
– 1toX, GSplit
– Some tools can split files, password-protect and encrypt the pieces
– Split a file and store the pieces in different locations…

28 Wiping Tools
Gazillions of them:
– Eraser (bundled with DBAN)
– SDelete (Sysinternals)
– Evidence Eliminator
– BCWipe
– CyberScrub
– Etc.
Do they perform as promised? PGP – does it really wipe slack space? Are they used frequently?

29 Removing Residual Data
Tools exist to remove residual data, but do not use them in response to litigation.
See Kucala Enterprises, Ltd. v. Auto Wax Co., Inc., 2003 WL 21230605 (N.D. Ill. May 27, 2003): “Any reasonable person can deduce, if not from the name of the product itself, then by reading the website, that Evidence Eliminator is a product used to circumvent discovery.”
See also Anderson v. Crossroads Capital Partners.

30 Software – third-party tools leave their own footprints in the registry even after uninstall: HKEY_CURRENT_USER\Software\[Manufacturer Name]\[Tool]
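An added example that audits the “supplied” settings from slides 4, 5 and 7 and then searches the location slide 30 gives for tool footprints (this script is not from the deck). Only the ClearPageFileAtShutdown value is spelled out on the slides; the Recycle Bin and Temporary Internet Files registry locations, and the vendor names in the pattern list, are this editor’s assumptions and should be confirmed against the Windows build under examination.

```powershell
# Added example (not from the original deck). Run on a live system, or load an
# evidence hive with "reg load" and adjust the HKLM:/HKCU: paths to the mount point.
function Get-AntiForensicsSettings {
    $checks = @(
        @{ Setting = 'Clear page file at shutdown (slide 7)'
           Path    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
           Name    = 'ClearPageFileAtShutdown'; OnValue = 1 }
        @{ Setting = 'Recycle Bin deletes immediately, XP machine-wide (slide 4; assumed key)'
           Path    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket'
           Name    = 'NukeOnDelete'; OnValue = 1 }
        @{ Setting = 'Empty Temporary Internet Files on browser close (slide 5; assumed key)'
           Path    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache'
           Name    = 'Persistent'; OnValue = 0 }   # 0 = do not persist the cache
    )
    foreach ($c in $checks) {
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $data = if ($item) { $item.($c.Name) } else { $null }
        [pscustomobject]@{
            Setting = $c.Setting
            Present = ($null -ne $data)
            Data    = $data
            Enabled = ($null -ne $data) -and ($data -eq $c.OnValue)
        }
    }
    # Vista and later keep NukeOnDelete per volume under the user's BitBucket key (assumed layout)
    $volumes = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume'
    Get-ChildItem -Path $volumes -ErrorAction SilentlyContinue | ForEach-Object {
        $d = (Get-ItemProperty -Path $_.PSPath -Name NukeOnDelete -ErrorAction SilentlyContinue).NukeOnDelete
        [pscustomobject]@{
            Setting = "Recycle Bin deletes immediately, volume $($_.PSChildName)"
            Present = ($null -ne $d)
            Data    = $d
            Enabled = ($d -eq 1)
        }
    }
}

# Slide 30: HKCU\Software\<Manufacturer>\<Tool>. The patterns are a starting list
# built from tools named in the deck plus their vendors (vendor names assumed);
# extend it for the case at hand. Two levels are checked because some tools key
# by vendor (Sysinternals\SDelete) and some directly by product name.
function Find-ToolFootprints {
    param(
        [string[]]$Patterns = @('Evidence Eliminator', 'Robin Hood', 'BCWipe', 'Jetico',
                                'Eraser', 'CyberScrub', 'Cryptext', 'SDelete')
    )
    $vendors = Get-ChildItem -Path 'HKCU:\Software' -ErrorAction SilentlyContinue
    $tools   = $vendors | Get-ChildItem -ErrorAction SilentlyContinue
    foreach ($key in @($vendors) + @($tools)) {
        $leaf = $key.PSChildName
        $hit  = $Patterns | Where-Object { $leaf -like "*$_*" } | Select-Object -First 1
        if ($hit) {
            [pscustomobject]@{
                Match  = $hit
                Key    = $key.Name
                Values = ($key.GetValueNames() -join ', ')
            }
        }
    }
}

Get-AntiForensicsSettings | Format-Table -AutoSize
Find-ToolFootprints       | Format-Table -AutoSize
```

A “Present but not Enabled” row is still informative: a user who once turned a setting on and later turned it off leaves the value behind, and the key’s last-write time (visible in a hive parser, not through PowerShell) dates that change.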

31 Encryption
– Cryptext – free and easy to use, a shell extension
– EFS
– OTFE (on-the-fly encryption) – encrypted partitions
– USB thumb drives – new ones include encrypted partitions
– Encrypted file stored on an encrypted partition…
– LockNote

32 Steganography
– Includes encryption
– Free tools
– Complex method of hiding data, but easy to do…
– Can you detect it? “Duplicate colors?” (palette images written by LSB tools such as S-Tools end up with near-duplicate palette entries, a classic tell)
Detection resources: WetStone Technologies, Steganography Analysis and Research Center (SARC), stegdetect

33 S-Tools DEMO

34 Metasploit Project
Timestomp – modifies a file’s MACE times (modified, accessed, created, MFT entry modified) in the NTFS $STANDARD_INFORMATION attribute, with an option to set them to values EnCase displayed as blank. It writes whole seconds and leaves the $FILE_NAME attribute’s timestamps untouched, so a parser that compares the two attributes can still expose the change.

35 Timestomp
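A detection heuristic for the behaviour described above, as an added example (not from the Metasploit project or the deck). NTFS records timestamps in 100-nanosecond ticks, while Timestomp and similar tools write whole seconds, so a file whose visible timestamps all have a zero fractional second, or whose creation time is later than its modification time, is worth pulling into an MFT-level $STANDARD_INFORMATION versus $FILE_NAME comparison. The script stages a constructed “stomped” file by setting its times through .NET, then runs the check over the directory.

```powershell
# Added example (not from the original deck). Uses only what .NET exposes, which
# is the $STANDARD_INFORMATION set; $FILE_NAME times need an $MFT parser.
function Test-TimestampPrecision {
    param([Parameter(Mandatory)][System.IO.FileInfo]$File)
    $ticksPerSecond = [TimeSpan]::TicksPerSecond     # 10,000,000
    $stamps = @{
        Created  = $File.CreationTimeUtc
        Modified = $File.LastWriteTimeUtc
        Accessed = $File.LastAccessTimeUtc
    }
    # Names of the timestamps whose sub-second part is exactly zero
    $zeroFraction = @($stamps.GetEnumerator() |
        Where-Object { ($_.Value.Ticks % $ticksPerSecond) -eq 0 } |
        ForEach-Object { $_.Key })
    $createdAfterMod = $stamps.Created -gt $stamps.Modified
    [pscustomobject]@{
        File            = $File.FullName
        Created         = $stamps.Created.ToString('o')
        Modified        = $stamps.Modified.ToString('o')
        ZeroFraction    = ($zeroFraction -join ',')
        CreatedAfterMod = $createdAfterMod
        # Two or more whole-second stamps, or an impossible ordering, flags the file
        Suspicious      = ($zeroFraction.Count -ge 2) -or $createdAfterMod
    }
}

function Find-StompedTimestamps {
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -Path $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Test-TimestampPrecision -File $_ } |
        Where-Object Suspicious
}

# --- constructed demo ---------------------------------------------------------
$demo = Join-Path $env:TEMP 'stomp-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$normal  = New-Item -Path (Join-Path $demo 'normal.txt')  -ItemType File -Value 'untouched' -Force
$stomped = New-Item -Path (Join-Path $demo 'stomped.txt') -ItemType File -Value 'backdated' -Force

# Mimic the anti-forensic act: push all three visible times to one whole-second value
$fake = Get-Date '2001-01-01 00:00:00'
$stomped.CreationTime   = $fake
$stomped.LastWriteTime  = $fake
$stomped.LastAccessTime = $fake

# Only stomped.txt should be reported
Find-StompedTimestamps -Root $demo | Format-List
```

Treat the flag as a triage signal, not proof: files copied from FAT volumes carry 2-second modification times and some installers set whole-second timestamps deliberately, so the hit list should be confirmed against the $FILE_NAME attribute, which these tools do not rewrite.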



38 Document Lifecycle Management
– Controlling documents even when they are “out of your control”
– Expiration dates
– Encryption

39 Document Lifecycle Management
“Net-It® Now is a free print driver that renders your files to CSF (content secure format), a compressed encrypted format that allows you to add Visual Rights™, including password protection, an expiration date, and feature restrictions, to your files (settings). Files are viewable with the free Brava! Reader (views TIFF, PDF and CSF files)”.

40 Example

41 Use a Mac
– Entry-level programs such as WinHex and ProDiscover Basic do not handle the HFS+ file system
– Most computer forensics training programs do not address Macs
– Most computer forensics examiners “fear” conducting an examination of a Mac – they just don’t understand them

42 HPA – Store data in the Host Protected Area, the ATA-defined region beyond the drive’s reported maximum address (set with SET MAX ADDRESS). The OS never sees it, and an imaging tool that does not issue READ NATIVE MAX ADDRESS to compare the true and reported capacities will never image it.

43 Good News/Bad News
First the bad news: using a combination of these tools on a regular basis can defeat a computer forensics examination.
Now the good news: very few users know about “all” of these tools and methods, and not all tools perform as promised.

44 Last thoughts
– Determining whether these tools have been used can be just as important as finding evidence
– Finding these tools can counter the “I’m not sophisticated enough” argument
– Found in illegal movie and music distribution cases

45 Mac OS X – the shape of things to come
– FileVault – encrypted home folder
– Secure Virtual Memory – encrypted swap, so paged-out data is unreadable offline

46 Mac OS X – the shape of things to come

47 Mac OS X - Safari

48 IE7

49 Questions/Comments John Mallery Managing Consultant BKD, LLP 816 221-6300
