Anti-forensics: What the bad guys are doing…
John Mallery, Managing Consultant
816 221-6300
firstname.lastname@example.org
Issues
- Computer forensics is becoming more mainstream
- Computer users are learning more effective methods to cover their tracks
- Programmers are writing tools to defeat specific commercial computer forensics products
- Computer forensics examiners are slaves to their tool(s)

Agenda
- Configuration settings – methods used to cover tracks using “supplied” tools and configuration settings
- Third party tools – wiping, properties changers, registry cleaners, steganography/encryption, etc.
- Tools and methods designed specifically to fool computer forensics programs
Simple
- “Shift+Delete” to bypass the Recycle Bin
- Recycle Bin configured to delete immediately
- defrag

OS/Application Supplied
- Empty Temporary Internet Files folder when browser is closed.

Clear Page File
Configured? Check the following registry key:
Hive: HKEY_LOCAL_MACHINE\SYSTEM
Key: CurrentControlSet\Control\Session Manager\Memory Management
Name: ClearPageFileAtShutdown
Type: REG_DWORD
Value: 1
Slows down the shutdown process.

OS/Application Supplied
- CIPHER – “Displays or alters the encryption of directories [files] on NTFS partitions”
- CIPHER /W:directory (XP) – overwrites the unused space on the volume holding that directory
Alternate Data Streams
The NTFS file system provides the ability to have additional data streams associated with a file. (Provides support for Apple’s HFS – Hierarchical File System.)

Alternate Data Stream Demo – thanks to Harlan Carvey
At the command prompt:
C:\>mkdir ads
C:\>cd ads
C:\ads>echo "This is a standard text file." > textfile.txt
C:\ads>echo "The password is weasel." > textfile.txt:pword.txt
To read the alternate data stream:
C:\ads>notepad textfile.txt:pword.txt
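The PowerShell below is an added example, not part of the slides, that turns the two artifacts just described into a defender's check: it reports whether ClearPageFileAtShutdown is set, and lists every file under a folder that carries an alternate data stream. It assumes Windows PowerShell 3 or later (for `-Stream`) and uses the demo's C:\ads directory as the scan root.

```powershell
# Added example (not from the slides): audit the page-file setting and ADS usage.
function Test-ClearPageFileAtShutdown {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $item = Get-ItemProperty -Path $key -Name ClearPageFileAtShutdown -ErrorAction SilentlyContinue
    # Absent or 0: pagefile.sys survives shutdown. 1: it is overwritten at shutdown.
    return ($null -ne $item -and $item.ClearPageFileAtShutdown -eq 1)
}

function Get-AlternateDataStreams {
    param([string]$Root = 'C:\ads')   # assumption: the directory built in the demo
    Get-ChildItem -Path $Root -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Every file has the unnamed ':$DATA' stream; anything else is an ADS.
            # Zone.Identifier is a benign ADS written by browsers on downloaded files.
            Get-Item -Path $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                Select-Object FileName, Stream, Length
        }
}

# Usage
if (Test-ClearPageFileAtShutdown) { 'Page file is cleared at shutdown' }
else { 'Page file is NOT cleared at shutdown' }

Get-AlternateDataStreams -Root 'C:\ads' | Format-Table -AutoSize

# Read a named stream directly, without opening the primary file content
Get-Content -Path 'C:\ads\textfile.txt' -Stream 'pword.txt'
```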
Redaction tool
http://tinyurl.com/dgokp (Word 2003)
“Overview. Redaction is the careful editing of a document to remove confidential information. The Microsoft Office Word 2003 Redaction Add-in makes it easy for you to mark sections of a document for redaction. You can then redact the document so that the sections you specified are blacked out. You can either print the redacted document or use it electronically. In the redacted version of the document, the redacted text is replaced with a black bar and cannot be converted back to text or retrieved.”

File Splitting
- 1toX – http://www.logipole.com/indexe.html
- GSplit – http://www.gdgsoft.com/gsplit/
- Some tools can split files, password protect and encrypt the pieces.
- Split the file and store the pieces in different locations…
Wiping Tools
- Gazillions of them
- Eraser (comes with DBAN)
- SDelete – www.sysinternals.com
- Evidence Eliminator
- BC Wipe
- Cyberscrub
- Etc.
- Do they perform as promised? PGP – does it really wipe slack space?
- Are they used frequently?

Removing Residual Data
- Tools exist to remove residual data
- But do not use them in response to litigation
- See Kucala Enterprises, Ltd. v. Auto Wax Co., Inc., 2003 WL 21230605 (N.D. Ill.), May 27, 2003: "Any reasonable person can deduce, if not from the name of the product itself, then by reading the website, that Evidence Eliminator is a product used to circumvent discovery.”
- Anderson v. Crossroads Capital Partners

Encryption
- Cryptext – free and easy to use, a shell extension (http://tinyurl.com/do2qs)
- EFS
- OTFE – encrypted partitions, www.truecrypt.org
- USB thumb drives – new ones include encrypted partitions
- Encrypted file stored on an encrypted partition…
- LockNote – http://locknote.steganos.com/
Steganography
- Includes encryption
- Free tools
- Complex method of hiding data, but easy to do…
- Can you detect it? “Duplicate colors?”
- Wetstone Technologies
- Steganography Analysis and Research Center
- stegdetect
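The “duplicate colors” hint above refers to palette (indexed) images: embedding in the low-order bits of a colour table tends to leave many near-identical palette entries. The PowerShell below is an added example, not from the slides or any of the listed tools; it counts near-duplicate palette pairs and loads the palette of a real GIF/BMP through System.Drawing. The tolerance, the ratio threshold and the sample palette are constructed assumptions for a triage check, not a published detector.

```powershell
# Added example (not from the slides): "duplicate colours" palette triage.
Add-Type -AssemblyName System.Drawing

function Get-NearDuplicatePairCount {
    param(
        [object[]]$Palette,   # objects exposing R, G, B (System.Drawing.Color works)
        [int]$Tolerance = 1   # max per-channel difference to count as a near-duplicate
    )
    $pairs = 0
    for ($i = 0; $i -lt $Palette.Count; $i++) {
        for ($j = $i + 1; $j -lt $Palette.Count; $j++) {
            $a = $Palette[$i]; $b = $Palette[$j]
            if ([math]::Abs($a.R - $b.R) -le $Tolerance -and
                [math]::Abs($a.G - $b.G) -le $Tolerance -and
                [math]::Abs($a.B - $b.B) -le $Tolerance) {
                $pairs++
            }
        }
    }
    return $pairs
}

function Test-SuspiciousPalette {
    param([string]$Path, [double]$MaxRatio = 0.25)   # ratio threshold is an assumption
    $img = [System.Drawing.Image]::FromFile($Path)
    try {
        $palette = $img.Palette.Entries   # empty for non-indexed formats (true-colour PNG/JPEG)
        if ($palette.Count -eq 0) { return $false }
        $pairs = Get-NearDuplicatePairCount -Palette $palette
        # Many near-twins relative to palette size is the symptom worth a closer look
        return (($pairs / $palette.Count) -gt $MaxRatio)
    } finally { $img.Dispose() }
}

# Constructed palette: eight distinct colours plus three near-twins, as an embedding tool can leave
$sample = @(
    @{R=255;G=0;B=0}, @{R=254;G=0;B=0}, @{R=0;G=255;B=0}, @{R=0;G=254;B=0},
    @{R=0;G=0;B=255}, @{R=0;G=0;B=254}, @{R=30;G=60;B=90}, @{R=200;G=200;B=200},
    @{R=10;G=10;B=10}, @{R=90;G=90;B=90}, @{R=150;G=150;B=150}
) | ForEach-Object { [pscustomobject]$_ }
"Near-duplicate pairs in constructed palette: $(Get-NearDuplicatePairCount -Palette $sample)"

# Against a real file (path is an assumption): Test-SuspiciousPalette -Path 'C:\images\sample.gif'
```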
Document Lifecycle Management
- Controlling documents even when they are “out of your control”
- Expiration dates
- Encryption

Document Lifecycle Management
“Net-It® Now is a free print driver that renders your files to CSF (content secure format), a compressed encrypted format that allows you to add Visual Rights™, including password protection, an expiration date, and feature restrictions, to your files (settings). Files are viewable with the free Brava! Reader (views TIFF, PDF and CSF files).”
http://www.net-it.com/nin.htm

Use a Mac
- Entry level programs such as WinHex and ProDiscover Basic do not handle the HFS+ file system.
- Most computer forensics training programs do not address Macs.
- Most computer forensics examiners “fear” conducting an examination of Macs – they just don’t understand them.
Good News/Bad News
First the bad news:
- Using a combination of these tools on a regular basis can defeat a computer forensics examination
Now the good news:
- Very few users know about “all” of these tools and methods
- Not all tools perform as promised

Last thoughts
- Determining whether these tools have been used can be just as important as finding evidence.
- Finding these tools can counter the “I’m not sophisticated enough” argument.
- Found in illegal movie and music distribution cases.

Mac OS X – the shape of things to come
- FileVault – encrypted home folder
- Secure virtual memory