Anti-forensics: What the bad guys are doing… John Mallery Managing Consultant
Issues
Computer forensics is becoming more mainstream.
Computer users are learning more effective methods to cover their tracks.
Programmers are writing tools to defeat specific commercial computer forensics products.
Computer forensics examiners are slaves to their tool(s).
Agenda
Configuration settings – methods used to cover tracks using “supplied” tools and configuration settings.
Third party tools – wiping, properties changers, registry cleaners, steganography/encryption, etc.
Tools and methods designed specifically to fool computer forensics programs.
Simple
“Shift+Delete” to bypass the Recycle Bin.
Recycle Bin – configured to delete immediately.
Defrag.
OS/Application Supplied
Empty Temporary Internet Files folder when the browser is closed.
Clear Page File
Configured? Check the following registry key:
Hive: HKEY_LOCAL_MACHINE\SYSTEM
Key: CurrentControlSet\Control\Session Manager\Memory Management
Name: ClearPageFileAtShutdown
Type: REG_DWORD
Value: 1
Slows down the shutdown process.
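An examiner wants to know up front whether pagefile.sys was zeroed at the last shutdown, because that decides whether the page file is worth carving. The PowerShell function below reads the registry value named on the slide and reports how it is set. It is an added example, not part of the presentation; the function name is mine, and it assumes it is run on the live Windows system (or against a loaded SYSTEM hive mounted under HKLM:) with read access to the key.

```powershell
# Added example (not from the presentation): report whether ClearPageFileAtShutdown
# is set, so an examiner knows whether pagefile.sys was wiped at the last shutdown.
function Test-ClearPageFileAtShutdown {
    [CmdletBinding()]
    param(
        # Key and value name taken from the slide; HKLM: is PowerShell's registry drive
        [string]$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management',
        [string]$ValueName = 'ClearPageFileAtShutdown'
    )

    # Get-ItemProperty writes a non-terminating error if the key or value is missing;
    # SilentlyContinue turns that into a $null result we can test for.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value absent: Windows treats this the same as 0 (page file is not cleared)
        return [pscustomobject]@{
            Configured = $false
            Value      = $null
            Note       = 'Value not present; default behaviour, page file persists across reboots'
        }
    }

    $value = [int]$item.$ValueName
    if ($value -eq 1) {
        $note = 'Page file is zeroed at shutdown; expect slow shutdowns and little residue in pagefile.sys'
    } else {
        $note = 'Page file persists across reboots; pagefile.sys may still hold memory residue'
    }

    [pscustomobject]@{
        Configured = ($value -eq 1)
        Value      = $value
        Note       = $note
    }
}

Test-ClearPageFileAtShutdown | Format-List
```

The value only controls what happens at a clean shutdown; a system that was powered off or crashed still leaves the page file intact, so a `Configured = $true` result is a reason to check the shutdown event history before writing the page file off.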
OS/Application Supplied
CIPHER – “Displays or alters the encryption of directories [files] on NTFS partitions”
CIPHER /W:directory (XP)
Alternate Data Streams
The NTFS file system provides the ability to have additional data streams associated with a file. (Provides support for Apple’s HFS – Hierarchical File System.)
Alternate Data Stream Demo – thanks to Harlan Carvey
At the command prompt:
C:\> mkdir ads
C:\> cd ads
C:\ads> echo “This is a standard text file.” > textfile.txt
C:\ads> echo “The password is weasel.” > textfile.txt:pword.txt
To read the alternate data stream:
C:\ads> notepad textfile.txt:pword.txt
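The demo above shows the hiding side; the examiner's side is enumerating which files carry a named stream at all, since dir and Explorer do not show them. The function below walks a directory, lists every stream other than the unnamed ':$DATA' stream, and previews its contents, then recreates the slide's demo in a temporary folder and scans it. This is an added example and not part of the presentation; the function name is mine, and it assumes PowerShell 3 or later on an NTFS volume (the -Stream parameter is unavailable on FAT/exFAT).

```powershell
# Added example (not from the presentation): find files that carry NTFS alternate
# data streams and show what is in them.
function Find-AlternateDataStreams {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$Path,
        [int]$PreviewChars = 64
    )

    Get-ChildItem -Path $Path -File -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_
        # Get-Item -Stream * returns one object per stream; ':$DATA' is the normal
        # unnamed stream every file has, so anything else is an alternate stream.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                $stream  = $_
                $preview = Get-Content -LiteralPath $file.FullName -Stream $stream.Stream -Raw -ErrorAction SilentlyContinue
                if ($null -ne $preview -and $preview.Length -gt $PreviewChars) {
                    $preview = $preview.Substring(0, $PreviewChars) + '...'
                }
                [pscustomobject]@{
                    File    = $file.FullName
                    Stream  = $stream.Stream
                    Length  = $stream.Length
                    Preview = $preview
                }
            }
    }
}

# Recreate the slide's demo in a scratch directory (constructed sample data), then scan it.
$demo = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Set-Content -Path (Join-Path $demo 'textfile.txt') -Value 'This is a standard text file.'
Set-Content -Path (Join-Path $demo 'textfile.txt') -Stream 'pword.txt' -Value 'The password is weasel.'

Find-AlternateDataStreams -Path $demo | Format-Table -AutoSize
```

Expect plenty of benign hits on a real profile: browsers attach a `Zone.Identifier` stream to downloaded files, so filter that name out or treat it as context rather than as hidden data. Streams can also be attached to directories, which this function does not walk; add `-Directory` handling if that matters for the case.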
OS/Application Supplied Disk Cleanup
Online Document Creation & Storage
OS/Application Supplied
Word (Excel)
– Hidden font
– White on white
– Small font
Plug-ins
– Remove Hidden Data tool
– Redaction tool
– Payne scrambling tool
Hidden Font
Redaction tool (Word 2003)
“Overview: Redaction is the careful editing of a document to remove confidential information. The Microsoft Office Word 2003 Redaction Add-in makes it easy for you to mark sections of a document for redaction. You can then redact the document so that the sections you specified are blacked out. You can either print the redacted document or use it electronically. In the redacted version of the document, the redacted text is replaced with a black bar and cannot be converted back to text or retrieved.”
Remove Hidden Data (metadata)
Scramble Assistant For Word & Excel
Advantages of OS Supplied Tools
Appear less “nefarious” than commercial tools (Evidence Eliminator).
Free.
Third Party Tools Fun for the Whole Family
Merge Streams/Glue
Hides an Excel file within a Word document (or vice versa): with a .doc extension you see the Word file, with .xls you see the Excel file.
Won’t fool a forensics examiner – may confuse them.
Word – “Recover Text from any file”
File Properties Changer
File Splitting
1toX, GSplit
Some tools can split files, password protect and encrypt the pieces.
Split a file and store the pieces in different locations…
Wiping Tools
Gazillions of them: Eraser (comes with DBAN), SDelete, Evidence Eliminator, BCWipe, CyberScrub, etc.
Do they perform as promised? PGP – does it really wipe slack space?
Are they used frequently?
Removing Residual Data
Tools exist to remove residual data, but do not use them in response to litigation.
See Kucala Enterprises, Ltd. v. Auto Wax Co., Inc., 2003 WL (N.D. Ill.), May 27: “Any reasonable person can deduce, if not from the name of the product itself, then by reading the website, that Evidence Eliminator is a product used to circumvent discovery.”
Anderson v. Crossroads Capital Partners
Encryption
Cryptext – free and easy to use, a shell extension (http://tinyurl.com/do2qs)
EFS
OTFE – encrypted partitions
USB thumb drives – new ones include encrypted partitions
Encrypted file stored on an encrypted partition…
Locknote
Steganography
Includes encryption.
Free tools.
Complex method of hiding data, but easy to do…
Can you detect it? “Duplicate colors?”
Wetstone Technologies, Steganography Analysis and Research Center, stegdetect
Metasploit Project
Timestomp – modifies MAC times so EnCase can’t read them.
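Timestamp manipulation leaves traces of its own, and an examiner can triage for them without a full MFT parse. The function below flags files whose NTFS timestamps have an all-zero sub-second field (tools that accept a time only to the second, Timestomp among them, leave the 100-nanosecond part empty, which is unusual for files the operating system wrote itself) and files whose modification time predates their creation time. This is an added example and not part of the presentation or of Metasploit; the function name and heuristics are mine, and it assumes it is run on a live Windows system or a mounted image.

```powershell
# Added example (not from the presentation): triage files for timestamps that look
# manipulated. Heuristic 1: a timestamp with zero sub-second ticks. Heuristic 2: last
# write earlier than creation.
function Find-SuspiciousTimestamps {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string]$Path)

    # DateTime.Ticks counts 100 ns units; a value divisible by this is a whole second
    $ticksPerSecond = [TimeSpan]::TicksPerSecond   # 10,000,000

    Get-ChildItem -Path $Path -File -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $reasons = @()

        foreach ($prop in 'CreationTimeUtc', 'LastWriteTimeUtc', 'LastAccessTimeUtc') {
            $ts = $_.$prop
            if (($ts.Ticks % $ticksPerSecond) -eq 0) {
                $reasons += "$prop has zero sub-second precision"
            }
        }

        if ($_.LastWriteTimeUtc -lt $_.CreationTimeUtc) {
            $reasons += 'last write precedes creation'
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                File     = $_.FullName
                Created  = $_.CreationTimeUtc.ToString('o')
                Modified = $_.LastWriteTimeUtc.ToString('o')
                Reasons  = ($reasons -join '; ')
            }
        }
    }
}

Find-SuspiciousTimestamps -Path $env:USERPROFILE | Format-Table -AutoSize
```

Both heuristics produce legitimate hits that need to be ruled out: a file copied onto the volume keeps its old modification time but gets a fresh creation time, so "last write precedes creation" is normal for copies, and files that came from FAT/exFAT media or out of zip archives carry second-granularity timestamps. PowerShell only exposes the $STANDARD_INFORMATION times; the stronger check, comparing them against the $FILE_NAME times in the MFT record that user-mode tools cannot set, needs a forensic MFT parser rather than this script.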
Document Lifecycle Management
Controlling documents even when they are “out of your control”: expiration dates, encryption.
Document Lifecycle Management
“Net-It® Now is a free print driver that renders your files to CSF (content secure format), a compressed encrypted format that allows you to add Visual Rights™, including password protection, an expiration date, and feature restrictions, to your files (settings). Files are viewable with the free Brava! Reader (views TIFF, PDF and CSF files).”
Use a Mac
Entry-level programs such as WinHex and ProDiscover Basic do not handle the HFS+ file system.
Most computer forensics training programs do not address Macs.
Most computer forensics examiners “fear” conducting an examination of Macs – they just don’t understand them.
HPA
Store data in the Host Protected Area.
Good News/Bad News
First the bad news: using a combination of these tools on a regular basis can defeat a computer forensics examination.
Now the good news: very few users know about “all” of these tools and methods, and not all tools perform as promised.
Last thoughts
Determining whether these tools have been used can be just as important as finding evidence.
Finding these tools can counter the “I’m not sophisticated enough” argument.
Found in illegal movie and music distribution cases.
Mac OS X – the shape of things to come
FileVault – encrypted home folder
Secure virtual memory
Mac OS X – Safari
Questions/Comments
John Mallery, Managing Consultant, BKD, LLP