Topic - Anti-Forensics and Reasons for Optimism
BJ Bellamy, Kentucky Auditor's Office
1. Introduction
2. An overview of anti-forensics tools and techniques
   2.a. The digital landscape
   2.b. The tools and techniques
3. Reasons to be optimistic
4. References
Introduction
While there has been discussion about anti-forensics since about 2002, there has been a growing concern that the digital space (disks, RAM, files...) has been lost to the opposition as a viable crime scene. But I believe there are reasons we, as auditors, should be optimistic.
Some quotes:
"Some say anti-forensics is developing faster. Why? Because what was once only possible for the elite has now washed downstream in the form of automated tools. More or less, anyone can throw trashcans in the path of forensic investigators now that the tools are there to make it all possible."
"This is anti-forensics. It is more than technology. It is an approach to criminal hacking that can be summed up like this: Make it hard for them to find you and impossible for them to prove they found you."
"Police officers [in London's forensics unit] had two days to examine a computer. So your attack didn't have to be perfect. It just had to take more than two eight-hour working days for someone to figure out. That was like an unwritten rule. They only had those 16 hours to work on it. So if you made it take 17 hours to figure out, you win."
The bad news…
The bad guys are better at what they do than us good guys are at what the bad guys do. Why?
1. they have more time
2. they can be much more focused
3. they do not operate under the types of restraints or requirements we do
2. An overview of anti-forensics tools and techniques
Rather than an exhaustive review of the different areas of a disk where information can be hidden, we will look at just a couple that can then be used to illustrate the main point: how anti-forensics works.
First, the landscape… The typical disk, of any type (fixed, removable, camera cards, cell phone cards…), is organized into many separate areas that each have different intended uses. Hiding information is all about using those areas in ways other than were intended.
Disk Organization
Host Protected Area (HPA) - an area of a hard drive that is not normally visible to an operating system (OS) but often used for manufacturer software
Device Configuration Overlay (DCO) - used for disk metadata, also not visible to the OS
Unallocated space - space not currently allocated to store a file
File slack space - the unused space at the end of most files
Good sectors that are maliciously flagged as bad
Alternate Data Streams (ADS)
Disk fragmentation
Notice the fragmentation and unallocated space.
2b. The tools and techniques
There are several ways to categorize the anti-forensic efforts. The referenced articles illustrate many of them. Categories of anti-forensic attention, a variation on Tom Van de Wiele's:
1. Data destruction
2. Data hiding
3. Data obfuscation
4. Data encryption
5. Attacking the analyst and the forensic process
1. Data Destruction
This is more than simply deleting a file or its contents. Data destruction is destructively overwriting the material in a file, or elsewhere. The typical name is wiping, and there are several published standards detailing how it is to be performed:
Zeroes
Pseudo-random numbers
Pseudo-random & Zeroes
DoD M (3 passes)
DoD STD (7 passes)
Russian Standard – GOST
B. Schneier's algorithm (7 passes)
German Standard, VSITR (7 passes)
Peter Gutmann (35 passes)
US Army AR (3 passes)
North Atlantic Treaty Organization – NATO Standard
US Air Force, AFSSI 5020
Data Destruction (cont)
Tools:
Eraser
Srm
Sdelete
Darik's Boot and Nuke - dban.sourceforge.net/
2. Data Hiding
Techniques: steganography, unallocated space, file slack space, and ADS.
Steganography is the art and science of writing hidden messages in such a way that no one apart from the intended recipient knows of the existence of the message; this is in contrast to cryptography, where the existence of the message itself is not disguised, but the content is obscured. With the advent of digital media, steganography has come to include the hiding of digital information within digital files.
Unallocated Disk Space
Unallocated space – storage space not currently allocated to store a file.
File Slack Space
1. Two blocks of 512 bytes (characters) each. A total of 1024 bytes of unallocated space ready to store anything.
2. A new file is written to this space, using all 1024 bytes.
3. Then the file is deleted and the space is again considered unallocated.
4. A new file is created, but does not require all 1024 bytes of space. So only 800 bytes are written, destructively overwriting the first 800 bytes of the deleted file.
The slack space still contains the last 224 characters of the original "deleted" file. This area can be used to store hidden material.
File Slack Space
First we check a file to see how much slack space it has. Below is the content of the hosts.allow file, all 161 bytes.
  etc]# bmap --mode slack hosts.allow
  getting from block
  file size was: 161
  slack size: 3935
  block size: 4096
  etc]# cat hosts.allow
  #
  # hosts.allow   This file describes the names of the hosts which are
  #               allowed to use the local INET services, as decided
  #               by the '/usr/sbin/tcpd' server.
  #
File Slack Space
First we hide some material in the slack space of the hosts.allow file.
  etc]# bmap --verbose --mode putslack hosts.allow
  stuffing block
  file size was: 161
  slack size: 3935
  block size: 4096
  This is a demonstration of using file slack space. NASACT
And here we access the material we just hid.
  etc]# bmap --verbose --mode slack hosts.allow
  getting from block
  file size was: 161
  slack size: 3935
  block size: 4096
  This is a demonstration of using file slack space. NASACT
File Slack Space
Now we wipe the slack space clean.
  etc]# bmap --verbose --mode wipeslack hosts.allow
  stuffing block
  file size was: 161
  slack size: 3935
  block size: 4096
And now the material is gone.
  etc]# bmap --verbose --mode slack hosts.allow
  getting from block
  file size was: 161
  slack size: 3935
  block size: 4096
File Slack Space
There were 386,059 bytes of slack space available in the files of the /etc directory alone. Slack space can be used to store any type of material, including compressed and encrypted material.
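The four-step slack illustration and the bmap figures above, replayed on a constructed toy block device so the arithmetic can be checked. This is an added example, not code from the presentation or from bmap; the BlockDevice class, its first-fit allocator and the file names are assumptions made for the demonstration.

```python
BLOCK_SIZE = 512   # the slide's block size; the bmap run on /etc used 4096

def slack_size(file_size, block_size=BLOCK_SIZE):
    """Bytes between a file's logical end and the end of its last allocated block."""
    return 0 if file_size <= 0 else -file_size % block_size

class BlockDevice:
    """Constructed toy disk: a flat byte image and an allocation bitmap, nothing else."""
    def __init__(self, n_blocks, block_size=BLOCK_SIZE):
        self.block_size = block_size
        self.image = bytearray(n_blocks * block_size)
        self.allocated = [False] * n_blocks
        self.files = {}                      # name -> (first block, logical size)

    def _blocks_needed(self, size):
        return -(-size // self.block_size)   # ceiling division

    def write_file(self, name, data):
        n = self._blocks_needed(len(data))
        for start in range(len(self.allocated) - n + 1):   # first-fit search
            if not any(self.allocated[start:start + n]):
                break
        else:
            raise OSError("no contiguous free blocks")
        off = start * self.block_size
        # Only len(data) bytes change; the tail of the last block keeps whatever was there.
        self.image[off:off + len(data)] = data
        for b in range(start, start + n):
            self.allocated[b] = True
        self.files[name] = (start, len(data))

    def delete_file(self, name):
        """Deletion frees the blocks but does not wipe them, as on a real file system."""
        start, size = self.files.pop(name)
        for b in range(start, start + self._blocks_needed(size)):
            self.allocated[b] = False

    def slack_bytes(self, name):
        """What a slack scan (bmap --mode slack) would read back for this file."""
        start, size = self.files[name]
        begin = start * self.block_size + size
        return bytes(self.image[begin:begin + slack_size(size, self.block_size)])

def slide_walkthrough():
    """The four steps from the slide; returns what a slack scan of the new file recovers."""
    dev = BlockDevice(2)                   # 1. two 512-byte blocks, 1024 bytes unallocated
    dev.write_file("first", b"A" * 1024)   # 2. a file fills all 1024 bytes
    dev.delete_file("first")               # 3. deleted: space unallocated, bytes still there
    dev.write_file("second", b"B" * 800)   # 4. 800 bytes overwrite the first 800 bytes
    return dev.slack_bytes("second")       # the last 224 bytes of "first" survive in slack
```

The same slack_size() arithmetic gives the 3935 bytes bmap reported for a 161-byte file on 4096-byte blocks; a scan that finds non-null bytes in slack is the check an examiner runs, whether the bytes are leftover or deliberately stuffed.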
NTFS Alternate Data Streams
ADS were created to provide compatibility with HFS, the old Macintosh Hierarchical File System. The Macintosh file system uses both data and resource forks to store a file's contents: the data fork holds the contents of the document, while the resource fork identifies the file type and other pertinent details.
3. Data obfuscation
Techniques: metadata - "last modified", filename suffix, unusual characters.
NTFS timestamps in the Master File Table (MFT):
Modification - when the metadata about the file was last modified
Access - when the file was last accessed
Create - when the file was created
Entry modification - when the file's MFT entry was last modified
Date and time stamps
Command                      Result
C:\>dir /tc Cain.lnk         07/03/ :12 AM
C:\>dir /ta Cain.lnk         08/28/ :00 AM
C:\>dir /tw Cain.lnk         07/30/ :28 PM
C:\>timestomp Cain.lnk -v    Modified: Monday 7/30/ :28:43
                             Accessed: Tuesday 8/28/2007 9:28:21
                             Created: Tuesday 7/3/ :12:10
                             Entry Modified: Monday 7/30/ :28:43
From The Metasploit Anti-forensics homepage: Timestomp – the first tool that allows you to modify all four NTFS timestamp values: modified, accessed, created, and entry modified.
Date and timestamps (cont)
Now TimeStomp.exe is used to change the creation date.
Command                                                     Result
C:\>TimeStomp Cain.lnk -c "Saturday 3/22/2228 5:15:55 AM"   07/03/ :12 AM
C:\>dir /ta Cain.lnk                                        03/22/ :15 AM
C:\>dir /tw Cain.lnk                                        07/30/ :28 PM
C:\>timestomp Cain.lnk -v                                   Modified: Monday 7/30/ :28:43
                                                            Accessed: Tuesday 8/28/2007 9:28:21
                                                            Created: Saturday 3/22/2228 5:15:55
                                                            Entry Modified: Monday 7/30/ :28:43
TimeStomp options:
-m M, set the "last written" time of the file
-a A, set the "last accessed" time of the file
-c C, set the "created" time of the file
-e E, set the "mft entry modified" time of the file
-z set all four attributes (MACE) of the file
-b set the MACE timestamps so that EnCase shows blanks
-r same as -b except it works recursively on a directory
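The examiner's side of the timestomp demonstration above: a check that flags a MACE set like the one shown (a file "created" in 2228, after it was last modified, with every value landing on an exact second). This is an added example, not code from the presentation or from the Metasploit project; the FILETIME helpers, the NTFS_FLOOR cut-off, the examination date and the hours missing from the transcribed output are all assumptions.

```python
from datetime import datetime, timedelta, timezone

# NTFS stores each MACE value as a Windows FILETIME: 100-ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
NTFS_FLOOR = datetime(1993, 1, 1, tzinfo=timezone.utc)   # assumed cut-off: NTFS shipped with NT 3.1

def to_filetime(dt, frac_ticks=0):
    """Aware datetime (+ optional sub-second ticks, 0..9_999_999) -> FILETIME integer."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + frac_ticks

def from_filetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def ts(y, mo, d, h, mi, s, frac=0):
    return to_filetime(datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc), frac)

def mace_anomalies(mace, now):
    """Reasons a MACE set (dict with keys M, A, C, E holding FILETIMEs) looks manipulated."""
    findings = []
    for key, ft in mace.items():
        when = from_filetime(ft)
        if when > now:
            findings.append(f"{key} is in the future: {when:%Y-%m-%d %H:%M:%S}")
        elif when < NTFS_FLOOR:
            findings.append(f"{key} predates NTFS: {when:%Y-%m-%d}")
    if mace["C"] > mace["M"]:
        # Also true of a copied file, so corroborate against the $FILE_NAME timestamps.
        findings.append("C (created) is later than M (modified)")
    if all(ft % TICKS_PER_SECOND == 0 for ft in mace.values()):
        # timestomp takes whole seconds on its command line, so it writes a zero 100-ns
        # fraction; timestamps written by the OS itself almost never land on an exact second.
        findings.append("all four timestamps have a zero sub-second fraction")
    return findings

# Constructed from the slide's final timestomp -v output; the hours lost in the
# transcript are assumed, and the fraction is 0 because timestomp wrote whole seconds.
STOMPED = {"M": ts(2007, 7, 30, 10, 28, 43), "A": ts(2007, 8, 28, 9, 28, 21),
           "C": ts(2228, 3, 22, 5, 15, 55), "E": ts(2007, 7, 30, 10, 28, 43)}
# Constructed benign set: OS-written timestamps carry a non-zero 100-ns fraction.
BENIGN = {"M": ts(2007, 7, 30, 10, 28, 43, 1_550_020), "A": ts(2007, 8, 28, 9, 28, 21, 9_003_110),
          "C": ts(2007, 7, 3, 9, 12, 10, 4_812_337), "E": ts(2007, 7, 30, 10, 28, 43, 1_550_020)}
NOW = datetime(2008, 1, 1, tzinfo=timezone.utc)   # assumed examination date

if __name__ == "__main__":
    for finding in mace_anomalies(STOMPED, NOW):
        print(" -", finding)
```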
4. Data encryption
Encryption is used in several ways:
Encrypt an entire disk
Encrypt specific files
Encrypt material before hiding it
Encryption is the process of transforming information (referred to as plaintext) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. The result of the process is encrypted information. Encryption usually includes file compression.
4. Data encryption (cont)
GnuPG is the GNU project's complete and free implementation of the OpenPGP standard as defined by RFC2440. GnuPG allows you to encrypt and sign your data and communication, features a versatile key management system as well as access modules for all kinds of public key directories.
TrueCrypt is a free open source on-the-fly encryption (OTFE) program for Microsoft Windows 2000/XP/2003/Vista and Linux. It can create a "file-hosted container" which consists of an encrypted volume with its own file system, contained within a regular file, which can then be mounted as if it were a real disk. TrueCrypt also supports device-hosted volumes, which can be created on either an individual partition or an entire disk.
5. Attacking the analyst
Rather than focus on protecting my data in the ways already discussed, another approach is to make it difficult not only to find evidence, but to tie it to a specific person. Remember the 17-hour rule? Examples include:
false leads and misdirection
backfilling with massive amounts of material
seeding with virus signature and suspicious keyword dummy files (100 index.dat files scattered around)
landmines for EnCase and TSK
3. Reasons for Optimism
Many of the reasons for optimism come from the same issue that causes most security risks in the first place: regardless of the technology or its capabilities, there are still "people" using it. And people have certain tendencies that you can count on…
3. Reasons for Optimism
1. People are still generally unaware of or do not care about anti-forensics. "What do I care, I am not a criminal!" "I have nothing to hide!"
2. People do not use "normal" software effectively, so why expect them to use anti-forensic tools effectively? "I wiped my free-space last month - doesn't that take care of everything I have done since?"
3. People do not perform routine tasks like updates and backups. So, why expect them to use anti-forensic tools frequently enough to be effective?
4. People are not commonly aware of all the areas where forensic analysis can be fruitful (removable media, the different areas of HD space, the different system and application logs...)
3. Reasons for Optimism
5. Automation will compress the 17-hour rule so that 60 analyst hours worth of analysis can be done in 10 hours.
6. Most people do not know what data can be incriminating, where that data is, or which anti-forensic tool to use to eliminate it.
7. The current anti-forensic tools focus on general purpose personal computers. But what about cell-phones, PDAs, jump drives, CDs, backup tapes, key-catchers, backups, off-site, network servers?
8. None of the current anti-forensic tools "do it all".
9. Most commercial software does not deliver on its hype.
3. Reasons for Optimism
10. Encrypting the smoking gun, but saving the password in a cleartext file.
11. Very guessable passwords and keyloggers.
Conclusion
Computer forensics is hard! Anti-forensics makes it harder! However, there are plenty of reasons for being optimistic, and really no reason to give up.
"Pessimism never won any battle." - Dwight D. Eisenhower
4. References
How Online Criminals Make Themselves Tough to Find, Near Impossible to Nab. Scott Berinato, CSO, May 31.
The Rise of Anti-Forensics: New, easy to use antiforensic tools make all data suspect, threatening to render computer investigations cost-prohibitive and legally irrelevant. Scott Berinato.
Anti Forensics: making computer forensics hard. Wendel Guglielmetti Henrique a.k.a. dum_dum. ws.hackaholic.org/slides/AntiForensics-CodeBreakers2006-Translation-To-English.pdf
The Art of Defiling: Defeating Forensic Analysis. Blackhat Presentation 2005, the Grugq.
Arriving at an Anti-forensics Consensus - Examining How to Define and Control the Anti-forensics Problem. Ryan Harris, CERIAS, Purdue University, DFRWS 2006. dfrws.org/2006/proceedings/6-Harris-pres.pdf
References (cont)
Anti-forensic techniques. Anti-forensic techniques try to frustrate forensic investigators and their techniques.
Breaking Forensics Software: Weaknesses in Critical Evidence Collection. August 1, Version 1.1. Tim Newsham, Chris Palmer, Alex Stamos, Jesse Burns, iSEC Partners, Inc.
CD: Jitter, Errors & Magic. Robert Harley, May 1990. stereophile.com/reference/590jitter/
Anti-Forensics: Techniques, Detection and Countermeasures. Simson L. Garfinkel, Naval Postgraduate School.
Antiforensics: When Tools Enable the Masses. June 28, 2007, Sonny Discini.
References (cont)
Evaluating Commercial Counter-Forensic Tools. Matthew Geiger, Carnegie Mellon University.
BCIE Training – ICT Anti-Forensics. Tom Van de Wiele, Uniskill, CISSP, GCFA, SSCA.
The GNU Privacy Guard. GnuPG is the GNU project's complete and free implementation of the OpenPGP standard as defined by RFC2440. GnuPG allows you to encrypt and sign your data and communication, features a versatile key management system as well as access modules for all kinds of public key directories.
TrueCrypt. Free open-source disk encryption software for Windows Vista/XP/2000 and Linux. TrueCrypt is a software system for establishing and maintaining an on-the-fly-encrypted volume (data storage device).
Host Protected Area. en.wikipedia.org/wiki/Host_Protected_Area
Windows NTFS Alternate Data Streams.
Streams v1.56. Mark Russinovich, published April 27, 2007.
References (cont)
Encryption. From Wikipedia, the free encyclopedia. en.wikipedia.org/wiki/Encryption