Presentation on theme: "Anti-forensics and reasons for optimism"— Presentation transcript:
1Anti-forensics and reasons for optimism Topic - Anti-Forensics and Reasons for Optimism BJ Bellamy, Kentucky Auditor's Office1. Introduction 2. An overview of anti-forensics tools and techniques 2.a. The digital landscape 2.b. The tools and techniques 3. Reasons to be optimistic 4. References
2IntroductionWhile there has been discussion about anti-forensics sinceabout 2002, there has been a growing concern that as far asbeing a viable crime scene, the digital-space, disks, RAM,files... has been lost to the opposition.But I believe there are reasons we, as auditors, should beoptimistic.     
3Some quotes:“Some say anti-forensics is developing faster. Why? Becausewhat was once only possible for the elite has now washeddownstream in the form of automated tools. More or less,anyone can throw trashcans in the path of forensic investigatorsnow that the tools are there to make it all possible."  "This is anti-forensics. It is more than technology. It is anapproach to criminal hacking that can be summed up like this:Make it hard for them to find you and impossible for them toprove they found you." “Police officers [in London’s forensics unit] had two days toexamine a computer. So your attack didn’t have to be perfect. Itjust had to take more than two eight-hour working days forsomeone to figure out. That was like an unwritten rule. They onlyhad those 16 hours to work on it. So if you made it take 17 hoursto figure out, you win.” 
4The bad guys are better at what they do than us The bad news…The bad guys are better at what they do than usgood guys are at what the bad guys do. Why?they have more timethey can be much more focusedthey do not operate under the types of restraints or requirements we do
52. An overview of anti-forensics tools and techniques Rather than an exhaustive review of the differentareas of a disk where information can be hidden, wewill look at just a couple that can then be used toillustrate the main point, how anti-forensics works.First, the landscape…The typical disk, of any type (fixed, removable,camera cards, cell phone cards…), is organized intomany separate areas that each have differentintended uses.Hiding information is all about using those areasin ways other than were intended.
6Disk OrganizationHost Protected Area (HPA) - an area of a hard drive that is not normally visible to an operating system(OS) but often used for manufacturer softwareDevice Configuration Overlay (DCO) - used for disk metadata, also not visible to the OSUnallocated space - space not currently allocated to store a fileFile slack space - the unused space at the end of most filesGood sectors that are maliciously flagged as badAlternate Data Streams (ADS)HPA Host Protected Area sometimes referred to as Hidden Protected Area is an area of a hard drive that is not normally visible to an operating system(OS).  Computer manufacturers may use the area to contain a preloaded OS for install and recovery purposes (instead of providing DVD or CD media). DCO Can be used to enable and disable features on a harddisk. Commonly used to set the number of sectors.
7Disk fragmentationNotice the fragmentation and unallocated space.
82b. The tools and techniques There are several ways to categorize the anti-forensic efforts. Thereferenced articles illustrate many of them.Categories of anti-forensic attention, a variation on Tom Van deWiele .Data destructionData hidingData obfuscationData encryptionAttacking the analyst and the forensic process
91. Data DestructionThis is more than simply deleting a file or its contents.Data destruction is destructively overwriting the material in afile, or elsewhere. The typical name is “wiping”. And there areseveral published standards detailing how it is to be performed.ZeroesPseudo-random numbersPseudo-random & ZeroesDoD M (3 Passes)DoD STD (7 Passes)Russian Standard – GOSTB.Schneier’s algorithm (7 passes)German Standard, VSITR(7 passes)Peter Gutmann(35 passes)US Army AR (3 passes)North Atlantic Treaty Organization – NATO StandardUS Air Force, AFSSI 5020
112. Data HidingTechniques: Steganography, unallocated space, file slack space,and ADSSteganography is the art and science of writing hidden messagesin such a way that no one apart from the intended recipient knowsof the existence of the message; this is in contrast to cryptography,where the existence of the message itself is not disguised, but thecontent is obscured. With the advent of digital media, steganographyhas come to include the hiding of digital information within digital files.
12Unallocated Disk Space 3. Unallocated space – storage space notcurrently allocated to store a file.
13File Slack Space1Two blocks of 512 bytes (characters) each. A total of 1024 bytes of unallocated space ready to store anything.2A new file is written to this space, using all 1024 bytes3Then the file is deleted and the space is again considered unallocated.4A new file is created, but does not require all 1024 bytes of space. So only 800 bytes are written, destructively overwriting the first 800 bytes of the deleted fileThis slack space still contains the last 224 characters of the original "deleted" file. This area can be used to store “hidden” material
14File Slack SpaceFirst we check a file to see how much slack space it has.etc]# bmap --mode slack hosts.allow getting from block file size was: 161 slack size: 3935 block size: 4096Below is the content of the hosts.allow file, all 161 bytes.etc]# cat hosts.allow # # hosts.allow This file describes the names of the hosts which are # allowed to use the local INET services, as decided # by the '/usr/sbin/tcpd' server. #
15File Slack SpaceFirst we hide some material in the slack space of the hosts.allow file.etc]# bmap --verbose --mode putslack hosts.allow stuffing block file size was: 161 slack size: 3935 block size: 4096This is a demonstration of using file slack space. NASACT 2007.And here we access the material we just hid.etc]# bmap --verbose --mode slack hosts.allow getting from block file size was: 161 slack size: 3935 block size: 4096 This is a demonstration of using file slack space. NASACT 2007.
16File Slack SpaceNow we wipe the slack space clean.etc]# bmap --verbose --mode wipeslack hosts.allow stuffing block file size was: 161 slack size: 3935 block size: 4096And now the material is gone.etc]# bmap --verbose --mode slack hosts.allow getting from block file size was: 161 slack size: 3935 block size: 4096
17File Slack SpaceThere were 386,059 bytes of slack space available in the file in the /etc directory alone.Slack space can be used to store any type of material, including compressed and encrypted material.
18NTFS Alternate Data Streams ADS were created to provide compatibility with HFS, or the old Macintosh Hierarchical File System. The way that the Macintosh's file system works is that they will use both data and resource forks to store their contents. The data fork is for the contents of the document while the resource fork is to identify file type and other pertinent details. 
23Techniques: metadata - "last modified", filename suffix, 3. Data obfuscationTechniques: metadata - "last modified", filename suffix,unusual charactersModificationWhen the metadata about the file was last modifiedAccessWhen the file was last accessedCreateWhen the file was createdEntry modificationNTFS timestamps in the Master Table File.
24From The Metasploit Anti-forensics homepage , Timestomp – Date and time stampsFrom The Metasploit Anti-forensics homepage , Timestomp –First ever tool that allows you to modify all four NTFS timestampvalues: modified, accessed, created, and entry modified.CommandResultsC:\>dir /tc Cain.lnk07/03/2007 10:12 AMC:\>dir /ta Cain.lnk08/28/2007 09:00 AMC:\>dir /tw Cain.lnk07/30/2007 01:28 PMC:\>timestomp Cain.lnk -vModified: Monday 7/30/ :28:43 Accessed: Tuesday 8/28/2007 9:28:21 Created: Tuesday 7/3/ :12:10 Entry Modified: Monday 7/30/ :28:43
25Date and timestamps (cont) Now TimeStomp.exe is used to change the creation dateCommandResultsC:\>TimeStomp Cain.lnk -c "Saturday 3/22/2228 5:15:55 AM"07/03/2007 10:12 AMC:\>dir /ta Cain.lnk03/22/2228 05:15 AMC:\>dir /tw Cain.lnk07/30/2007 01:28 PMC:\>timestomp Cain.lnk -vModified: Monday 7/30/ :28:43 Accessed: Tuesday 8/28/2007 9:28:21 Created: Saturday 3/22/2228 5:15:55 Entry Modified: Monday 7/30/ :28:43-m <date> M, set the "last written" time of the file-a <date> A, set the "last accessed" time of the file-c <date> C, set the "created" time of the file-e <date> E, set the "mft entry modified" time of the file-z <date> set all four attributes (MACE) of the file-b set the MACE timestamps so that EnCase shows blanks-r same as -b except it works recursively on a directory
264. Data encryptionEncryption is the process of transforming information (referred to as plaintext) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. The result of the process is encrypted information. Encryption is used in several ways:Encrypt and entire diskEncrypt specific filesEncrypt material before hiding itEncryption usually includes file compression.
274. Data encryption (cont) GnuPG is the GNU project's complete and free implementationof the OpenPGP standard as defined by RFC GnuPG allowsto encrypt and sign your data and communication, features aversatile key managment system as well as access modules for allkind of public key directories. ,TrueCrypt is a free open source on-the-fly encryption (OTFE) program for Microsoft Windows 2000/XP/2003/Vista and Linux. It can create a "file-hosted container" which consists of an encrypted volume with its own file system, contained within a regular file, which can then be mounted as if it were a real disk. TrueCrypt also supports device-hosted volumes, which can be created on either an individual partition or an entire disk. 
285. Attacking the analystRather than focus on protecting my data in the ways already discussed, another approach is to make it difficult not only to find evidence, but to tie it to a specific person. Remember the 17-hour rule?Examples include:false leads and misdirection,backfilling with massive amounts of materialSeeding with virus signature and suspicious keyworddummy files (100 index.dat files scattered around)landmines for Encase and TSK
293. Reasons for OptimismMany of the reasons for optimism come from the same issue thatcauses most security risks in the first place - regardless of thetechnology or its capabilities, there are still "people" using it.And people have the certain tendencies that you can count on…
303. Reasons for Optimism1. People are still generally unaware of ordo not care about anti-forensics."What do I care, I am not a criminal!" “I have nothing to hide!”2. People do not use "normal" software effectively, why expect them to us anti-forensic tools effectively . "I wiped my free-space last month - doesn't that take care of everything I have done since?" 3. People do not perform routine tasks like updates and backups. So, why expect them to use anti-forensic tools frequently enough to be effective.4. People are not commonly aware of all the areas where forensic analysis can be fruitful (removable media, the different areas of HD space, the different system and application logs...)
313. Reasons for Optimism5. Automation will compress the 17-hour rule so that 60 analyst hours worth of analysis can be done in 10 hours.6. Most people do not know what data can be incriminating, where that data is, or which anti-forensic tool to use to eliminate it. 7. The current anti-forensic tools focus on generalpurpose personal computers. But what aboutcell-phones, PDAs, jump drives, CDs, backuptapes, key-catchers, backups, off-site ,network servers None of the current anti-forensic tools"do it all".9. Most commercial software does not deliver on its hype.
323. Reasons for Optimism10. Encrypting the “smoking gun”, but saving the password in a cleartext file.11. Very guessable passwords and keyloggers.
33ConclusionComputer forensics is hard!Anti-forensics makes it harder!However, there are plenty of reasons for being optimistic, and really no reason to give up.“Pessimism never won any battle.” Dwight D. Eisenhower
344. References How Online Criminals Make Themselves Tough to Find, Near Impossible to Nab Scott Berinato, CSO May 31, 2007  The Rise of Anti-Forensics New, easy to use antiforensic tools make all data suspect, threatening to render computer investigations cost-prohibitive and legally irrelevant By Scott Berinato  Anti Forensics: making computer forensics hard. Wendel Guglielmetti Henrique a.k.a dum_dum ws.hackaholic.org/slides/AntiForensics-CodeBreakers2006-Translation-To-English.pdf  The Art of Defiling: Defeating Forensic Analysis Blackhat Presentation 2005 the Grugq  Arriving at an Anti-forensics Consensus - Examining How to Define and Control the Anti-forensics Problem Ryan Harris CERIAS, Purdue University DFRWS 2006 dfrws.org/2006/proceedings/6-Harris-pres.pdf
35References (cont) Anti-forensic techniques Anti-forensic techniques try to frustrate forensic investigators and their techniques.  Breaking Forensics Software: Weaknesses in Critical Evidence Collection August 1, Version 1.1 Tim Newsham - <tim[at]isecpartners[dot]com> Chris Palmer - <chris[at]isecpartners[dot]com> Alex Stamos - <alex[at]isecpartners[dot]com> Jesse Burns - <jesse[at]isecpartners[dot]com> iSEC Partners, Inc  CD: Jitter, Errors & Magic Robert Harley, May, stereophile.com/reference/590jitter/  Anti-Forensics: Techniques, Detection and Countermeasures Simson L. Garfinkel Naval Postgraduate School  Antiforensics: When Tools Enable the Masses June 28, 2007 By Sonny Discini
36References (cont) Evaluating Commercial Counter-Forensic Tools Matthew Geiger Carnegie Mellon University  BCIE Training – ICT Anti-Forensics Tom Van de Wiele - Uniskill CISSP, GCFA, SSCA  The GNU Privacy Guard GnuPG is the GNU project's complete and free implementation of the OpenPGP standard as defined by RFC GnuPG allows to encrypt and sign your data and communication, features a versatile key managment system as well as access modules for all kind of public key directories.  T r u e C r y p t Free open-source disk encryption software for Windows Vista/XP/2000 and Linux. TrueCrypt is a software system for establishing and maintaining an on-the-fly-encrypted volume (data storage device). Host Protected Area en.wikipedia.org/wiki/Host_Protected_Area Windows NTFS Alternate Data Streams Streams v1.56By Mark RussinovichPublished: April 27, 2007
37References (cont)  Encryption From Wikipedia, the free encyclopediaen.wikipedia.org/wiki/Encryption