1 / 37

Anti-forensics and reasons for optimism

Anti-forensics and reasons for optimism. Topic - Anti-Forensics and Reasons for Optimism BJ Bellamy, Kentucky Auditor's Office

Download Presentation

Anti-forensics and reasons for optimism

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Anti-forensics and reasons for optimism Topic - Anti-Forensics and Reasons for OptimismBJ Bellamy, Kentucky Auditor's Office 1. Introduction2. An overview of anti-forensics tools and techniques    2.a. The digital landscape    2.b. The tools and techniques3. Reasons to be optimistic4. References

  2. Introduction While there has been discussion about anti-forensics since about 2002, there has been a growing concern that as far as being a viable crime scene, the digital-space, disks, RAM, files... has been lost to the opposition. But I believe there are reasons we, as auditors, should be optimistic. [1] [2] [3] [7] [8]

  3. Some quotes: “Some say anti-forensics is developing faster. Why? Because what was once only possible for the elite has now washed downstream in the form of automated tools. More or less, anyone can throw trashcans in the path of forensic investigators now that the tools are there to make it all possible." [11]"This is anti-forensics. It is more than technology. It is an approach to criminal hacking that can be summed up like this: Make it hard for them to find you and impossible for them to prove they found you." [2] “Police officers [in London’s forensics unit] had two days to examine a computer. So your attack didn’t have to be perfect. It just had to take more than two eight-hour working days for someone to figure out. That was like an unwritten rule. They only had those 16 hours to work on it. So if you made it take 17 hours to figure out, you win.” [2]

  4. The bad news… • The bad guys are better at what they do than us • good guys are at what the bad guys do. Why? • they have more time • they can be much more focused • they do not operate under the types of restraints or requirements we do

  5. 2. An overview of anti-forensics tools and techniques Rather than an exhaustive review of the different areas of a disk where information can be hidden, we will look at just a couple that can then be used to illustrate the main point, how anti-forensics works. First, the landscape… The typical disk, of any type (fixed, removable, camera cards, cell phone cards…), is organized into many separate areas that each have different intended uses. Hiding information is all about using those areas in ways other than were intended.

  6. Disk Organization • Host Protected Area (HPA) - an area of a hard drive that is not normally visible to an operating system(OS) but often used for manufacturer software • Device Configuration Overlay (DCO) - used for disk metadata, also not visible to the OS • Unallocated space - space not currently allocated to store a file • File slack space - the unused space at the end of most files • Good sectors that are maliciously flagged as bad • Alternate Data Streams (ADS)

  7. Disk fragmentation Notice the fragmentation and unallocated space.

  8. 2b. The tools and techniques • There are several ways to categorize the anti-forensic efforts. The • referenced articles illustrate many of them. • Categories of anti-forensic attention, a variation on Tom Van de • Wiele [13]. • Data destruction • Data hiding • Data obfuscation • Data encryption • Attacking the analyst and the forensic process

  9. 1. Data Destruction • This is more than simply deleting a file or its contents. • Data destruction is destructively overwriting the material in a • file, or elsewhere. The typical name is “wiping”. And there are • several published standards detailing how it is to be performed. • Zeroes • Pseudo-random numbers • Pseudo-random & Zeroes • DoD 5220.22-M (3 Passes) • DoD 5200.28-STD (7 Passes) • Russian Standard – GOST • B.Schneier’s algorithm (7 passes) • German Standard, VSITR(7 passes) • Peter Gutmann(35 passes) • US Army AR 380-19 (3 passes) • North Atlantic Treaty Organization – NATO Standard • US Air Force, AFSSI 5020

  10. Data Destruction (cont) • Tools: • Eraser - www.heidi.ie/eraser/ • Srm - www.thc.org • Sdelete - www.microsoft.com/technet/sysinternals/Security/SDelete.mspx • Darik's Boot and Nuke - dban.sourceforge.net/

  11. 2. Data Hiding Techniques: Steganography, unallocated space, file slack space, and ADS Steganography is the art and science of writing hidden messages in such a way that no one apart from the intended recipient knows of the existence of the message; this is in contrast to cryptography, where the existence of the message itself is not disguised, but the content is obscured. With the advent of digital media, steganography has come to include the hiding of digital information within digital files.

  12. Unallocated Disk Space 3. Unallocated space – storage space not currently allocated to store a file.

  13. File Slack Space

  14. File Slack Space First we check a file to see how much slack space it has. [root@localhost etc]# bmap --mode slack hosts.allowgetting from block 7489556file size was: 161slack size: 3935block size: 4096 Below is the content of the hosts.allow file, all 161 bytes. [root@localhost etc]# cat hosts.allow## hosts.allow   This file describes the names of the hosts which are#               allowed to use the local INET services, as decided#               by the '/usr/sbin/tcpd' server.#

  15. File Slack Space First we hide some material in the slack space of the hosts.allow file. [root@localhost etc]# bmap --verbose --mode putslack hosts.allowstuffing block 7489556file size was: 161slack size: 3935block size: 4096 This is a demonstration of using file slack space. NASACT 2007. And here we access the material we just hid. [root@localhost etc]# bmap --verbose --mode slack hosts.allowgetting from block 7489556file size was: 161slack size: 3935block size: 4096This is a demonstration of using file slack space. NASACT 2007.

  16. File Slack Space Now we wipe the slack space clean. [root@localhost etc]# bmap --verbose --mode wipeslack hosts.allowstuffing block 7489556file size was: 161slack size: 3935block size: 4096 And now the material is gone. [root@localhost etc]# bmap --verbose --mode slack hosts.allowgetting from block 7489556file size was: 161slack size: 3935block size: 4096

  17. File Slack Space There were 386,059 bytes of slack space available in the file in the /etc directory alone. Slack space can be used to store any type of material, including compressed and encrypted material.

  18. NTFS Alternate Data Streams ADS were created to provide compatibility with HFS, or the old Macintosh Hierarchical File System. The way that the Macintosh's file system works is that they will use both data and resource forks to store their contents. The data fork is for the contents of the document while the resource fork is to identify file type and other pertinent details. [17]

  19. NTFS Alternate Data Streams

  20. NTFS Alternate Data Streams [18]

  21. NTFS Alternate Data Streams

  22. NTFS Alternate Data Streams

  23. 3. Data obfuscation Techniques: metadata - "last modified", filename suffix, unusual characters

  24. Date and time stamps From The Metasploit Anti-forensics homepage [10], Timestomp – First ever tool that allows you to modify all four NTFS timestamp values: modified, accessed, created, and entry modified.

  25. Date and timestamps (cont) Now TimeStomp.exe is used to change the creation date -m <date> M, set the "last written" time of the file -a <date> A, set the "last accessed" time of the file -c <date> C, set the "created" time of the file -e <date> E, set the "mft entry modified" time of the file -z <date> set all four attributes (MACE) of the file -b set the MACE timestamps so that EnCase shows blanks -r same as -b except it works recursively on a directory

  26. 4. Data encryption Encryption is the process of transforming information (referred to as plaintext) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. The result of the process is encrypted information. [19] • Encryption is used in several ways: • Encrypt and entire disk • Encrypt specific files • Encrypt material before hiding it Encryption usually includes file compression.

  27. 4. Data encryption (cont) GnuPG is the GNU project's complete and free implementation of the OpenPGP standard as defined by RFC2440 . GnuPG allows to encrypt and sign your data and communication, features a versatile key managment system as well as access modules for all kind of public key directories. [14], TrueCrypt is a free open source on-the-fly encryption (OTFE) program for Microsoft Windows 2000/XP/2003/Vista and Linux. It can create a "file-hosted container" which consists of an encrypted volume with its own file system, contained within a regular file, which can then be mounted as if it were a real disk. TrueCrypt also supports device-hosted volumes, which can be created on either an individual partition or an entire disk. [15]

  28. 5. Attacking the analyst • Rather than focus on protecting my data in the ways already discussed, another approach is to make it difficult not only to find evidence, but to tie it to a specific person. Remember the 17-hour rule? • Examples include: • false leads and misdirection, • backfilling with massive amounts of material • Seeding with virus signature and suspicious keyword • dummy files (100 index.dat files scattered around) • landmines for Encase and TSK

  29. 3. Reasons for Optimism Many of the reasons for optimism come from the same issue that causes most security risks in the first place - regardless of the technology or its capabilities, there are still "people" using it. And people have the certain tendencies that you can count on…

  30. 3. Reasons for Optimism 1. People are still generally unaware of or do not care about anti-forensics. "What do I care, I am not a criminal!"“I have nothing to hide!” 2. People do not use "normal" software effectively, why expect them to us anti-forensic tools effectively . "I wiped my free-space last month - doesn't that take care of everything I have done since?"3. People do not perform routine tasks like updates and backups. So, why expect them to use anti-forensic tools frequently enough to be effective. 4. People are not commonly aware of all the areas where forensic analysis can be fruitful (removable media, the different areas of HD space, the different system and application logs...)

  31. 3. Reasons for Optimism 5. Automation will compress the 17-hour rule so that 60 analyst hours worth of analysis can be done in 10 hours. 6. Most people do not know what data can be incriminating, where that data is, or which anti-forensic tool to use to eliminate it.7. The current anti-forensic tools focus on general purpose personal computers. But what about cell-phones, PDAs, jump drives, CDs, backup tapes, key-catchers, backups, off-site email, network servers...8. None of the current anti-forensic tools "do it all". 9. Most commercial software does not deliver on its hype.

  32. 3. Reasons for Optimism 10. Encrypting the “smoking gun”, but saving the password in a cleartext file. 11. Very guessable passwords and keyloggers.

  33. Conclusion Computer forensics is hard! Anti-forensics makes it harder! However, there are plenty of reasons for being optimistic, and really no reason to give up. “Pessimism never won any battle.” Dwight D. Eisenhower

  34. 4. References [1] How Online Criminals Make Themselves Tough to Find, Near Impossible to NabScott Berinato, CSOMay 31, 2007  www.cio.com/article/114550[2] The Rise of Anti-ForensicsNew, easy to use antiforensic tools make all data suspect, threatening to render computer investigations cost-prohibitive and legally irrelevantBy Scott Berinatowww.csoonline.com/read/060107/fea_antiforensics.html[3] Anti Forensics: making computer forensics hard.Wendel Guglielmetti Henrique a.k.a dum_dumhttp://www.intruders.com.brws.hackaholic.org/slides/AntiForensics-CodeBreakers2006-Translation-To-English.pdf[4] The Art of Defiling: Defeating Forensic AnalysisBlackhat Presentation 2005the Grugqwww.blackhat.com/presentations/bhusa-05/bh-us-05-grugq.pdf.[6] Arriving at an Anti-forensics Consensus - Examining How to Define and Control the Anti-forensics ProblemRyan HarrisCERIAS, Purdue UniversityDFRWS 2006dfrws.org/2006/proceedings/6-Harris-pres.pdf

  35. References (cont) [7] Anti-forensic techniquesAnti-forensic techniques try to frustrate forensic investigators and their techniques.www.forensicswiki.org/wiki/Anti-forensic_techniques[8] Breaking Forensics Software:Weaknesses in Critical Evidence CollectionAugust 1, 2007 - Version 1.1Tim Newsham - <tim[at]isecpartners[dot]com>Chris Palmer - <chris[at]isecpartners[dot]com>Alex Stamos - <alex[at]isecpartners[dot]com>Jesse Burns - <jesse[at]isecpartners[dot]com>iSEC Partners, Incwww.isecpartners.com[9] CD: Jitter, Errors & MagicRobert Harley, May, 1990 stereophile.com/reference/590jitter/[10] Anti-Forensics:Techniques, Detection and CountermeasuresSimson L. GarfinkelNaval Postgraduate Schoolhttp://www.simson.net/ref/2007/ICIW.pdf[11] Antiforensics: When Tools Enable the MassesJune 28, 2007By Sonny Discinihttp://www.esecurityplanet.com/best_practices/article.php/3685836

  36. [12] Evaluating Commercial Counter-Forensic ToolsMatthew GeigerCarnegie Mellon Universitymgeiger@cmu.eduwww.dfrws.org/2005/proceedings/geiger_couterforensics.pdf[13] BCIE Training – ICT Anti-ForensicsTom Van de Wiele - Uniskilltom.vandewiele@uniskill.com, CISSP, GCFA, SSCAwww.uniskill.com[14] The GNU Privacy GuardGnuPG is the GNU project's complete and free implementation of the OpenPGP standard as defined by RFC2440 . GnuPG allows to encrypt and sign your data and communication, features a versatile key managment system as well as access modules for all kind of public key directories. www.gnupg.org/[15] T r u e C r y p tFree open-source disk encryption software for Windows Vista/XP/2000 and Linux.TrueCrypt is a software system for establishing and maintaining an on-the-fly-encrypted volume (data storage device). www.truecrypt.org/[16] Host Protected Areaen.wikipedia.org/wiki/Host_Protected_Area [17] Windows NTFS Alternate Data Streams www.securityfocus.com/infocus/1822 [18] Streams v1.56 By Mark Russinovich Published: April 27, 2007 www.microsoft.com/technet/sysinternals/Utilities/Streams.mspx References (cont)

  37. [19] Encryption From Wikipedia, the free encyclopedia en.wikipedia.org/wiki/Encryption References (cont)

More Related