Anti Forensics and Defeating Antiforensic Measures


8/22/2019 Anti Forensics and Defeating Antiforensic Measures

RESEARCH PAPER

ANTI FORENSICS AND DEFEATING ANTI FORENSICS MEASURES

HARPREET SINGH DARDI

DFI-MUM-1-6


INTRODUCTION

According to Locard's principle, when a crime is committed, there is a cross transfer of evidence between the scene and the perpetrator (Saferstein, 1998). It means that one who commits a crime will definitely bring something into the crime scene and leave with something from it, and both of these elements can be used as forensic evidence.

The same is the case with Digital Forensics, where the crime scene is a computer system or other digital media. The criminal will definitely leave one or the other trace of the tools and techniques used to commit the crime, and these traces can be used as forensic evidence for court proceedings.

The only thing to be focused upon is the proper examination of the suspect computer system or digital media by the investigators to ensure a correct outcome. Investigators need to apply Locard's principle to the cyber world in order to understand the relation between various aspects such as the time when particular events took place, what actually happened, what the source was, etc. Connecting these separate facts into one coherent statement could then reveal the whole nature of the action.

However, criminals may use anti forensic methods to divert the normal investigation procedure and to confuse the investigators.

This research paper focuses on various anti forensic methods and on measures to defeat them. Various anti forensic and forensic tools have been used herein to experiment with the security of forensic tools and the strength of anti forensic tools.


COMPUTER FORENSICS AND ANTI FORENSICS

The term Forensics is quite simple and specific: using science and technology applications to investigate a crime.

Computer Forensics is the branch of Digital Forensics pertaining to evidence found in computers and digital media. The main motive behind computer forensics is the examination of digital media in a forensically sound manner for collecting, analyzing and presenting evidence to the courts.

Forensic Analysis plays an important role in cyber crime investigations as it helps the investigators to obtain certain relevant information such as boot configuration data, network packets etc. This information is then converted into permanent reports that are acceptable to a court of law.

Certain Computer Forensic Tools are used by forensic examiners to:

- collect information/data from computer systems or other digital media
- analyze the collected data to uncover information that may not be immediately obvious
- generate a report that will be acceptable in legal proceedings

Computer forensic tools (CFTs) broadly fall into two classes:

Persistent Data Tools: As is clear from the name, these tools help in collecting the data that is stationary on the digital media, in other words the data that remains when the computer system is turned off. E.g. The Sleuth Kit

Volatile Data Tools: These tools help in collecting the data that is transitory and would be lost if not captured, such as the packets travelling across the network. E.g. WinHex

ANTI FORENSICS ("against forensics" in layman's language) is the collection of tools and techniques to confront forensics and to frustrate the investigator and the process of investigation.

[Figure: classification of CFTs into Persistent Data Tools and Volatile Data Tools]


Using anti forensic techniques and tools, investigators and forensic examiners are misled during the ongoing investigation procedures.

GOALS OF ANTI FORENSICS

1. Making it impossible for the investigators to detect that the event happened.
2. Preventing the investigator from detecting the evidence.
3. Forcing the investigator to spend a huge amount of time in order to find out what actually happened and how long it went on.
4. Casting doubt on the report generated.
5. Using anti forensic tools and techniques in such a way as to make the forensic tool attack the suspect computer itself instead of retrieving the evidence.
6. The anti forensic tool should not leave any trace of its use.
7. The information collected should be disrupted in one way or another.
8. The investigator should not be able to distinguish between the actual evidence and other data.
9. The forensic tools used for data recovery or collection should reveal wrong results which could further misguide the investigator in the investigation process.
10. The forensic tool can itself be used to attack the organization in which it is running.

Anti Forensic Techniques (AFT) are broadly divided into two categories:

[Figure: AFT divided into Traditional AFT and Modern AFT]


ANTI FORENSIC CATEGORIES

Anti Forensics is broadly divided into 4 categories.

1. DATA HIDING: This category of anti forensic method is used to hide the evidence from the investigator. This makes the case more complicated as examiners are unable to reveal the relevant content and will keep on analysing the non-evident data. The most common techniques used for data hiding are Cryptography and Steganography.

a) CRYPTOGRAPHY is the science of converting readable text to unreadable form with the help of certain algorithms. In order to read the exact message, the examiner has to decrypt it. For the process of decryption, he needs to know certain important elements like:

- the algorithm used to encrypt the text
- the password used
- the software used

Finding out these elements is the most chaotic task to be completed and may take an investigator ample time.

[Figure: the four anti forensic categories: Data Hiding, Artifact Wiping, Trail Obfuscation, Attacks against CFT Tools]


[Figure: before encryption, the plaintext message "The transaction number is 900900900."; after encryption, the same message as a PGP ciphertext block]

Tools currently available for cryptography are PGP, Crypo, GNU Privacy Guard, Disk Utility and many more.

b) STEGANOGRAPHY is the art of hiding data behind an image or any other file. Only the intended recipient and the sender are able to see the message.

A normal human eye cannot distinguish between the normal and the steganographic image shown above. Even the size remains the same.

Tools currently available for Steganography are S-Tools, Steghide, Steganos and many more.

2. ARTIFACT WIPING: The evidence can be permanently removed from computer systems or digital media by the use of certain tools. One can permanently delete a single file or wipe the whole system.

The main concept behind wiping is that it overwrites each and every byte of data so many times that it becomes difficult for the tools to reveal what was actually present.


The tools available for data wiping these days include TotalWipeOut, Kill Disk, BCWipe etc.

3. TRAIL OBFUSCATION: Trail obfuscation is done in order to divert or disorientate the investigation process. A variety of techniques and tools can be used for the same. Trail obfuscation includes deleting logs, spoofing headers, changing file extensions, using Trojan commands on the computer system to divert the investigator's mind, and many more.

4. ATTACKS AGAINST CFT TOOLS: These attacks are used to make the forensic tools inefficient. These techniques and tools focus on each and every phase of the investigation process and hamper the CFT's performance by making it reveal wrong or limited results. There have been successful attacks on many of the major computer forensic tools like WinHex, FTK and many more. These attacks play with file system directories and other attributes to tamper with the software's functionality.


EXPERIMENT CONDUCTED

The experimental part of this paper has been divided into different stages as under:

[Figure: STAGE 1 for data hiding techniques; STAGE 2 for data wiping; STAGE 3 attacks against CFT]

STAGE 1: For Data Hiding Techniques

A laptop with certain steganographic files, encrypted files and an encrypted drive has been used. The following table shows the tools used for the same purpose:

Data Hiding Technique | Tools Used
----------------------|--------------------
Steganography         | S-Tools, Camouflage
Cryptography          | PGP
On The Fly Encryption | Truecrypt

For camouflaged files: The forensic tool WinHex has been used to detect the camouflaged file. However, certain online tools are also available that detect whether a file is camouflaged or not.

The concept behind camouflage is appending the hidden file to the End of File of the carrier. Hence, the size of the camouflaged file varies from the original file.

But the main point to be focused upon by the investigators is how to find out whether the file has been camouflaged or not, and then how to crack it to reveal the hidden data.
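The End-of-File check that WinHex is used for here, as an added Python example (not the paper's or WinHex's code): it parses a PNG's chunk list or a JPEG's segment list to find where the carrier really ends and reports how many bytes follow, since a Camouflage-style carrier has the hidden file appended past that point. The sample carriers are constructed inline.

```python
import struct
import zlib

def png_end_offset(data):
    """Walk PNG chunks; return the offset just past IEND, or None if not a PNG."""
    if not data.startswith(b"\x89PNG\r\n\x1a\n"):
        return None
    pos = 8
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # chunk header + data + CRC
        if ctype == b"IEND":
            return pos
    return None

def jpeg_end_offset(data):
    """Skip header segments (APPn, DQT, DHT, SOF, ...) up to SOS, then find EOI (FF D9)."""
    if not data.startswith(b"\xff\xd8"):
        return None
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF and data[pos + 1] != 0xDA:
        pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
    # Inside entropy-coded data every 0xFF is stuffed (FF 00) or a RSTn marker, so the first
    # FF D9 after SOS is the real EOI; skipping header segments avoids an embedded thumbnail's EOI.
    eoi = data.find(b"\xff\xd9", pos)
    return None if eoi < 0 else eoi + 2

def trailing_bytes(data):
    """Bytes appended after the carrier's own end marker; 0 means nothing is appended."""
    for finder in (png_end_offset, jpeg_end_offset):
        end = finder(data)
        if end is not None:
            return len(data) - end
    raise ValueError("not a PNG or JPEG carrier")

def make_png():
    """Constructed 1x1 greyscale PNG used as the clean carrier for the demo."""
    def chunk(ctype, body):
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    return b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(b"\x00\x00")) + chunk(b"IEND", b"")

CLEAN_PNG = make_png()
CAMOUFLAGED_PNG = CLEAN_PNG + b"constructed hidden payload"  # payload appended past IEND
# Constructed JPEG skeleton: SOI, an APP0 segment, SOS, one stuffed FF 00 byte, EOI.
CLEAN_JPEG = b"\xff\xd8\xff\xe0\x00\x04JF" + b"\xff\xda\x00\x02" + b"\x12\xff\x00\x34" + b"\xff\xd9"

if __name__ == "__main__":
    for name, blob in [("clean.png", CLEAN_PNG), ("camo.png", CAMOUFLAGED_PNG), ("clean.jpg", CLEAN_JPEG)]:
        print(f"{name}: {trailing_bytes(blob)} byte(s) after the end-of-image marker")
```

A non-zero count only says that something follows the image; legitimate files sometimes carry a few stray bytes too, so the length and content of the tail should be reviewed before a file is reported as camouflaged.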


The following snapshots depict the difference between a normal file and a camouflaged file when opened in WinHex. Using WinHex, the password for camouflaged files can be changed and the hidden data can be revealed. The snapshots given below depict the steps used to crack a camouflaged file using WinHex.

[Figure: EOF of a normal file when opened in WinHex, beside the EOF of a camouflaged file when opened in WinHex]


STEP 1: Detecting whether the file is camouflaged or not.

STEP 2: Searching for the series 00 01 00 ---------- 00 09 00 near the End of File.

STEP 3: Changing the password for the file and recovering the hidden data. This is done by changing the first hexadecimal value of the password to 63 (63 is the hexadecimal value for a) and the remaining values to 20 (20 is for blank spaces). Hence, the new password for the camouflaged file becomes the single letter a (without inverted commas). Using this password and the Camouflage software, the hidden data can be revealed.

[Figure: the series 00 02 00 is visible near the End of File; the password for the file is 73 E2 1F 50 78 DF]


Using the above method to defeat the anti forensic technique Steganography, the following data was revealed.

[Figure: password of the camouflaged file changed to a (without inverted commas), revealing the hidden data]

Another tool used to detect steganographic files is STEGDETECT. The snapshot given below is from Stegdetect. It depicts the detection run on the steganographic file.

[Figure: negative result; Stegdetect was not able to detect the steganographic file]


For Encrypted Text and On the Fly encryption: Cryptanalysis has to be done in order to defeat cryptography. Encryption is being used by several applications for security purposes. Encryption cannot be broken unless the investigator knows which software and algorithm have been used to encrypt the document or the content. The stronger the algorithm, the more difficult it is to decrypt the content. This is one of the anti forensic methods that has steadily and strongly resisted computer forensic examination.

STAGE 2: For Data Wiping

The following table lists the tools used in this stage of the experiment, with their purpose.

Tool Used        | Purpose
-----------------|------------------------------------------------------------------------------------------
WinHex           | For wiping of files and directories; for checking whether the wiped files can be recovered back or not
Free Wipe Wizard | For file wiping

STEP 1: Wiping the files/folders using WinHex.

[Figure: wiping of files/folders using the "wipe securely" feature of WinHex]


The same files and folders have been wiped using the software Free Wipe Wizard.

STEP 2: Checking whether the wiped folders and files can be recovered.

[Figure: wiped folders were recovered back]
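The difference between deleting and wiping described under Artifact Wiping, and the recovery check of Step 2, modelled as an added Python example (not the paper's experiment or any tool's code): a toy block disk with a directory table, constructed for the demo, on which one file is deleted normally and another is overwritten before deletion; recovery is then attempted both from the directory entries and by carving for a JPEG header.

```python
BLOCK = 16                      # bytes per block in the toy disk
JPEG_MAGIC = b"\xff\xd8\xff"    # header a carver looks for

class ToyDisk:
    """Flat disk: a byte array of blocks plus a directory table (constructed model)."""
    def __init__(self, blocks=8):
        self.data = bytearray(BLOCK * blocks)
        self.dir = {}           # name -> {"start": block index, "blocks": n, "deleted": bool}
        self.next_free = 0

    def write(self, name, content):
        nblocks = -(-len(content) // BLOCK)     # ceiling division
        start = self.next_free
        self.data[start * BLOCK:start * BLOCK + len(content)] = content
        self.dir[name] = {"start": start, "blocks": nblocks, "deleted": False}
        self.next_free += nblocks

    def delete(self, name):
        """Ordinary deletion: only the directory entry is flagged; data blocks stay intact."""
        self.dir[name]["deleted"] = True

    def wipe(self, name, passes=3):
        """Secure wipe: overwrite every byte of the file's blocks on each pass, then delete."""
        e = self.dir[name]
        lo, hi = e["start"] * BLOCK, (e["start"] + e["blocks"]) * BLOCK
        for p in range(passes):
            self.data[lo:hi] = bytes([(0x00, 0xFF, 0x55)[p % 3]]) * (hi - lo)
        self.delete(name)

    def recover_names(self):
        """Directory-based recovery: deleted entries whose names are still in the table."""
        return sorted(n for n, e in self.dir.items() if e["deleted"])

    def carve(self, magic=JPEG_MAGIC):
        """Content-based recovery: indexes of blocks that still begin with the magic bytes."""
        return [b for b in range(len(self.data) // BLOCK)
                if self.data[b * BLOCK:b * BLOCK + len(magic)] == magic]

def demo():
    """Constructed scenario: two JPEG-like files, one deleted normally and one wiped."""
    d = ToyDisk()
    d.write("a.jpg", JPEG_MAGIC + b"A" * 20)
    d.write("b.jpg", JPEG_MAGIC + b"B" * 20)
    d.delete("a.jpg")
    d.wipe("b.jpg")
    return {"names": d.recover_names(), "carved_blocks": d.carve()}

if __name__ == "__main__":
    r = demo()
    print("deleted names still in the directory:", r["names"])        # both files
    print("blocks still carrying a JPEG header:", r["carved_blocks"])  # only the unwiped file
```

The model shows why a recovery tool can list a "wiped" folder by name while its content is gone: a wiper that overwrites data blocks but leaves the directory table alone still exposes the metadata, so an examiner should check whether names, content, or both came back.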

STAGE 3: Attacks against CFTs

If one has detailed knowledge of how a specific forensic tool works, he can manifest bugs in the tool itself so as to make the results unreliable. Certain kinds of vulnerabilities have been caught in various CFTs. These vulnerabilities are exploited by the attacker to hamper the investigation process. Some of the vulnerabilities are listed as under:

- Buffer overflow bugs in network forensic software like tcpdump, ethereal and snort.
- Files that cause software like Encase to crash.

For the experimental phase of this stage, the following tools were used:

Tool Used               | Purpose
------------------------|--------------------------------------
Extension changer       | To change the extension of the files
File Properties changer | To change the properties of the file
WinHex                  | To detect File Extension Mismatch


STEP 1: Extension changer was used to change the extension of the files. These files were then deleted and an image of the container folder was created.

STEP 2: WinHex was used to recover the files and detect the file extension mismatch.

[Figure: option to detect file type mismatch using WinHex; file type mismatch detected]
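The header-versus-extension comparison that WinHex performs in Step 2, as an added Python example (not the paper's or WinHex's code): each recovered file's leading bytes are matched against a signature table and compared with the extension it claims. The signature table is a constructed subset, and the sample file list stands in for the recovered files of the experiment.

```python
SIGNATURES = [  # (magic bytes, format, extensions that legitimately carry it) - constructed subset
    (b"\xff\xd8\xff", "jpeg", {"jpg", "jpeg"}),
    (b"\x89PNG\r\n\x1a\n", "png", {"png"}),
    (b"%PDF-", "pdf", {"pdf"}),
    (b"PK\x03\x04", "zip", {"zip", "docx", "xlsx", "pptx", "jar"}),
    (b"MZ", "pe", {"exe", "dll", "sys", "scr"}),
]

def identify(data):
    """Format implied by the leading bytes and the extensions allowed for it; (None, set()) if unknown."""
    for magic, fmt, exts in SIGNATURES:
        if data.startswith(magic):
            return fmt, exts
    return None, set()

def check_file(name, data):
    """None when the extension agrees with the header; otherwise a mismatch record."""
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    fmt, exts = identify(data)
    if fmt is None or ext in exts:
        return None   # unknown content cannot be judged; known content with a fitting extension is fine
    return {"name": name, "claimed": ext or "(none)", "detected": fmt}

def scan(files):
    """files: iterable of (name, leading bytes), e.g. read from a recovered folder. Returns mismatches in order."""
    return [r for r in (check_file(n, d) for n, d in files) if r]

# Constructed sample set standing in for the recovered files of the experiment.
SAMPLE_FILES = [
    ("holiday.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("report.pdf", b"%PDF-1.7\n"),
    ("notes.txt", b"MZ\x90\x00\x03\x00\x00\x00"),      # executable renamed to .txt
    ("photo.png", b"\xff\xd8\xff\xe1\x00\x16Exif"),    # JPEG renamed to .png
    ("budget.xlsx", b"PK\x03\x04\x14\x00\x06\x00"),    # OOXML is a ZIP container: legitimate
    ("readme", b"%PDF-1.4\n"),                           # extension removed entirely
]

if __name__ == "__main__":
    for m in scan(SAMPLE_FILES):
        print(f"{m['name']}: claims {m['claimed']!r} but the header is {m['detected']}")
```

A file whose first bytes match no signature is skipped, so the table has to cover the formats that matter for the case, and a container type such as ZIP needs every legitimate wrapper extension listed or genuine Office documents will be flagged.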


CONCLUSION

The conducted experiments prove that not all anti forensic techniques and tools are strong enough to divert an investigation process. In many cases, these tools and techniques fail to perform some important anti forensic functions like wiping the data irreversibly, hiding data behind files, changing the extension of files, changing the time stamps of the files created, and many more.

However, some anti forensic measures like encryption are still acting as a hindrance for investigators and investigation processes. Many forensic techniques used these days can be circumvented. CFTs need to be developed keeping the security aspects in mind, so that they cannot be altered in any way and anti forensic measures can be defeated easily.

The results of the experiment conducted are summarized below:

Anti Forensic Technique | Anti Forensic tool used                         | Forensic tool used | Result
------------------------|-------------------------------------------------|--------------------|----------------------------------------------------------------------------------
Steganography           | S-Tools, Camouflage                             | WinHex, Stegdetect | Camouflaged file was detected and cracked. Stegdetect was not able to detect the file.
Encryption              | PGP, Truecrypt                                  | -                  | Only cryptanalysis can be done.
Data Wiping             | WinHex, Free Wipe Wizard                        | WinHex             | Wiped folders were recovered back.
Attacks against CFTs    | File Extension Changer, File Properties Changer | WinHex             | File Extension Mismatch was detected.

