Anti Forensics and Defeating Antiforensic Measures


  • 8/22/2019 Anti Forensics and Defeating Antiforensic Measures


    RESEARCH PAPER

    ANTI FORENSICS AND DEFEATING ANTI FORENSICS MEASURES

    HARPREET SINGH DARDI

    DFI-MUM-1-6


    INTRODUCTION

According to Locard's exchange principle, when a crime is committed there is a cross-transfer of evidence between the scene and the perpetrator (Saferstein, 1998).

In other words, whoever commits a crime will inevitably bring something into the crime scene and take something away from it, and both of these elements can serve as forensic evidence.

The same holds for digital forensics, where the crime scene is a computer system or another digital medium. The perpetrator will inevitably leave traces of the tools and techniques used to commit the crime, and these traces can serve as forensic evidence in court proceedings.

What matters, then, is proper examination of the suspect computer system or digital medium by the investigators, so that the outcome is correct. Investigators need to apply Locard's principle to the cyber world in order to understand the relation between aspects such as when particular events took place, what actually happened and what their source was. Connecting these individual facts into one coherent statement can then reveal the whole nature of the action.

However, criminals may use anti-forensic methods to divert the normal investigation procedure and to confuse the investigators.

This research paper focuses on various anti-forensic methods and on measures to defeat them. Various anti-forensic and forensic tools have been used in the experiments to test the robustness of the forensic tools and the strength of the anti-forensic tools.


    COMPUTER FORENSICS AND ANTI FORENSICS

The term Forensics is quite simple and specific: the use of science and technology to investigate a crime.

Computer Forensics is the branch of Digital Forensics pertaining to evidence found in computers and digital media. Its main purpose is the examination of digital media in a forensically sound manner in order to collect, analyse and present evidence to the courts.

Forensic analysis plays an important role in cyber crime investigations, as it helps the investigators obtain relevant information such as boot configuration data, network packets, etc. This information is then converted into permanent reports that are acceptable to a court of law.

Computer forensic tools are used by forensic examiners to:

- collect information/data from computer systems or other digital media
- analyse the collected data to uncover information that may not be immediately obvious
- generate a report that will be acceptable in legal proceedings

Computer forensic tools (CFTs) broadly fall into two classes:

Persistent Data Tools: as the name suggests, these tools collect the data that is stationary on the digital medium, in other words the data that remains when the computer system is turned off.

E.g. The Sleuth Kit

Volatile Data Tools: these tools collect data that is transitory and would be lost if not captured, such as the contents of RAM or packets travelling across the network.

E.g. WinHex (cited here for its ability to open and capture physical RAM on a live system; its primary role is that of a disk and hex editor, i.e. a persistent-data tool)

ANTI FORENSICS (in layman's terms, "against forensics") is the collection of tools and techniques used to confront forensics and to frustrate the investigator and the process of investigation.

[Figure: CFT classes: Persistent Data Tools and Volatile Data Tools]


Anti-forensic techniques and tools are used to mislead investigators and forensic examiners during an ongoing investigation.

    GOALS OF ANTI FORENSICS

1. Making it impossible for the investigators to detect that the event happened.

2. Preventing the investigator from detecting the evidence.

3. Forcing the investigator to spend a huge amount of time finding out what actually happened and how long it went on.

4. Casting doubt on the report generated.

5. Using anti-forensic tools and techniques in such a way that the forensic tool attacks the suspect computer itself instead of retrieving the evidence.

6. The anti-forensic tool should not leave any trace of its use.

7. The information collected should be disrupted in one way or another.

8. The investigator should not be able to distinguish between the actual evidence and other data.

9. The forensic tools used for data recovery or collection should produce wrong results that further misguide the investigator in the investigation process.

10. The forensic tool itself can be used to attack the organisation in which it is running.

Anti-forensic techniques (AFT) are broadly divided into two categories: traditional AFT and modern AFT.


    ANTI FORENSIC CATEGORIES

Anti-forensics is broadly divided into four categories.

1. DATA HIDING: This category of anti-forensic method is used to hide the evidence from the investigator. It makes the case more complicated, as examiners are unable to find the relevant content and keep analysing non-evidential data. The most common techniques used for data hiding are cryptography and steganography.

a) CRYPTOGRAPHY is the science of converting readable text into unreadable form with the help of certain algorithms. In order to read the original message, the examiner has to decrypt it. For decryption he needs to know certain important elements:

the algorithm used to encrypt the text, the password used, and the software used.

Finding out these elements is the most laborious part of the task and may consume a great deal of an investigator's time.

[Figure: the four anti-forensic categories: Data Hiding, Artifact Wiping, Trail Obfuscation, Attacks against CFT Tools]


[Figure: Before Encryption / After Encryption]

Tools currently available for cryptography include PGP, Crypo, GNU Privacy Guard, Disk Utility and many more.

b) STEGANOGRAPHY is the art of hiding data inside an image or any other file. Only the sender and the intended recipient know that the message is there.

[Figure: original image and steganographic image]

A normal human eye cannot distinguish between the original and the steganographic image above. Even the file size remains the same.

    Tools currently available for Steganography are S-Tools, Steghide, Steganos and many more.
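Least-significant-bit (LSB) replacement is the mechanism behind the "same size, no visible difference" observation above, and it also leaves a statistical trace that an examiner can test for without having the original cover. The following is an added example, not code from the paper or from the tools it names: an LSB embedder and extractor over a constructed 64x64 8-bit cover, together with the chi-square pair test (Westfeld and Pfitzmann) that is the classic detector for it. The cover, the secret text and the filler payload are assumptions of this example; real images have less extreme, but still unequal, pair histograms.

```python
import random

# Constructed cover: a 64x64 8-bit "image" held as a flat byte string. Natural images
# have unequal counts within each value pair (2k, 2k+1); this synthetic cover
# exaggerates that by using only even values, so the detection statistic is easy to read.
WIDTH = HEIGHT = 64
COVER = bytes(((i * 7) % 128) * 2 for i in range(WIDTH * HEIGHT))
SECRET = b"The transaction number is 900900900."    # constructed sample message

def embed_lsb(cover, payload):
    """Hide payload in the least significant bit of successive bytes, 32-bit length first."""
    data = len(payload).to_bytes(4, "big") + payload
    bits = [(byte >> (7 - k)) & 1 for byte in data for k in range(8)]
    if len(bits) > len(cover):
        raise ValueError("payload too large for this cover")
    out = bytearray(cover)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit         # each pixel moves by at most 1; size unchanged
    return bytes(out)

def extract_lsb(stego):
    """Reverse of embed_lsb: read the length header, then that many payload bytes."""
    def read(offset, count):
        value = 0
        for i in range(offset, offset + 8 * count):
            value = (value << 1) | (stego[i] & 1)
        return value.to_bytes(count, "big")
    n = int.from_bytes(read(0, 4), "big")
    return read(32, n)

def pair_chi_square(img):
    """Chi-square statistic over the 128 value pairs (2k, 2k+1).
    Embedding a high-entropy payload in the LSBs makes the two counts in every pair
    nearly equal, so the statistic collapses relative to an untouched image."""
    counts = [0] * 256
    for b in img:
        counts[b] += 1
    chi = 0.0
    for k in range(128):
        a, b = counts[2 * k], counts[2 * k + 1]
        if a + b:
            chi += (a - b) ** 2 / (a + b)
    return chi

def stego_demo():
    # Pad the message with random bytes (as an encrypted payload would look) so that
    # most of the cover is used; a short plain message alone leaves most LSBs untouched.
    rng = random.Random(20190822)
    filler = bytes(rng.getrandbits(8) for _ in range(460))
    stego = embed_lsb(COVER, SECRET + filler)
    return {
        "same_size": len(stego) == len(COVER),
        "max_pixel_delta": max(abs(c - s) for c, s in zip(COVER, stego)),
        "recovered": extract_lsb(stego)[:len(SECRET)],
        "chi_cover": pair_chi_square(COVER),
        "chi_stego": pair_chi_square(stego),
    }

if __name__ == "__main__":
    for k, v in stego_demo().items():
        print(k, v)
```

The size check and the per-pixel delta of at most 1 confirm the paper's observation; the chi-square statistic is the examiner's answer to it. On the untouched cover every pair is completely one-sided and the statistic equals the number of pixels; after embedding it drops by more than an order of magnitude, which is the signature a steganalysis tool reports even when no reference image is available.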

2. ARTIFACT WIPING: Evidence can be permanently removed from computer systems or digital media with certain tools. One can permanently delete a single file or wipe the whole system.

The main concept behind wiping is that every byte of the data is overwritten, usually several times, so that forensic tools can no longer recover what was originally present.

[Figure content, "Before Encryption / After Encryption": plaintext "The transaction number is 900900900." and the PGP-encrypted output (base64): qANQR1DDDQQJAwKAcltao2NfX2DSUwHvn1VuWLoY+9RDXKoxtn8UtBQ7kRLKKUZ1PRYUopn/7+pKBcTgNXEpM+CnBL+cPoHkqbfwWvMcLT0S+vHhrp47oViXGLHUF/7j5PrZjZQGmu7x]


    The tools available for Data wiping these days include TotalWipeOut, Kill Disk, BCWipe etc.
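The overwrite idea above, as an added example rather than code from the paper or from any of the tools just named: a multi-pass overwrite in Python, the check an examiner would make afterwards, and the caveats about where copies survive an in-place overwrite. The pass patterns, the pass count and the sample file content are assumptions of this example.

```python
import os
import tempfile

# Overwrite patterns applied in turn: zeros, ones, then random bytes (assumed scheme).
PASS_PATTERNS = (b"\x00", b"\xff", None)   # None = fresh bytes from os.urandom

def overwrite_file(path, passes=3, chunk_size=1 << 16):
    """Overwrite every byte of the file `passes` times, syncing each pass to disk.
    Returns the number of bytes overwritten per pass."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for n in range(passes):
            pattern = PASS_PATTERNS[n % len(PASS_PATTERNS)]
            f.seek(0)
            remaining = size
            while remaining > 0:
                length = min(remaining, chunk_size)
                f.write(os.urandom(length) if pattern is None else pattern * length)
                remaining -= length
            f.flush()
            os.fsync(f.fileno())      # push this pass to the medium before starting the next
    return size

def wipe_file(path, passes=3):
    """Overwrite, truncate to zero length and unlink.
    Caveat: this reaches only the blocks currently mapped to the file. Copies can
    survive in a filesystem journal or copy-on-write snapshot, in SSD cells retired by
    wear levelling, in the slack space of other files, and the name, size and
    timestamps stay in filesystem metadata until those structures are reused."""
    size = overwrite_file(path, passes)
    with open(path, "r+b") as f:
        f.truncate(0)
        f.flush()
        os.fsync(f.fileno())
    os.remove(path)
    return size

def wipe_demo():
    """Write a file with a recognisable marker, overwrite it, then check what is left."""
    marker = b"The transaction number is 900900900.\n"   # constructed sample content
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "wb") as f:
        f.write(marker * 200)
    overwritten = overwrite_file(path)
    with open(path, "rb") as f:
        after = f.read()                       # what a file-level examination now sees
    removed = wipe_file(path)
    return {
        "bytes_per_pass": overwritten,
        "size_unchanged_after_overwrite": len(after) == overwritten,
        "marker_survives_overwrite": marker in after,
        "bytes_removed": removed,
        "file_exists_after_wipe": os.path.exists(path),
    }

if __name__ == "__main__":
    for k, v in wipe_demo().items():
        print(k, v)
```

The read-back after the overwrite passes is the point of the demo: the marker is gone from the file's own blocks, yet the caveats in `wipe_file` list exactly the places an examiner looks next, because an in-place overwrite says nothing about copies the filesystem or the storage device kept elsewhere.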

3. TRAIL OBFUSCATION: Trail obfuscation is done in order to divert or disorient the investigation process. A variety of techniques and tools can be used for it.

Trail obfuscation includes deleting logs, spoofing headers, changing file extensions, running Trojan commands on the computer system to divert the investigator's attention, and many more.

4. ATTACKS AGAINST CFT TOOLS: These attacks are used to make forensic tools ineffective. The techniques and tools target every phase of the investigation process and hamper the CFT's performance by making it produce wrong or limited results.

There have been successful attacks on many of the major computer forensic tools, such as WinHex, FTK and others. These attacks manipulate file system directories and other attributes in order to tamper with the software's functionality.


    EXPERIMENT CONDUCTED

The experimental part of this paper is divided into the following stages:

    STAGE 1 : For Data Hiding Techniques

A laptop holding steganographic files, encrypted files and an encrypted drive was used.

The following table shows the tools used for this purpose:

Data Hiding Technique      Tools Used
Steganography              S-Tools, Camouflage
Cryptography               PGP
On-the-fly encryption      TrueCrypt

For camouflaged files, the forensic tool WinHex was used to detect the camouflaged file. Certain online tools are also available that detect whether a file has been camouflaged or not.

The concept behind Camouflage is appending the hidden file after the end of the carrier file (EOF). Hence the size of the camouflaged file differs from that of the original file.

The main point for investigators, however, is how to find out whether a file has been camouflaged at all and then how to crack it to reveal the hidden data.
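Two of the tricks discussed on this page, the extension change listed under Trail Obfuscation and the append-after-EOF technique of Camouflage described here, are both caught by the same check: ignore the file name, identify the type from the leading bytes, then walk the file's real structure to its end and see whether anything follows. The following is an added example, not the paper's own method and not WinHex or the online tools it mentions; the magic table, the sample JPEG and PNG skeletons and the appended payload are constructed for the example (the JPEG is structurally valid but not a decodable picture, and PNG CRCs are not verified).

```python
import struct

# Expected leading bytes ("magic") per extension. Constructed table, not exhaustive.
MAGIC = {
    "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
    "zip": b"PK\x03\x04",
}

def detect_type(data):
    """Return the type implied by the magic bytes, ignoring the file name entirely."""
    for ext, sig in MAGIC.items():
        if data.startswith(sig):
            return "jpg" if ext == "jpeg" else ext
    return None

def jpeg_end(data):
    """Offset just past the EOI marker, found by walking the segment structure rather
    than searching for FF D9 (which also occurs inside EXIF thumbnails)."""
    pos = 2                                    # skip SOI
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:                     # fill byte before a marker
            pos += 1
        elif marker == 0xD9:                   # EOI: the image ends here
            return pos + 2
        elif marker == 0x01 or 0xD0 <= marker <= 0xD8:   # standalone markers (TEM, RSTn, SOI)
            pos += 2
        else:
            pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
            if marker == 0xDA:                 # SOS: skip entropy-coded data to the next real marker
                while pos + 1 < len(data) and not (
                        data[pos] == 0xFF and data[pos + 1] != 0x00
                        and not 0xD0 <= data[pos + 1] <= 0xD7):
                    pos += 1
    raise ValueError("no EOI marker found")

def png_end(data):
    """Offset just past the IEND chunk, walking length/type/data/crc chunks."""
    pos = 8                                    # skip signature
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length
        if ctype == b"IEND":
            return pos
    raise ValueError("no IEND chunk found")

END_OF_IMAGE = {"jpg": jpeg_end, "png": png_end}

def check_file(name, data):
    """Flag a renamed extension and any data appended after the carrier's real end."""
    declared = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    declared = "jpg" if declared == "jpeg" else declared
    detected = detect_type(data)
    result = {"name": name, "declared": declared, "detected": detected,
              "extension_mismatch": detected is not None and detected != declared,
              "trailing_bytes": 0, "trailing_preview": b""}
    if detected in END_OF_IMAGE:
        end = END_OF_IMAGE[detected](data)
        result["trailing_bytes"] = len(data) - end
        result["trailing_preview"] = data[end:end + 16]
    return result

# Constructed samples: a minimal JPEG skeleton (APP0, one scan containing a stuffed
# FF 00 and an RST marker, then EOI) and a minimal 1x1 PNG (IHDR + IEND).
SAMPLE_JPEG = (b"\xff\xd8"
               + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
               + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
               + b"\x12\xff\x00\x34\xff\xd0\x56"
               + b"\xff\xd9")
SAMPLE_PNG = (b"\x89PNG\r\n\x1a\n"
              + struct.pack(">I", 13) + b"IHDR" + struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0) + b"\x90wS\xde"
              + struct.pack(">I", 0) + b"IEND" + b"\xaeB`\x82")
HIDDEN = b"PK\x03\x04 secret archive appended by Camouflage"   # constructed payload

if __name__ == "__main__":
    for name, data in [("holiday.jpg", SAMPLE_JPEG),
                       ("holiday.jpg", SAMPLE_JPEG + HIDDEN),
                       ("report.jpg", SAMPLE_PNG)]:
        print(check_file(name, data))
```

The second sample is the Camouflage case: the carrier parses cleanly to its EOI and the appended bytes show up as `trailing_bytes`, with the preview revealing the ZIP signature of the hidden archive. The third sample is the extension trick: a PNG renamed to .jpg is reported as a mismatch because the type comes from the magic bytes, not the name. Comparing the file size against the original, as the paper suggests, only works when the original is available; walking the structure does not need it.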

[Figure: stages of the experiment]

STAGE 1: For data hiding techniques

STAGE 2: For data wiping

STAGE 3: Attacks against CFT