Issues
• Computer forensics is becoming more mainstream
• Computer users are learning more effective methods to cover their tracks
• Programmers are writing tools to defeat specific commercial computer forensics products
• Computer forensics examiners are slaves to their tool(s)
Agenda
• Configuration settings – methods used to cover tracks using “supplied” tools and configuration settings
• Third party tools – wiping, properties changers, registry cleaners, steganography/encryption, etc.
• Tools and methods designed specifically to fool computer forensics programs.
Simple
• “Shift+Delete” to bypass Recycle Bin
• Recycle Bin – configured to delete immediately
• defrag
OS/Application Supplied
Shutdown: Clear virtual memory pagefile – Enabled
XP – Control Panel | Administrative Tools | Local Security Policy | Local Policies | Security Options | Shutdown: Clear virtual memory page file | Select Enabled
Clear Page File
Configured? Check following registry key:
Hive: HKEY_LOCAL_MACHINE\SYSTEM
Key: CurrentControlSet\Control\Session Manager\Memory Management
Name: ClearPageFileAtShutdown
Type: REG_DWORD
Value: 1
Slows down shutdown process
OS/Application Supplied
CIPHER - “Displays or alters the encryption of directories[files] on NTFS partitions”
CIPHER /W:directory (XP)
Alternate Data Streams
• The NTFS File System provides the ability to have additional data streams associated with a file. (Provides support for Apple’s HFS – Hierarchical File System)
Alternate Data Stream
• Demo – thanks to Harlan Carvey
• At the command prompt:
C:\> mkdir ads
C:\> cd ads
C:\> echo "This is a standard text file." >textfile.txt
C:\> echo "The password is weasel." >textfile.txt:pword.txt
• To read the alternate data stream:
C:\> notepad textfile.txt:pword.txt
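Two checks an examiner can script for the settings shown on the last two slides, as an added PowerShell example that is not part of the original deck: it reads the ClearPageFileAtShutdown value from the registry key listed earlier and lists every alternate data stream under a directory (C:\ads from the demo; any path works). It assumes PowerShell 3.0 or later, which is where the -Stream parameter appeared.

```powershell
# Added example, not from the original slides. Two read-only examiner checks.

# 1. Was "Shutdown: Clear virtual memory pagefile" enabled on this system?
#    The policy writes ClearPageFileAtShutdown = 1 under Memory Management.
function Test-ClearPageFileAtShutdown {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $item = Get-ItemProperty -Path $key -Name ClearPageFileAtShutdown -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return 'ClearPageFileAtShutdown not set (default 0: pagefile is kept at shutdown)'
    }
    $value = $item.ClearPageFileAtShutdown
    if ($value -eq 1) {
        return 'ClearPageFileAtShutdown = 1: pagefile is zeroed at shutdown'
    }
    return "ClearPageFileAtShutdown = $value (pagefile is kept at shutdown)"
}

# 2. Which files under a directory carry alternate data streams?
#    Every file has the default ':$DATA' stream; anything else is an ADS.
#    (Zone.Identifier, written by browsers on downloads, is the common benign one.)
function Find-AlternateDataStreams {
    param([string]$Path)
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File   = $_.FileName
                        Stream = $_.Stream
                        Bytes  = $_.Length
                    }
                }
        }
}

Test-ClearPageFileAtShutdown
# Assumed path: the directory created in the demo above.
Find-AlternateDataStreams -Path 'C:\ads' | Format-Table -AutoSize
```

Run against the demo directory, the second function lists textfile.txt with a stream named pword.txt and its size in bytes; a file with no alternate streams produces no row at all.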
OS/Application Supplied
• Word (Excel)
– Hidden font
– White on white
– Small font
• Plug-ins
– Remove Hidden Data tool
– Redaction tool
– Payne scrambling tool
Redaction tool
http://tinyurl.com/dgokp (Word 2003)
“Overview
Redaction is the careful editing of a document to remove confidential information.
The Microsoft Office Word 2003 Redaction Add-in makes it easy for you to mark sections of a document for redaction. You can then redact the document so that the sections you specified are blacked out. You can either print the redacted document or use it electronically. In the redacted version of the document, the redacted text is replaced with a black bar and cannot be converted back to text or retrieved.”
Advantages of OS Supplied Tools
• Appear less “nefarious” than commercial tools (Evidence Eliminator).
• Free
Merge Streams/Glue
• Hides an Excel file within a Word document (or vice versa)
• .doc – see the Word file
• .xls – see the Excel file
• Won’t fool a forensics examiner – may confuse them
• Word – “Recover Text from Any File”
File Splitting
• 1toX - http://www.logipole.com/indexe.html
• GSplit - http://www.gdgsoft.com/gsplit/
• Some tools can split files, password protect and encrypt pieces.
• Split file and store pieces in different locations…
Wiping Tools
• Gazillions of them
• Eraser (comes with DBAN)
• SDelete – www.sysinternals.com
• Evidence Eliminator
• BCWipe
• CyberScrub
• Etc.
• Do they perform as promised? PGP – does it really wipe slack space?
• Are they used frequently?
Removing Residual Data
• Tools exist to remove residual data
• But do not use them in response to litigation
• See - Kucala Enterprises, Ltd. v. Auto Wax Co., Inc., 2003 WL 21230605 (N.D.Ill.), May 27, 2003 - “Any reasonable person can deduce, if not from the name of the product itself, then by reading the website, that Evidence Eliminator is a product used to circumvent discovery.”
• Anderson v. Crossroads Capital Partners
Encryption
• Cryptext – free and easy to use, a shell extension (http://tinyurl.com/do2qs)
• EFS
• OTFE – encrypted partitions: www.truecrypt.org
• USB thumb drives – new ones include encrypted partitions
• Encrypted file stored on an encrypted partition…
• LockNote - http://locknote.steganos.com/
Steganography
• Includes encryption
• Free tools
• Complex method of hiding data
• But easy to do…
• Can you detect it?
• “Duplicate colors?”
• WetStone Technologies
• Steganography Analysis and Research Center
• stegdetect
Metasploit Project
• Timestomp – modifies MAC times so EnCase can’t read them.
http://www.metasploit.com/projects/antiforensics/
Document Lifecycle Management
• Controlling documents even when they are “out of your control”
• Expiration dates
• Encryption
Document lifecycle Management
“Net-It® Now is a free print driver that renders your files to CSF (content secure format), a compressed encrypted format that allows you to add Visual Rights™, including password protection, an expiration date, and feature restrictions, to your files (settings). Files are viewable with the free Brava! Reader (views TIFF, PDF and CSF files)”.
http://www.net-it.com/nin.htm
Use a Mac
• Entry level programs such as WinHex and ProDiscover Basic do not handle the HFS+ file system.
• Most computer forensics training programs do not address Macs.
• Most computer forensics examiners “fear” conducting an examination of Macs – they just don’t understand them.
Good News/Bad News
• First the bad news
• Using a combination of these tools on a regular basis can defeat a computer forensics examination
• Now the good news
• Very few users know about “all” of these tools and methods
• Not all tools perform as promised
Last thoughts
• Determining whether these tools have been used can be just as important as finding evidence.
• Finding these tools can counter the “I’m not sophisticated enough” argument.
• Found in illegal movie and music distribution cases.