Auburn University Digital Forensics 1 www.eng.auburn.edu/users/hamilton/security/ Anti-Forensics Paul A. Henry MCP+I, MCSE, CCSA, CCSE, CFSA, CFSO, CISSP-ISSAP, CISM, CISA, CIFI Vice President, Technology Evangelism Secure Computing

Source: web.cse.msstate.edu/~hamilton/6350/lessons/10a_Anti... · 2017. 12. 24.


  • Auburn University Digital Forensics 1 www.eng.auburn.edu/users/hamilton/security/

    Anti-Forensics

    Paul A. Henry MCP+I, MCSE, CCSA, CCSE, CFSA, CFSO,

    CISSP-ISSAP, CISM, CISA, CIFI Vice President, Technology Evangelism

    Secure Computing

  • Auburn University Digital Forensics 2 www.eng.auburn.edu/users/hamilton/security/

    An Introductory Example

    •  Mohammed Atif Siddique sentenced in a Scottish Court to eight years for possession of terrorism related items.

    –  During his trial the jury had been told by Michael Dickson, a forensics analyst for the National Hi-Tech Crime Unit, that Siddique's laptop computer had contained material placed in a Windows folder where it would be difficult for an inexperienced user to find.

    –  The folder in question was c:\windows\options, which is usually present on OEM Windows systems and is used for installation purposes.

    –  It is not widely frequented by most computer users, but it's not secret either. Siddique seems not to have encrypted the material, which was described as videos, pictures and sound files "concerned with radical Islamic politics", and which included footage of Osama Bin Laden and the World Trade Center attack.

    •  When police arrested Siddique, over 100 police officers were involved in an operation which broke down the door of his family home with a battering ram, closed off roads, and searched adjacent houses and shops.

    –  Over 60 officers were involved in the investigation, along with 12 translators and experts from the National High Tech Crime Unit.

    –  "Some 34 computers and hard drives were examined.

    –  More than 5,000 computer discs and DVDs were removed, along with 25 mobile phones and another 19 SIM cards.

    –  Almost 700 documents were taken from the computers and more than 1,000 statements taken."

  • Auburn University Digital Forensics 3 www.eng.auburn.edu/users/hamilton/security/

    Outline

    •  The Rules Are Changing
    •  Creating Reasonable Doubt - Vulnerabilities in Forensic Products
    •  Virtual Environments - Have You Got Your MoJo
    •  The Reality of Plausible Deniability
    •  Vista - Encryption For The Masses
    •  Steganography - Use and Detection
    •  Disk Wiping – The Tools Are Getting Scarily Good
    •  What Good are Known Good/Bad Signatures
    •  MetaSploit
    –  Slacker – Hide tons of data encrypted in slack
    –  Timestomp – So much for MAC
    –  Transmogrify – One Click Defense
    –  SAM Juicer – No More DLL Injection
    •  Advanced Anti-Forensics – Everything in RAM
    •  Linux Anti-Forensics – Where The Tools Don't Look

  • Auburn University Digital Forensics 4 www.eng.auburn.edu/users/hamilton/security/

    The Rules are Changing

    •  Admitting computer evidence in the future - a stricter standard?
    •  Lorraine v Markel - Authentication of electronic evidence

    –  Magistrate Judge Grimm refused to allow either party to offer e-mails in evidence to support their summary judgment motions. He found they failed to meet any of the standards for admission under the Federal Rules of Evidence.

    –  The emails were not authenticated but simply attached to the parties' motions as exhibits, as has been a common practice.

    •  In re: Vinhnee, 2005 WL 3609376

    –  A recent decision by a Ninth Circuit Bankruptcy Appellate Panel rejected the prevailing standard for authenticating electronically stored records and imposed stringent requirements that may help defend against computerized evidence in a broad range of cases, including white-collar prosecutions. Although decisions of the Panel, which consists of three bankruptcy judges, are binding precedent only for bankruptcy courts in the Ninth Circuit, Vinhnee's persuasive analysis has the potential to change the use of electronic evidence in other courts.

    –  The trial court turned away the credit card company even though the defendant (debtor) did not even show up or enter any argument, having the company suffer "the ignominy of losing even though its opponent did not show

  • Auburn University Digital Forensics 5 www.eng.auburn.edu/users/hamilton/security/

    Reasonable Doubt?

    •  Encase and Sleuth Kit Vulnerabilities
    –  http://www.isecpartners.com/files/iSEC-Breaking_Forensics_Software-Paper.v1_1.BH2007.pdf

    •  Evidentiary Implications of Potential Security Weaknesses in Forensic Software
    –  "As with other forensic techniques, computer forensic tools are not magic; they are complex software tools that like all software may be subject to certain attacks.
    –  Yet because these tools play such a critical role in our legal system, it is important that they be as accurate, reliable, and secure against tampering as possible.
    –  Vulnerabilities would not only call into question the admissibility of forensic images, but could also create a risk that if undetected tampering occurs, courts may come to the wrong decisions in cases that affect lives and property."
    –  http://www.isecpartners.com/files/Ridder-Evidentiary_Implications_of_Security_Weaknesses_in_Forensic_Software.pdf

  • Auburn University Digital Forensics 6 www.eng.auburn.edu/users/hamilton/security/

    Have You Got Your Mojo?

    •  Your USB Drive or iPod is your PC
    •  Leaves no trace on the host

  • Auburn University Digital Forensics 7 www.eng.auburn.edu/users/hamilton/security/

    Without a Trace

    •  Create an XP bootable CD
    –  Boot from the CD and create an encrypted environment on the HD
    –  No trace on the PC
    –  What's next?
    –  How about Linux and a processor on a USB

  • Auburn University Digital Forensics 8 www.eng.auburn.edu/users/hamilton/security/

    Encryption

    •  Encryption is a forensic analyst's nightmare
    •  It is only a matter of time before the bad guys adopt current technology encryption
    •  Current offerings provide for multiple levels of "Plausible Deniability"
    –  Create a hidden encrypted volume within an encrypted volume
    –  Bad guy gives up the password to the first level only
    –  Second level remains hidden and looks like random data within the volume (undetectable)

  • Auburn University Digital Forensics 9 www.eng.auburn.edu/users/hamilton/security/

    TrueCrypt

    •  Settings are not stored in the registry
    •  Uses a "key file" rather than a crypto key
    •  Which of the thousands of files on the image did the bad guy use as the key file?
    •  Uses LRW to replace CRW eliminating any possible detection of nonrandom data within an image
    •  Creates a virtual encrypted disk within a file and mounts it as a disk
    •  Can work in "Traveler" mode with BartPE to eliminate any traces of use within Windows
    –  New version 4.3a just released
    –  Vista Support
    –  Plausible deniability improved
    –  Sector size other than 512
    –  Traveler mode
    –  Multi Algorithm Cascade
    •  Total Downloads 3,487,388, 1 Day Download 5,547

  • Auburn University Digital Forensics 10 www.eng.auburn.edu/users/hamilton/security/

    Free On The Fly Encryption

    •  FreeOTFE
    •  TrueCrypt
    •  Cryptainer LE
    •  CryptoExpert 2004 Lite
    •  CompuSec
    •  E4M Disk Encryption
    •  Scramdisk Encryption

  • Auburn University Digital Forensics 11 www.eng.auburn.edu/users/hamilton/security/

    Vista Encryption

    •  The fear
    –  TPM hardware
    –  Encryption key stored on removable USB drive

    •  The reality
    –  Not in all versions of Vista - only enterprise version
    –  Limited availability of motherboards with TPM chips
    –  High end versions of Vista not exactly flying off the shelves
    –  Be sure to seize those USB keys

  • Auburn University Digital Forensics 12 www.eng.auburn.edu/users/hamilton/security/

    Steganography

    •  Hiding data in graphic or audio files

  • Auburn University Digital Forensics 13 www.eng.auburn.edu/users/hamilton/security/

    Free Steganography

    •  S-Tools
    •  4t HIT Mail Privacy Lite
    •  Camouflage

  • Auburn University Digital Forensics 14 www.eng.auburn.edu/users/hamilton/security/

    StegDetect

    •  Automated detection of data within an image
    •  Works against:
    –  Jsteg
    –  Jphide
    –  Invisible Secrets
    –  Outguess
    –  F5
    –  appendX
    –  Camouflage

  • Auburn University Digital Forensics 15 www.eng.auburn.edu/users/hamilton/security/

    www.evidenceeliminator.com/register_reasons.d2w

    •  Just some reasons why you must buy protection for yourself right now.
    •  Pelican Bay State Prison (USA) "....putting a prisoner in a cell with a known assaulter and setting up alleged sex offenders for attack are not uncommon...."
    •  Cocoran Prison (California USA) "....Dillard, who weighed 120 pounds, fought back but Robertson was too powerful. He said he pounded on the cell door, banged at it in a way that the guards surely must have heard, but nobody ever came as he was raped...."
    •  The View From Behind Prison Bars (USA) "....The guard in the tower decided to blow one of the inmates' heads off.... The suicides at San Quentin are amazing. I never knew doing time would subject me to watching guys do swan dives off the fifth tier... we were forced to sleep in shifts to keep the cockroaches from crawling in our mouths...."

    Get total protection. Buy your license to Evidence Eliminator™. $149 is less than 149 years. Permanent protection for only $149.95(US)

  • Auburn University Digital Forensics 16 www.eng.auburn.edu/users/hamilton/security/

    Bad Guys Don’t Pay For Software

  • Auburn University Digital Forensics 17 www.eng.auburn.edu/users/hamilton/security/

    Other Disk Wiping Products

  • Auburn University Digital Forensics 18 www.eng.auburn.edu/users/hamilton/security/

    Wipes Deeper Than Ever

  • Auburn University Digital Forensics 19 www.eng.auburn.edu/users/hamilton/security/

    $29.95 Utility

  • Auburn University Digital Forensics 20 www.eng.auburn.edu/users/hamilton/security/

    Other Popular Wiping Tools

    •  srm
    •  dban
    •  Necrofile
    •  Tracks Eraser Pro
    •  Just Google disk wiping tools
    •  Results 1 - 100 of about 1,960,000 for disk wiping tools.

  • Auburn University Digital Forensics 21 www.eng.auburn.edu/users/hamilton/security/

    Evaluating Commercial Counter-Forensic Tools Matthew Geiger

  • Auburn University Digital Forensics 22 www.eng.auburn.edu/users/hamilton/security/

    Signatures

    •  Examining hashes is a quick way to determine if specific files are or are not on the image that is being examined
    •  Altering a single byte will alter the hash but still leave a malicious program executable

  • Auburn University Digital Forensics 23 www.eng.auburn.edu/users/hamilton/security/

    Some Hash Utilities are Unreliable

  • Auburn University Digital Forensics 24 www.eng.auburn.edu/users/hamilton/security/

    EXE Packers

    •  A Packer can change the signature of any exe file and render a search for a known MD5 useless
    •  The potentially malicious file will not be found with an antivirus scanner

  • Auburn University Digital Forensics 25 www.eng.auburn.edu/users/hamilton/security/

    Binders

    •  Binders combine two or more executables into a single executable file

    •  Allows the bad guy to attach a Trojan, Key logger or other malicious program to a common exe file

    •  The resulting MD5 will not match a known bad database

    •  37 different free binders are downloadable at http://www.trojanfrance.com/index.php?dir=Binders/
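The three slides above make one point: a whole-file MD5 is defeated by any single-byte change, by a packer, or by a binder that wraps a known file inside another. The added example below (it is not from the slides and uses a constructed stand-in for an executable, not a real PE) shows the examiner's usual answer: hash the file in fixed-size blocks as well as whole, so a one-byte edit disturbs one block and a known file appended by a binder is still found block by block, as long as the embedded copy stays block-aligned. The 512-byte block size and the synthetic "MZ" blob are assumptions of this example; unaligned cases need a rolling-hash tool such as ssdeep.

```python
import hashlib

BLOCK = 512  # assumption: fixed-size block scheme, like dcfldd-style piecewise hashing


def make_sample_binary(size: int = 4096) -> bytes:
    """Constructed stand-in for a known-bad executable: a fake 'MZ' header,
    a patterned body, and a 256-byte zero-filled tail that is never executed."""
    header = b"MZ" + bytes(62)
    body = bytes((i * 7 + 3) & 0xFF for i in range(size - 64 - 256))
    tail = bytes(256)
    return header + body + tail


def file_hash(data: bytes, algo: str = "md5") -> str:
    """Whole-file hash of the kind a known-good/known-bad database stores."""
    return hashlib.new(algo, data).hexdigest()


def piecewise_hashes(data: bytes, block: int = BLOCK, algo: str = "sha256") -> list:
    """Hash every fixed-size block, so a one-byte change disturbs one entry only."""
    return [hashlib.new(algo, data[i:i + block]).hexdigest()
            for i in range(0, len(data), block)]


def flip_one_byte(data: bytes, offset: int) -> bytes:
    """Simulate the single-byte edit the slide describes (here in the unused tail,
    so the 'program' would still run)."""
    edited = bytearray(data)
    edited[offset] ^= 0x01
    return bytes(edited)


def block_match_ratio(known_blocks: list, suspect_blocks: list) -> float:
    """Fraction of block positions whose hashes are identical in both files."""
    same = sum(1 for a, b in zip(known_blocks, suspect_blocks) if a == b)
    return same / (max(len(known_blocks), len(suspect_blocks)) or 1)


def known_block_hits(known_hashes: set, suspect: bytes, block: int = BLOCK) -> int:
    """Count suspect blocks found in a known-bad block set: recovers a known file
    that a binder appended to a carrier, provided the copy is block-aligned."""
    return sum(1 for h in piecewise_hashes(suspect, block) if h in known_hashes)


if __name__ == "__main__":
    known = make_sample_binary()
    edited = flip_one_byte(known, len(known) - 1)
    print("MD5 known :", file_hash(known))
    print("MD5 edited:", file_hash(edited))   # entirely different digest
    print("block match ratio:",
          block_match_ratio(piecewise_hashes(known), piecewise_hashes(edited)))  # 0.875
    carrier = bytes(range(256)) * 8            # constructed 2048-byte benign carrier
    bound = carrier + known                    # binder-style concatenation
    print("known blocks inside bound file:",
          known_block_hits(set(piecewise_hashes(known)), bound))   # 8
```

A whole-file match still settles the question when it hits; the block view is what tells the examiner that a miss is a near-miss rather than an unknown file.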

  • Auburn University Digital Forensics 26 www.eng.auburn.edu/users/hamilton/security/

    Metasploit Anti Forensics

  • Auburn University Digital Forensics 27 www.eng.auburn.edu/users/hamilton/security/

    TimeStomp (Metasploit)

    •  Uses the following Windows system calls:
    –  NtQueryInformationFile()
    –  NtSetInformationFile()
    •  Doesn't use SetFileTime()

    Metasploit AntiForensics Project

  • Auburn University Digital Forensics 28 www.eng.auburn.edu/users/hamilton/security/

    Unmodified FTK

  • Auburn University Digital Forensics 29 www.eng.auburn.edu/users/hamilton/security/

    Modified FTK

  • Auburn University Digital Forensics 30 www.eng.auburn.edu/users/hamilton/security/

    Timestomp – Encase Unmodified

  • Auburn University Digital Forensics 31 www.eng.auburn.edu/users/hamilton/security/

    Timestomp – Encase Modified

  • Auburn University Digital Forensics 32 www.eng.auburn.edu/users/hamilton/security/

    Timestomp – Explorer Unmodified

  • Auburn University Digital Forensics 33 www.eng.auburn.edu/users/hamilton/security/

    Timestomp – Explorer Modified
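The FTK, Encase and Explorer screenshots on the slides above show the rewritten $STANDARD_INFORMATION times looking perfectly ordinary. The added example below is not from the slides; it encodes two examiner heuristics for spotting such edits in an MFT record: NtSetInformationFile with FileBasicInformation rewrites only the $STANDARD_INFORMATION ($SI) timestamps, so a backdated $SI creation time ends up earlier than the $FILE_NAME ($FN) creation time; and a tool fed second-granularity input leaves every $SI 100-nanosecond fraction at zero. The record layout (plain dicts of FILETIME integers) and the sample records are constructed for this example, and both checks are leads rather than proof, since files copied from FAT media or archives can legitimately carry zero fractions.

```python
from datetime import datetime, timedelta, timezone

TICKS_PER_SECOND = 10_000_000            # FILETIME counts 100 ns units since 1601-01-01 UTC
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
FIELDS = ("created", "modified", "accessed", "mft_modified")


def to_filetime(dt: datetime, subsecond_ticks: int = 0) -> int:
    """FILETIME from a UTC datetime plus a 0..9_999_999 sub-second tick count."""
    whole = int((dt - FILETIME_EPOCH).total_seconds())
    return whole * TICKS_PER_SECOND + subsecond_ticks


def from_filetime(ft: int) -> datetime:
    """Inverse of to_filetime at microsecond precision (datetime's limit)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def timestomp_indicators(record: dict) -> list:
    """Examiner heuristics applied to one MFT record shaped as
    {"si": {field: FILETIME}, "fn": {field: FILETIME}} (constructed layout)."""
    si, fn = record["si"], record["fn"]
    findings = []
    # 1. Genuine NTFS writes almost always leave a non-zero 100 ns fraction; a
    #    second-granularity tool zeroes all four $SI fractions at once.
    if all(v % TICKS_PER_SECOND == 0 for v in si.values()):
        findings.append("all $STANDARD_INFORMATION timestamps have a zero sub-second fraction")
    # 2. $FN is not rewritten by FileBasicInformation, so backdating $SI leaves
    #    the $FN creation time later than the $SI creation time.
    if si["created"] < fn["created"]:
        findings.append("$SI creation time precedes $FN creation time")
    return findings


# Constructed sample records (not real evidence).
_T = datetime(2007, 3, 1, 12, 34, 56, tzinfo=timezone.utc)
NORMAL_RECORD = {
    "si": {"created": to_filetime(_T, 1234567),
           "modified": to_filetime(_T + timedelta(minutes=5), 7654321),
           "accessed": to_filetime(_T + timedelta(hours=1), 11),
           "mft_modified": to_filetime(_T + timedelta(minutes=5), 7654321)},
    "fn": {f: to_filetime(_T, 1234567) for f in FIELDS},
}
_BACKDATED = datetime(2001, 1, 1, tzinfo=timezone.utc)
STOMPED_RECORD = {
    "si": {f: to_filetime(_BACKDATED) for f in FIELDS},   # second-granularity, backdated
    "fn": dict(NORMAL_RECORD["fn"]),                       # $FN untouched
}

if __name__ == "__main__":
    for name, rec in (("normal", NORMAL_RECORD), ("stomped", STOMPED_RECORD)):
        print(name, "->", timestomp_indicators(rec) or "no indicators")
```

Run over a full MFT export, the two checks turn "so much for MAC" into a short list of records worth comparing against $LogFile and USN journal entries, which the later Future Work slide lists as the next target.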

  • Auburn University Digital Forensics 34 www.eng.auburn.edu/users/hamilton/security/

    Slacker (Metasploit)

  • Auburn University Digital Forensics 35 www.eng.auburn.edu/users/hamilton/security/

    Slacker Example
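Slacker, per the outline, hides encrypted data in file slack, the bytes between a file's end-of-file and the end of its last allocated cluster, which ordinary file-level tools never read. The added example below is not from the slides or the Metasploit project; it locates the slack of a file from its size and cluster size, pulls those bytes out of a constructed last cluster, and measures their Shannon entropy. Random-looking slack with a high entropy is worth an examiner's attention; the 4 KiB cluster size, the 7.0 threshold and the sample clusters are assumptions of this example. The caveat matches the Encryption slide earlier: entropy cannot tell encrypted hidden data from deliberately random fill, so it flags a region to examine, not a conclusion.

```python
import math
import random

CLUSTER = 4096  # assumption: 4 KiB NTFS cluster


def slack_bounds(file_size: int, cluster_size: int = CLUSTER) -> tuple:
    """Byte range [start, end) of the slack in the file's last cluster."""
    used = file_size % cluster_size
    if used == 0:
        return (file_size, file_size)      # ends on a cluster boundary: no slack
    return (file_size, file_size - used + cluster_size)


def extract_slack(last_cluster: bytes, file_size: int, cluster_size: int = CLUSTER) -> bytes:
    """Slack bytes from the raw contents of the file's last cluster."""
    used = file_size % cluster_size
    return b"" if used == 0 else last_cluster[used:cluster_size]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def assess_slack(last_cluster: bytes, file_size: int,
                 cluster_size: int = CLUSTER, entropy_threshold: float = 7.0) -> dict:
    """Summarise a file's slack; flag random-looking, non-empty slack for review."""
    slack = extract_slack(last_cluster, file_size, cluster_size)
    nonzero = sum(1 for b in slack if b)
    entropy = shannon_entropy(slack)
    return {"slack_len": len(slack), "nonzero_bytes": nonzero,
            "entropy": round(entropy, 3),
            "flagged": nonzero > 0 and entropy >= entropy_threshold}


# Constructed sample clusters: a 1000-byte file occupies the start of each.
FILE_SIZE = 1000
_CONTENT = b"A" * FILE_SIZE
CLEAN_CLUSTER = _CONTENT + bytes(CLUSTER - FILE_SIZE)          # slack zero-filled
_rng = random.Random(2007)                                       # deterministic stand-in
_HIDDEN = bytes(_rng.getrandbits(8) for _ in range(CLUSTER - FILE_SIZE))
SUSPICIOUS_CLUSTER = _CONTENT + _HIDDEN                          # ciphertext-like slack

if __name__ == "__main__":
    print("slack range:", slack_bounds(FILE_SIZE))
    print("clean     :", assess_slack(CLEAN_CLUSTER, FILE_SIZE))
    print("suspicious:", assess_slack(SUSPICIOUS_CLUSTER, FILE_SIZE))
```

Leftover plaintext from a previously deleted file also shows up as non-zero slack but with low entropy, which is why the flag requires both conditions.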

  • Auburn University Digital Forensics 36 www.eng.auburn.edu/users/hamilton/security/

    Linux Anti-Forensics

    •  Simply hide data where commercial forensic tools don't necessarily look

    •  Rune fs
    –  Hide data in bad blocks inode

    •  Waffen fs
    –  Hide data in spoofed journal file

    •  KY fs
    –  Hide data in null directory entries

    •  Data mule fs
    –  Hide data in reserved space

  • Auburn University Digital Forensics 37 www.eng.auburn.edu/users/hamilton/security/

    Future Work

    •  NTFS change journal modification
    •  Secure deletion
    •  Documentation of anti-forensic techniques
    •  Browser log manipulation
    •  File meta-data modification
    •  NTFS extended attributes
    •  Vincent Liu
    –  Partner in Stach & Liu
    –  www.stachliu.com

  • Auburn University Digital Forensics 38 www.eng.auburn.edu/users/hamilton/security/

    Future Work (Conclusions)

    •  What if the malicious file never touched the disk?
    •  MOSDEF (mose-def) is short for "Most Definitely"
    –  MOSDEF is a retargetable, position-independent-code C compiler that supports dynamic remote code linking
    –  In short, after you've overflowed a process you can compile programs to run inside that process and report back to you
    –  www.immunitysec.com/resources-freesoftware.shtml