Topic - Anti-Forensics and Reasons for Optimism
BJ Bellamy, Kentucky Auditor's Office

1. Introduction
2. An overview of anti-forensics tools and techniques
   2.a. The digital landscape
   2.b. The tools and techniques
3. Reasons to be optimistic
4. References

Anti-forensics and reasons for optimism

Introduction

While anti-forensics has been discussed since about 2002, there is a growing concern that the digital space (disks, RAM, files...) has been lost to the opposition as a viable crime scene.

But I believe there are reasons we, as auditors, should be optimistic. [1] [2] [3] [7] [8]

Some quotes:

“Some say anti-forensics is developing faster. Why? Because what was once only possible for the elite has now washed downstream in the form of automated tools. More or less, anyone can throw trashcans in the path of forensic investigators now that the tools are there to make it all possible." [11]

"This is anti-forensics. It is more than technology. It is an approach to criminal hacking that can be summed up like this: Make it hard for them to find you and impossible for them to prove they found you." [2]

“Police officers [in London’s forensics unit] had two days to examine a computer. So your attack didn’t have to be perfect. It just had to take more than two eight-hour working days for someone to figure out. That was like an unwritten rule. They only had those 16 hours to work on it. So if you made it take 17 hours to figure out, you win.” [2]

The bad news…

The bad guys are better at what they do than us good guys are at what the bad guys do. Why?

1. They have more time.
2. They can be much more focused.
3. They do not operate under the types of restraints or requirements we do.

2. An overview of anti-forensics tools and techniques

Rather than an exhaustive review of the different areas of a disk where information can be hidden, we will look at just a couple that can then be used to illustrate the main point: how anti-forensics works.

First, the landscape…

The typical disk, of any type (fixed, removable, camera cards, cell phone cards…), is organized into many separate areas that each have different intended uses.

Hiding information is all about using those areas in ways other than were intended.

Disk Organization

• Host Protected Area (HPA) - an area of a hard drive that is not normally visible to an operating system (OS) but often used for manufacturer software
• Device Configuration Overlay (DCO) - used for disk metadata, also not visible to the OS
• Unallocated space - space not currently allocated to store a file
• File slack space - the unused space at the end of most files
• Good sectors that are maliciously flagged as bad
• Alternate Data Streams (ADS)

Disk fragmentation

Notice the fragmentation and unallocated space.

2b. The tools and techniques

There are several ways to categorize the anti-forensic efforts. The referenced articles illustrate many of them.

Categories of anti-forensic attention, a variation on Tom Van de Wiele [13]:

1. Data destruction
2. Data hiding
3. Data obfuscation
4. Data encryption
5. Attacking the analyst and the forensic process

1. Data Destruction

This is more than simply deleting a file or its contents. Data destruction is destructively overwriting the material in a file, or elsewhere. The typical name is “wiping”, and there are several published standards detailing how it is to be performed.

• Zeroes
• Pseudo-random numbers
• Pseudo-random & Zeroes
• DoD 5220.22-M (3 passes)
• DoD 5200.28-STD (7 passes)
• Russian Standard – GOST
• B. Schneier’s algorithm (7 passes)
• German Standard, VSITR (7 passes)
• Peter Gutmann (35 passes)
• US Army AR 380-19 (3 passes)
• North Atlantic Treaty Organization – NATO Standard
• US Air Force, AFSSI 5020

Data Destruction (cont)

Tools:

• Eraser - www.heidi.ie/eraser/
• Srm - www.thc.org
• Sdelete - www.microsoft.com/technet/sysinternals/Security/SDelete.mspx
• Darik's Boot and Nuke - dban.sourceforge.net/

2. Data Hiding

Techniques: steganography, unallocated space, file slack space, and ADS

Steganography is the art and science of writing hidden messages in such a way that no one apart from the intended recipient knows of the existence of the message; this is in contrast to cryptography, where the existence of the message itself is not disguised, but the content is obscured. With the advent of digital media, steganography has come to include the hiding of digital information within digital files.

Unallocated Disk Space

3. Unallocated space – storage space not currently allocated to store a file.

File Slack Space

1. Two blocks of 512 bytes (characters) each: a total of 1024 bytes of unallocated space ready to store anything.

2. A new file is written to this space, using all 1024 bytes.

3. Then the file is deleted and the space is again considered unallocated.

4. A new file is created, but does not require all 1024 bytes of space. So only 800 bytes are written, destructively overwriting the first 800 bytes of the deleted file.

This slack space still contains the last 224 characters of the original "deleted" file. This area can be used to store “hidden” material.

File Slack Space

First we check a file to see how much slack space it has.

[root@localhost etc]# bmap --mode slack hosts.allow
getting from block 7489556
file size was: 161
slack size: 3935
block size: 4096

Below is the content of the hosts.allow file, all 161 bytes.

[root@localhost etc]# cat hosts.allow
#
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#

File Slack Space

First we hide some material in the slack space of the hosts.allow file.

[root@localhost etc]# bmap --verbose --mode putslack hosts.allow
stuffing block 7489556
file size was: 161
slack size: 3935
block size: 4096
This is a demonstration of using file slack space. NASACT 2007.

And here we access the material we just hid.

[root@localhost etc]# bmap --verbose --mode slack hosts.allow
getting from block 7489556
file size was: 161
slack size: 3935
block size: 4096
This is a demonstration of using file slack space. NASACT 2007.

File Slack Space

Now we wipe the slack space clean.

[root@localhost etc]# bmap --verbose --mode wipeslack hosts.allow
stuffing block 7489556
file size was: 161
slack size: 3935
block size: 4096

And now the material is gone.

[root@localhost etc]# bmap --verbose --mode slack hosts.allow
getting from block 7489556
file size was: 161
slack size: 3935
block size: 4096

File Slack Space

There were 386,059 bytes of slack space available in the files in the /etc directory alone.

Slack space can be used to store any type of material, including compressed and encrypted material.
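The four-step sequence above and the numbers from the bmap sessions (a 161-byte file in a 4096-byte block leaves 3935 bytes of slack) can be reproduced with a toy model. The Python below is an added example, not code from the slides or from bmap; ToyDisk, slack_report and walk_through are names chosen here, and the "secret " fill pattern is constructed sample content. It models a disk as a flat array of fixed-size blocks, runs the delete-then-overwrite sequence, and then applies the check an examiner would run on a real image: how much slack a file has and whether anything other than fill bytes survives in it. wipe_slack shows why the slack on the last bmap slide reads back empty.

```python
from dataclasses import dataclass, field


@dataclass
class ToyDisk:
    """Flat array of fixed-size blocks plus a directory; a stand-in for a file system (constructed model)."""
    block_size: int
    blocks: bytearray
    files: dict = field(default_factory=dict)   # name -> (first block, logical size)

    @classmethod
    def empty(cls, n_blocks, block_size=512):
        return cls(block_size, bytearray(n_blocks * block_size))

    def write_file(self, name, data, first_block=0):
        """Write only the bytes the file needs; the rest of its last block is left untouched."""
        start = first_block * self.block_size
        if start + len(data) > len(self.blocks):
            raise ValueError("file does not fit on the toy disk")
        self.blocks[start:start + len(data)] = data
        self.files[name] = (first_block, len(data))

    def delete_file(self, name):
        """Deletion drops the directory entry only; the block contents stay in place."""
        del self.files[name]

    def slack_range(self, name):
        """Byte offsets [lo, hi) from the logical end of the file to the end of its last block."""
        first_block, size = self.files[name]
        start = first_block * self.block_size
        blocks_used = -(-size // self.block_size)          # ceiling division
        return start + size, start + blocks_used * self.block_size

    def slack(self, name):
        lo, hi = self.slack_range(name)
        return bytes(self.blocks[lo:hi])

    def wipe_slack(self, name, fill=b"\x00"):
        """What the wipeslack step does: overwrite the slack with a fill byte."""
        lo, hi = self.slack_range(name)
        self.blocks[lo:hi] = fill * (hi - lo)


def slack_report(disk, name, fill=b"\x00"):
    """Examiner's check: how big is the slack, and does it hold anything besides the fill byte?"""
    s = disk.slack(name)
    residue = s.rstrip(fill)
    return {"slack_size": len(s), "residue_size": len(residue), "residue": residue}


def walk_through():
    """The slide's four steps, then the examiner's check before and after a wipe."""
    disk = ToyDisk.empty(2)                                   # 1. two 512-byte blocks, 1024 bytes unallocated
    disk.write_file("old.txt", (b"secret " * 200)[:1024])     # 2. a file fills all 1024 bytes (constructed content)
    disk.delete_file("old.txt")                               # 3. deleted: the space is unallocated again
    disk.write_file("new.txt", b"N" * 800)                    # 4. an 800-byte file overwrites the first 800 bytes
    before = slack_report(disk, "new.txt")                    # 224 bytes of the old file survive in the slack
    disk.wipe_slack("new.txt")
    after = slack_report(disk, "new.txt")                     # the slack now reads back as zeroes
    return {"before_wipe": before, "after_wipe": after}


def bmap_example():
    """The numbers from the hosts.allow session: a 161-byte file in one 4096-byte block."""
    disk = ToyDisk.empty(1, block_size=4096)
    disk.write_file("hosts.allow", b"#" * 161)                # stand-in content of the same length
    return slack_report(disk, "hosts.allow")["slack_size"]    # 3935


if __name__ == "__main__":
    r = walk_through()
    print("slack before wipe:", r["before_wipe"]["slack_size"], "bytes,",
          r["before_wipe"]["residue_size"], "bytes of old content")
    print("slack after wipe:", r["after_wipe"]["residue_size"], "bytes of old content")
    print("hosts.allow slack:", bmap_example(), "bytes")
```

On a real image the same check is run over every allocated file: the slack size is the file system's arithmetic, but the residue is what matters, and a file whose slack holds compressed or encrypted bytes rather than fragments of an older file is exactly the case the previous slide describes.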

NTFS Alternate Data Streams

ADS were created to provide compatibility with HFS, or the old Macintosh Hierarchical File System. The way that the Macintosh's file system works is that they will use both data and resource forks to store their contents. The data fork is for the contents of the document while the resource fork is to identify file type and other pertinent details. [17]

NTFS Alternate Data Streams

(Four slides of screenshots; the images are not preserved in this extraction. See the Streams utility [18].)
3. Data obfuscation

Techniques: metadata ("last modified"), filename suffix, unusual characters

Modification - When the metadata about the file was last modified
Access - When the file was last accessed
Create - When the file was created
Entry modification - When the file's NTFS timestamps in the Master File Table were last modified

Date and time stamps

Command Results

C:\>dir /tc Cain.lnk 07/03/2007  10:12 AM

C:\>dir /ta Cain.lnk 08/28/2007  09:00 AM

C:\>dir /tw Cain.lnk 07/30/2007  01:28 PM

C:\>timestomp Cain.lnk -v
Modified:        Monday 7/30/2007 13:28:43
Accessed:        Tuesday 8/28/2007 9:28:21
Created:         Tuesday 7/3/2007 10:12:10
Entry Modified:  Monday 7/30/2007 13:28:43

From the Metasploit Anti-forensics homepage [10]: Timestomp – the first ever tool that allows you to modify all four NTFS timestamp values: modified, accessed, created, and entry modified.

Date and timestamps (cont)

Command Results

C:\>TimeStomp Cain.lnk -c "Saturday 3/22/2228 5:15:55 AM"

07/03/2007  10:12 AM

C:\>dir /ta Cain.lnk 03/22/2228  05:15 AM

C:\>dir /tw Cain.lnk 07/30/2007  01:28 PM

C:\>timestomp Cain.lnk -v
Modified:        Monday 7/30/2007 13:28:43
Accessed:        Tuesday 8/28/2007 9:28:21
Created:         Saturday 3/22/2228 5:15:55
Entry Modified:  Monday 7/30/2007 13:28:43

Now TimeStomp.exe is used to change the creation date.

-m <date>  M, set the "last written" time of the file
-a <date>  A, set the "last accessed" time of the file
-c <date>  C, set the "created" time of the file
-e <date>  E, set the "mft entry modified" time of the file
-z <date>  set all four attributes (MACE) of the file
-b         set the MACE timestamps so that EnCase shows blanks
-r         same as -b except it works recursively on a directory
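An examiner reading the timestomp -v output on these slides cannot trust the values, but can test them for the inconsistencies that altered timestamps tend to leave behind. The Python below is an added example, not part of the slides or of Timestomp. It parses the two outputs shown above (quoted as they appear on the slides) and flags a timestamp later than a reference date (AS_OF, assumed here to be 1 September 2007, shortly after the demo), a created time later than the last-written time, or a MACE field that is missing from the output (the effect of blanking them). These are leads for a closer look rather than proof: a copied file, for instance, legitimately gets a creation time newer than its modification time.

```python
import re
from datetime import datetime

# One line of "timestomp -v" output, e.g. "Created:   Tuesday 7/3/2007 10:12:10".
LINE = re.compile(
    r"^(Modified|Accessed|Created|Entry Modified):\s+\w+\s+"
    r"(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2})\s*$"
)
FIELDS = ("Modified", "Accessed", "Created", "Entry Modified")

# Reference date for the "in the future" test (assumption: shortly after the 2007 demo).
AS_OF = datetime(2007, 9, 1)

# The two outputs shown on the slides, before and after "TimeStomp Cain.lnk -c ...".
BEFORE = """\
Modified:             Monday 7/30/2007 13:28:43
Accessed:           Tuesday 8/28/2007 9:28:21
Created:              Tuesday 7/3/2007 10:12:10
Entry Modified:     Monday 7/30/2007 13:28:43
"""
AFTER = """\
Modified:                  Monday 7/30/2007 13:28:43
Accessed:                 Tuesday 8/28/2007 9:28:21
Created:                 Saturday 3/22/2228 5:15:55
Entry Modified:            Monday 7/30/2007 13:28:43
"""


def parse_mace(text):
    """Return {field: datetime} for every MACE line that parses; other lines are skipped."""
    stamps = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            stamps[m.group(1)] = datetime.strptime(m.group(2), "%m/%d/%Y %H:%M:%S")
    return stamps


def check_mace(stamps, as_of=AS_OF):
    """List of flags that warrant a closer look; an empty list means nothing stood out."""
    flags = []
    missing = [f for f in FIELDS if f not in stamps]
    if missing:                                    # e.g. values blanked so the tool shows nothing
        flags.append("missing:" + ",".join(missing))
    for name, ts in stamps.items():
        if ts > as_of:                             # a file cannot be touched after the image was taken
            flags.append("future:" + name)
    if "Created" in stamps and "Modified" in stamps and stamps["Created"] > stamps["Modified"]:
        flags.append("created_after_modified")     # also what a plain file copy produces: a lead, not proof
    return flags


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, check_mace(parse_mace(text)) or "no flags")
```

Run against the slide's own data, the "before" record passes cleanly and the "after" record is flagged twice: its creation time is in the future and later than its last-written time. The same checks apply to any timestamp listing, whatever tool produced it; only the regular expression is specific to the timestomp -v layout.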

4. Data encryption

Encryption is used in several ways:

• Encrypt an entire disk
• Encrypt specific files
• Encrypt material before hiding it

Encryption is the process of transforming information (referred to as plaintext) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. The result of the process is encrypted information. [19]

Encryption usually includes file compression.

4. Data encryption (cont)

GnuPG is the GNU project's complete and free implementation of the OpenPGP standard as defined by RFC2440. GnuPG allows you to encrypt and sign your data and communication, and features a versatile key management system as well as access modules for all kinds of public key directories. [14]

TrueCrypt is a free open source on-the-fly encryption (OTFE) program for Microsoft Windows 2000/XP/2003/Vista and Linux. It can create a "file-hosted container" which consists of an encrypted volume with its own file system, contained within a regular file, which can then be mounted as if it were a real disk. TrueCrypt also supports device-hosted volumes, which can be created on either an individual partition or an entire disk. [15]

5. Attacking the analyst

Rather than focus on protecting my data in the ways already discussed, another approach is to make it difficult not only to find evidence, but to tie it to a specific person. Remember the 17-hour rule?

Examples include:

• false leads and misdirection
• backfilling with massive amounts of material
• seeding with virus signatures and suspicious keywords
• dummy files (100 index.dat files scattered around)
• landmines for EnCase and TSK

3. Reasons for Optimism

Many of the reasons for optimism come from the same issue that causes most security risks in the first place - regardless of the technology or its capabilities, there are still "people" using it.

And people have the certain tendencies that you can count on…

3. Reasons for Optimism

1. People are still generally unaware of, or do not care about, anti-forensics. "What do I care, I am not a criminal!" “I have nothing to hide!”

2. People do not use "normal" software effectively, so why expect them to use anti-forensic tools effectively? "I wiped my free-space last month - doesn't that take care of everything I have done since?"

3. People do not perform routine tasks like updates and backups. So, why expect them to use anti-forensic tools frequently enough to be effective?

4. People are not commonly aware of all the areas where forensic analysis can be fruitful (removable media, the different areas of HD space, the different system and application logs...)

3. Reasons for Optimism

5. Automation will compress the 17-hour rule so that 60 analyst hours worth of analysis can be done in 10 hours.

6. Most people do not know what data can be incriminating, where that data is, or which anti-forensic tool to use to eliminate it.

7. The current anti-forensic tools focus on general purpose personal computers. But what about cell-phones, PDAs, jump drives, CDs, backup tapes, key-catchers, backups, off-site email, network servers...

8. None of the current anti-forensic tools "do it all".

9. Most commercial software does not deliver on its hype.

3. Reasons for Optimism

10. Encrypting the “smoking gun”, but saving the password in a cleartext file.

11. Very guessable passwords and keyloggers.

Conclusion

Computer forensics is hard!

Anti-forensics makes it harder!

However, there are plenty of reasons for being optimistic, and really no reason to give up.

“Pessimism never won any battle.” Dwight D. Eisenhower

4. References

[1] Scott Berinato, "How Online Criminals Make Themselves Tough to Find, Near Impossible to Nab", CSO, May 31, 2007. www.cio.com/article/114550

[2] Scott Berinato, "The Rise of Anti-Forensics: New, easy to use antiforensic tools make all data suspect, threatening to render computer investigations cost-prohibitive and legally irrelevant". www.csoonline.com/read/060107/fea_antiforensics.html

[3] Wendel Guglielmetti Henrique a.k.a. dum_dum, "Anti Forensics: making computer forensics hard". http://www.intruders.com.br, ws.hackaholic.org/slides/AntiForensics-CodeBreakers2006-Translation-To-English.pdf

[4] the Grugq, "The Art of Defiling: Defeating Forensic Analysis", Black Hat presentation, 2005. www.blackhat.com/presentations/bhusa-05/bh-us-05-grugq.pdf

[6] Ryan Harris, CERIAS, Purdue University, "Arriving at an Anti-forensics Consensus: Examining How to Define and Control the Anti-forensics Problem", DFRWS 2006. dfrws.org/2006/proceedings/6-Harris-pres.pdf

[7] "Anti-forensic techniques" (anti-forensic techniques try to frustrate forensic investigators and their techniques). www.forensicswiki.org/wiki/Anti-forensic_techniques

[8] Tim Newsham <tim[at]isecpartners[dot]com>, Chris Palmer <chris[at]isecpartners[dot]com>, Alex Stamos <alex[at]isecpartners[dot]com>, Jesse Burns <jesse[at]isecpartners[dot]com>, iSEC Partners, Inc, "Breaking Forensics Software: Weaknesses in Critical Evidence Collection", August 1, 2007, Version 1.1. www.isecpartners.com

[9] Robert Harley, "CD: Jitter, Errors & Magic", May 1990. stereophile.com/reference/590jitter/

[10] Simson L. Garfinkel, Naval Postgraduate School, "Anti-Forensics: Techniques, Detection and Countermeasures". http://www.simson.net/ref/2007/ICIW.pdf

[11] Sonny Discini, "Antiforensics: When Tools Enable the Masses", June 28, 2007. http://www.esecurityplanet.com/best_practices/article.php/3685836

[12] Matthew Geiger, Carnegie Mellon, "Evaluating Commercial Counter-Forensic Tools". [email protected]/2005/proceedings/geiger_couterforensics.pdf

[13] Tom Van de Wiele, CISSP, GCFA, SSCA, [email protected], "BCIE Training – ICT Anti-Forensics". www.uniskill.com

[14] The GNU Privacy Guard. GnuPG is the GNU project's complete and free implementation of the OpenPGP standard as defined by RFC2440. GnuPG allows you to encrypt and sign your data and communication, and features a versatile key management system as well as access modules for all kinds of public key directories. www.gnupg.org/

[15] TrueCrypt. Free open-source disk encryption software for Windows Vista/XP/2000 and Linux. TrueCrypt is a software system for establishing and maintaining an on-the-fly-encrypted volume (data storage device). www.truecrypt.org/

[16] Host Protected Area. en.wikipedia.org/wiki/Host_Protected_Area

[17] Windows NTFS Alternate Data Streams. www.securityfocus.com/infocus/1822

[18] Mark Russinovich, "Streams v1.56", published April 27, 2007. www.microsoft.com/technet/sysinternals/Utilities/Streams.mspx

[19] Encryption, from Wikipedia, the free encyclopedia. en.wikipedia.org/wiki/Encryption