ABSTRACT
Attackers have used many methods over the years to keep forensic investigators from finding evidence; a classic example is wearing gloves during a crime to defeat fingerprint tracing by investigators. Now that computer forensics, which deals with digital data, has become central to investigations, anti-forensics has come into existence in response: a collection of tools and techniques that criminals can use to destroy digital evidence or to hide it from being retrieved by investigators.
It is an accepted fact that anti-forensic techniques are widely used, with the ultimate goal of challenging investigators. In return, investigators gain considerable knowledge about the drawbacks of the forensic tools currently in use, which helps in developing an error-free forensic tool.
In this project, the traditional anti-forensic techniques are investigated, namely hiding data with cryptographic approaches, masking, changing file attributes, and renaming a file to an unreadable extension, by building an anti-forensic prototype and running test cases against the currently available forensic tools FTK and ProDiscover.
Finally, the impact of the developed anti-forensic tool on these forensic tools is reported, together with comparative results against DiskOff, the previous version of the tool, which implements other methods such as cloning and deleting files.
ACKNOWLEDGEMENT
My experience of successfully completing this graduate project became possible because of the never-ending support and guidance of Dr. Mario Garcia, Professor of the Department of Computing Sciences, Texas A&M University – Corpus Christi.
I am very thankful to Dr. Longzhuang Li, Texas A&M University – Corpus Christi, for being part of my project as a committee member. His supportive suggestions helped me to complete this project successfully.
I am very thankful to Dr. David Thomas, Associate Professor of Computing Sciences, Texas A&M University – Corpus Christi, for his support in completing my project report and proposal to all the document standards, and also for his valuable suggestions and attention, which helped me to complete my project on time.
I am very thankful to Srilakshmi for her support in the completion of this project; she provided me all the details about the previous version of the tool, which helped me a lot to use my time effectively in completing this project.
My sincere heartfelt thanks to all the faculty and staff of the Department of Computing Sciences for helping me to complete this project.
Last but not least, I would like to thank my parents and family, who provided the much-needed moral support and boosted me in reaching the successful completion of the project.
TABLE OF CONTENTS
Abstract ........................................................................ ii
Acknowledgement ................................................................. iii
Table of Contents ............................................................... iv
List of Figures ................................................................. vii
List of Tables .................................................................. ix
1. Introduction
   1.1 Computer Forensics and Anti-Forensics .................................... 1
   1.1.2 Anti-Forensics Goals ................................................... 2
   1.2 Anti-Forensics Methods ................................................... 3
      1.2.1 Data Destruction .................................................... 4
      1.2.2 Data Hiding ......................................................... 7
         1.2.2.1 Encryption ..................................................... 7
         1.2.2.2 Steganography .................................................. 9
      1.2.3 Trail Obfuscation ................................................... 9
      1.2.4 Attacks Against Computer Forensics ................................. 10
   1.3 History ................................................................. 11
      1.3.1 Background and Related Work ........................................ 12
   1.4 Objective ............................................................... 13
   1.5 Rationale ............................................................... 14
2. Narrative ................................................................... 15
   2.1 Problems from the Investigator's Approach ............................... 15
      2.1.1 Scope .............................................................. 15
   2.2 Functionalities of Anti-Forensic Tools .................................. 16
   2.3 Reducing the Effectiveness of Anti-Forensic Methods ..................... 16
3. Proposed System Design ...................................................... 18
   3.1 Framework ............................................................... 18
   3.2 Proposed Mechanism ...................................................... 20
4. Functionalities of the Tool ................................................. 21
   4.1 Encryption .............................................................. 22
   4.2 Camouflage .............................................................. 23
   4.3 Change File Properties .................................................. 27
   4.4 Renaming ................................................................ 29
5. Testing and Evaluation ...................................................... 30
   5.1 Forensic Tools Used ..................................................... 30
      5.1.1 FTK ................................................................ 30
      5.1.2 ProDiscover ........................................................ 31
   5.2 Testing Methodology ..................................................... 32
      5.2.1 Analyzing Using FTK ................................................ 35
      5.2.2 Analyzing Using ProDiscover ........................................ 43
6. Results ..................................................................... 54
7. Conclusion .................................................................. 56
8. Future Work ................................................................. 57
Bibliography and References .................................................... 58
Appendix A. Definition of Tools ................................................ 60
LIST OF FIGURES
Figure 1: Framework ............................................................ 19
Figure 2: Snapshot of the prototype application developed ...................... 21
Figure 3: Encryption Window in Encachare Application ........................... 22
Figure 4: Camouflage Window in Encachare Application ........................... 23
Figure 5: Hiding data using Encachare Application with Camouflage .............. 24
Figure 6: Searching for Hidden Files using Encachare Application ............... 25
Figure 7: Unhiding using Encachare Application for Camouflage .................. 26
Figure 8: Change File Properties Window in Encachare Application ............... 27
Figure 9: After Applying File Attributes to File ............................... 28
Figure 10: After Renaming using Encachare Application .......................... 29
Figure 11: File Selection for Encryption in Encachare .......................... 32
Figure 12: After Encryption using Encachare Application ........................ 33
Figure 13: Before Encryption Content in Text File .............................. 34
Figure 14: After Encryption Content in Text File ............................... 34
Figure 15: FTK Case Information ................................................ 35
Figure 16: FTK Processing ...................................................... 36
Figure 17: FTK Result Page After Encryption .................................... 37
Figure 18: Before Renaming the Text File ....................................... 38
Figure 19: FTK Analyzing Renamed Files ......................................... 39
Figure 20: FTK Analyzing the File with Changed Properties ...................... 40
Figure 21: FTK Searching for Camouflage Files .................................. 41
Figure 22: Properties of Image File after Masking .............................. 42
Figure 23: ProDiscover in Action to Investigate ................................ 43
Figure 24: ProDiscover Imaging the Pen Drive ................................... 44
Figure 25: Recovered Files from Pen Drive using ProDiscover .................... 45
Figure 26: ProDiscover Analyzing Renamed Files ................................. 46
Figure 27: ProDiscover Analyzing Files with Altered Attributes ................. 47
Figure 28: ProDiscover Analyzing Camouflage Files on Pen Drive ................. 48
Figure 29: ProDiscover Analyzing Encrypted Files ............................... 49
Figure 30: First Look of DiskOff ............................................... 50
Figure 31: DiskOff Cleaning User Data .......................................... 51
Figure 32: Deleting Files Using DiskOff ........................................ 52
Figure 33: Cloning Files Using DiskOff ......................................... 53
LIST OF TABLES
Table 1: Anti-Forensic Methods ................................................. 4
Table 2: Data Destruction Methods and Security Level ........................... 5
Table 3: Various Exploitations under Anti-Forensic Methods .................... 17
Table 4: Impact on FTK and ProDiscover ........................................ 54
Table 5: Comparison between Encachare and DiskOff ............................. 55
1. Introduction
1.1 Computer Forensics
Computer forensics, also called computer forensic science, belongs to the broader field of digital forensics and focuses on digital media. The word "forensics" essentially means bringing evidence before a court of law, and here it relates mostly to the field of information and network systems. Forensics helps to recover and analyze evidence whenever a wrongful event occurs in a company; the evidence can take any form, from fingerprints to bloodstains on a hard drive [Srilakshmi 2010]. Computer forensics mainly focuses on the tools and mechanisms available for recovering evidence, and it deals largely with hard drives and other digital media [Berghel 2007].
The benefits of computer forensics include providing evidence to support a user's case, helping to determine which devices need to be investigated, determining whether evidence has been modified or tampered with, proving whether the opposing party is "guilty" of wrongdoing, and offering strategies for finding attack traces, which supports the forensic community in presenting findings in a court of law as expert witnesses [Hilley 2007].
Anti-Forensics
Anti-forensics can be described as the counterpart of forensics: a field in which criminals focus on keeping investigators from retrieving the evidence. Anti-forensic attackers have their own tools and mechanisms for defeating a forensic investigation. The goals of an anti-forensic system include avoiding detection, disrupting information collection, increasing the examiner's time, casting doubt on a forensic report or testimony, forcing a tool to reveal its presence, and subverting the tool, that is, using it to attack the examiner or organization. Looking back over the past six to nine years, research in anti-forensics has grown tremendously in both scope and popularity [Hilley 2007].
Anti-forensic tools are mainly used to hide data and to change the metadata of files, which makes it hard for the investigator to detect the evidence. All of these anti-forensic tools and programs are available on hacker websites [Harris 2006]. Tools are being developed with modest goals, including a user-friendly interface, which makes them easy for hackers to adopt, so that even new hackers can confuse investigators in a very short time [Berghel 2007].
1.1.2 Anti-Forensics Goals
There are four important goals that deserve the most attention when a tool is developed; they are as follows:
- Make it impossible for the investigator to detect that the event happened.
- Prevent the investigator from detecting the evidence needed to collect information.
- Force the investigator to spend more time detecting the event.
- Cast doubt on a forensic report or testimony [Liu and Brown 2006].
Other goals might include:
- Make the forensic tool attack the system instead of retrieving the evidence.
- Leave no evidence that an anti-forensic tool was used [Harris 2006].
1.2 Traditional Anti-Forensics and Methods
In the field of digital forensics there is frequent debate about the goals of anti-forensics and the purpose of using anti-forensic tools and methods. Most people believe that anti-forensic tools are harmful to use and even to design; others believe they can be used to educate investigators. This was first noted at the 2005 Black Hat conference by the authors of the anti-forensics community, who concluded that anti-forensic tools help in developing new, more efficient forensic tools and improve the efficiency of investigators [Srilakshmi 2010].
Anti-forensic tool developers follow a set of policies and rules that include state laws, manpower, time, and the cost involved in developing the tool. Every piece of evidence in digital form should be valid and reliable; these properties are considered and confirmed by the federal community. If the evidence is not valid and reliable, it is treated as hearsay.
Much research has been done on how anti-forensic methods gained importance, and the finding is that their lightweight implementations and simple user interfaces allow a novice user to learn a tool in no time. Based on these studies, anti-forensics has been classified into different methods, called sub-categories.
Anti-forensic methods have become prominent recently and are divided into many sub-fields in order to classify the different sets of tools available for each area. According to [Rogers 2005] these sub-fields fall into four types: destruction, hiding, preventing the creation of evidence, and counterfeiting data. Another scholar classified the categories as data hiding, trail obfuscation, and attacks against the tools themselves [Rogers 2005]. Although the two classifications use their own terms, they are similar; for example, "hiding" and "data hiding" carry the same sense, and the other categories correspond in the same way. Some of the methods that are truly challenging for investigators are discussed in this research.
Table 1. Anti-Forensic Methods [Rogers 2005]
1.2.1 Data Destruction
The most basic and traditional anti-forensic method is destruction, which makes investigation impossible by destroying everything so that no evidence remains. It falls into two types: physical destruction of data and logical destruction of data.
Physical destruction of data is possible by brute force and also with tools built around magnets, for example degaussing the media, which uses a magnetic field to destroy the data [Rogers 2005].
Data can also be destroyed by destroying the platters of the hard disk, which involves shredding, smashing, and grinding them. Dipping a platter in acid also destroys the data completely.
Logical destruction is the other approach used in anti-forensics; it is implemented by significantly changing the information on the media. Some of the data destruction methods are explained in this research.
The easiest way to destroy data is to overwrite it on the drive. Studies currently state that data must be wiped many times to remove all traces, but this is not true: on a modern disk drive even a single pass makes the data unavailable. Wiping is a technique that uses both software and hardware resources to overwrite every bit of the data. Wiping is more effective than simply deleting the files from a system [Harris 2006].
Table 2. Data Destruction Methods and Security Level [Rogers 2005]
Wiping is one of the techniques used for data destruction. It can be done in many ways, but they all have in common that the data is overwritten at least once. The tools currently available to investigators cannot recover overwritten data. An electron microscope can be used to find the previous state of the media and recover the data, but very few investigators have access to such a microscope, so this is not a widely applicable way of recovering data [Bryan 2006].
File wiping, also called secure deletion, deletes files by overwriting their data, which makes the data unrecoverable from the disk in the future. In this process it deletes all the files on the hard disk [Satya Harini 2010].
Slack space is the unused space at the end of a file that is only partially overwritten; wiping its contents alters the data there without changing the contents that were already present. Once wiping is performed on the slack space, the data is no longer available or recoverable [Garfinkel 2006].
Tools Available for Destruction:
In this section two of the most popular destruction tools are discussed: Klismafile and Necrofile. Necrofile is a tool for dirty-inode selection: it lists all dirty inodes that meet a common time criterion for deletion and scrubs those inodes, leaving no evidence for forensic investigators.
Klismafile is another destruction tool; it removes directory entries by checking for deleted entries in a directory and overwriting them, using regular expressions to select them [Srilakshmi 2010].
1.2.2 Data Hiding
This is a sub-field of anti-forensics that is used prominently by attackers in both the networking and digital forensics fields. This project is based on data hiding, which conceals evidence from investigators so that the data is difficult to find and to use in a later forensic investigation, making the situation more challenging [Anti-Forensics 2010].
Data hiding is further divided into categories, which are classified and explained in this research. Currently the field of data hiding includes steganography, encryption, and many other techniques that use software or hardware.
When several methods are combined to hide data, retrieving the evidence becomes even more difficult for investigators, which can become a real challenge [Bryan 2006].
Cryptography and steganography are very efficient techniques in anti-forensics, and cryptography is the more reliable for hiding information. There are, however, forensic tools used by investigators that can detect and read encrypted data once the key is obtained, which may be possible, for example, through spyware or other covert channels [Berghel 2007].
1.2.2.1 Encryption
Encryption is a sub-field of cryptography and is widely used by attackers to challenge forensic investigators. Most forensic experts consider encryption a nightmare for forensic investigations. Many encryption-based techniques are available today, and most rely on a key to open the content of the data. This makes it impossible to find the data until the correct key is known [Anti-Forensics 2010].
File-level encryption is limited to encrypting the files themselves; it leaves all of a file's attributes, such as name, size, date modified, and last accessed, unencrypted. The file can also be reconstructed by joining the parts of it that are available in temporary files, swap files, and unencrypted copies left on the system. Encryption combined with any other anti-forensic technique makes the forensic retrieval of evidence very difficult, and the wide spread of such combined tools creates many disadvantages for digital forensics.
The effect of encryption on digital data in a forensic investigation depends mainly on what type of data is encrypted and how the procedure is implemented. An investigator without the key cannot decrypt the data, and a traditional brute-force search for the key would take many years to compute. So it is better for the investigator to follow other methods, such as using a keystroke logger or checking the system memory for the decryption key [Hong/Lee/Chang 2007].
Currently most encryption techniques are found on Windows-based systems; other operating systems such as Mac OS and Linux use partition-level encryption, in which only selected pieces of data on the hard drive are encrypted, and all of that encrypted data looks like random bits until it is decrypted with the key. These random bits can even be hidden in space that is not allocated as drive space; such hidden data cannot be detected easily unless the investigator searches for it carefully, and even when the investigator finds traces of the random bits, the data cannot be accessed until the decryption key is known [Satya Harini 2010].
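Sections 1.2.1 and 1.2.2.1 describe two observable effects that an examiner can look for during triage: overwritten (wiped) regions become uniform, while encrypted data looks like random bits. The following Python script is an added example and is not code from this report or from the Encachare prototype; the sample disk regions are constructed inside the script, and the entropy thresholds are assumptions chosen for illustration.

```python
import math
import random
from collections import Counter

# Constructed sample "disk regions" (not taken from the report): a zero-filled
# block as left by a simple wipe, a block filled with a repeating pattern,
# a block of pseudo-random bytes standing in for ciphertext, and plain text.
_rng = random.Random(1234)  # fixed seed so the samples are reproducible
SAMPLES = {
    "wiped_zero": bytes(4096),
    "wiped_pattern": b"\x55\xaa" * 2048,
    "ciphertext_like": bytes(_rng.getrandbits(8) for _ in range(4096)),
    "plaintext": (b"Quarterly report for the audit committee. " * 100)[:4096],
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant block, up to 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def classify_region(data: bytes) -> str:
    """Coarse triage label for a block of bytes.

    The rules are assumptions for this example, not values from the report:
    - a block with at most two distinct byte values is treated as overwritten (wiped);
    - entropy above 7.5 bits/byte is what encrypted or compressed data looks like;
    - anything else is treated as ordinary structured data (text, documents).
    """
    if len(set(data)) <= 2:
        return "wiped"
    if shannon_entropy(data) > 7.5:
        return "encrypted-or-compressed"
    return "structured"


def triage(samples: dict) -> dict:
    """Label every sample region; returns {name: label}."""
    return {name: classify_region(blob) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, label in triage(SAMPLES).items():
        print(f"{name:16s} entropy={shannon_entropy(SAMPLES[name]):.2f} -> {label}")
```

The classifier deliberately reports encrypted, compressed, and random-pattern-wiped regions under one label: by entropy alone they are indistinguishable, so a high-entropy region is a lead for the examiner to follow up (file headers, surrounding metadata, key material in memory as the text above suggests), not a conclusion.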
1.2.2.2 Steganography
Steganography is another sub-field of data hiding in anti-forensics. Messages are hidden in such a way that nobody except the sender and the receiver knows that the hidden file exists. Usually the files are hidden inside other files, such as an image file or an MP3 file; they can also be hidden inside a video file that still presents itself as an ordinary video, a practice generally called masking. Most investigators and forensic experts believe this type of hiding is still not prominent, but the fact is that when steganography is used it is very hard to detect [Bin Liu 2006].
Steganography differs from cryptography and has its own importance in data hiding; the only similarity is that both are used for hiding. Nowadays the data is hidden after being encrypted with specific algorithms, so the patterns look simple. The formats supported by steganography include BMP, JPEG, GIF, WAV, MP3, and others [Shawn 2007].
The most prominent steganography tools currently available are Steganos, S-Tools, Steghide, JPHide, Hiderman, and others.
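One common way of masking a file inside an image is to append it after the carrier's end-of-image marker, so that viewers still display the image while the payload rides behind it. An examiner can check for that without any steganography-specific tool. The following Python is an added example, not code from this report; the PNG and JPEG skeletons are constructed in the script, and the checker only detects appended data, not least-significant-bit embedding inside the pixels.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"


def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialize one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def minimal_png() -> bytes:
    """A constructed 1x1 greyscale PNG (IHDR, one IDAT, IEND)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one grey pixel
    return (PNG_SIGNATURE + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b""))


def minimal_jpeg() -> bytes:
    """A constructed JPEG skeleton: SOI, one APP0 segment, EOI."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return JPEG_SOI + b"\xff\xe0" + struct.pack(">H", len(app0) + 2) + app0 + JPEG_EOI


def _jpeg_end(data: bytes) -> int:
    """Offset just past the real EOI marker. Segments are walked rather than
    searching for FFD9 from the end, so a payload containing FFD9 (or an EXIF
    thumbnail with its own EOI) does not fool the check. -1 if malformed."""
    pos = 2  # after SOI
    while pos + 2 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == 0xD9:                                   # EOI
            return pos + 2
        if marker == 0xD8 or marker == 0x01 or 0xD0 <= marker <= 0xD7:
            pos += 2                                         # standalone markers
            continue
        if pos + 4 > len(data):
            return -1
        pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == 0xDA:                                   # SOS: skip entropy-coded data
            while pos + 1 < len(data) and not (
                data[pos] == 0xFF and data[pos + 1] != 0x00
                and not 0xD0 <= data[pos + 1] <= 0xD7
            ):
                pos += 1
    return -1


def trailing_bytes(data: bytes) -> int:
    """Number of bytes that follow the image's end marker (0 for a clean file,
    -1 when the data is not a recognisable PNG or JPEG)."""
    if data.startswith(PNG_SIGNATURE):
        pos = len(PNG_SIGNATURE)
        while pos + 8 <= len(data):
            length = struct.unpack(">I", data[pos:pos + 4])[0]
            ctype = data[pos + 4:pos + 8]
            pos += 12 + length  # length field, type, data, CRC
            if ctype == b"IEND":
                return len(data) - pos
        return -1
    if data.startswith(JPEG_SOI):
        end = _jpeg_end(data)
        return len(data) - end if end > 0 else -1
    return -1


if __name__ == "__main__":
    print("clean png :", trailing_bytes(minimal_png()))
    print("masked png:", trailing_bytes(minimal_png() + b"constructed payload"))
```

Run over a directory of carrier files, a non-zero result is a strong lead: legitimate encoders stop at IEND or EOI, so anything after the marker was put there by something else and deserves to be carved out and identified on its own.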
1.2.3 Trail Obfuscation
The main goal of trail obfuscation is to confuse the forensic investigator or divert the investigator from retrieving the evidence. It has its own methods and tools for confusing the investigator: log cleaners, spoofing, and zombie accounts.
Recently the Metasploit project developed a tool called "Timestomp" that can modify timestamps such as date created, modified, and last accessed; in this way a file can be made unusable as evidence in a court of law. The other Metasploit trail-obfuscation tool is named "Transmogrify", and it can change a file from one extension to another, for example turning a document file into an image file. When forensic investigators run a tool on the drive, they see these changed files as regular files [Anti-Forensics 2011].
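Both kinds of change described above leave checkable traces: a file's leading bytes should agree with its extension, and its MACE times should be internally consistent. The script below is an added example (not code from this report or from the Metasploit project) of the checks an examiner can run; the signature table is a small assumed subset, the sample files are constructed in a temporary directory, and the timestamp rules are heuristics, in particular the zero sub-second check, which assumes a filesystem that records sub-second precision as NTFS does.

```python
import tempfile
from datetime import datetime
from pathlib import Path

# Assumed subset of magic-byte signatures and the extensions each normally carries;
# a real signature table is far larger.
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", {".png"}),
    (b"\xff\xd8\xff", {".jpg", ".jpeg"}),
    (b"%PDF-", {".pdf"}),
    (b"PK\x03\x04", {".zip", ".docx", ".xlsx", ".pptx", ".jar"}),
    (b"MZ", {".exe", ".dll"}),
]


def identify(header: bytes):
    """Return (magic, expected_extensions) for the first matching signature."""
    for magic, exts in SIGNATURES:
        if header.startswith(magic):
            return magic, exts
    return None, set()


def extension_mismatch(path) -> bool:
    """True when the content belongs to a known format but the extension is not one
    that format normally uses (e.g. a zip container renamed to .jpg). Files whose
    signature is unknown are not flagged; they need a fuller table or manual review."""
    path = Path(path)
    with open(path, "rb") as fh:
        header = fh.read(16)
    magic, exts = identify(header)
    return magic is not None and path.suffix.lower() not in exts


def timestamp_anomalies(created: datetime, modified: datetime, accessed: datetime) -> list:
    """Heuristics (assumed for this example) for tampered MACE times:
    - modified or accessed earlier than created: normal for files copied between
      volumes, so a lead rather than proof;
    - all three with zero sub-second parts: typical of tools that set times at
      one-second granularity while the filesystem itself records finer ticks."""
    findings = []
    if modified < created:
        findings.append("modified-before-created")
    if accessed < created:
        findings.append("accessed-before-created")
    if created.microsecond == modified.microsecond == accessed.microsecond == 0:
        findings.append("second-granularity-timestamps")
    return findings


def demo_signatures() -> dict:
    """Write constructed files to a temp directory and run the signature check."""
    samples = {
        "photo.jpg": b"PK\x03\x04" + b"\x00" * 60,            # zip container renamed
        "report.txt": b"\x89PNG\r\n\x1a\n" + b"\x00" * 60,    # PNG renamed to .txt
        "notes.txt": b"Meeting notes, nothing unusual here.\n",
        "image.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 60,
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in samples.items():
            Path(tmp, name).write_bytes(content)
        return {name: extension_mismatch(Path(tmp, name)) for name in samples}


def demo_timestamps() -> dict:
    """Two constructed MACE triples: one plausible, one backdated at second granularity."""
    plausible = (datetime(2010, 5, 1, 12, 0, 0, 123456),
                 datetime(2010, 5, 2, 9, 30, 0, 654321),
                 datetime(2010, 5, 2, 9, 31, 0, 1))
    suspicious = (datetime(2010, 5, 1, 12, 0, 0),
                  datetime(2009, 1, 1, 0, 0, 0),
                  datetime(2010, 5, 2, 0, 0, 0))
    return {"plausible": timestamp_anomalies(*plausible),
            "suspicious": timestamp_anomalies(*suspicious)}


if __name__ == "__main__":
    print(demo_signatures())
    print(demo_timestamps())
```

Zero sub-second values also occur legitimately, for instance on files that originated on a FAT volume, and a creation time later than the modification time is what every copied file looks like, so both findings are triage signals to be corroborated with other evidence (the file-name attribute times, log entries, the content itself) rather than conclusions.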
1.2.4 Attacks against Computer Forensics
Recently anti-forensics has developed a new way of attacking investigators: making the forensic tools themselves inefficient. This approach came into existence after the traditional methods such as deleting or destroying data, hiding approaches such as encryption and steganography, and trail obfuscation [Garfinkel 2006]. Examples of forensic tools that are the targets of attackers are EnCase, FTK, and ProDiscover [Dixon 2005].
[Palmer 2005] defines six phases, each of which is a possible scenario for attacking forensic tools; they are as follows:
1. Identification is the method by which the investigator learns of the existence of a problem that needs investigation. Obscuring the incident, or hiding the nexus between the digital device and the event under investigation, can undermine this phase.
2. Preservation is the second phase described by Palmer, in which the integrity of the evidence is maintained. Casting doubt on the integrity of the evidence retrieved by the investigator undermines this phase.
3. Collection is the third phase and concerns how the data is gathered from the available evidence. This phase is undermined when the tools used to gather data are called into question and when the data collected is incomplete.
4. Examination is the fourth phase and concerns how the data is viewed. This phase can be undermined when tools are inefficient, perform poorly, or are not scientifically valid.
5. Analysis is the means by which an investigator draws conclusions from the evidence. This phase relies on the tools, the investigative prowess of the examiner, and the rest of the evidence that was found. If a case hinges solely on digital evidence, the interpretation of the evidence is the part most open to attack.
6. Presentation refers to the methods by which the results of the digital investigation are presented to the court, jury, or other fact-finders. If the evidence is otherwise solid, anti-forensic tools and methods will be used to attack the reliability and thoroughness of the reports, or the examiner [Kessler 2006].
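Table 3 later in this report lists archive/image bombs among the attacks on the tools themselves: an archive that inflates to an enormous size when a tool expands it can crash or stall the examination software (the "improperly designed software may crash" entry). The following Python is an added example, not code from this report, of the check a tool should make before expanding an archive. It reads the central directory to compute the inflation ratio without extracting, and then falls back to a byte-capped streaming extraction because the declared sizes can themselves be forged. The size limits and the two sample archives are constructed for the example.

```python
import io
import random
import zipfile

MAX_RATIO = 100                  # assumed policy: refuse archives that inflate more than 100x
MAX_TOTAL = 512 * 1024 * 1024    # assumed policy: refuse archives that would expand past 512 MiB


def inspect_zip(blob: bytes) -> dict:
    """Report declared compressed/uncompressed sizes and the inflation ratio using
    only the central directory (nothing is decompressed), plus the policy verdict."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        infos = zf.infolist()
    compressed = sum(i.compress_size for i in infos)
    uncompressed = sum(i.file_size for i in infos)
    ratio = uncompressed / compressed if compressed else float("inf")
    return {
        "entries": len(infos),
        "compressed": compressed,
        "uncompressed": uncompressed,
        "ratio": ratio,
        "safe_to_extract": ratio <= MAX_RATIO and uncompressed <= MAX_TOTAL,
    }


def bounded_extract_size(blob: bytes, cap: int) -> int:
    """Decompress member by member, counting bytes, and stop as soon as the cap is
    exceeded. Returns the true inflated size, or -1 if the cap was hit. This is the
    robust check: it does not trust the sizes written in the archive headers."""
    total = 0
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            with zf.open(info) as member:
                while True:
                    chunk = member.read(65536)
                    if not chunk:
                        break
                    total += len(chunk)
                    if total > cap:
                        return -1
    return total


def build_sample(payload: bytes, name: str = "data.bin") -> bytes:
    """Constructed archive for the demonstration (not an artefact from the report)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


_rng = random.Random(7)
# Incompressible bytes standing in for an ordinary file (ratio close to 1).
ORDINARY = build_sample(bytes(_rng.getrandbits(8) for _ in range(8192)))
# 20 MiB of zeros deflates to a few KB: a small archive that inflates enormously.
INFLATING = build_sample(bytes(20 * 1024 * 1024))


if __name__ == "__main__":
    for label, blob in (("ordinary", ORDINARY), ("inflating", INFLATING)):
        report = inspect_zip(blob)
        print(f"{label}: {len(blob)} bytes on disk, ratio {report['ratio']:.0f}x, "
              f"safe={report['safe_to_extract']}, "
              f"bounded={bounded_extract_size(blob, 1024 * 1024)}")
```

The header-based check is cheap and catches the common case; the streaming check is what actually protects the examiner's workstation, since a forged central directory can claim any sizes it likes. Nested archives (a zip inside a zip) need the same cap applied at every level.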
1.3 History
Formerly, anti-forensics received little attention, because most networks were internal and private. The computers used in forensics then were largely isolated from law enforcement, passwords, and confidential business data. Since then the internet has become the primary medium for business intelligence and data sharing. Anti-forensics has therefore gained importance and become a focus area, which helps in securing networks and companies from the external environment. As they have grown, computer operating systems and their applications have produced large amounts of information about the user's actions. All of these records have become a very important source of confirmation, alongside the concentration on legal discovery and investigation. In the same period, awareness among users has increased; for example, users learned that deleting documents does not mean erasing the data they hold. This knowledge has generated the need for counter-forensic software that developers advertise as securing users' privacy and/or protecting them from penalties for the tasks carried out on the system.
1.3.1 Background and Related Work
It is difficult to distinguish commercial anti-forensic packages from the other anti-forensic utilities associated with attackers. Most of the commercial anti-forensic applications designed so far target the Microsoft Windows operating system, and only some are intended for Unix and Linux platforms. These anti-forensic programs can be categorized into two sets according to their chief goals and ideas, as follows:
- The first set requires domain knowledge about specific operating systems and the structure of their documents in order to track the location of particular documents on a system.
- The other set focuses on removing the information that is tracked on a system. Some of these applications do not just remove information but also perform masking: the application overwrites the erased areas with random values so that the data cannot be recovered by any forensic tool [Matthew 2005].
Initially, anti-forensic methods adopted the general practice of using conventional techniques such as information-thrashing commands and encryption. Over time, digitally stored information has become the main thing relied upon and has significantly influenced many criminal and civil actions. Thus, new methods were required to fight these threats, and they are in high demand among forensic investigators [Scott 2007]. More on the challenges posed by anti-forensic tools that effectively locate and remove targeted information is described in detail in the "Test Results" section of this paper.
1.4 Objective
Digital forensic analysts face a complex job because of the many commercial software tools developed to hide and to track the records of system activities. These counter-forensic techniques have been used to eradicate evidence in criminal and civil legal proceedings, and they represent an area of ongoing concern for forensic examiners [Matthew 2005].
The main aim of this project is to develop a model application that can be used as an anti-forensic tool and to validate its efficacy and accuracy. This is done by evaluating it and testing it against the other commercial anti-forensic methods in a Windows environment.
1. By learning anti-anti-forensic techniques, the vulnerabilities can be appraised and the effectiveness of these techniques will be decreased.
2. Report the problems of anti-forensics by making use of the wide range of available tools on different platforms such as Linux, Windows, etc.
3. Assist forensic tool builders in developing good products; it is also important to guide forensic investigators in learning about those tools.
Moreover, this project concentrates mainly on the performance of the tool and on the masking of information, so that the techniques used in the forensic process cannot retrieve any information that was erased beforehand [Scott 2007].
1.5 Rationale
Given that the conventional research was mostly done in 2004 to 2005, this category of study is relatively recent. In the period 2004-2005 the study of anti-forensics was mainly dissident. Soon after 2006, research established the foundations of definitions, terms, and other activities in anti-forensics. Subsequently the work consisted mainly of explaining complex techniques and procedures and designing tools that counter forensic threats. Considering all these aspects, this project designs a testing framework to examine some of the anti-forensic applications, which could open new directions in building superior forensic applications for investigative purposes.
Presently, government-supported organizations are researching these anti-forensic tools to learn how they work and to take advantage of them in digital forensic examination. This project helps in improving forensic applications by developing a prototype version, and it also overcomes the problems faced with the existing tools. The present methodology of forensic investigation, through examination and attack, has largely resulted in disconnecting the system or powering off the computer, which leads to a post-mortem investigation of the storage medium.
The report highlights all of these anti-forensic applications and their effect on the information. Strong counter-methodologies should handle the persistent vulnerabilities of anti-forensic applications. This project therefore has scope for pointing out all anti-forensic features and functionalities, and methods to overcome the problems they cause by using anti-anti-forensic approaches.
2. NARRATIVE
2.1 Problems from the Investigator's Approach
The process of forensic examination becomes highly complex when a fraudster carries out the attacks. The methods in encryption, steganography, and other threats that are devised every day force digital forensic investigators to think hard about the activities they perform. The present forensic procedures are not strong enough to handle these situations, but the applications studied here will surely make very useful additions. This shows that the present forensic procedure does not rely completely on forensic tools; instead it trusts the knowledge and practice that examiners acquire while examining.
Thus, the need for evaluating and developing anti-forensic applications has increased. Many of the applications that currently exist for commercial use struggle to remove information without leaving any functional traces on the system. To carry this out, an extensive selection of forensic tools is considered and a thorough study is performed of the specific threats they could expose examiners to. This methodology will improve developments by studying the methods to overcome the problems posed by all anti-forensic tools using anti-anti-forensic techniques [Rogers 2005].
2.1.1 Scope
The aim of the project is to provide support for studying the performance of anti-forensic applications by evaluating the use of the tools on real systems across different platforms. Ultimately, this results in documenting the problem scenarios observed in the traditional software applications under various test cases. In addition, comprehensive testing is performed in order to provide a solution to the issues raised by anti-forensic techniques, using anti-anti-forensic commercial tools such as FTK, EnCase, etc.
2.2 Functionalities of Anti-Forensic Tools
The key goal of this project is to help the builders of forensic applications manufacture better products and to guide examiners in carrying out research and understanding the concepts in depth. The scope of the project covers first developing the prototype and then evaluating it by testing. Besides, this project also provides the capability to identify the functional signatures, that is, the loopholes of every application, so that the forensic investigation community can understand them and build better applications for capturing digital evidence. All of these are developed to challenge systems forensic technologists.
2.3 Reducing the Effectiveness of Anti-Forensic Methods
For anti-forensic techniques to work well, they depend on intrinsic problems with the forensic techniques. Anti-forensic attacks usually target the examiners and exploit their dependency on particular applications or procedures [Grugq 2005]. Unfortunately, it is not possible for anyone to fully control these problems or to prevent the falsification of evidence [Rogers 2005]. Nevertheless, if the underlying issues are solved one after another, there are chances of minimizing the vulnerabilities exploited by anti-forensics.
Table 3 explains the various exploitations of methods, which depend on three factors: the human element, tool dependence, and physical/logical limitations.
Table 3: Various Exploitations under Anti-Forensic Methods [Garfinkel 2006]

| Name | Human Element | Tool Dependence | Physical/Logical Limitations |
|---|---|---|---|
| MACE alteration | Investigator may assume accuracy of dates and times | Tools may not function with invalid or missing dates and times | Invalid times and dates make collating information from multiple evidentiary sources difficult or impossible |
| Removing/wiping files | Investigator may fail to examine deleted files | Methods of restoring deleted files are specific to the tool, so effectiveness may vary | Time required to restore wiped file contents may outweigh the evidentiary value of the data it contained |
| Account hijacking | May fail to consider whether the owner of the account was actually the person at the keyboard | Tools may not be capable of extracting information that would aid the investigator | Zombied computers may produce indirection |
| Archive/Image bombs | | Improperly designed software may crash | Useful data might be located in the bomb itself |
| Disabling logs | May not notice missing logs | Software may not flag events | Missing data might be impossible to reconstruct |
Anyone wishing to resolve the problems of anti-forensics will have to understand the real problem in depth. This project makes an effort to explain the meaning of anti-forensics and the increasing trouble that forensic examiners face with the tremendously growing usage of anti-forensic tools, and also how attackers use anti-forensics to combat and undermine forensic study. The tests performed may not always yield useful content, so the examiner of anti-forensics needs to take advantage of the data to learn from the faults, and should always stay up to date with each variation and change happening in the field of anti-forensic tools developed and introduced on today's internet.
3. PROPOSED SYSTEM DESIGN
The project has been designed with four clear goals in mind:
Simplicity: The application is developed so that it can be easily understood and tested by the user, which helps the user define the different implementations of anti-forensics in a declarative way based on the results obtained from this project.
Adaptivity: The application should easily adopt all the testing modules without showing any errors, and any further updating should be supported in order to make the application even more powerful.
Scalability: It should be scalable to all test cases that are implemented by the forensic investigator and should perform well for all of them, leaving no evidence to the forensic investigator.
Light-weight implementation: The application is implemented so that it does not need large hardware resources; it works well even with limited network connectivity, needs very minimal configuration and is very easy to use.
3.1 Framework
The main idea of this project is to develop a tool that is completely based on anti-forensic methods and procedures, compare it with the free tools currently available, and later test it under forensic tools to check the integrity of the prototype developed, where the forensic tools try to defeat the working of the anti-forensic tool.
The main idea for this project is to discover the limitations that exist in the current commercial or free forensic tools, and also to educate forensic investigators about the different types of anti-forensic tools in use and how to react when such a situation arises, because nowadays most people are attracted towards forensic tool development. The figure below explains the procedure that takes place between the attacker and the investigator.
Figure 1: Framework Supported for the Application and the Targets of Use [Srilakshmi 2010]
(Figure content: Client Side: applications, files (including MP3 files and text files) and other storage media; anti-forensic tools. Investigator Side: forensic examiner tools, equipment and techniques; analysis tools: FTK, ProDiscover, TrueCrypt, DiscOff etc. Both sides run on various platforms and file systems: Windows, Unix/Linux, FAT and NTFS.)
On the client side, the one who committed the crime will have several applications, browsers and other files on the disk at the crime scene to be evaluated, along with anti-forensic tools used to damage the digital investigation process. The investigator side, on the other hand, possesses forensic tools and techniques used to acquire evidence. Both types of users work on various platforms and file systems, on which the functionality of the forensic tools should accordingly be well known.
3.2 Proposed Mechanism:
The project is divided into multiple phases. In the first phase an application is developed that works like an anti-forensic tool; this tool is developed by taking reference from tools that are open source and currently in existence. The application developed will be user friendly and simple, so that it can be easily learned even by users who have no computer knowledge. The performance of the application is checked in a later phase, using the forensic tools used by investigators, to check the integrity of the application. The application developed possesses the following requirements:
1. The application should be able to hide all of the information using anti-forensic techniques like steganography and an encryption mechanism.
2. It should be able to hide data from computer forensic tools that try to retrieve the data.
3. It should give better results in terms of both performance and usability.
4. The application will be developed using one well-known programming language with a user-friendly interface.
5. After developing the application, it is tested under many forensic tools that are currently available in order to educate forensic investigators about anti-forensics.
Figure 2: Snapshot of the prototype application developed
4. Functionalities
The application developed has been divided into three phases for hiding the data: encryption, camouflage, and changing file properties. Encryption is the first phase, where the data is encrypted using the SHA algorithm; it converts the data to an unreadable format using a key. The second phase is to mask the data into another file at its tail; this is a very convenient feature for hiding data, because the file looks the same as the original file. The third phase is changing file attributes, where the date last accessed and the name of the file can be modified to throw the investigation off track.
4.1 Encryption:
In this project an encryption algorithm is used to hide the data, where one can hide all kinds of file formats including audio and video files. Encryption converts the text into cipher text using a standard symmetric encryption algorithm: a key is given first, then the file that needs to be encrypted is added from the drive, and then the file can be encrypted, which makes its content unreadable.
To decrypt the content back to the original file, you need to specify the same key that was given at the time of encryption. Be sure to remember the key used to encrypt the file, because if you forget the key you may lose the data forever.
Figure 3: Encryption Window in Encachare Application
4.2 Camouflage:
The second functionality in the application is camouflage, which masks a file, which can be a text file, an audio file or any other kind of file, in an image. It involves an encryption mechanism where the application needs a key to be entered in order to hide the data securely; one can unhide the data when the key is entered, otherwise the data is not found. The strength of this feature is that one cannot determine the existence of the data by simply looking at the file. It has another feature of destroying the source file used for data hiding, leaving no evidence to the observer. Unhiding is done by selecting the file that was used for hiding and giving the specific key that was given when the hiding was done.
Figure 4: Camouflage Window in Encachare Application
Figure 5: Hiding data using Encachare Application with Camouflage
Figure 5 gives a view of how data is hidden in an image file. Here a key, which should not be less than 4 characters, is given at the top of the window. A text file is selected and is then hidden in a JPEG file when the Hide button is clicked.
There are two check boxes: one is used to create a new copy of the mask file while keeping the existing file in its own place, the other is to destroy the source file before hiding.
Figure 6: Searching for Hidden Files using Encachare Application
If the user forgets the file in which the data is hidden, the Encachare application has a feature for searching for a file that has hidden data. To do this, one needs to remember the key that was given at the time the data was hidden.
Figure 7: Unhiding using Encachare Application for Camouflage
Figure 7 explains the unhiding procedure for the camouflage feature, where one needs to select the file in which data is hidden and then specify a folder where the unhidden data is to be placed. There is a check box at the bottom that specifies whether to cut the secret file out of the file that carries the hidden data.
4.3 Change File Properties:
Change file properties is a functionality of the application where file properties such as the date accessed, created and modified can be changed. In this application a file is selected, attributes like hidden, system, read only and more are applied to it, the properties of the file are changed, and then all the changes are applied. The file then carries all the modifications made, which may help when the investigator uses dates as a reference to retrieve the data. It has another feature of renaming the file to another format; files can even be changed to system files, making the content unreadable and leaving the investigator no evidence from simply looking at the file.
Figure 8: Change File Properties Window in Encachare Application
Figure 9: After applying attributes to a file
To apply attributes like accessed, created and modified, one first has to select the file that needs to be changed, then select the properties in the Encachare application and apply the attributes. By following this process the attributes of the file are changed.
4.4 Renaming:
Encachare has another functionality called file renaming, where using this feature the user can change the file to any format; one can make a file into a system file or any video or audio format, etc., which makes the file unreadable and makes it hard to determine what exactly the file is.
Figure 10: After Renaming using Encachare Application
In Figure 10, there is a batch file that has been changed from a text file to a batch file using the Encachare application; if one tries to access the file it gives an error message about an unreadable format. This feature confuses the investigator when looking for files of a specific format.
5. Testing and Evaluation
This project has its own implementation of the functions and is developed under certain procedures. Testing of this application can be done on a desktop or any portable machine with minimum system requirements: it should support all kinds of files and should have a minimum amount of RAM and disk space. The tool developed is compared with the other free anti-forensic tools that are available, and the performance of the application is determined by processing it with forensic tools like ProDiscover and FTK. All the respective anti-forensic tools and forensic tools are installed on the system under a separate user account; the performance of the tools is determined and included in the final results section. Though the other tools do not have the same functionality as the application developed, tools with approximately similar functionality are used to determine the efficiency of the anti-forensic methods.
5.1 Forensic Tools Used
5.1.11 FTK:
This tool is used by most investigators to retrieve evidence in the field of computer forensics; it is a widely used tool and is able to retrieve all the evidence related to files like pictures, documents, and encrypted data. The mechanism this tool follows to retrieve data is to scan the whole hard disk for text strings in order to detect passwords to decrypt the encrypted data [Garfinkel 2006].
5.1.12 Pro-Discover:
This is the second tool used to test the integrity of the anti-forensic application developed. This tool is reliable, and evidence retrieved with it by investigators at a crime scene can be presented in court; it is accepted as evidence in both criminal and civil cases. It has the capability of loading an image into a forensic workstation. This tool gained acceptance from many forensic investigators after its accuracy was tested many times. It generates a SHA1 hash signature after the evidence is retrieved, which helps ensure the gathered data is not modified.
5.2 Testing Methodology
Testing of this application is conducted on a portable drive to check the accuracy of the results. As the application is developed for Windows systems, the portable drive is connected to a Windows system and all the anti-forensic methods are performed on the drive using the application developed. Later the drive is examined with the tools specified in order to check the working of the application. The application deals with hiding data, so it is named Encachare, and its performance is evaluated against the other tools that are available online. Testing is based on factors like the interface of the application and its impact on forensic tools.
Encrypted data can usually be caught by scanning for character strings that exist in the header or footer of a file. FTK can identify the existence of encrypted data, and so can the Password Recovery Toolkit. To find encryption in an image file, FTK processing is run directly on the image and finds whether any data is encrypted. After finding the existence of encrypted data, the investigator must move the data to a separate folder to decrypt it. To decrypt the files one has to know the password; this can be obtained by asking the person who encrypted the data or by using a password recovery toolkit. In this project a standard encryption mechanism has been used which makes decryption impossible and password recovery a nightmare for a password recovery toolkit.
Encachare
Using this application a text file was encrypted on a pen drive, and an investigation was later performed with the FTK tool to find evidence of the encrypted data. After completion of the investigation, the result was that FTK did not recognize the encrypted data, which makes the tool more powerful with the encryption scheme it has followed.
To encrypt a file, the application implements one technique of the symmetric key encryption mechanism. It is very important to remember the key entered to encrypt the data, because once the key is lost the data is lost.
The steps that need to be followed while hiding data using the prototype developed are explained below, and the screenshots taken when the FTK tool was run on the encrypted drive are shown as follows.
Figure 11: File Selection for Encryption in Encachare
Figure 12: After Encryption using Encachare Application
After selecting a file, specify the key that needs to be remembered to encrypt and decrypt the file, and finally click on Encrypt to encrypt the file. In Figure 12 a text file is created and selected; then the user needs to check one of the two boxes in the encryption window, one to apply the changes to the source file itself and the other to destroy the source file and create a new one.
Figure 13: Before Encryption Content in Text File
Figure 14: After Encryption Content in the Text File
In this way the user can encrypt all file formats into an unreadable format using a specific key. Encachare performs many functions during encryption, like destroying the source file after encryption; one can even change the file format by renaming.
Now, after this encryption, the next step of the plan is to test with the forensic tool to find traces of the encrypted data using FTK. This involves several steps and takes more time, as it scans each frame of the disk to retrieve all the evidence from the portable drive, like previously deleted files, any string data to determine the password for the encryption done, and many more operations.
5.2.11 Analysis using FTK:
Figure 15: FTK Case Information
Figure 15 gives the case details, which can be used as a reference for the investigation: details like when the investigation was done, who did the investigation, and where the results are located on the hard drive. This is the first step of the FTK investigation procedure.
Figure 16: FTK Processing
In this process the evidence is added from the local drive, then FTK processing on the drive is performed, and finally, after a certain amount of time, the results page can be retrieved to find the traces of the encryption mechanism.
Figure 17: FTK Result Page After Encryption
On the result page you can see, in the encrypted files tab, that there are no encrypted files on the drive, which leads to the conclusion that FTK did not recognize the existence of encryption by the application prototype developed. Testing results are given completely for the portable drive. FTK was able to display the file as a regular file but does not give any clue for the investigation.
Figure 18: Before Renaming the Text File
Figure 18 gives the user a view of the file chosen for renaming; the skotha.txt file is selected here and then the Encachare application changed the file to another extension.
Figure 19: FTK analyzing renamed files
File renaming is done using Encachare; in this case a PDF file is renamed with a batch extension. Encachare was able to change the extension without problems, but when FTK is run on the portable drive it is able to detect the file with the bad extension and also able to determine the original type of the file. This shows that FTK is capable of finding bad extensions efficiently.
Figure 20: FTK analyzing the files with changed properties
In this test case, a file has been considered and its properties have been changed, like last accessed, last modified and date created. FTK could not show the original dates the file was created, modified and accessed; instead it shows the changed attributes. Whenever the investigator looks for traces on specific dates, this tool can keep the investigation from retrieving the data.
Figure 21: FTK searching for camouflage files
Using the Encachare application developed, the masking of one file into another file has been successfully done; here an MP3 file is hidden in an image file. After running FTK on the portable drive, the result is that it detected the image file as a normal file; it could not determine the hidden content in the file, and even if it could recognize the existence of hidden data, the password would have to be known to retrieve it. This makes retrieval of evidence more complex for the investigator.
Figure 22: Properties of Image File after Masking
Figure 22 shows the properties after performing the masking. Originally the image size was 834 KB; after masking the MP3 file into the image file, properties like the size change. When tested in FTK it is shown as a regular JPEG file.
5.2.12 Analysis using ProDiscover
To retrieve the evidence and evaluate the application developed, the investigation is performed using the ProDiscover tool, and the results obtained are as follows.
Figure 23: ProDiscover in action to investigate
Figure 23 shows the ProDiscover tool at start-up. The figure shows the opening of a new case with the name "anti forensics" and project number 01. With this the investigation using ProDiscover begins, followed by adding the suspect's device for analysis.
Figure 24: ProDiscover imaging the pen drive
Figure 24 shows adding the suspect's device for imaging using ProDiscover. This enables the forensic investigator to choose among the devices connected to the forensic workstation. It gives the investigator the flexibility to choose the location to save the suspect device image. The compression option can be altered depending on the requirement; if the imaging needs a bit-by-bit copy, the compression should be none. ProDiscover also provides a password option to protect the image from being accessed by others.
Figure 25: Recovered files from pen drive using ProDiscover
The first view of the evidence extraction using ProDiscover is shown in Figure 25, where ProDiscover shows all the files and folders extracted. ProDiscover recovers the deleted files and marks them as deleted with a red cross mark. ProDiscover supplies different views of the extracted files, for example tree structure, file view, cluster view, etc.
Figure 26: ProDiscover analyzing renamed files
One of the test cases is to search for files that have been renamed; ProDiscover was unable to detect the files that had been renamed by the Encachare tool. The folder "attribute changes" contains the files that have been renamed using Encachare. These files were recovered as regular files by ProDiscover. The only way to detect those files is with the help of the file attributes, which describe the file access dates and times.
Figure 27: ProDiscover analyzing files with altered attributes
With ProDiscover unable to detect the renamed files, the next way of detecting them is shown in Figure 27, which describes the inability of ProDiscover to recognize the changes made by the Encachare application to file attributes such as the date of creation and last modified date. ProDiscover was also unable to figure out the bad-extension files created by the Encachare application.
Figure 28: ProDiscover analyzing camouflage files on pen drive
Figure 28 gives the user a conclusion about the inability of the tool to discover the file hidden in the image; after testing, it shows the camouflage file as a normal image file.
Figure 29: ProDiscover analyzing encrypted files
Figure 29 clearly shows that the ProDiscover tool is not able to distinguish between a regular file and an encrypted file, which shows that ProDiscover lacks a feature for determining encrypted files.
DiskOff:
Figure 30: First look of DiscOff
Figure 30 shows the first look of the DiscOff application [Srilakshmi 2010]. The DiscOff application provides three basic operations: deleting files, cloning files and masking files.
Figure 31: DiscOff cleaning user data.
DiscOff clears all user data such as cookies, favorites, history, etc., as shown in Figure 31. The user can choose any of the fields to erase completely.
Figure 32: Deletion of files using DiscOff.
Figure 32 shows the file deletion process using the DiscOff application. Normal file deletion just deletes the pointer to the file, which makes the file disappear from the user's device, but DiscOff overwrites the deleted files with garbage values. This overwriting prevents forensic tools from detecting the deleted files.
Figure 33: Cloning operation by DiscOff
DiscOff's ability to clone files overwrites all the free space on the disk. Because of cloning, all the deleted files are deleted permanently, without leaving any traces. The cloning operation is shown in Figure 33.
6. Results
Table 4: Impact on FTK and ProDiscover

| Tool | Change in file attributes | Camouflage | Encrypted files |
|---|---|---|---|
| FTK | Unable to detect the changes to file attributes, but able to point out the files with bad extensions | Unable to detect camouflaged files | Unable to detect the encrypted files |
| ProDiscover | Unable to detect either changes in file attributes or renamed/bad-extension files | Unable to detect camouflaged files | Unable to detect the encrypted files |

Table 4 shows the impact of the Encachare application on FTK and ProDiscover. It gives a complete overview of the test results obtained when the prototype was tested with different test cases against the forensic tools. The testing criteria are based on the individual features of the application and their impact on the forensic tools. When tested with ProDiscover, it could not detect any problem with the hiding techniques implemented, whereas FTK could find the problem with renaming.
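As an added, defender-side example (not code from Encachare, DiskOff, FTK or ProDiscover), the following Python triage checks the three artefacts the test cases above leave behind: an extension that contradicts the file's magic bytes, data appended after a JPEG's end-of-image marker, and a high-entropy file carrying a text extension. The signature table, the thresholds and the sample files are constructed assumptions.

```python
"""Added triage example (defender side, not Encachare or DiskOff code). It looks
for the artefacts the report's test cases leave behind: an extension that
contradicts the magic bytes (the "bad extension" FTK caught), bytes appended
after a JPEG's end-of-image marker (the camouflage file "at the tail", which
also explains the size growth in Figure 22), and a high-entropy "text" file
(symmetric encryption yields near-random bytes). All values are constructed."""
import math
from collections import Counter

# Constructed subset of well-known magic-byte signatures, keyed by extension.
SIGNATURES = {
    "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n", "pdf": b"%PDF-",
    "zip": b"PK\x03\x04", "mp3": b"ID3",
}
TEXT_EXTENSIONS = {"txt", "bat", "csv", "log"}
ENTROPY_THRESHOLD = 7.5     # bits per byte; English text is usually below 5
MIN_SIZE_FOR_ENTROPY = 256  # tiny files give a noisy estimate


def _ext(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def extension_mismatch(name: str, data: bytes) -> bool:
    """True when the extension and the file header disagree."""
    ext = _ext(name)
    if ext in SIGNATURES:
        return not data.startswith(SIGNATURES[ext])
    if ext in TEXT_EXTENSIONS:  # a "text" file with a binary header was renamed
        return any(data.startswith(sig) for sig in SIGNATURES.values())
    return False


def jpeg_end_offset(data: bytes):
    """Offset just past the real EOI marker, or None if the JPEG is malformed.
    Walks the segment structure so an EXIF thumbnail's own EOI is not mistaken
    for the end of the image."""
    if not data.startswith(b"\xff\xd8"):
        return None
    pos, n = 2, len(data)
    while pos + 1 < n:
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xFF:                       # fill byte
            pos += 1
        elif marker == 0xD9:                     # EOI: end of the real image
            return pos + 2
        elif marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            pos += 2                             # standalone markers, no length
        else:
            if pos + 3 >= n:
                return None
            pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")
            if marker == 0xDA:                   # SOS: skip entropy-coded data
                while pos + 1 < n:
                    nxt = data[pos + 1]
                    # inside scan data 0xFF is always followed by 0x00 or RSTn
                    if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                        break
                    pos += 1
    return None


def trailing_bytes(data: bytes) -> int:
    """Bytes appended after a JPEG's EOI marker; 0 for a clean image or non-JPEG."""
    end = jpeg_end_offset(data)
    return 0 if end is None else len(data) - end


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for empty or constant input, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(name: str, data: bytes) -> list:
    """Findings for one file; an empty list means nothing looked odd."""
    findings = []
    if extension_mismatch(name, data):
        findings.append("extension does not match magic bytes")
    extra = trailing_bytes(data)
    if extra:
        findings.append(f"{extra} bytes appended after JPEG EOI")
    if _ext(name) in TEXT_EXTENSIONS and len(data) >= MIN_SIZE_FOR_ENTROPY \
            and shannon_entropy(data) > ENTROPY_THRESHOLD:
        findings.append("high entropy for a text extension (encrypted?)")
    return findings


# Constructed samples. MINIMAL_JPEG is structurally valid: SOI, APP0 (JFIF),
# SOS, a few bytes of scan data with a stuffed 0xFF 0x00, then EOI.
MINIMAL_JPEG = (
    b"\xff\xd8"
    + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"
    + b"\x12\x34\xff\x00\x56"
    + b"\xff\xd9"
)
SECRET = b"constructed secret note hidden at the tail of the image"
CAMOUFLAGED_JPEG = MINIMAL_JPEG + SECRET
RENAMED_PDF = b"%PDF-1.4\n% constructed sample that was renamed from .pdf to .bat\n"
PSEUDO_CIPHERTEXT = bytes(range(256)) * 4   # every byte value equally likely
```

Compressed media such as JPEG or MP3 also score near 8 bits per byte, which is why the entropy check is only applied to extensions that promise plain text.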
Table 5: Comparison between Encachare and DiskOff [Srilakshmi 2010]

| Criteria | Encachare | DiskOff |
|---|---|---|
| Deletion | Not implemented | Deletes the files along with extensions. |
| Encryption | Encrypts the files | No encryption |
| Masking | Ability to mask files of any type and any size using steganographic techniques; any type of file can be used to mask the secret files, and the secret files can be retrieved | Masks the files with garbage values, and masked files cannot be retrieved |
| Cloning | Not implemented | Can clone any number of files. |
| Changing file attributes | Can change date created, date modified and last date accessed. Can also rename the file. | No such implementation |
| Impact on FTK | FTK unable to detect the presence of evidence files even though they exist, but able to detect the bad-extension files. | FTK unable to recover the deleted files |
| Impact on ProDiscover | Unable to detect any files that could be suspected. | Unable to recover any deleted files. |

Table 5 describes the functionalities of both DiscOff and Encachare by comparing the operations performed and the impact on forensic tools. The significant difference between the two applications is that DiscOff implements a delete operation, whereas Encachare does not delete any content but rather hides the files from being detected by forensic investigators. The files deleted using DiscOff cannot be retrieved, but the files hidden by Encachare can be made available again by unhiding them. FTK and ProDiscover were unable to recover the content of files that were hidden by Disk Hide.
7. CONCLUSION
Due to the inefficiency of currently available forensic tools, attackers are implementing different tools that exploit these weaknesses without getting caught by investigators. This project helps investigators determine the different ways attackers can use, where the techniques are based on anti-forensics, which in turn helps in fixing the errors and eradicating the inability of currently available forensic tools to determine the attack.
Many of the currently available anti-forensic tools focus on techniques using either steganography or encryption; the Encachare tool implements both steganography and encryption. Besides this, it also has a unique feature not focused on by many anti-forensic attackers, i.e., changing attributes and renaming the extension of a file.
The main goal of this project is to develop a tool that defeats the investigation process carried out by investigators without getting caught. This tool was tested with the most popular and widely used tools, FTK and ProDiscover, and gave excellent results without leaving evidence. FTK caught only one feature of the Encachare application, i.e., renaming the extension.
Finally, forensic tool developers need to concentrate on the mechanisms implemented in this project in order to protect data, as most companies, like banks, rely mainly on data. Though there are sets of rules available for companies regarding security, it is hard to detect if the attacker is a worker in the company.
8. FUTURE WORK
The vast growth in anti-forensic tools and new techniques has led researchers to discover a variety of tools that are challenging to investigators. Forensic investigators should be educated on the various implementations. This project provides details on things to be improved in the currently existing forensic tools. Future work for this project could be implementing anti-forensic mechanisms that attack the forensic tools themselves and then behave like anti-forensic tools. Future work could also be implementing all the features lacking in currently existing forensic tools like FTK and ProDiscover. The project could also be extended to attacking secured data that involves encryption, to challenge forensic investigators. Finally, research and ongoing study should be part of an attacker's routine in order to keep up to date with changes in the forensic area.
9. BIBLIOGRAPHY & REFERENCES
[Anti-Forensics 2011] Anti-Computer Forensics, available from Wikipedia (visited April 12th 2011).
[Berghel, H. (2007 / Vol. 50, No. 4)] Hiding Data, Forensics, and Anti-Forensics. Communications of the ACM, 15-20, 2007.
[Bin Liu, 2006] "Real-Time Steganography in Compressed Video", 2006.
[Bryan, S. (2006)] Anti-Forensics: Distorting the Evidence, Computer Fraud and Security, May 2006.
[Bragg 2004] Bragg, The Encrypting File System, available from www.technet.microsoft.com (visited April 14th 2011).
[Dixon 2005] An Overview of Computer Forensics, IEEE, Volume 24 Issue 5, IEEE International, 2005.
[Garfinkel, S. (2006)] Anti-Forensics: Techniques, Detection and Countermeasures. 2nd International Conference on i-Warfare and Security, August 2006.
[Harris, R. (2006)] Arriving at an Anti-Forensics Consensus: Examining How to Define and Control the Anti-Forensics Problem. Retrieved December 9, 2010.
[Hilley, S. (2007)] Anti-forensics with a Small Army of Exploits, Digital Investigation, 2007.
[Hong, D. / Lee, S. / Lee, D. / Chang, K. (2007)] A New Anti-forensic Tool Based on Simple Data Encryption, December 8, 2007.
[Kessler, G. (2006)] Anti-Forensics and Digital Investigator, accessed April 2011.
[Mathew, G. (2005)] Evaluating Commercial Counter Forensic Tools, Digital Forensics Research Workshop, 2005.
[Przemyslaw, P. / Pimenidis, E. (2009)] Computer Anti-forensics Methods and Their Impact on Computer Forensic Investigation, Springer-Verlag Berlin Heidelberg, 2009.
[Rogers 2005] Rogers, Anti-Forensics, available from www.cyberforensics.purdue.edu (visited April 14th 2011).
[Srilakshmi, E. (2010)] Implementation of Anti-forensic Mechanisms and Testing with Forensic Methods, December 14, 2010.
[Scott 2007] Scott, The Rise of Anti-Forensics, available from www.csoonline.com/article/221208/The_Rise_of_Anti_Forensics, 2010.
[St. Louis Technology News (2009)] The Dark Side of Anti-Forensics, accessed April 4th 2011.
[Shawn, D. (2007)] An Overview of Steganography, July 2007.
[Satya Harini, R. (2010)] Analysis, Implementation and Testing of Anti-Forensic Techniques, May 2009.
[Sandeep 2010] Implementation of Steganalysis Tool to Detect Steganography in Wireless Forensics Investigations, December 2010.
APPENDIX A. DEFINITIONS OF TOOLS [Srilakshmi 2010]
A-1: Tools which target Internet history, tracks of Internet activities and accounts
Absolute Shield: Absolute Shield Internet Eraser protects privacy by cleaning up
all the tracks of your Internet and computer activities.
Evidence Blaster: It has the capability to clear all browser history, cache, system cookies and other temporary files.
Secure Clean: It securely cleans up all unwanted files and internet clutters which
thereby include the traces of passwords and other personal information.
Tracks Eraser Pro: Tracks Eraser erases the cache, cookies, history, typed URLs,
auto complete memory, index.dat from the browser and temp folder.
A-2: Tools which target computer related entities like logs, timestamps and hashes
Clear Logs: Clear Logs clears the event log (Security, System or Application) that
is specified.
Timestomp: It can be used to modify date and time stamps, thereby falsifying the
validity of the document.
A-3: Tools which target forensic tool vulnerabilities
Evidence Eliminator: Evidence Eliminator quickly and professionally deep cleans
any computer that has sensitive material.
Hash Tool: Hash (Hacker Shell) is a tool to enable people to evade detection
while penetrating a system.
A-4: Tools which target the storage media in hard disk [Grugq 2005]
DBAN: DBAN will automatically and completely delete the contents of any hard
disk that it can detect, which makes it an appropriate utility for bulk or emergency
data destruction.
Declasfy: The program is designed to "wipe" hard disks by writing the entire disk
with 0's and 1's.
Diskzapper: Diskzapper Dangerous automatically begins erasing all the disks as
soon as the booting process is completed.
Eraser: Eraser is a Windows tool that allows you to securely remove files from the
computer's hard drive and securely wipe free space.
Overwrite: Overwrite is a UNIX utility that tries to make data recovery harder.
Wipe: It is a tool that effectively degausses the surface of a hard disk, making it
virtually impossible to retrieve the data.
A-5: Tools which target the hiding of files using encryption and steganography
techniques [Bragg 2004]
BestCrypt: It conceals the data in question by using strong encryption
techniques.
Cryptomite: CryptoMite enables the user to encrypt, decrypt, and wipe files and
folders of any type.
Invisible Secrets: It not only encrypts data but also hides it in places which appear to be
innocent.