Anti-Forensics Methods and Mitigating Obscured Data
By Brad Hill, Student at Champlain College
What is Computer Forensics?
“The process of applying scientific methods to collect and analyze data and information that can be used as evidence in a court of law” (Nelson, 2010)
Following the trail
Evidence
The Role of Anti-Forensics
• Obfuscate Data Trails
• Prolong an Investigation
• Destroy Evidence
• Hide Information
• Defeat Forensic Software
• Keep Private Information Private
Legacy Methods
• Encryption
• Data Wiping
• Steganography
• Alternate Data Stream
• Hiding in the HPA or DCO
Encryption: Scrambles the contents of a file or message so that it can be read only by someone who has the right encryption key to unscramble it.
Data Wiping: Data erasing tools can zero out areas of a volume and make it next to impossible to recover deleted files.
Steganography: Steganography uses two files to hide data: one is called the carrier file, and the other is the payload or secret message.
Alternate Data Stream: Alternate data streams (ADS) are not visible to most Windows-based applications; a user can attach an ADS to any type of file on their HDD to hide secret information.
Hiding in the HPA or DCO: Portions of the hard disk, such as the Host Protected Area (HPA) and Device Configuration Overlay (DCO), are invisible to the operating system, which makes data stored there harder to delete; open-source software can manipulate these areas to hide information from view.
Other Methods
Timestomp: This tool can be used to alter the Modified-Accessed-Created-Entry (MACE) characteristics of a file.
Transmogrify: This tool can modify the header and extension of any file type, disrupting the hash values of a known file.
Slacker: This tool takes advantage of the slack space left behind when a file does not fill an entire sector or cluster; users can place files of their choosing there.
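A worked illustration of why a Transmogrify-style header change defeats exact hash matching and why the "fuzzy hashing" listed later under Mitigating AF Techniques still recognises the file. This is an added example written for this page, not the tool's code and not a production fuzzy-hash implementation such as ssdeep or sdhash: it uses a simplified content-defined chunking scheme (the window size, divisor and the 2 KB constructed file contents are all assumptions) and compares the chunk-hash sets of a known file against a copy whose first eight header bytes were rewritten.

```python
import hashlib

WINDOW = 7      # bytes hashed at each position (assumed value for the demo)
DIVISOR = 64    # roughly one chunk boundary per 64 bytes on average (assumed)


def content_defined_chunks(data: bytes, window: int = WINDOW, divisor: int = DIVISOR) -> list:
    """Split data at boundaries chosen by the content itself: a boundary falls
    wherever the hash of the trailing `window` bytes is 0 mod `divisor`.
    Editing a few bytes therefore moves only the boundaries near the edit;
    chunks elsewhere stay byte-identical, which is what lets the digest
    recognise a modified copy of a known file. The trailing-window hash is
    recomputed at every position, which is fine for a small demo."""
    chunks, start = [], 0
    for end in range(window, len(data) + 1):
        h = 0
        for b in data[end - window:end]:
            h = (h * 31 + b) & 0xFFFFFFFF
        if h % divisor == 0 and end - start >= window:   # enforce a minimum chunk size
            chunks.append(data[start:end])
            start = end
    if start < len(data):
        chunks.append(data[start:])
    return chunks


def similarity_digest(data: bytes) -> set:
    """Fuzzy digest: the set of (truncated) SHA-256 hashes of each chunk."""
    return {hashlib.sha256(c).hexdigest()[:12] for c in content_defined_chunks(data)}


def similarity(a: bytes, b: bytes) -> float:
    """Jaccard overlap of the two chunk-hash sets: 1.0 identical, 0.0 nothing shared."""
    da, db = similarity_digest(a), similarity_digest(b)
    if not da and not db:
        return 1.0
    return len(da & db) / len(da | db)


def compare_to_known(known: bytes, candidate: bytes) -> dict:
    """Exact cryptographic match (what a plain hash set gives) next to the fuzzy score."""
    return {
        "sha256_match": hashlib.sha256(known).digest() == hashlib.sha256(candidate).digest(),
        "similarity": round(similarity(known, candidate), 2),
    }


def constructed_file(seed: bytes, size: int = 2048) -> bytes:
    """Deterministic pseudo-random bytes standing in for a file's contents (constructed data)."""
    out, counter = b"", 0
    while len(out) < size:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:size]


KNOWN = constructed_file(b"known-file")
TAMPERED = b"NEWHDR!!" + KNOWN[8:]          # header bytes rewritten, body untouched
UNRELATED = constructed_file(b"different-file")

if __name__ == "__main__":
    print("tampered :", compare_to_known(KNOWN, TAMPERED))    # sha256 differs, similarity stays high
    print("unrelated:", compare_to_known(KNOWN, UNRELATED))   # sha256 differs, similarity near zero
```

The exact hash of the tampered copy is useless for matching it against a known-file database, but most of its content-defined chunks are unchanged, so the fuzzy score remains high while a genuinely different file scores near zero. In real triage a maintained fuzzy-hash library replaces this home-grown chunker; the principle is the same.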
Going Diskless: Bootable Media
Virtual Machines (VM): VMs can emulate numerous operating systems; by borrowing a computer's resources, they can leave very few trails to follow.
Evidence Counterfeiting
Rubber Ducky: An inconspicuous USB device that, when attached to a host computer, injects a predetermined payload using a keystroke injection attack platform.
Non-Traditional
Gaming Consoles: With the abundance of gaming consoles owned worldwide, their use as a method of communication is becoming more prevalent and can include the use of steganography techniques (Podhradsky, 2012).
Prolong the Investigation
1) Own Numerous Media Devices
2) Dummy Hard Disk Drive
3) Cloud Storage
4) Uncommon RAID Array
1) Own Numerous Media Devices: Having numerous and varying forms of media devices to search can become cumbersome for an investigator and deplete a department's resources.
2) Dummy Hard Disk Drive: Dummy drives can be used regularly so that they appear to be the HDD actually in use. An investigator discovering the dummy drive won't find incriminating evidence.
3) Cloud Storage: Cloud computing, where people can store information in a remote location, can prolong an investigation because the storage device holding criminal information could be out of state or even out of the country, in places that do not care about US jurisdiction issues.
4) Uncommon RAID Array: Use of uncommon Redundant Array of Independent Disks (RAID) controllers, with unique stripe sizes, order, and endianness, can make the reconstruction of files tedious without the appropriate RAID controller.
Last but not Least
Physical Destruction: Destroying digital evidence physically can be effective but is not a cure-all, as investigators have successfully, albeit expensively, rebuilt intentionally damaged drives.
Hammer: Effective but not permanent.
Industrial Hard Drive Shredder: Permanent.
Mitigating AF Techniques
• The use of “fuzzy hashing” identifies similar files.
• Search log files for application and system activity.
• A look at the $FILE_NAME time could indicate something mischievous has been done if that time occurs after the $STANDARD_INFORMATION creation time.
• Traces of software programs associated with data wiping/hiding imply guilt and require other methods of recovering information, i.e., social engineering.
• Lack of evidence can be evidence in and of itself (Homewood, 2012).
• Finding multiple copies of a file (pictures, audio, etc.) that differ in size could indicate the use of steganography practices.
• Use the suspect's own system to piece together unknown formats.
• Having an inquisitive nature allows an investigator to track unfamiliar challenges associated with anti-forensics.
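The $FILE_NAME versus $STANDARD_INFORMATION comparison from the list above, as an added example that is not part of the presentation. It assumes the MFT timestamps have already been extracted as Windows FILETIME integers (the record dictionaries, paths and timestamp values are constructed for the demo, not real evidence) and adds one further, weaker indicator the slides do not mention: every $STANDARD_INFORMATION timestamp landing on a whole second, which timestamp-setting tools often produce and normal filesystem activity rarely does.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME counts 100-nanosecond intervals since 1601-01-01 UTC.
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    return EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    # timedelta // timedelta yields an exact int, avoiding float rounding
    return ((dt - EPOCH) // timedelta(microseconds=1)) * 10


def timestomp_indicators(rec: dict) -> list:
    """Apply the slide's rule to one MFT entry: a $FILE_NAME creation time later
    than the $STANDARD_INFORMATION creation time is suspicious, because tools such
    as Timestomp rewrite $STANDARD_INFORMATION but leave $FILE_NAME alone.
    Second, weaker indicator (not from the slides): all $STANDARD_INFORMATION
    times being whole seconds. Legitimate sources (FAT media, archive extraction)
    can also produce whole seconds, so this needs corroboration."""
    si_created = filetime_to_datetime(rec["si_created"])
    fn_created = filetime_to_datetime(rec["fn_created"])
    findings = []
    if fn_created > si_created:
        findings.append("FN_CREATED_AFTER_SI_CREATED")
    si_all = (rec["si_created"], rec["si_modified"], rec["si_accessed"])
    if all(ft % 10_000_000 == 0 for ft in si_all):   # 10^7 intervals per second
        findings.append("SI_TIMESTAMPS_WHOLE_SECONDS")
    return findings


def triage(records) -> dict:
    """Return only the entries with at least one indicator, keyed by path."""
    flagged = {}
    for rec in records:
        findings = timestomp_indicators(rec)
        if findings:
            flagged[rec["path"]] = findings
    return flagged


def _ts(y, mo, d, h, mi, s, us=0) -> int:
    return datetime_to_filetime(datetime(y, mo, d, h, mi, s, us, tzinfo=timezone.utc))


def sample_records() -> list:
    """Constructed MFT-style records (hypothetical paths, not real evidence)."""
    return [
        {   # ordinary file: SI and FN creation agree, fractional seconds present
            "path": r"C:\Users\alice\report.docx",
            "si_created": _ts(2013, 5, 2, 9, 15, 30, 123456),
            "si_modified": _ts(2013, 5, 3, 14, 2, 11, 987654),
            "si_accessed": _ts(2013, 5, 3, 14, 2, 11, 987654),
            "fn_created": _ts(2013, 5, 2, 9, 15, 30, 123456),
        },
        {   # SI creation backdated to 2009 with whole-second values; FN still shows 2013
            "path": r"C:\Users\alice\old_notes.txt",
            "si_created": _ts(2009, 1, 1, 0, 0, 0),
            "si_modified": _ts(2009, 1, 1, 0, 0, 0),
            "si_accessed": _ts(2009, 1, 1, 0, 0, 0),
            "fn_created": _ts(2013, 5, 2, 10, 0, 0, 654321),
        },
        {   # SI and FN agree, but every SI time is a whole second: weaker indicator only
            "path": r"C:\Temp\tool.exe",
            "si_created": _ts(2013, 6, 1, 12, 0, 0),
            "si_modified": _ts(2013, 6, 1, 12, 0, 0),
            "si_accessed": _ts(2013, 6, 1, 12, 0, 0),
            "fn_created": _ts(2013, 6, 1, 12, 0, 0),
        },
    ]


if __name__ == "__main__":
    for path, findings in triage(sample_records()).items():
        print(path, "->", ", ".join(findings))
```

Run over a full MFT export, the first indicator is the one worth chasing: it points at entries whose $STANDARD_INFORMATION times were rewritten after the file already existed. Treat hits as leads to corroborate with log files and application artifacts, as the list above recommends, rather than as proof on their own.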