8/8/2019 Tuesday Keynote - Anti-Forensics - Henry[1]
1/47
2006 Secure Computing Corporation. All Rights Reserved.
11/15/2007
Anti-Forensics
Paul A. Henry, MCP+I, MCSE, CCSA, CCSE, CFSA, CFSO, CISSP-ISSAP, CISM, CISA, CIFI
Vice President, Technology Evangelism
Secure Computing
Before We Get Started
What is the one thing to date that law enforcement / forensic investigators have always been able to count on?
Criminals by their very nature are (fill in expletive of choice)
Mohammed Atif Siddique sentenced to eight years for possession of terrorism-related items. During his trial the jury had been told by Michael Dickson, a forensics analyst for the National Hi-Tech Crime Unit, that Siddique's laptop computer had contained material placed in a Windows folder where it would be difficult for an inexperienced user to find. The folder in question was c:\windows\options, which is usually present on OEM Windows systems and is used for installation purposes. It is not widely frequented by most computer users, but it's not secret either. Siddique seems not to have encrypted the material, which was described as videos, pictures and sound files "concerned with radical Islamic politics", and which included footage of Osama Bin Laden and the World Trade Center attack.
When police arrested Siddique in April of last year, over 100 police officers were involved in an operation which broke down the door of his family home with a battering ram, closed off roads, and searched adjacent houses and shops. Over 60 officers were involved in the investigation, along with 12 translators and experts from the National High Tech Crime Unit. "Some 34 computers and hard drives were examined. More than 5,000 computer discs and DVDs were removed, along with 25 mobile phones and another 19 SIM cards. Almost 700 documents were taken from the computers and more than 1,000 statements taken."
What We Will Cover
The Rules Are Changing
Creating Reasonable Doubt - Vulnerabilities in Forensic Products
Virtual Environments - Have You Got Your MoJo
The Reality of Plausible Deniability
Vista - Encryption For The Masses
Steganography - Use and Detection
Disk Wiping The Tools Are Getting Scarily Good
What Good are Known Good/Bad Signatures
Metasploit Slacker - Hide tons of data encrypted in slack
Timestomp - So much for MAC
Transmogrify - One Click Defense
Samjuicer - No More DLL Injection
Advanced Anti-Forensics - Everything in RAM
Linux Anti-Forensics - Where The Tools Don't Look
The Rules Are Changing
Admitting computer evidence in the future - a stricter standard?
Lorraine v. Markel - Authentication of electronic evidence
Magistrate Judge Grimm refused to allow either party to offer e-mails in evidence to support their summary judgment motions. He found they failed to meet any of the standards for admission under the Federal Rules of Evidence. The emails were not authenticated but simply attached to the parties' motions as exhibits, as has been a common practice.
In re: Vinhnee, 2005 WL 3609376
A recent decision by a Ninth Circuit Bankruptcy Appellate Panel rejected the prevailing standard for authenticating electronically stored records and imposed stringent requirements that may help defend against computerized evidence in a broad range of cases, including white-collar prosecutions. Although decisions of the Panel, which consists of three bankruptcy judges, are binding precedent only for bankruptcy courts in the Ninth Circuit, Vinhnee's persuasive analysis has the potential to change the use of electronic evidence in other courts.
The trial court turned away the credit card company even though the defendant (debtor) did not even show up or enter any argument, having the company suffer "the ignominy of losing even though its opponent did not show up."
Reasonable Doubt?
EnCase and Sleuth Kit Vulnerabilities
http://www.isecpartners.com/files/iSEC-Breaking_Forensics_Software-Paper.v1_1.BH2007.pdf
Evidentiary Implications of Potential Security Weaknesses in Forensic Software
As with other forensic techniques, computer forensic tools are not magic; they are complex software tools that like all software may be subject to certain attacks. Yet because these tools play such a critical role in our legal system, it is important that they be as accurate, reliable, and secure against tampering as possible. Vulnerabilities would not only call into question the admissibility of forensic images, but could also create a risk that if undetected tampering occurs, courts may come to the wrong decisions in cases that affect lives and property.
http://www.isecpartners.com/files/Ridder-Evidentiary_Implications_of_Security_Weaknesses_in_Forensic_Software.pdf
Have You Got Your MoJo?
Your USB drive or iPod is your PC
Leaves no trace on the host
Keeping It Simple
Without A Trace
Create an XP bootable CD
Boot from the CD and create an encrypted environment on the HD
No trace on the PC
What's next?
How about Linux and a processor on a USB
Encryption
Encryption is a forensic analyst's nightmare
It is only a matter of time before the bad guys adopt current-technology encryption
Current offerings provide for multiple levels of plausible deniability
Create a hidden encrypted volume within an encrypted volume
Bad guy gives up the password to the first level only
Second level remains hidden and looks like random data within the volume (undetectable)
TrueCrypt
Settings are not stored in the registry
Uses a key file rather than a crypto key
Which of the thousands of files on the image did the bad guy use as the key file?
Uses LRW to replace CRW, eliminating any possible detection of nonrandom data within an image
Creates a virtual encrypted disk within a file and mounts it as a disk
Can work in Traveler mode with BartPE to eliminate any traces of its use within Windows
New version 4.3a just released - Vista support
Plausible deniability improved
Sector size other than 512
Traveler mode
Multi-algorithm cascade
Total Number of Downloads 3,487,388
Number of Downloads Yesterday 5,547
Free On The Fly Encryption
FreeOTFE
TrueCrypt
Cryptainer LE
CryptoExpert 2004 Lite
CompuSec
E4M Disk Encryption
Scramdisk Encryption
Vista Encryption
The fear
TPM hardware
Encryption key stored on removable USB drive
The reality
Not in all versions of Vista - only the Enterprise version
Limited availability of motherboards with TPM chips
High-end versions of Vista not exactly flying off the shelves
Be sure to seize those USB keys
Steganography
Hiding data in graphic or audio files
Free Steganography
S-Tools 4t HIT Mail Privacy Lite
Camouflage
Stegdetect
Automated detection of data within an image
Works against:
Jsteg
Jphide
Invisible Secrets
Outguess
F5
appendixX and Camouflage
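Stegdetect's core idea, a statistical test rather than a signature, is worth seeing in working form. The block below is an added example written for this page, not Stegdetect's code: it implements the chi-square "pairs of values" test for sequential LSB replacement on a constructed 8-bit sample image (the image, the seed, the 256.0 cut-off and the helper names are all assumptions). After embedding, the counts of each value pair (2k, 2k+1) equalize, so a small statistic is what flags hidden data.

```python
import random


def chi_square_pov(samples):
    """Chi-square statistic over 'pairs of values' (2k, 2k+1).

    Sequential LSB replacement pushes the two counts of every pair toward
    equality, so a *small* statistic is the indicator of embedded data.
    """
    counts = [0] * 256
    for v in samples:
        counts[v] += 1
    stat = 0.0
    for k in range(128):
        even, odd = counts[2 * k], counts[2 * k + 1]
        expected = (even + odd) / 2.0
        if expected > 0:
            stat += (even - expected) ** 2 / expected
    return stat


def make_cover(n_pixels, seed=1):
    """Constructed 8-bit cover image (no real file is read): half of the
    samples are forced even, so roughly three quarters of all LSBs are 0 and
    the pair counts are uneven, as they tend to be in natural images."""
    rng = random.Random(seed)
    pixels = []
    for _ in range(n_pixels):
        v = rng.randrange(256)
        if rng.random() < 0.5:
            v &= 0xFE
        pixels.append(v)
    return pixels


def embed_lsb(pixels, payload_bits):
    """Sequential LSB replacement: payload bit i replaces the LSB of pixel i."""
    out = list(pixels)
    for i, bit in enumerate(payload_bits):
        out[i] = (out[i] & 0xFE) | (bit & 1)
    return out


def looks_embedded(samples, threshold=256.0):
    """Flag an image whose statistic falls below the (assumed) cut-off.
    With 127 degrees of freedom a fully embedded image scores around 127,
    while the skewed clean cover above scores in the thousands."""
    return chi_square_pov(samples) < threshold


if __name__ == "__main__":
    cover = make_cover(65536)
    stego = embed_lsb(cover, [i & 1 for i in range(len(cover))])
    for label, img in (("cover", cover), ("stego", stego)):
        print(f"{label}: chi2={chi_square_pov(img):.1f} flagged={looks_embedded(img)}")
```

The test only catches sequential embedding that fills most of the image; tools that spread bits pseudo-randomly or embed in DCT coefficients (the JPEG tools in the list above) need the per-format variants Stegdetect implements.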
Evidence Eliminator
http://www.evidence-eliminator.com/register_reasons.d2w
Just some reasons why you must buy protection for yourself right now. Pelican Bay State Prison (USA): "....putting a prisoner in a cell with a known assaulter and setting up alleged sex offenders for attack are not uncommon...." Corcoran Prison (California USA): "....Dillard, who weighed 120 pounds, fought back but Robertson was too powerful. He said he pounded on the cell door, banged at it in a way that the guards surely must have heard, but nobody ever came as he was raped...." The View From Behind Prison Bars (USA): "....The guard in the tower decided to blow one of the inmates' heads off.... The suicides at San Quentin are amazing. I never knew doing time would subject me to watching guys do swan dives off the fifth tier. One guy ripped his jugular out with a can opener. How about the inmate who was shot to death while dangling from the fence? They left his body there for four hours.... we were forced to sleep in shifts to keep the cockroaches from crawling in our mouths...."
Get total protection. Buy your license to Evidence Eliminator. $149 is less than 149 years. Permanent protection for only $149.95 (US)
The Bad Guys Are Not Paying For It
Other Disk Wiping Products
Wipes Deeper Than Ever
Defeat Forensics For Only $29.95
Other Popular Wiping Tools
srm
dban
Necrofile
Tracks Eraser Pro
Just Google "disk wiping tools"
Results 1 - 100 of about 1,960,000 for disk wiping tools.
How Do They Measure Up?
Evaluating Commercial Counter-Forensic Tools, Matthew Geiger
Signatures
Examining hashes is a quick way to determine whether specific files are or are not on the image being examined
However, altering a single byte will change the hash while leaving a malicious program fully executable
Signatures
Unreliable
EXE Packers
A packer can change the signature of any exe file and render a search for a known MD5 useless
The potentially malicious file will not be found by an antivirus scanner
Available Packers
Alloy 4.14
Aspack 21
Cexe (NT only)
Diet
Lzexe 1.00a
Pack 1.0
Pecompact 1.20
Pecompact 1.23
Petite21
Petite22
Pklite32
Stoner_Compress
GUI for several packers
UPX101
wWinlite
WWpack 3.05b3
ProTools
Binders
Binders combine two or more executables into a single executable file
Allows the bad guy to attach a Trojan, key logger or other malicious program to a common exe file
The resulting MD5 will not match a known-bad database
37 different free binders are downloadable at
http://www.trojanfrance.com/index.php?dir=Binders/
Downloadable Binders
Dropper Source Generator 0.1
Attach
Asylum Binder 1.0 by Slim
BigJack Joiner
Binder
Binding Suite
BladeJoiner 1.0 by Blade
BladeJoiner 1.5 by Blade
BladeJoiner 1.55 by Blade
Blade-Bogart Joiner
Blade-Stoner Joiner
Concealer
EliteWrap
Embedder 1.50
Exe Bind 1.0
Exe Maker
FC Binder
GoboWrap 1.0b
Infector 2.0
Infector 9.0
Juntador Beta
MultiBinder
PE-intro adder
Rat Packer
RNS Exe Joiner
SaranWrap
Senna Spy One Exe Maker
Senna Spy One Exe Maker 2000
Senna Spy One Exe Maker 2000 - 2.0a
SilkRope 1.0
SilkRope 1.1
SilkRope 2.0
SilkRope2k
TOP 1.0 by DaRaT
TOP 2.0 by DaRaT
TOP 2.0 beta by DaRaT
TOP 2.1 by DaRaT
TOP 4.0 by DaRaT
TOP GUI by DaRaT
TOP GUI 2 by DaRaT
TrojanMan
WeirdBinder by Weird
X-Exejoiner and Icon changer by Lazarus
Zyon 1.0 multibinder
Sudden Discharge Compresso
Metasploit Anti Forensics
Timestomp
Metasploit AntiForensics Project - www.metasploit.com/projects/antiforensics/
Uses the following Windows system calls: NtQueryInformationFile(), NtSetInformationFile()
Doesn't use SetFileTime()
Timestomp FTK Unmodified
Timestomp - FTK Modified
Timestomp Encase Unmodified
Timestomp Encase Modified
Timestomp Explorer Unmodified
Slacker
Metasploit AntiForensics Project - www.metasploit.com/projects/antiforensics/
Slacker Example
Transmogrify Coming Soon
Transmogrify - First ever tool to defeat EnCase's file signature capabilities by allowing you to mask and unmask your files as any file type. (Coming Soon)
Well, they have been saying that since 2005 and it is still not here
Metasploit AntiForensics Project - www.metasploit.com/projects/antiforensics/
Samjuicer
SAM Juicer does what pwdump does without hitting the disk
Pwdump opens a share, drops binaries to the disk and starts a service to inject itself into LSASS
Reuses a transport channel that the Metasploit framework uses, remotely and directly injects itself into LSASS and sucks down the encrypted password files without leaving a file, touching the registry or starting a service.
Not having files or services starting makes protection technologies that rely on that 'signature' to prevent the attack rather impotent.
Metasploit AntiForensics Project - www.metasploit.com/projects/antiforensics/
Future Work
NTFS change journal modification
Secure deletion
Documentation of anti-forensic techniques
Browser log manipulation
File meta-data modification
NTFS extended attributes
Metasploit AntiForensics Project - www.metasploit.com/projects/antiforensics/
Vincent Liu
Partner in Stach & Liu
www.stachliu.com
Advanced Anti Forensics
What if the malicious file never touched the disk?
MOSDEF (mose-def) is short for Most Definitely
MOSDEF is a retargetable, position-independent-code C compiler that supports dynamic remote code linking
In short, after you've overflowed a process you can compile programs to run inside that process and report back to you
www.immunitysec.com/resources-freesoftware.shtml
Linux Anti Forensics
Simply hide data where commercial forensic tools don't necessarily look
Rune fs
Hide data in bad blocks inode
Waffen fs
Hide data in spoofed journal file
KY fs
Hide data in null directory entries
Data mule fs
Hide data in reserved space
Thank You
Paul A. Henry, MCP+I, MCSE, CFSA, CFSO, CCSA, CCSE, CISM, CISA, CISSP-ISSAP, CIFI
Vice President, Technology Evangelism
Secure Computing