Anti-Forensics Methods and Mitigating Obscured Data By Brad Hill Student at Champlain College

Transcript of CFDI-450SeniorProjectBradHill

Page 1: CFDI-450SeniorProjectBradHill

Anti-Forensics Methods and Mitigating Obscured Data

By Brad Hill, Student at Champlain College


What is Computer Forensics?

“The process of applying scientific methods to collect and analyze data and information that can be used as evidence in a court of law” (Nelson, 2010)

Following the trail

Evidence


The Role of Anti-Forensics

• Obfuscate Data Trails
• Prolong an Investigation
• Destroy Evidence
• Hide Information
• Defeat Forensic Software
• Keep Private Information


Legacy Methods

• Encryption
• Data Wiping
• Steganography
• Alternate Data Streams
• Hiding in the HPA or DCO

Encryption: Scrambles the contents of a file or message so that it can be read only by someone who has the right encryption key to unscramble it.

Data Wiping: Data-erasing tools can zero out areas of a volume and make it next to impossible to recover deleted files.

Steganography: Steganography uses two files in which to hide data: one is called the carrier file, and the other is the payload or secret message.

Alternate Data Streams: ADS are not visible to most Windows-based applications; a user can attach an ADS to any type of file on their HDD to hide secret information.

Hiding in the HPA or DCO: Portions of the hard disk, such as the Host Protected Area (HPA) and the Device Configuration Overlay (DCO), are invisible to the operating system, which makes them harder to delete, and they can be manipulated with open-source software to hide information from view.

Other Methods

Timestomp: This tool can be used to alter the Modified, Accessed, Created and Entry-modified (MACE) timestamps of a file.

Transmogrify: This tool can modify the header and extension of any file type, so that the hash value of a known file no longer matches.

Slacker: This tool takes advantage of the slack space left behind when a file does not fill an entire sector or cluster; users can place files of their choosing there.

Going Diskless: Bootable Media

Virtual Machines (VM): VMs can emulate numerous operating systems; by borrowing a computer's resources they can leave very few trails to follow.

Evidence Counterfeiting

Rubber Ducky: An inconspicuous USB device that, when attached to a host computer, injects a predetermined payload using a keystroke-injection attack platform.

Non-Traditional

Gaming Consoles: With the abundance of gaming consoles owned worldwide, their use as a method of communication is becoming more prevalent and can include the use of steganography techniques (Podhradsky, 2012).

Prolong the Investigation

1) Own Numerous Media Devices
2) Dummy Hard Disk Drive
3) Cloud Storage
4) Uncommon RAID Array

1) Own Numerous Media Devices: Having numerous and varying forms of media devices to search can become cumbersome for an investigator and deplete a department's resources.

2) Dummy Hard Disk Drive: Dummy drives can be used regularly so that they appear to be the official HDD in use. An investigator who discovers the dummy drive won't find incriminating evidence.

3) Cloud Storage: Cloud computing, where people can store information in a remote location, can prolong an investigation because the storage device holding criminal information could be out of state, or even out of the country, in places that do not care about US jurisdiction issues.

4) Uncommon RAID Array: Use of uncommon Redundant Array of Independent Disks (RAID) controllers, with unique stripe sizes, order and endianness, can make reassembling files tedious without the appropriate RAID controller.

Last but not Least

Physical Destruction: Destroying digital evidence physically can be effective, but it is not a cure-all, as investigators have successfully, albeit expensively, rebuilt intentionally damaged drives.

Hammer: Effective but not permanent.

Industrial Hard Drive Shredder: Permanent.

Mitigating AF Techniques

• The use of “fuzzy hashing” identifies similar files.
• Search log files for application and system activity.
• A look at the $FILE_NAME time can indicate that something mischievous has been done if that time occurs after the $STANDARD_INFORMATION creation time.
• Traces of software programs associated with data wiping or hiding imply guilt and require other methods of recovering information, e.g., social engineering.
• Lack of evidence can be evidence in and of itself (Homewood, 2012).
• Finding multiple copies of a file (pictures, audio, etc.) that differ in size could indicate the use of steganography.
• Use the suspect's own system to piece together unknown formats.
• Having an inquisitive nature allows an investigator to track down the unfamiliar challenges associated with anti-forensics.
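The Transmogrify slide (a header or extension change that breaks known-file hash matching) and the fuzzy hashing mitigation above are illustrated by the following added Python example; it is not code from the slides or from any tool the slides name. The similarity score is a simplified byte n-gram Jaccard measure standing in for a real fuzzy hash such as ssdeep, and the magic-byte table, file names and file contents are constructed for the demonstration.

```python
"""Added example: exact hashes vs. similarity vs. magic-byte checks on a tampered file."""
import hashlib
from typing import Dict, Optional, Set

# Constructed subset of well-known file signatures (magic bytes) -> expected extension.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",
    b"MZ": "exe",
}


def sha256_hex(data: bytes) -> str:
    """Cryptographic hash: any single-byte change yields a completely different value."""
    return hashlib.sha256(data).hexdigest()


def byte_ngrams(data: bytes, n: int = 4) -> Set[bytes]:
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def similarity(a: bytes, b: bytes, n: int = 4) -> float:
    """Jaccard similarity of byte n-gram sets (simplified stand-in for fuzzy hashing).
    Small edits remove only a handful of n-grams, so the score stays close to 1.0."""
    ga, gb = byte_ngrams(a, n), byte_ngrams(b, n)
    if not ga and not gb:
        return 1.0
    return len(ga & gb) / len(ga | gb)


def detect_type(data: bytes) -> Optional[str]:
    """Identify the file type from its leading bytes, ignoring the file name."""
    for signature, ext in MAGIC.items():
        if data.startswith(signature):
            return ext
    return None


def extension_mismatch(name: str, data: bytes) -> bool:
    """True when the signature identifies one type but the name claims another."""
    actual = detect_type(data)
    claimed = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return actual is not None and actual != claimed


def make_sample_files():
    """Constructed sample: a fake PNG, the same bytes under a .jpg name, and a copy
    whose first header byte was overwritten (the header-tampering case)."""
    body, chunk = b"", b"seed"
    while len(body) < 2048:
        chunk = hashlib.sha256(chunk).digest()  # deterministic pseudo-random content
        body += chunk
    original = b"\x89PNG\r\n\x1a\n" + body
    renamed = original                       # identical bytes, misleading extension
    header_tweaked = b"\x00" + original[1:]  # one-byte header change
    return original, renamed, header_tweaked


def triage(original: bytes, candidate: bytes, candidate_name: str) -> Dict[str, object]:
    """Compare a candidate file against a known original with all three checks."""
    return {
        "exact_match": sha256_hex(original) == sha256_hex(candidate),
        "similarity": round(similarity(original, candidate), 3),
        "detected_type": detect_type(candidate),
        "extension_mismatch": extension_mismatch(candidate_name, candidate),
    }


if __name__ == "__main__":
    original, renamed, tweaked = make_sample_files()
    print("renamed copy:", triage(original, renamed, "photo.jpg"))
    print("header-tweaked copy:", triage(original, tweaked, "photo.png"))
```

The two cases show the complementary coverage: the renamed copy still matches the known hash and is caught by the signature check, while the header-tweaked copy defeats both the exact hash and the signature lookup (its magic bytes are gone, so `detect_type` returns `None`) and is linked back to the original only by the similarity score.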
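An added Python example, not from the original slides, for the Timestomp slide and the $FILE_NAME versus $STANDARD_INFORMATION check above. The records are constructed in memory rather than parsed from a real $MFT, the field names are the example's own, and the sub-second check is an additional heuristic (timestomping tools commonly write whole-second values, leaving the fractional part zero while the kernel-written $FILE_NAME value keeps its precision).

```python
"""Added example: flag MFT timestamp patterns consistent with timestomping."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List


@dataclass
class MftRecord:
    """Minimal stand-in for an NTFS MFT entry: only the timestamps this check needs.
    Real $MFT values have 100 ns resolution; datetime microseconds suffice here."""
    path: str
    si_created: datetime   # $STANDARD_INFORMATION creation time (changeable through user APIs)
    si_modified: datetime  # $STANDARD_INFORMATION last-modified time
    fn_created: datetime   # $FILE_NAME creation time (written by the kernel)


def check_record(rec: MftRecord) -> List[str]:
    findings = []
    # Rule from the slides: a $FILE_NAME creation time later than the
    # $STANDARD_INFORMATION creation time means the SI value was pushed backwards.
    if rec.fn_created > rec.si_created:
        findings.append("$FILE_NAME created after $STANDARD_INFORMATION created")
    # Additional heuristic (assumption, see lead-in): SI values at whole-second
    # precision while $FILE_NAME keeps a fractional part suggest a timestomping tool.
    for label, ts in (("si_created", rec.si_created), ("si_modified", rec.si_modified)):
        if ts.microsecond == 0 and rec.fn_created.microsecond != 0:
            findings.append(f"{label} has a zero sub-second component")
    return findings


def scan(records: List[MftRecord]) -> Dict[str, List[str]]:
    """Return only the records with at least one finding, keyed by path."""
    result: Dict[str, List[str]] = {}
    for rec in records:
        findings = check_record(rec)
        if findings:
            result[rec.path] = findings
    return result


# Constructed sample records (not taken from a real disk image).
SAMPLE_RECORDS = [
    # Untouched file: SI and FN creation agree, both carry sub-second precision.
    MftRecord("C:\\Users\\bob\\notes.txt",
              si_created=datetime(2012, 3, 1, 10, 15, 30, 123456),
              si_modified=datetime(2012, 3, 2, 11, 0, 0, 654321),
              fn_created=datetime(2012, 3, 1, 10, 15, 30, 123456)),
    # Backdated file: SI times moved to 2009 at whole seconds, FN still says 2012.
    MftRecord("C:\\Users\\bob\\ledger.xls",
              si_created=datetime(2009, 1, 1, 0, 0, 0, 0),
              si_modified=datetime(2009, 1, 1, 0, 0, 0, 0),
              fn_created=datetime(2012, 3, 5, 9, 12, 44, 500000)),
    # Only the modified time was altered: creation agrees with FN, modified is whole-second.
    MftRecord("C:\\Users\\bob\\photo.jpg",
              si_created=datetime(2012, 3, 5, 9, 12, 44, 500000),
              si_modified=datetime(2011, 6, 30, 8, 0, 0, 0),
              fn_created=datetime(2012, 3, 5, 9, 12, 44, 500000)),
]


if __name__ == "__main__":
    for path, findings in scan(SAMPLE_RECORDS).items():
        print(path)
        for finding in findings:
            print("  -", finding)
```

The third record shows why the slide's rule alone is not enough: its creation times agree, so only the sub-second heuristic on the modified time raises a flag. Both checks produce leads, not proof; legitimate copies and restores also produce unusual orderings, so each hit should be corroborated against log files and other artifacts as the slide suggests.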
