Anti-forensics: What the bad guys are doing…


Anti-forensics: What the bad guys are doing…
John Mallery
Managing Consultant
816 221-6300
[email protected]
Issues
• Computer forensics is becoming more mainstream
• Computer users are learning more effective methods to cover their tracks
• Programmers are writing tools to defeat specific commercial computer forensics products
• Computer forensics examiners are slaves to their tool(s)
Agenda
• Configuration settings – methods used to cover tracks using “supplied” tools and configuration settings
• Third party tools – wiping, properties changers, registry cleaners, steganography/encryption, etc.
• Tools and methods designed specifically to fool computer forensics programs.
Simple
• “Shift+Delete” to bypass Recycle Bin
• Recycle Bin – configured to delete immediately
• defrag
OS/Application Supplied
Empty Temporary Internet Files folder when browser is closed.
OS/Application Supplied
Shutdown: Clear virtual memory pagefile – Enabled
XP: Control Panel | Administrative Tools | Local Security Policy | Local Policies | Security Options | Shutdown: Clear virtual memory Page File | Select Enabled
Clear Page File
Configured? Check the following registry key:
Hive: HKEY_LOCAL_MACHINE\SYSTEM
Key: CurrentControlSet\Control\Session Manager\Memory Management
Name: ClearPageFileAtShutdown
Type: REG_DWORD
Value: 1
Slows down shutdown process
OS/Application Supplied
CIPHER – “Displays or alters the encryption of directories [files] on NTFS partitions”
CIPHER /W:directory (XP)
Alternate Data Streams
• The NTFS File System provides the ability to have additional data streams associated with a file. (Provides support for Apple’s HFS – Hierarchical File System)
Alternate Data Stream
Demo – thanks to Harlan Carvey
At the command prompt:
C:\>mkdir ads
C:\>cd ads
C:\ads>echo "This is a standard text file." >textfile.txt
C:\ads>echo "The password is weasel." >textfile.txt:pword.txt
• To read the alternate data stream (the stream is not shown by dir, and the file size stays that of the main stream):
C:\ads>notepad textfile.txt:pword.txt
OS/Application Supplied
Disk Cleanup
OS/Application Supplied
Online document creation & storage
OS/Application Supplied
• Word (Excel)
– Hidden font
– White on White
– Small font
• Plug-ins
– Remove hidden data tool
– Redaction tool
– Payne scrambling tool
Hidden Font
Hidden font
Redaction tool
“Overview
Redaction is the careful editing of a document to remove confidential information.
The Microsoft Office Word 2003 Redaction Add-in makes it easy for you to mark sections of a document for redaction. You can then redact the document so that the sections you specified are blacked out. You can either print the redacted document or use it electronically. In the redacted version of the document, the redacted text is replaced with a black bar and cannot be converted back to text or retrieved.”
http://tinyurl.com/dgokp (Word 2003)
Remove Hidden Data (metadata)
http://tinyurl.com/5bams
Remove Hidden Data
Scramble Assistant for Word & Excel
http://www.payneconsulting.com/products/scramword_free/
Advantages of OS Supplied Tools
• Appear less “nefarious” than commercial tools (Evidence Eliminator).
• Free
Third Party Tools
Fun for the Whole Family
Registry Cleaner
Merge Streams/Glue
• Hides Excel file within a Word Document (vice versa)
• .doc – see Word file
• .xls – see Excel file
• Won’t fool forensics examiner – may confuse them
• Word – “Recover Text from any file”
• Demo
• http://www.ntkernel.com/w&p.php?id=23
File Properties Changer
www.segobit.com
File Splitting
• 1toX http://www.logipole.com/indexe.html
• Gsplit
http://www.gdgsoft.com/gsplit/
• Some tools can split files, password protect and encrypt the pieces.
• Split a file and store the pieces in different locations…
Wiping Tools
• Gazillions of them
• Eraser (comes with DBAN)
• Sdelete – www.sysinternals.com
• Evidence Eliminator
• BC Wipe
• Cyberscrub
• Etc.
• Do they perform as promised? Does PGP really wipe slack space?
• Are they used frequently?
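The slack-space question above, as an added illustration that is not from the slides and does not describe any named product: a constructed in-memory volume shows why a wiper that overwrites only a file's logical length leaves the slack in its last cluster untouched, which is exactly what an examiner then recovers.

```python
# Added example: file slack survives a "logical size" wipe on a constructed volume.
CLUSTER = 4096  # constructed cluster size in bytes

def make_volume(clusters):
    """A constructed in-memory 'volume': one bytearray made of whole clusters."""
    return bytearray(CLUSTER * clusters)

def allocated_size(size):
    """Bytes a file actually occupies: its size rounded up to whole clusters."""
    return -(-size // CLUSTER) * CLUSTER

def write_file(vol, first_cluster, data):
    """Write data at a cluster boundary, as a file system would; return its offset."""
    off = first_cluster * CLUSTER
    vol[off:off + len(data)] = data
    return off

def wipe_logical(vol, off, size):
    """Naive wipe: overwrite only the file's logical length with zeros."""
    vol[off:off + size] = bytes(size)

def wipe_allocated(vol, off, size):
    """Thorough wipe: overwrite every cluster the file occupies, slack included."""
    alloc = allocated_size(size)
    vol[off:off + alloc] = bytes(alloc)

def slack_bytes(vol, off, size):
    """Bytes between the end of the file and the end of its last cluster."""
    return bytes(vol[off + size:off + allocated_size(size)])

def residue_in_slack(vol, off, size, marker):
    """True if a recognizable fragment of older content is still in the slack."""
    return marker in slack_bytes(vol, off, size)

def demo():
    """Returns (residue before wipe, after logical wipe, after allocated wipe)."""
    vol = make_volume(4)
    # Constructed scenario: a 6000-byte note is written, then replaced in place
    # by a 3000-byte version, so the tail of the old note now sits in slack.
    old = (b"SECRET:" + b"weasel " * 900)[:6000]
    off = write_file(vol, 1, old)
    new = b"A" * 3000
    write_file(vol, 1, new)
    before = residue_in_slack(vol, off, len(new), b"weasel")
    wipe_logical(vol, off, len(new))
    after_logical = residue_in_slack(vol, off, len(new), b"weasel")
    wipe_allocated(vol, off, len(new))
    after_allocated = residue_in_slack(vol, off, len(new), b"weasel")
    return before, after_logical, after_allocated
```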
Removing Residual Data
• Tools exist to remove residual data
• But do not use them in response to litigation
• See Kucala Enterprises, Ltd. v. Auto Wax Co., Inc., 2003 WL 21230605 (N.D. Ill.), May 27, 2003 – "Any reasonable person can deduce, if not from the name of the product itself, then by reading the website, that Evidence Eliminator is a product used to circumvent discovery.”
• Anderson v. Crossroads Capital Partners
Software
HKEY_CURRENT_USER\Software\[Manufacturer Name]\[Tool]
Encryption
• Cryptext – free and easy to use, a shell extension (http://tinyurl.com/do2qs)
• EFS
• OTFE – Encrypted partitions: www.truecrypt.org
• USB Thumb Drives – new ones include encrypted partitions
• Encrypted file stored on an encrypted partition…
• Locknote – http://locknote.steganos.com/
Steganography
• Includes encryption
• Free tools
• Complex method of hiding data, but easy to do…
• Can you detect it?
• “Duplicate Colors?”
• Wetstone Technologies
• Steganography Analysis and Research Center
• stegdetect
• stools
DEMO
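The “Duplicate Colors?” question above, worked through as an added example (not from the slides or from any of the named tools): palette-based hiding tools such as stools reduce an image's palette and then emit clusters of near-identical colours whose low bits carry the payload, so a palette in which most entries have a near-duplicate neighbour is a detection signal. Both palettes below are constructed.

```python
# Added example: the near-duplicate-colour heuristic against palette stego.
from itertools import combinations

def is_near_duplicate(c1, c2, tol=1):
    """Two RGB triples are near-duplicates if no channel differs by more than tol."""
    return all(abs(a - b) <= tol for a, b in zip(c1, c2))

def near_duplicate_ratio(palette, tol=1):
    """Fraction of palette entries that have at least one near-duplicate neighbour."""
    if not palette:
        return 0.0
    flagged = set()
    for i, j in combinations(range(len(palette)), 2):
        if is_near_duplicate(palette[i], palette[j], tol):
            flagged.update((i, j))
    return len(flagged) / len(palette)

def looks_like_palette_stego(palette, threshold=0.5):
    """Flag a palette when at least `threshold` of its colours are near-duplicates."""
    return near_duplicate_ratio(palette) >= threshold

def clean_palette(n=32):
    """Constructed 'natural' palette: colours spread well apart in every channel."""
    return [((i * 37) % 256, (i * 91) % 256, (i * 53) % 256) for i in range(n)]

def stego_palette(base, variants=8):
    """Constructed stools-style palette: each base colour expanded into
    `variants` copies that differ only in the least significant bits."""
    out = []
    for r, g, b in base:
        for k in range(variants):
            out.append(((r & ~1) | (k & 1),
                        (g & ~1) | ((k >> 1) & 1),
                        (b & ~1) | ((k >> 2) & 1)))
    return out
```

A real check would read the palette from a GIF or 8-bit BMP header and apply the same ratio; the heuristic says nothing about true-colour images or about tools that hide data in other ways.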
Metasploit Project
• Timestomp – modifies MAC times so EnCase can’t read them.
http://www.metasploit.com/projects/antiforensics/
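Two checks an examiner can run over NTFS timestamps to spot the kind of manipulation described above, as an added example that is not part of the slides and not Metasploit code. It assumes the examiner already has the $STANDARD_INFORMATION and $FILE_NAME timestamps of a record as FILETIME integers; the sample values are constructed.

```python
# Added example: timestamp-manipulation indicators over constructed NTFS records.
from datetime import datetime, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SEC = 10_000_000  # FILETIME resolution is 100 ns

def to_filetime(dt):
    """Convert an aware datetime to a Windows FILETIME integer."""
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SEC + delta.microseconds * 10

FAR_FUTURE = to_filetime(datetime(2100, 1, 1, tzinfo=timezone.utc))

def timestomp_indicators(si, fn):
    """si: $STANDARD_INFORMATION times, fn: $FILE_NAME times, both dicts keyed
    'created', 'modified', 'accessed', 'mft_modified' holding FILETIME ints.
    Returns a list of indicator strings; an empty list means nothing suspicious."""
    hits = []
    # Tools that set times with one-second granularity leave every $SI value
    # with a zero sub-second component; files written by the OS almost never do.
    if all(v % TICKS_PER_SEC == 0 for v in si.values()):
        hits.append("all $SI timestamps have a zero sub-second part")
    # Only $SI is reachable through the normal file-time API; $FN is written by
    # the kernel, so a $SI creation time before the $FN creation time is anomalous.
    if si["created"] < fn["created"]:
        hits.append("$SI created precedes $FN created")
    # Blank (zero) or far-future values are the classic "unreadable" stomp results.
    for k, v in si.items():
        if v == 0 or v > FAR_FUTURE:
            hits.append(f"$SI {k} is zero or implausibly far in the future")
    return hits

def demo():
    """Constructed genuine record versus a record whose $SI times were rewritten."""
    created = datetime(2006, 3, 14, 9, 26, 53, 589793, tzinfo=timezone.utc)
    fn = {k: to_filetime(created) for k in ("created", "modified", "accessed", "mft_modified")}
    genuine_si = dict(fn)
    stomped = to_filetime(datetime(2001, 1, 1, tzinfo=timezone.utc))
    stomped_si = {k: stomped for k in fn}
    return timestomp_indicators(genuine_si, fn), timestomp_indicators(stomped_si, fn)
```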
Timestomp
Document Lifecycle Management
• Controlling documents even when they are “out of your control”
• Expiration dates
• Encryption
Document Lifecycle Management
“Net-It® Now is a free print driver that renders your files to CSF (content secure format), a compressed encrypted format that allows you to add Visual Rights™, including password protection, an expiration date, and feature restrictions, to your files (settings). Files are viewable with the free Brava! Reader (views TIFF, PDF and CSF files)”.
http://www.net-it.com/nin.htm
Example
Use a Mac
• Entry level programs such as WinHex and ProDiscover Basic do not handle the HFS+ file system.
• Most computer forensics training programs do not address Macs.
• Most computer forensics examiners “fear” conducting an examination of Macs – they just don’t understand them.
HPA
• Store Data in the Host Protected Area
Good News/Bad News
• First the Bad News
• Using a combination of these tools on a regular basis can defeat a computer forensics examination
• Now the Good News
• Very few users know about “all” of these tools and methods
• Not all tools perform as promised
Last thoughts
• Determining whether these tools have been used can be just as important as finding evidence.
• Finding these tools can counter the “I’m not sophisticated enough” argument.
• Found in illegal movie and music distribution cases.
Mac OS X – the shape of things to come
FileVault – Encrypted Home Folder
Secure Virtual Memory
Mac OS X - Safari
IE7
Questions/Comments
John Mallery
Managing Consultant
BKD, LLP
816 221-6300
[email protected]