Anti-forensics: What the bad guys are doing… John Mallery Managing Consultant 816 221-6300 [email protected]



Issues

• Computer forensics is becoming more mainstream

• Computer users are learning more effective methods to cover their tracks

• Programmers are writing tools to defeat specific commercial computer forensics products

• Computer forensics examiners are slaves to their tool(s)

Agenda

• Configuration settings – methods used to cover tracks using “supplied” tools and configuration settings

• Third party tools – wiping, properties changers, registry cleaners, steganography/encryption, etc.

• Tools and methods designed specifically to fool computer forensics programs.

Simple

• “Shift+Delete” to bypass Recycle Bin

• Recycle Bin – configured to delete immediately

• defrag

OS/Application Supplied

Empty Temporary Internet Files folder when the browser is closed.

OS/Application Supplied

Shutdown: Clear virtual memory pagefile Enabled

XP- Control Panel | Administrative Tools | Local Security Policy | Local Policies | Security Options | Shutdown: Clear virtual memory Page File | Select Enabled

Clear Page File

Configured? Check the following registry key:

Hive: HKEY_LOCAL_MACHINE\SYSTEM

Key: CurrentControlSet\Control\Session Manager\Memory Management

Name: ClearPageFileAtShutdown

Type: REG_DWORD

Value: 1

Slows down shutdown process

OS/Application Supplied

CIPHER - “Displays or alters the encryption of directories [files] on NTFS partitions”

CIPHER /W:directory (XP) – the /W switch overwrites the unused (free) space on the volume that holds directory, so previously deleted data cannot be recovered from it.

Alternate Data Streams

• The NTFS File System provides the ability to have additional data streams associated with a file. (Provides support for Apple’s HFS – Hierarchical File System)

Alternate Data Stream

• Demo – thanks to Harlan Carvey

• At the command prompt:

C:\>mkdir ads
C:\>cd ads
C:\ads>echo "This is a standard text file." > textfile.txt
C:\ads>echo "The password is weasel." > textfile.txt:pword.txt

• To read the alternate data stream:

C:\ads>notepad textfile.txt:pword.txt

OS/Application Supplied

Disk Cleanup

OS/Application Supplied

Online document creation & storage

OS/Application Supplied

• Word (Excel)
  – Hidden font
  – White on white
  – Small font

• Plug-ins
  – Remove Hidden Data tool
  – Redaction tool
  – Payne scrambling tool

Hidden Font


Redaction tool

http://tinyurl.com/dgokp (Word 2003)

“Overview

Redaction is the careful editing of a document to remove confidential information.

The Microsoft Office Word 2003 Redaction Add-in makes it easy for you to mark sections of a document for redaction. You can then redact the document so that the sections you specified are blacked out. You can either print the redacted document or use it electronically. In the redacted version of the document, the redacted text is replaced with a black bar and cannot be converted back to text or retrieved.”

Remove Hidden Data (metadata)

http://tinyurl.com/5bams


Scramble Assistant

http://www.payneconsulting.com/products/scramword_free/

For Word & Excel

Advantages of OS Supplied Tools

• Appear less “nefarious” than commercial tools (Evidence Eliminator).

• Free

Third Party Tools

Fun for the Whole Family

Registry Cleaner

Merge Streams/Glue

• Hides an Excel file within a Word document (or vice versa)

• .doc – see Word file

• .xls – see Excel file

• Won’t fool a forensics examiner – may confuse them

• Word – “Recover Text from any file”


• Demo

• http://www.ntkernel.com/w&p.php?id=23

File Properties Changer

www.segobit.com

File Splitting

• 1toX - http://www.logipole.com/indexe.html

• GSplit - http://www.gdgsoft.com/gsplit/

• Some tools can split files, password protect and encrypt pieces.

• Split file and store pieces in different locations…

Wiping Tools

• Gazillions of them

• Eraser (comes with DBAN)

• Sdelete – www.sysinternals.com

• Evidence Eliminator

• BC Wipe

• Cyberscrub

• Etc.

• Do they perform as promised? PGP – does it really wipe slack space?

• Are they used frequently?

Removing Residual Data

• Tools exist to remove residual data

• But do not use them in response to litigation

• See - Kucala Enterprises, Ltd. v. Auto Wax Co., Inc., 2003 WL 21230605 (N.D.Ill.), May 27, 2003 - “Any reasonable person can deduce, if not from the name of the product itself, then by reading the website, that Evidence Eliminator is a product used to circumvent discovery.”

• Anderson v. Crossroads Capital Partners

Software

HKEY_CURRENT_USER\Software\[Manufacturer Name]\[Tool]
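As an added example (not from the deck), a Python script that reads a Windows .reg export and checks the two registry artefacts the slides point at: the HKLM ClearPageFileAtShutdown value from the Clear Page File slide, and HKCU\Software\[Manufacturer Name]\[Tool] keys that name one of the wiping tools listed earlier. The sample export, the vendor names and the watchlist are constructed assumptions.

```python
from typing import Dict, List

# Constructed .reg export (assumed, not from the deck). Vendor names are
# placeholders; the tool names are the ones on the wiping-tools slide.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
"ClearPageFileAtShutdown"=dword:00000001

[HKEY_CURRENT_USER\Software\VendorA\Evidence Eliminator]
"LastRun"="placeholder"

[HKEY_CURRENT_USER\Software\VendorB\BCWipe]
"Version"="placeholder"
"""

PAGEFILE_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control"
                r"\Session Manager\Memory Management")
# Tool names from the deck's wiping-tools slide, compared with spaces removed.
WATCHLIST = ("evidenceeliminator", "bcwipe", "cyberscrub", "eraser")


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Map each [key] section of a .reg export to its "name"=value pairs.
    A real export is UTF-16LE text; decode it before calling this."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, value = line.partition("=")
            keys[current][name.strip('"')] = value
    return keys


def clear_pagefile_enabled(keys: Dict[str, Dict[str, str]]) -> bool:
    """True when ClearPageFileAtShutdown is REG_DWORD 1 (the slide's setting)."""
    value = keys.get(PAGEFILE_KEY, {}).get("ClearPageFileAtShutdown", "")
    return value.lower().startswith("dword:") and int(value[6:], 16) == 1


def find_tool_keys(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """HKCU\\Software\\[Manufacturer]\\[Tool] keys whose path names a watched tool."""
    hits = []
    for path in keys:
        squashed = path.lower().replace(" ", "")
        if squashed.startswith("hkey_current_user\\software\\") and any(
                tool in squashed for tool in WATCHLIST):
            hits.append(path)
    return hits
```

Run it against `reg export HKCU\Software` and `reg export HKLM\SYSTEM` output from the machine under examination; a hit only shows the tool was installed under that profile, not when or whether it was run.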

Encryption

• Cryptext – free and easy to use, a shell extension (http://tinyurl.com/do2qs)

• EFS

• OTFE – encrypted partitions (www.truecrypt.org)

• USB thumb drives – new ones include encrypted partitions

• Encrypted file stored on an encrypted partition…

• Locknote - http://locknote.steganos.com/

Steganography

• Includes encryption

• Free tools

• Complex method of hiding data

• But easy to do…

• Can you detect it?

• “Duplicate Colors?”

• Wetstone Technologies

• Steganography Analysis and Research Center

• stegdetect

• S-Tools

DEMO

Metasploit Project

• Timestomp – modifies MAC times so EnCase can’t read them.

http://www.metasploit.com/projects/antiforensics/
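Added example (not part of the deck or of the Metasploit project): Python heuristics an examiner can run over the $STANDARD_INFORMATION ($SI) and $FILE_NAME ($FN) timestamps pulled from an MFT parser, flagging the traces that SetFileTime-based timestamp editing of the Timestomp kind tends to leave. The MaceTimes structure and all sample values are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List

# NTFS keeps every timestamp as a FILETIME: 100 ns ticks since 1601-01-01 UTC.
TICKS_PER_SECOND = 10_000_000
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def to_filetime(dt: datetime) -> int:
    """Aware datetime -> FILETIME ticks, using exact integer arithmetic."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

@dataclass
class MaceTimes:
    """Modified/Accessed/MFT-changed/Created ticks of one attribute ($SI or $FN)."""
    modified: int
    accessed: int
    mft_changed: int
    created: int

def timestomp_indicators(si: MaceTimes, fn: MaceTimes, now: int) -> List[str]:
    """Return one string per heuristic that fires on the $SI/$FN pair."""
    si_times = [si.modified, si.accessed, si.mft_changed, si.created]
    nonzero = [t for t in si_times if t]
    findings = []
    if len(nonzero) < 4:  # a FILETIME of 0 shows as blank/invalid in most viewers
        findings.append("blank (zero) $SI timestamp")
    # Tools that call SetFileTime usually write whole seconds; genuine NTFS
    # times almost never have a zero 100 ns fraction in every field at once.
    if nonzero and all(t % TICKS_PER_SECOND == 0 for t in nonzero):
        findings.append("all $SI timestamps fall on exact second boundaries")
    # $FN times are set by the kernel and are out of reach of SetFileTime, so
    # an $SI creation time earlier than $FN creation is a common backdating tell.
    if 0 < si.created < fn.created:
        findings.append("$SI created precedes $FN created")
    if any(t > now for t in si_times):
        findings.append("$SI timestamp lies in the future")
    return findings

# Constructed sample values (assumed, not taken from the deck): an untouched
# file, one whose $SI times were reset to 2004-01-01 00:00:00, and a blanked one.
NOW = to_filetime(datetime(2006, 6, 1, tzinfo=timezone.utc))
_real = to_filetime(datetime(2006, 3, 10, 12, 34, 56, 123456, tzinfo=timezone.utc))
GENUINE_SI = MaceTimes(_real + 40, _real + 90, _real + 90, _real)
GENUINE_FN = MaceTimes(_real, _real, _real, _real)
_stomp = to_filetime(datetime(2004, 1, 1, tzinfo=timezone.utc))
STOMPED_SI = MaceTimes(_stomp, _stomp, _stomp, _stomp)
BLANK_SI = MaceTimes(0, 0, 0, 0)
```

None of these checks is proof on its own; a legitimate copy, restore or rename can also move $SI relative to $FN, so corroborate with $LogFile/$UsnJrnl entries and the presence of the tool itself.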

Timestomp


Document Lifecycle Management

• Controlling documents even when they are “out of your control”

• Expiration dates• Encryption

Document Lifecycle Management

“Net-It® Now is a free print driver that renders your files to CSF (content secure format), a compressed encrypted format that allows you to add Visual Rights™, including password protection, an expiration date, and feature restrictions, to your files (settings). Files are viewable with the free Brava! Reader (views TIFF, PDF and CSF files)”.

http://www.net-it.com/nin.htm

Example

Use a Mac

• Entry-level programs such as WinHex and ProDiscover Basic do not handle the HFS+ file system.

• Most computer forensics training programs do not address Macs.

• Most computer forensics examiners “fear” conducting an examination of Macs – they just don’t understand them.

HPA

• Store Data in the Host Protected Area

Good News/Bad News

• First the Bad News

• Using a combination of these tools on a regular basis can defeat a computer forensics examination

• Now the Good News

• Very few users know about “all” of these tools and methods

• Not all tools perform as promised

Last thoughts

• Determining whether these tools have been used can be just as important as finding evidence.

• Finding these tools can counter the “I’m not sophisticated enough” argument.

• Found in illegal movie and music distribution cases.

Mac OS X – the shape of things to come

FileVault – Encrypted Home Folder

Secure Virtual Memory

Mac OS X – the shape of things to come

Mac OS X - Safari

IE7

Questions/Comments

John Mallery, Managing Consultant

BKD, LLP, 816 221-6300

[email protected]