Anti-Forensics

Aug 28, 2008
#1
As part of a project I am undertaking I'm looking for views from members as to the weaknesses and strengths of anti-forensic tools they have used or have studied.
There are several effective open source tools out there, but which ones do you like?

Complete (Administrator), Aug 19, 2006
#2
In my opinion, the only "anti-forensics" tool worth its salt is encryption. If I encounter a drive with whole disk encryption and I don't have the password, then I'm pretty much done. There is simply no available data for me to get at.

Look at other tools like TimeStomp. Someone could change all of the timestamps for files on a drive, but there will still be other artifacts for me to look at. LNK files and the registry will all have times contained within them that can help me build part of the timeline.

Maybe I haven't looked at all the anti-forensics tools out there, but in short, my vote is for TrueCrypt.
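As an added example (not code from any poster), the cross-artifact check described in #2: MFT, LNK and registry timestamps are merged into one timeline, and a file whose recorded creation time is later than a shortcut or registry entry that already references it is flagged, since those artifacts cannot predate the file they point to. All records, paths and times below are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Artifact:
    """One timestamped reference to a file from any source (NTFS record, LNK, registry)."""
    source: str      # "mft", "lnk" or "registry"
    path: str        # file the artifact refers to
    event: str       # what the timestamp means in that source
    when: datetime

def ts(s: str) -> datetime:
    """Parse an ISO-8601 string as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

def build_timeline(artifacts):
    """Merge all sources into one list ordered by time, as an investigator would."""
    return sorted(artifacts, key=lambda a: a.when)

def find_timestamp_conflicts(artifacts):
    """A shortcut or registry entry cannot be written before the file it points to exists,
    so an MFT creation time later than such an artifact means one side was altered
    (e.g. the file's timestamps were stomped). Returns tuples of
    (path, source, event, artifact time, claimed creation time)."""
    created = {a.path: a.when for a in artifacts if a.source == "mft" and a.event == "created"}
    conflicts = []
    for a in build_timeline(artifacts):
        claimed = created.get(a.path)
        if a.source != "mft" and claimed is not None and a.when < claimed:
            conflicts.append((a.path, a.source, a.event, a.when, claimed))
    return conflicts

# Constructed sample: the MFT claims report.doc was created in 2009, but a LNK file and a
# RecentDocs key referencing it were written in Aug 2008; notes.txt is consistent.
DOC, NOTES = r"C:\Users\x\report.doc", r"C:\Users\x\notes.txt"
SAMPLE = [
    Artifact("mft", DOC, "created", ts("2009-03-01T10:00:00")),
    Artifact("mft", DOC, "modified", ts("2009-03-01T10:00:00")),
    Artifact("lnk", DOC, "shortcut created", ts("2008-08-28T09:12:40")),
    Artifact("registry", DOC, "RecentDocs last write", ts("2008-08-28T09:15:02")),
    Artifact("mft", NOTES, "created", ts("2008-05-05T08:00:00")),
    Artifact("lnk", NOTES, "shortcut created", ts("2008-06-01T12:00:00")),
]

if __name__ == "__main__":
    for c in find_timestamp_conflicts(SAMPLE):
        print("conflict:", c)
```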

Aug 28, 2008
#3
Thanks for the reply. I agree that encryption is as good as maybe it gets, depending on what encryption is used, e.g. WEP, WPA, AES, etc., but hiding data this way shows the investigator that there is something to be investigated (unless it's an empty file/folder designed to slow the analysis). How about hiding evidence in the Slack Files, Bad Sectors, Master File Table, or by using Steganography, e.g. SNOW?
Using one or more of these methods may be something that some investigators will not think about (OK, maybe they should look, but some won't) as they are not obvious.
I am at fault here (only the first time though. I learn fast!) as I spent days and days analysing a drive, finding a lot of data but not much to 'link it all together'. It was only after looking at the slack space that I found stuff that provided the links in the case. Now I always look - seek and ye shall find!

DanHaynes (New Member), Aug 6, 2008
#4
I'm a little new at this, but if it is encrypted then can't you image it to a FAT drive and that will defeat the encryption?
Also, analyzing the partition table should show all partitions, even hidden. Also, finding deleted files (I have used runtime disk explorer) to show the deleted file and that shows the starting cluster, and you can then follow the clusters to change the hex values to something other than FF7 or 00 or E5.
We haven't learned NTFS yet, so maybe I'm wrong here.

Aug 28, 2008
#5
I wish it was that easy to see encrypted files. An image is just that, an image of a file etc., so its attributes are the same as the original. Hidden files are those that have been hidden within another file, e.g. hiding an image or text file inside another image.
Hidden data in the slack space is sort of like having a box that is only partly full of a substance but with plenty of space left for hiding a diamond ring (in that empty space). A poor analogy maybe but I hope you see what I'm getting at. Put that into all the available free space of a drive and it can make it extremely difficult to find evidence.
Bad sectors are those sectors of a drive (P-list or G-list) that are ignored by the system but where data can be hidden.
Changing the hex values in the header or footer of a file is a favourite way to hide data. WinHex or similar is maybe the best tool for correcting these values and so getting back the original file type.

Complete (Administrator), Aug 19, 2006
#6
Quoting post #4:
I'm a little new at this, but if it is encrypted then can't you image it to a FAT drive and that will defeat the encryption?

You're kind of right... if you are logged in and have EFS enabled, when you move an encrypted file to a FAT drive then the file will lose its encryption on the FAT drive.

Quoting post #3:
but hiding data this way shows the investigator that there is something to be investigated

Every laptop should have whole disk encryption. My laptop is encrypted but I have nothing worth investigating on there. I think that if you start using typical anti-forensic tools you will raise more red flags than just having encryption present.

Quoting post #5:
Put that into all the available free space of a drive and it can make it extremely difficult to find evidence.

Hiding data in slack space is fine, but unless it is encrypted a simple keyword search will still find the relevant data.

Aug 28, 2008
#7
1.
Quoting post #6:
You're kind of right... if you are logged in and have EFS enabled, when you move an encrypted file to a FAT drive then the file will lose its encryption on the FAT drive.

This doesn't apply to Windows XP Home Edition, Windows Vista Basic, and Windows Vista Home Premium, which are the main OSs used by home users.

2.
Quoting post #6:
Every laptop should have whole disk encryption. My laptop is encrypted but I have nothing worth investigating on there. I think that if you start using typical anti-forensic tools you will raise more red flags than just having encryption present.

The point of anti-forensics is to slow or prevent the process of finding data on a system. Putting in lots of red-herring encrypted files is one sure way of aggravating the process.

3.
Quoting post #6:
Hiding data in slack space is fine, but unless it is encrypted a simple keyword search will still find the relevant data.

There are several tools out there (e.g. Slacker or FragFS) that will hide data in the slack space, and simply searching for a keyword won't always work. Create two or more partitions, put some data into them, and then delete one of the partitions. Since deleting the partition does not actually delete the data, that data is now hidden.
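As an added example (not code from any poster), a slack-space scan of the kind argued over in #6 and #7: it isolates each file's slack, skips slack that is only zeros, and reports both keyword hits (what a plain keyword search would catch) and entropy (what it would miss when the stashed data is encrypted). The cluster size, file list and three-cluster image are all constructed.

```python
import math
import random
from collections import Counter

CLUSTER = 4096  # assumed cluster size of the constructed image

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; near 8.0 suggests encrypted or compressed content."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def slack_region(start_cluster: int, size: int):
    """Byte range of a file's slack: from its logical end to the end of its last cluster."""
    end = start_cluster * CLUSTER + size
    return end, start_cluster * CLUSTER + math.ceil(size / CLUSTER) * CLUSTER

def scan_slack(image: bytes, files, keywords):
    """Report slack areas holding anything beyond trailing zeros, with keyword hits
    and entropy, so both stashed plaintext and stashed ciphertext are surfaced."""
    findings = []
    for name, start_cluster, size in files:
        lo, hi = slack_region(start_cluster, size)
        payload = image[lo:hi].rstrip(b"\x00")
        if not payload:
            continue  # ordinary slack: nothing written past end of file
        findings.append({"file": name, "offset": lo, "bytes": len(payload),
                         "keywords": [k for k in keywords if k in payload],
                         "entropy": round(entropy(payload), 2)})
    return findings

def build_sample_image() -> bytes:
    """Constructed three-cluster image: a.txt has plaintext stashed in its slack,
    b.bin has random-looking (encrypted-style) bytes there, c.txt has clean slack."""
    img = bytearray(CLUSTER * 3)
    img[0:100] = b"A" * 100                                  # a.txt, 100 bytes, cluster 0
    secret = b"meet at the usual place 2008-08-28 ..."
    img[100:100 + len(secret)] = secret                     # stashed plaintext in a.txt slack
    img[CLUSTER:CLUSTER + 200] = b"B" * 200                  # b.bin, 200 bytes, cluster 1
    rng = random.Random(42)                                  # deterministic "ciphertext"
    img[CLUSTER + 200:CLUSTER + 1200] = bytes(rng.randrange(256) for _ in range(1000))
    img[2 * CLUSTER:2 * CLUSTER + 50] = b"C" * 50            # c.txt, 50 bytes, cluster 2
    return bytes(img)

SAMPLE_FILES = [("a.txt", 0, 100), ("b.bin", 1, 200), ("c.txt", 2, 50)]

if __name__ == "__main__":
    for f in scan_slack(build_sample_image(), SAMPLE_FILES, [b"usual place"]):
        print(f)
```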

Complete (Administrator), Aug 19, 2006
#8
Quoting post #7:
There are several tools out there (e.g. Slacker or FragFS) that will hide data in the slack space, and simply searching for a keyword won't always work. Create two or more partitions, put some data into them, and then delete one of the partitions. Since deleting the partition does not actually delete the data, that data is now hidden.

Seems like a lot of work when you could just employ full disk encryption with a strong password and not have to worry about it either way. :D

Aug 28, 2008
#9
It may seem like a lot of work but if someone wants to hide something then it's a relatively good place to hide it.
Maybe better than encrypting the whole drive which, to the investigator, shows that there is something to be found.
Is it better to hide data in a haystack or is it better to put it in a safe?
Very few haystacks contain data but most safes contain something of interest.

Dec 31, 2006
#10
A utility like DriveCrypt allows you to create a hidden, encrypted operating system.
SecureStar said:
DriveCrypt

Container and Partition based encryption

Ideal to encrypt USB-disks/sticks, secondary disks/partitions, CDs, DVDs, containers etc. DriveCrypt also allows you to hide data in music files and create hidden containers/partitions: by entering the correct password, the disks open; if, however, you are forced to reveal a password, you could reveal a pre-configured “fake” password and the disk will open showing fake, prepared information.
I agree that there are many tools out there; however, as Complete wrote, "the only "anti-forensics" tool worth its salt is encryption." Obfuscating the obvious is not enough. I can search a haystack; opening a safe is a much harder process.

Aug 28, 2008
#11
Quite often the point of anti-forensics is to frustrate the investigation and to lay false paper trails. How many haystacks would you be willing to search before you got fed up? On the other hand, setting up a password cracker to open a folder, etc., and leaving it to run for a few hours, days (weeks?) while you carry on with other work is hardly strenuous.

Dec 31, 2006
#12
I can and do search a lot of haystacks. There are very few safes that are worth taking the time to crack (and I have 25 machines in an AccessData DNA Cluster to throw at encrypted containers).

Aug 28, 2008
#13
I am not saying that you don't. What I am saying is that some suspects hide data inside slack spaces because many investigators will not delve into that many spaces before giving up, believing that no data is there to be found.
On the other hand, hiding data inside an encrypted file is less strenuous because the system does most of the work, leaving them free to do other things, whether it be work, rest, or play.
Many consultants are not as thorough as you in their pursuit of evidence.
Certainly from a security point of view, encryption is maybe the best method of concealing data, but from the lazyitis viewpoint it is not.
PS - No offence intended to you or anyone else.
:)

Dec 31, 2006
#14
No offense taken. Without spirited discourse there is no learning.

My take on this is that in terms of effectiveness encryption trumps obfuscation. That is not to say hiding data is ineffective, just that, in terms of resources, on cases I have investigated, decryption takes more than other methods I have encountered.