Anti-forensics: What the bad guys are doing - PowerPoint PPT Presentation

About This Presentation
Title:

Anti-forensics: What the bad guys are doing

Description:

Issues Computer forensics is becoming more mainstream ... tracks Programmers are writing tools to defeat specific commercial computer forensics products ... – PowerPoint PPT presentation

Number of Views:158
Avg rating:3.0/5.0
Slides: 50
Provided by: isacakcO6
Learn more at: http://www.isaca-kc.org
Category:
Tags: anti | bad | doing | forensics | guys


Transcript and Presenter's Notes

Title: Anti-forensics: What the bad guys are doing


1
Anti-forensics: What the bad guys are doing
  • John Mallery
  • Managing Consultant
  • 816 221-6300
  • jmallery_at_bkd.com

2
Issues
  • Computer forensics is becoming more mainstream
  • Computer users are learning more effective
    methods to cover their tracks
  • Programmers are writing tools to defeat specific
    commercial computer forensics products
  • Computer forensics examiners are slaves to their
    tool(s)

3
Agenda
  • Configuration settings - methods used to cover
    tracks using supplied tools and configuration
    settings
  • Third party tools - wiping, properties changers,
    registry cleaners, steganography/encryption, etc.
  • Tools and methods designed specifically to fool
    computer forensics programs.

4
Simple
  • Shift+Delete to bypass Recycle Bin
  • Recycle Bin configured to delete immediately
  • defrag

5
OS/Application Supplied
Empty Temporary Internet Files folder when
browser is closed.
6
OS/Application Supplied
Shutdown: Clear virtual memory pagefile - Enabled
XP - Control Panel > Administrative Tools > Local
Security Policy > Local Policies > Security
Options > Shutdown: Clear virtual memory Page
File > Select Enabled
7
Clear Page File
  • Configured? Check the following registry key
  • Hive: HKEY_LOCAL_MACHINE\SYSTEM
  • Key: CurrentControlSet\Control\Session
    Manager\Memory Management
  • Name: ClearPageFileAtShutdown
  • Type: REG_DWORD
  • Value: 1

Slows down shutdown process
8
OS/Application Supplied
CIPHER - Displays or alters the encryption of
directories (files) on NTFS partitions. CIPHER
/W:directory overwrites the unused space on the volume
(XP)
9
Alternate Data Streams
  • The NTFS File System provides the ability to have
    additional data streams associated with a file.
    (Provides support for Apple's HFS Hierarchical
    File System)

10
Alternate Data Stream
  • Demo thanks to Harlan Carvey
  • At the command prompt:
  • C:\> mkdir ads
  • C:\> cd ads
  • C:\> echo This is a standard text file.
    > textfile.txt
  • C:\> echo The password is weasel.
    > textfile.txt:pword.txt
  • To read the alternate data stream: C:\> notepad
    textfile.txt:pword.txt
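
Slides 9 and 10 show how an alternate data stream hides text behind an ordinary file. As an added example (not part of the deck and not Harlan Carvey's demo), the Python below parses the output of `dir /R`, which on Windows Vista and later lists every stream of every file, and flags files whose streams are anything other than the browser's Zone.Identifier marker. The listing is constructed, not captured from a real system.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `dir /R` output (Windows Vista and later; /R lists
# alternate data streams). Not captured from a real system.
SAMPLE_DIR_R_OUTPUT = """\
 Volume in drive C has no label.
 Directory of C:\\ads

11/14/2005  10:15 AM    <DIR>          .
11/14/2005  10:15 AM    <DIR>          ..
11/14/2005  10:16 AM                31 textfile.txt
                                    24 textfile.txt:pword.txt:$DATA
11/14/2005  10:20 AM             4,096 report.doc
                                    26 report.doc:Zone.Identifier:$DATA
               2 File(s)          4,127 bytes
"""

# A file line starts with a date; a stream line has only a size and
# "name:stream:$DATA" and is indented past the date/time columns.
_FILE_LINE = re.compile(r"^\d{2}/\d{2}/\d{4}\s+\S+\s+\S+\s+([\d,]+)\s+(.+?)\s*$")
_STREAM_LINE = re.compile(r"^\s+([\d,]+)\s+(.+?):([^:]+):\$DATA\s*$")

# Streams Windows itself attaches to downloaded files; everything else is worth a look.
BENIGN_STREAMS = {"Zone.Identifier"}


def parse_dir_r(output: str) -> Dict[str, List[Tuple[str, int]]]:
    """Map each file name to a list of (stream_name, size_in_bytes) tuples."""
    streams: Dict[str, List[Tuple[str, int]]] = {}
    for line in output.splitlines():
        m = _FILE_LINE.match(line)
        if m:
            streams.setdefault(m.group(2), [])   # file seen, streams may follow
            continue
        m = _STREAM_LINE.match(line)
        if m:
            size = int(m.group(1).replace(",", ""))
            streams.setdefault(m.group(2), []).append((m.group(3), size))
    return streams


def suspicious_streams(output: str) -> Dict[str, List[Tuple[str, int]]]:
    """Return only the files carrying streams outside the benign set."""
    result: Dict[str, List[Tuple[str, int]]] = {}
    for name, stream_list in parse_dir_r(output).items():
        odd = [(s, n) for s, n in stream_list if s not in BENIGN_STREAMS]
        if odd:
            result[name] = odd
    return result


if __name__ == "__main__":
    for name, found in suspicious_streams(SAMPLE_DIR_R_OUTPUT).items():
        for stream, size in found:
            print(f"{name}: stream {stream!r} ({size} bytes)")
```

On a live Windows system the same stream can be read directly, since Python's `open()` accepts the `file:stream` path syntax there; the parser above is for reviewing a listing captured from a machine you cannot run code on.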

11
OS/Application Supplied
Disk Cleanup
12
OS/Application Supplied
13
Online doc creation/storage
14
OS/Application Supplied
  • Word (Excel)
  • Hidden font
  • White on White
  • Small font
  • Plug-ins
  • Remove hidden data tool
  • Redaction tool
  • Payne scrambling tool

15
Hidden Font
Hidden font
16
Redaction tool
Overview: Redaction is the careful editing of a
document to remove confidential information. The
Microsoft Office Word 2003 Redaction Add-in makes
it easy for you to mark sections of a document
for redaction. You can then redact the document
so that the sections you specified are blacked
out. You can either print the redacted document
or use it electronically. In the redacted version
of the document, the redacted text is replaced
with a black bar and cannot be converted back to
text or retrieved.
http://tinyurl.com/dgokp (Word 2003)
17
Remove Hidden Data(metadata)
http://tinyurl.com/5bams
18
Remove Hidden Data
19
Scramble Assistant
For Word Excel
http://www.payneconsulting.com/products/scramword_free/
20
Advantages of OS Supplied Tools
  • Appear less nefarious than commercial tools
    (Evidence Eliminator).
  • Free

21
Third Party Tools
  • Fun for the Whole Family

22
Registry Cleaner
23
Merge Streams/Glue
  • Hides an Excel file within a Word document (or vice
    versa)
  • .doc - see Word file
  • .xls - see Excel file
  • Won't fool a forensics examiner, but may confuse them
  • Word: Recover Text from Any File

24
Merge Streams/Glue
25
Merge Streams/Glue
  • Demo
  • http://www.ntkernel.com/wp.php?id=23

26
File Properties Changer
www.segobit.com
27
File Splitting
  • 1toX - http://www.logipole.com/indexe.html
  • GSplit - http://www.gdgsoft.com/gsplit/
  • Some tools can split files, password protect and
    encrypt pieces.
  • Split file and store pieces in different
    locations

28
Wiping Tools
  • Gazillions of them
  • Eraser (comes with DBAN)
  • SDelete - www.sysinternals.com
  • Evidence Eliminator
  • BC Wipe
  • Cyberscrub
  • Etc.
  • Do they perform as promised? PGP - does it really
    wipe slack space?
  • Are they used frequently?

29
Removing Residual Data
  • Tools exist to remove residual data
  • But do not use them in response to litigation
  • See - Kucala Enterprises, Ltd. v. Auto Wax Co.,
    Inc., 2003 WL 21230605 (N.D. Ill.), May 27, 2003 -
    "Any reasonable person can deduce, if not from
    the name of the product itself, then by reading
    the website, that Evidence Eliminator is a
    product used to circumvent discovery."
  • Anderson v. Crossroads Capital Partners

30
Software
  • HKEY_CURRENT_USER\Software\
  • Manufacturer Name\Tool
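
Slide 7 gives the registry value that shows whether page-file clearing is configured, and slide 30 notes that third-party tools leave their own keys under HKEY_CURRENT_USER\Software\Manufacturer Name\Tool. The following Python is an added example covering both (my code, not from the deck): it parses a `.reg` export of the kind produced by Regedit or `reg export`, reports the ClearPageFileAtShutdown setting, and lists HKCU\Software keys whose path names one of the wiping products from slide 28. The export, including the vendor folder names, is constructed.

```python
import re
from typing import Dict, List

# Constructed .reg export fragment; the vendor folder names are placeholders,
# not the real installation paths of any product.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
"ClearPageFileAtShutdown"=dword:00000001
"PagingFiles"=hex(7):43,00,3a,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00

[HKEY_CURRENT_USER\Software\ExampleVendor\Evidence Eliminator]
"Installed"=dword:00000001

[HKEY_CURRENT_USER\Software\AnotherVendor\BCWipe]
"LastRun"="2005-11-14"
"""

_KEY = re.compile(r"^\[(.+)\]\s*$")
# Value lines: "Name"=dword:XXXXXXXX, "Name"="string", or "Name"=hex[(type)]:bytes
_VALUE = re.compile(r'^"([^"]+)"=(dword:[0-9a-fA-F]{8}|"[^"]*"|hex(?:\(\d+\))?:.*)$')

PAGEFILE_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control"
                r"\Session Manager\Memory Management")

# Product names from slide 28; matched case-insensitively against key paths.
WATCHLIST = ("evidence eliminator", "bcwipe", "cyberscrub", "eraser", "sdelete")


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse [key] headers and their name=value lines into {key: {name: rawvalue}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        m = _KEY.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = _VALUE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def clear_pagefile_enabled(keys: Dict[str, Dict[str, str]]) -> bool:
    """Slide 7 check: ClearPageFileAtShutdown present as a REG_DWORD equal to 1."""
    raw = keys.get(PAGEFILE_KEY, {}).get("ClearPageFileAtShutdown", "")
    return raw.lower() == "dword:00000001"


def installed_wiping_tools(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Slide 30 check: HKCU\\Software keys whose path names a watch-listed product."""
    hits = []
    for path in keys:
        if not path.upper().startswith("HKEY_CURRENT_USER\\SOFTWARE\\"):
            continue
        if any(tool in path.lower() for tool in WATCHLIST):
            hits.append(path)
    return sorted(hits)


if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_REG_EXPORT)
    print("Clear page file at shutdown:", clear_pagefile_enabled(parsed))
    for hit in installed_wiping_tools(parsed):
        print("Wiping tool key:", hit)
```

Absence of a key proves little, since a tool may have been run from removable media or uninstalled; presence, on the other hand, is exactly the kind of evidence slide 44 describes.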

31
Encryption
  • Cryptext - free and easy to use, a shell
    extension (http://tinyurl.com/do2qs)
  • EFS
  • OTFE Encrypted partitions - www.truecrypt.org
  • USB Thumb Drives - new ones include encrypted
    partitions
  • Encrypted file stored on an encrypted partition
  • Locknote - http://locknote.steganos.com/

32
Steganography
  • Includes encryption
  • Free tools
  • Complex method of hiding data
  • But easy to do
  • Can you detect it?
  • Duplicate Colors?
  • Wetstone Technologies
  • Steganography Analysis and Research Center
  • stegdetect
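
Slide 32 asks whether steganography can be detected. One classic answer for LSB embedding is the pairs-of-values chi-square test of Westfeld and Pfitzmann: embedding random message bits equalizes the counts of each value pair (2k, 2k+1), which unmodified data rarely shows. The code below is an added example, not stegdetect or any other tool on the slide, that runs the statistic on constructed sample data, once unmodified and once with random bits written into the LSBs.

```python
import random
from typing import List, Sequence


def chi_square_pairs(samples: Sequence[int]) -> float:
    """Pairs-of-values chi-square statistic divided by degrees of freedom.

    For each pair (2k, 2k+1) the expected count under LSB embedding is the pair
    average. A result near 1.0 means the pairs are equalized (consistent with
    embedding); unmodified data typically scores far higher.
    """
    counts = [0] * 256
    for v in samples:
        counts[v & 0xFF] += 1
    chi, dof = 0.0, 0
    for k in range(128):
        even, odd = counts[2 * k], counts[2 * k + 1]
        expected = (even + odd) / 2.0
        if expected == 0:
            continue  # pair absent from the data, carries no information
        chi += (even - expected) ** 2 / expected
        dof += 1
    return chi / dof if dof else 0.0


def looks_lsb_embedded(samples: Sequence[int], threshold: float = 2.0) -> bool:
    """Flag data whose pair counts are equalized to within the threshold."""
    return chi_square_pairs(samples) < threshold


def make_cover(n: int = 20000, seed: int = 1) -> List[int]:
    """Constructed 'unmodified' data: within each pair the even value dominates."""
    rng = random.Random(seed)
    return [2 * rng.randrange(128) + (1 if rng.random() < 0.2 else 0)
            for _ in range(n)]


def embed_random_bits(samples: Sequence[int], seed: int = 2) -> List[int]:
    """Simulate sequential LSB embedding of a uniformly random message."""
    rng = random.Random(seed)
    return [(v & ~1) | rng.getrandbits(1) for v in samples]


if __name__ == "__main__":
    cover = make_cover()
    stego = embed_random_bits(cover)
    print(f"cover: chi2/dof = {chi_square_pairs(cover):.2f}")
    print(f"stego: chi2/dof = {chi_square_pairs(stego):.2f}")
```

The test is only sensitive to embedding that fills the sampled region and to messages that look random (encrypted or compressed), which is why the slide's "includes encryption" point cuts both ways: encryption hides the message content but makes the statistical footprint cleaner.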

33
S-Tools
DEMO
34
Metasploit Project
  • Timestomp modifies MAC times so EnCase can't
    read them.

http://www.metasploit.com/projects/antiforensics/
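
Slide 34 describes Timestomp altering the MAC times that a tool reads from the $STANDARD_INFORMATION attribute. Examiners commonly triage this by comparing those stamps with the $FILE_NAME attribute, which NTFS sets itself and which Timestomp is assumed here not to have changed, and by looking for stamps with no sub-second precision. The Python below applies those two heuristics to constructed MFT records; it is an added example, not Metasploit project code, and the records and thresholds are made up for illustration.

```python
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Sequence


class MftTimes(NamedTuple):
    """Timestamps from one MFT record (constructed; not parsed from an image)."""
    name: str
    si_created: datetime    # $STANDARD_INFORMATION: what Explorer and most tools show
    si_modified: datetime
    fn_created: datetime    # $FILE_NAME: written by the file system itself
    fn_modified: datetime


SAMPLE_RECORDS = [
    MftTimes("report.doc",
             datetime(2005, 11, 14, 10, 20, 31, 123456),
             datetime(2005, 11, 14, 10, 25, 2, 654321),
             datetime(2005, 11, 14, 10, 20, 31, 123456),
             datetime(2005, 11, 14, 10, 20, 31, 123456)),
    # $SI pushed back to 2001 with whole-second precision; $FN untouched.
    MftTimes("budget.xls",
             datetime(2001, 1, 1, 0, 0, 0, 0),
             datetime(2001, 1, 1, 0, 0, 0, 0),
             datetime(2005, 11, 14, 11, 2, 17, 987654),
             datetime(2005, 11, 14, 11, 2, 17, 987654)),
]

# Tolerance for clock granularity when comparing the two attributes (assumed).
SLACK = timedelta(seconds=1)


def timestomp_indicators(rec: MftTimes) -> List[str]:
    """Return the heuristics a record trips; an empty list means nothing odd."""
    reasons = []
    # Heuristic 1: $SI stamps earlier than $FN creation mean $SI was rewritten
    # after the file system stamped $FN.
    if rec.si_created < rec.fn_created - SLACK:
        reasons.append("$SI created precedes $FN created")
    if rec.si_modified < rec.fn_created - SLACK:
        reasons.append("$SI modified precedes $FN created")
    # Heuristic 2: NTFS keeps 100 ns precision; all-zero fractions on every
    # $SI stamp are typical of tools that accept whole seconds only.
    if rec.si_created.microsecond == 0 and rec.si_modified.microsecond == 0:
        reasons.append("sub-second precision zeroed in $SI")
    return reasons


def flag_records(records: Sequence[MftTimes]) -> Dict[str, List[str]]:
    """Map each suspicious file name to the list of indicators it tripped."""
    flagged: Dict[str, List[str]] = {}
    for rec in records:
        reasons = timestomp_indicators(rec)
        if reasons:
            flagged[rec.name] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in flag_records(SAMPLE_RECORDS).items():
        print(name, "->", "; ".join(reasons))
```

Treat the output as triage, not proof: files restored from backup or copied with tools that preserve timestamps can legitimately carry $SI dates older than $FN, so a hit is a reason to look at the MFT record and the $LogFile and USN journal by hand.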
35
Timestomp
36
Timestomp
37
Timestomp
38
Document Lifecycle Management
  • Controlling documents even when they are out of
    your control
  • Expiration dates
  • Encryption

39
Document lifecycle Management
  • Net-It Now is a free print driver that renders
    your files to CSF (content secure format), a
    compressed encrypted format that allows you to
    add Visual Rights, including password
    protection, an expiration date, and feature
    restrictions, to your files (settings). Files are
    viewable with the free Brava! Reader (views TIFF,
    PDF and CSF files).
  • http://www.net-it.com/nin.htm

40
Example
41
Use a MAC
  • Entry level programs such as WinHex and
    ProDiscover Basic do not handle the HFS file
    system.
  • Most computer forensics training programs do not
    address MACs.
  • Most computer forensics examiners fear
    conducting an examination of MACs - they just
    don't understand them.

42
HPA
  • Store Data in the Host Protected Area

43
Good News/Bad News
  • First the Bad News
  • Using a combination of these tools on a regular
    basis can defeat a computer forensics examination
  • Now the Good News
  • Very few users know about all of these tools
    and methods
  • Not all tools perform as promised

44
Last thoughts
  • Determining whether these tools have been used
    can be just as important as finding evidence.
  • Finding these tools can counter the "I'm not
    sophisticated enough" argument.
  • Found in illegal movie and music distribution
    cases.

45
Mac OS X - the shape of things to come
46
Mac OS X - the shape of things to come
47
Mac OS X - Safari
48
IE7
49
Questions/Comments
John Mallery, Managing Consultant, BKD, LLP, 816
221-6300, jmallery_at_bkd.com