A Logo

Feel free to include my content in your page via my
RSS feed

Help Irongeek.com pay for
bandwidth and research equipment:

Search Irongeek.com:

Affiliates:
ISDPodcast Button
RootSecure Button
Social-engineer-training Button
Irongeek Button

Web Hosting:
Dreamhost Logo
Help Irongeek.com pay for bandwidth and research equipment:

paypalpixle


Anti-Forensics: Occult Computing  (Hacking Illustrated Series InfoSec Tutorial Videos)

Anti-Forensics: Occult Computing Class

This is a class I gave for the Kentuckiana ISSA on the the subject of Anti-forensics. It's about 3 hours long, and sort of meandering, but I hope you find it handy. For the record, Podge was operating the camera :) Apparently it was not on me during the opening joke, but so be it, no one seemed to get it. I spend way to much time on the Internet it seems. Also, I'm in need of finding video host to take these large files. This class video is 3 hours, 7 min and 1.2GB as captured.

Slides in PDF format
Slides in PPTX format
MP3 of just the audio

 
If the embedded video below does not show, try:
http://www.archive.org/download/Anti-Forensics-One-Big-File/anti-forensics.wmv (1.2GB, 3hr 7m)

I also did a shorter version of the same talk for Notacon, with updated slides:

Slides in PDF format
Slides in PPTX format

Video of the Notcon version should come later.
 

Below is the text version of the (original) slides, for easy searching:

Anti-Forensics
Or as I like to call it, Occult Computing
Adrian Crenshaw


About Adrian
• I run Irongeek.com
• I have an interest in InfoSec education
• I don’t know everything - I’m just a geek with time on my hands
Why Occult Computing?
• Occult comes from the Latin word occultus (clandestine, hidden, secret), referring to "knowledge of the hidden".
• Forensic: Relating to the use of science and technology in the investigation and establishment of facts or evidence in a court of law.
• Since hiding activities is what we are doing, Occult Computing seems like a good name.
• Since people are not necessarily hiding their activities from a court of law, the term anti-forensics may not apply.
• Occult Computing sounds cooler than Anti-forensics ?
Cthulhu fhtagn


What’s this class about?
Why:
• Not about just hiding your stash from the Fuzz…
• Law/policy enforcement may find it useful to know how folks hide their computer activities
• Users may want to know how to hide their activities from invasive law/policy enforcement
• Companies may want to know how to clear boxes before donating them
What:
• Mostly Windows, but most ideas are applicable to other operating systems
• Not going to cover malware analysis, nor network anti-forensics (at least not much)
• Mostly we will cover hiding tracks left on storage media
Four categories
• Don’t leave tracks in the first place
• Selective file removal and encryption tools
• Parlor Tricks
• Nuke it from orbit, it's the only way to be sure
What anti-forensic techniques are likely to be seen?
• Bow down before my Venn diagram of doom!!!


Background Info
Stuff that’s useful to know

Interesting legal stuff
IANAL
• Julie Amero
http://en.wikipedia.org/wiki/State_of_Connecticut_v._Julie_Amero 
http://www.securityfocus.com/columnists/434/ 
• Sebastien Boucher
http://en.wikipedia.org/wiki/United_States_v._Boucher 
• The “Hacker Defense”
http://www.forensicswiki.org/wiki/Legal_issues 
http://exforensis.blogspot.com/2008/07/troljan-horse-defense.html 
• If the system is set to wipe data at regular intervals normally, that may be ok. Wiping data once an investigation is about to be underway will make things worse.
• Spoliation: Someone screwed up the evidence
• CSI effect
http://en.wikipedia.org/wiki/CSI_effect 
• Plausible Deniability Tool Kit (PDTK)
http://www.nmrc.org/pub/pdtk/ 
http://www.defcon.org/html/links/dc-archives/dc-14-archive.html#weasel 

Tech Stuff
• It’s hard to cover this in order.
• You need to understand some things before you understand others, but which you have to understand first is questionable.
• Windows jams data in all sorts of places, and there are tools to make this data fairly easy to recover.

Disks, Tracks, Sectors
• A. Track
• B. Geometric Sector
• C. Track Sector
• D. Cluster

Slack Space
• Yum…Leftovers!!!
• RAM slack (but name no longer really applies) and Residual slack

Hash
One way functions:
Easy:
md5("I am a string") = "1710528bf976601a5d203cbc289e1a76“
Hard:
String("1710528bf976601a5d203cbc289e1a76“) = ("I am a string")

Can be used to fingerprint files, or see if they have changed

Host-Protected Areas and Disk Configuration Overlay
• Parts of the drive that can be set a side that normal OS and BIOS functions can’t see
• Possible to hide data there, but it’s a pain
• Taft (he’s one bad mother….)
http://www.vidstrom.net/stools/taft/ 
• More info
http://www.forensicswiki.org/wiki/DCO_and_HPA 
Forensically interesting areas in the Windows file system
• Way too many to list, but lets check some out:
http://www.irongeek.com/i.php?page=security/windows-forensics-registry-and-file-system-spots 

• Nirsoft has a lot of tools for grabbing data:
http://www.nirsoft.net/ 

• Deft Linux
http://www.deftlinux.net/ 

Don’t leave tracks in the first place

Pr0n mode and places data hides
Privacy mode (aka porn mode) in browsers
• Firefox (Private Browsing)
Keyboard shortcut: Ctrl+Shift+P
Command line: No command line, but can be set on start via Tools>Options>Privacy “Use custom setting”
• IE (InPrivate)
Keyboard shortcut: Ctrl+Shift+P
Command line: -private
• Chrome (Incognito mode)
Keyboard shortcut: Ctrl+Shift+N
Command line: --incognito
• Opera (kiosk mode)
Ok, not quite the same thing, but maybe someone will email me a solution
• Do some research online to see how good your browser’s “porn mode” really is.

Private portable browsers
• Portable Apps
http://portableapps.com/apps/internet 
• Tor Browser Bundle
http://www.torproject.org/easy-download.html.en
Firefox based, comes with Tor and Pidgin
• OperaTor
http://archetwist.com/opera/operator 
Opera based, comes with Tor
• Keep in mind, Tor != Secure

Boot media
Linux:
• Knoppix
http://www.knoppix.net/
• Ubuntu
http://www.ubuntu.com/ 
• Unetbootin
http://unetbootin.sourceforge.net/ 
And so many more… Look up the noswap option
Windows:
• Bart PE
http://www.nu2.nu/pebuilder/
• Ultimate Boot CD for Windows
http://www.ubcd4win.com/ 
• WinBuilder
http://winbuilder.net/

Selective file removal and encryption
For those that don’t want to go all the way
Links to automated selective wiping tools
• Clean After Me
http://www.nirsoft.net/utils/clean_after_me.html
• CCleaner
http://www.ccleaner.com/
• And many more….

Tools for selective file wiping
• DD
dd if=/dev/zero of=f:\Notes.docx bs=12940 count=1
I like this Windows version:
http://www.chrysocome.net/dd
• Sdelete
http://technet.microsoft.com/en-us/sysinternals/bb897443.aspx 
• Eraser
http://eraser.heidi.ie/ 
• *nix guys, look into Shred
http://en.wikipedia.org/wiki/Shred_%28Unix%29 

Just slack and unused space
• Eraser
• Cipher that comes with Windows as a command line EFS tool
Run once:
cipher /w:g:
Schedule script:
REM at 2:00 /every:m,t,w,th,f,s,su c:\defragandcipher.bat
defrag c: /f
defrag c: /f
defrag c: /f
cipher /w:c:\

Selective File Encryption
• EFS
http://en.wikipedia.org/wiki/Encrypting_File_System
Hash insertion does not help (Pnordahl)
Can read file names
Best to use a SYSKEY password or boot key
• TrueCrypt
http://www.truecrypt.org/
http://sourceforge.net/projects/tcexplorer/ 
• FreeOTFE
http://www.freeotfe.org/ 
• Good encryption does not compress much

Reasons why relying on selective file wiping is not a good idea
• Windows jams data in all sorts of places, it’s hard to get them all
• You got the main file, but what about the temp?
• Defrag, moving files and abandoned clusters
• USB device logs
• Page and hibernation files
• Data carving ?

Defrag issues
• You defrag a drive
• You wipe a file on that drive
• What about the remnants of the file from before the defrag?

USB device log
• Ah, so the suspect has a camera/thumbdrive/iPod/etc
• USBDeview
http://www.nirsoft.net/utils/usb_devices_view.html
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR
• Search for “USBSTOR” in c:\windows\inf\setupapi.dev.log

Page file
• File used for swapping memory:
pagefile.sys
• Linux folks, investigate swap
Disable page file
• Disable:
Control Panel->System and Security->System->Advanced System Settings->Performance->Advanced->Virtual Memory->Change
Wipe page file
• Set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\ ClearPageFileAtShutdown to 1

Hibernation file
• File used for storing active memory when going into hibernation mode:
hiberfil.sys
Go into power setting to disable
Data carving
• Go down the drive bit by bit looking for file headers

• DiskDigger
http://dmitrybrant.com/diskdigger 
• Photorec
http://www.cgsecurity.org/wiki/PhotoRec
• Other file carving tools
http://www.forensicswiki.org/wiki/Tools:Data_Recovery#Carving
• File system compression makes file carving far less reliable!
So, what is writing where?
What needs to be wiped? What is this tool doing?

• Process Monitor
http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
• RegFromApp
http://www.nirsoft.net/utils/reg_file_from_application.html 
• ProcessActivityView
http://www.nirsoft.net/utils/process_activity_view.html 

Parlor Tricks
Maybe useful sometimes, but mostly fluff
Tool/Solution Kiddies
• Does the examiner understand the concepts, or just the tool?
• Think back to the Julie Amero case
• What is their case load like?

Timestomp
• Making the chain of events hard to manage http://www.metasploit.com/research/projects/antiforensics/
-m <date> M, set the "last written" time of the file
-a <date> A, set the "last accessed" time of the file
-c <date> C, set the "created" time of the file
-e <date> E, set the "mft entry modified" time of the file
-z <date> set all four attributes (MACE) of the file
-v show the UTC (non-local time) MACE values for file
-b sets the MACE timestamps so that EnCase shows blanks -r does the same recursively , Know as the Craig option


• For setting an arbitrary time recursively:
Command:
for /R c:\users\ %i in (*) do timestomp.exe %i -z "Monday 3/12/2099 10:00:00PM"
AltDS
• Alternate data streams
type mypr0n.jpg disney.jpg:hide
mspaint disney.jpg:hide
• Hit or miss with file carving
• Practical Guide to Alternative Data Streams in NTFS
http://www.irongeek.com/i.php?page=security/altds

Steganography
(Hiding stuff in stuff so people don’t find your stuff)
• With encryption, most times people know that some data is there, just not what it is.
• With Stego, they hopeful will not even know it’s there.
• Tacked on
copy /B image.jpg+putty.zip test.jpg
• Insertion
Example: Putting a file inside of a DOCX, it’s just a ZIP file with some XML, just add you inserted file name into [Content_Types].xml so the DOCX does not report as corrupted.
• Additive
LSB (Least Significant Bit), for example making imperceptible changes to a format that can take loss and still be useful (audio, images, video).
Vecna
http://www.uni-koblenz.de/~strauss/vecna/ 

Lemonwipe
(rude and crude)
Repeat script to feed into DD:
@Echo Off
:TOP
type %1
Goto TOP
Command:
repeat.bat adrianbeer.jpg | dd of=\\.\f:
Create one big file:
@Echo Off
:TOP
type %1 >>%2\%1
if not %errorlevel%==0 goto :error
Goto TOP
:error
echo Exiting and deleting %2\%1
del %2\%1
exit /B -1
Command:
Smack.bat image.jpg f:

Two partitions on a thumbdrive
• Two partitions on a thumb drive? Windows sees one.
Cloud Computing?
• Use the browser’s privacy mode, and SSL
• If it’s not on the drive, they can’t find it on the drive
• Less 4th amendment protection?
• Find a country that does not work well with US law enforcement

Attack the forensic software?
• XSS, not just for web forms anymore
http://www.irongeek.com/i.php?page=security/xss-sql-and-command-inject-vectors 
• Breaking Forensics Software: Weaknesses in Critical Evidence Collection (Encase and Sleuth Kit)
ISEC Partners presentation at Defcon 15
http://www.defcon.org/html/links/dc-archives/dc-15-archive.html#Palmer
• 42.zip = 4.5 PetaBytes
http://www.unforgettable.dk/
http://en.wikipedia.org/wiki/Zip_bomb 
• Two comments on these attacks:
• If the examiner sees the data attacking him, they will know something is up.
• Do you really think it’s a good idea to piss off the forensic examiner?

Thermite
• http://hackaday.com/2008/09/16/how-to-thermite-based-hard-drive-anti-forensic-destruction/
• Uhm, just no.
• Destruction of evidence charges
• Fire hazard
• Just use full drive encryption
• While we are on that topic:
http://www.youtube.com/watch?v=Bv5LHamqAsI

Nuke it from Orbit
It’s the only way to be sure

Wipe Tools
• DD
dd if=/dev/zero of=\\.\f: --progress bs=1M
dd if=/dev/zero of=\\.\Volume{de891b6a-8432-11de-86d4-005056c00008} bs=1M –progress
• DBAN
http://www.dban.org/
• HDD Wipe Tool
http://hddguru.com/content/en/software/2006.04.13-HDD-Wipe-Tool/


One wipe?
• Magnetic Force Microscopy
http://sansforensics.wordpress.com/2009/01/15/overwriting-hard-drive-data/
• On a pristine modern drive 92% chance to recover the correct previous bit , 56% on a used drive
• Probabilities multiply, so to get one byte:
.92^8=51% (more or less)
• For 1 Kilobyte= 2.238e-297

Enhanced Secure Erase
Not only is it faster, but it can wipe remapped blocks (bad sectors) from the G-LIST
• HDParm
http://ata.wiki.kernel.org/index.php/ATA_Secure_Erase
• MHDD
http://hddguru.com/content/en/software/2005.10.02-MHDD/
http://hddguru.com/content/en/software/2006.02.10-Magic-Boot-Disk/

• HDDErase
http://cmrr.ucsd.edu/people/Hughes/SecureErase.shtml 

Full System Drive Encryption
• BitLocker
http://www.microsoft.com/windows/windows-vista/features/bitlocker.aspx
Built in to Windows Vista/7
AES CBC
Pain to setup in Vista
Look into Bitlocker To Go to secure your USB drive
To enable Bitlocker without TPM in Win 7, gpedit.msc > Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Require Additional Authentication at Startup > Enable
Bitlocker Modes:
TPM only
TPM + PIN
TPM + PIN + USB Key
TPM + USB Key
USB Key
• TrueCrypt
http://www.truecrypt.org/ 
Open source
(for review of a lot of eyes)
Read from other platforms
Works on XP
More cipher options
Uses XTS which is better than CBC, but ask a cryptographer why
• Also, look into hardware based options
http://www.enovatech.net/ 

How about running a VM form an encrypted volume?
• Easy to do
• I have some concern about data leaking into swap/ page file. This needs more testing.
• A few suggested tweaks:
MemAllowAutoScaleDown = "FALSE"
mainMem.useNamedFile = "FALSE“

• Use some of the page file wiping techniques mentioned before
Other tools
• Deft Linux
http://www.deftlinux.net/
• FTK Imager
http://www.accessdata.com/downloads.html
• WinHex
http://www.x-ways.net/winhex/ 

How do I know someone had ran anti-forensics software on a computer?
• No 100% positive way
• Look for files names I mentioned in this presentation
• Leftovers from the tool, for example:
HKCU\Software\Sysinternals\SDelete\EulaAccepted
• I need to work on some tools to do this sort of detection…
• Look at the drive for large sections of all zeros/random bytes, but this could be for other reasons (Vista & < after full format, Solid-state Drives)
• Hash search of know anti-forensics tools

HashMyFiles
http://www.nirsoft.net/utils/hash_my_files.html 
Change the hash of the file ?
• If it’s just the hash, change a few bytes, preferably in strings
• Compile from source if you have it
• Use a packer
UPX
http://upx.sourceforge.net/ 
http://sourceforge.net/projects/upxer/files/ 
• Shikata Gai Nai from Metasploit
http://www.metasploit.com

Events
• Free ISSA classes
• ISSA Meeting
http://issa-kentuckiana.org/ 
• Louisville Infosec
http://www.louisvilleinfosec.com/ 
• Phreaknic/Notacon/Outerz0ne
http://phreaknic.info 
http://notacon.org/
http://www.outerz0ne.org/ 

Helping with the free classes
• Got old hardware you would like to donate?
• Is there a subject you would like to teach?
• Let others know about upcoming classes, and the videos of previous classes.

Thanks
• Scott Moulton
http://www.myharddrivedied.com/
• Tyler “Trip” Pitchford
• Folks at Binrev and Pauldotcom
• Louisville ISSA
• John for the extra camera

Questions?
42
 

Printable version of this article

15 most recent posts on Irongeek.com:


If you would like to republish one of the articles from this site on your webpage or print journal please contact IronGeek.

Copyright 2014, IronGeek
Louisville / Kentuckiana Information Security Enthusiast