Anti-Forensics: Occult Computing (Hacking Illustrated Series InfoSec Tutorial Videos)

Anti-Forensics: Occult Computing Class

This is a class I gave for the Kentuckiana ISSA on the subject of Anti-forensics. It's about 3 hours long, and sort of meandering, but I hope you find it handy. For the record, Podge was operating the camera :) Apparently it was not on me during the opening joke, but so be it, no one seemed to get it. I spend way too much time on the Internet it seems. Also, I'm in need of finding a video host to take these large files. This class video is 3 hours, 7 min and 1.2GB as captured.

Slides in PDF format

Slides in PPTX format

MP3 of just the audio

If the embedded video below does not show, try:

http://www.archive.org/download/Anti-Forensics-One-Big-File/anti-forensics.wmv (1.2GB, 3hr 7m)



I also did a shorter version of the same talk for Notacon, with updated slides:

Slides in PDF format

Slides in PPTX format

Video of the Notacon version should come later.

Below is the text version of the (original) slides, for easy searching:

Anti-Forensics

Or as I like to call it, Occult Computing

Adrian Crenshaw

About Adrian

• I run Irongeek.com

• I have an interest in InfoSec education

• I don't know everything - I'm just a geek with time on my hands

Why Occult Computing?

• Occult comes from the Latin word occultus (clandestine, hidden, secret), referring to "knowledge of the hidden".

• Forensic: Relating to the use of science and technology in the investigation and establishment of facts or evidence in a court of law.

• Since hiding activities is what we are doing, Occult Computing seems like a good name.

• Since people are not necessarily hiding their activities from a court of law, the term anti-forensics may not apply.

• Occult Computing sounds cooler than Anti-forensics?

Cthulhu fhtagn

What's this class about?

Why:

• Not about just hiding your stash from the Fuzz...

• Law/policy enforcement may find it useful to know how folks hide their computer activities

• Users may want to know how to hide their activities from invasive law/policy enforcement

• Companies may want to know how to clear boxes before donating them

What:

• Mostly Windows, but most ideas are applicable to other operating systems

• Not going to cover malware analysis, nor network anti-forensics (at least not much)

• Mostly we will cover hiding tracks left on storage media

Four categories

• Don't leave tracks in the first place

• Selective file removal and encryption tools

• Parlor Tricks

• Nuke it from orbit, it's the only way to be sure

What anti-forensic techniques are likely to be seen?

• Bow down before my Venn diagram of doom!!!

Background Info

Stuff that's useful to know

Interesting legal stuff

IANAL

• Julie Amero

http://en.wikipedia.org/wiki/State_of_Connecticut_v._Julie_Amero

http://www.securityfocus.com/columnists/434/

• Sebastien Boucher

http://en.wikipedia.org/wiki/United_States_v._Boucher

• The "Hacker Defense"

http://www.forensicswiki.org/wiki/Legal_issues

http://exforensis.blogspot.com/2008/07/troljan-horse-defense.html

• If the system is normally set to wipe data at regular intervals, that may be ok. Wiping data once an investigation is about to be underway will make things worse.

• Spoliation: Someone screwed up the evidence

• CSI effect

http://en.wikipedia.org/wiki/CSI_effect

• Plausible Deniability Tool Kit (PDTK)

http://www.nmrc.org/pub/pdtk/

http://www.defcon.org/html/links/dc-archives/dc-14-archive.html#weasel

Tech Stuff

• It's hard to cover this in order.

• You need to understand some things before you understand others, but which you have to understand first is questionable.

• Windows jams data in all sorts of places, and there are tools to make this data fairly easy to recover.

Disks, Tracks, Sectors

• A. Track

• B. Geometric Sector

• C. Track Sector

• D. Cluster

Slack Space

• Yum... Leftovers!!!

• RAM slack (but the name no longer really applies) and Residual slack

Hash

One way functions:

Easy:

md5("I am a string") = "1710528bf976601a5d203cbc289e1a76"

Hard:

String("1710528bf976601a5d203cbc289e1a76") = ("I am a string")



Can be used to fingerprint files, or see if they have changed



Host-Protected Areas and Disk Configuration Overlay

• Parts of the drive that can be set aside that normal OS and BIOS functions can't see

• Possible to hide data there, but it's a pain

• Taft (he's one bad mother...)

http://www.vidstrom.net/stools/taft/

• More info

http://www.forensicswiki.org/wiki/DCO_and_HPA

Forensically interesting areas in the Windows file system

• Way too many to list, but let's check some out:

http://www.irongeek.com/i.php?page=security/windows-forensics-registry-and-file-system-spots

• Nirsoft has a lot of tools for grabbing data:

http://www.nirsoft.net/

• Deft Linux

http://www.deftlinux.net/



Don't leave tracks in the first place



Pr0n mode and places data hides

Privacy mode (aka porn mode) in browsers

• Firefox (Private Browsing)

Keyboard shortcut: Ctrl+Shift+P

Command line: No command line, but can be set on start via Tools > Options > Privacy > "Use custom setting"

• IE (InPrivate)

Keyboard shortcut: Ctrl+Shift+P

Command line: -private

• Chrome (Incognito mode)

Keyboard shortcut: Ctrl+Shift+N

Command line: --incognito

• Opera (kiosk mode)

Ok, not quite the same thing, but maybe someone will email me a solution

• Do some research online to see how good your browser's "porn mode" really is.



Private portable browsers

• Portable Apps

http://portableapps.com/apps/internet

• Tor Browser Bundle

http://www.torproject.org/easy-download.html.en

Firefox based, comes with Tor and Pidgin

• OperaTor

http://archetwist.com/opera/operator

Opera based, comes with Tor

• Keep in mind, Tor != Secure

Boot media

Linux:

• Knoppix

http://www.knoppix.net/

• Ubuntu

http://www.ubuntu.com/

• Unetbootin

http://unetbootin.sourceforge.net/

And so many more... Look up the noswap option

Windows:

• Bart PE

http://www.nu2.nu/pebuilder/

• Ultimate Boot CD for Windows

http://www.ubcd4win.com/

• WinBuilder

http://winbuilder.net/

Selective file removal and encryption

For those that don't want to go all the way

Links to automated selective wiping tools

• Clean After Me

http://www.nirsoft.net/utils/clean_after_me.html

• CCleaner

http://www.ccleaner.com/

• And many more...

Tools for selective file wiping

• DD

dd if=/dev/zero of=f:\Notes.docx bs=12940 count=1

I like this Windows version:

http://www.chrysocome.net/dd

• Sdelete

http://technet.microsoft.com/en-us/sysinternals/bb897443.aspx

• Eraser

http://eraser.heidi.ie/

• *nix guys, look into Shred

http://en.wikipedia.org/wiki/Shred_%28Unix%29



Just slack and unused space

• Eraser

• Cipher, which comes with Windows as a command line EFS tool

Run once:

cipher /w:g:

Schedule script (c:\defragandcipher.bat):

REM at 2:00 /every:m,t,w,th,f,s,su c:\defragandcipher.bat
defrag c: /f
defrag c: /f
defrag c: /f
cipher /w:c:\



Selective File Encryption

• EFS

http://en.wikipedia.org/wiki/Encrypting_File_System

Hash insertion does not help (Pnordahl)

Can read file names

Best to use a SYSKEY password or boot key

• TrueCrypt

http://www.truecrypt.org/

http://sourceforge.net/projects/tcexplorer/

• FreeOTFE

http://www.freeotfe.org/

• Good encryption does not compress much

Reasons why relying on selective file wiping is not a good idea

• Windows jams data in all sorts of places, it's hard to get them all

• You got the main file, but what about the temp?

• Defrag, moving files and abandoned clusters

• USB device logs

• Page and hibernation files

• Data carving

Defrag issues

• You defrag a drive

• You wipe a file on that drive

• What about the remnants of the file from before the defrag?

USB device log

• Ah, so the suspect has a camera/thumbdrive/iPod/etc

• USBDeview

http://www.nirsoft.net/utils/usb_devices_view.html

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR

• Search for "USBSTOR" in c:\windows\inf\setupapi.dev.log

Page file

• File used for swapping memory:

pagefile.sys

• Linux folks, investigate swap

Disable page file

• Disable:

Control Panel->System and Security->System->Advanced System Settings->Performance->Advanced->Virtual Memory->Change

Wipe page file

• Set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown to 1



Hibernation file

• File used for storing active memory when going into hibernation mode:

hiberfil.sys

Go into power setting to disable

Data carving

• Go down the drive bit by bit looking for file headers

• DiskDigger

http://dmitrybrant.com/diskdigger

• Photorec

http://www.cgsecurity.org/wiki/PhotoRec

• Other file carving tools

http://www.forensicswiki.org/wiki/Tools:Data_Recovery#Carving

• File system compression makes file carving far less reliable!

So, what is writing where?

What needs to be wiped? What is this tool doing?



• Process Monitor

http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx

• RegFromApp

http://www.nirsoft.net/utils/reg_file_from_application.html

• ProcessActivityView

http://www.nirsoft.net/utils/process_activity_view.html



Parlor Tricks

Maybe useful sometimes, but mostly fluff

Tool/Solution Kiddies

• Does the examiner understand the concepts, or just the tool?

• Think back to the Julie Amero case

• What is their case load like?

Timestomp

• Making the chain of events hard to manage

http://www.metasploit.com/research/projects/antiforensics/

-m <date> M, set the "last written" time of the file

-a <date> A, set the "last accessed" time of the file

-c <date> C, set the "created" time of the file

-e <date> E, set the "mft entry modified" time of the file

-z <date> set all four attributes (MACE) of the file

-v show the UTC (non-local time) MACE values for file

-b sets the MACE timestamps so that EnCase shows blanks

-r does the same recursively, known as the Craig option





• For setting an arbitrary time recursively:

Command:

for /R c:\users\ %i in (*) do timestomp.exe %i -z "Monday 3/12/2099 10:00:00PM"
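From the examiner's side, here is an added example (not from the slides) of what a command like the one above leaves behind: a Python triage script that flags files with timestamps in the future and files whose mtime and atime were set to one identical whole-second value. The whole-second heuristic and the sample files it builds are assumptions made for the demo.

```python
import os
import tempfile
import time
from datetime import datetime, timezone
# Added example, not from the slides: two heuristics an examiner can run over a
# tree to find what a command like the one above leaves behind. Heuristic 2 is an
# assumption ("timestomp -z" writes one whole-second value to every attribute;
# real file activity leaves differing stamps with a sub-second part); hits are
# leads to look at, not proof, since FAT media keeps 2-second mtimes.
NS = 1_000_000_000

def timestamp_findings(path, now=None):
    """Return a list of reasons the timestamps on one file look tampered with."""
    st = os.stat(path, follow_symlinks=False)
    now = time.time() if now is None else now
    findings = []
    # 1. Any stamp in the future, like the "3/12/2099" value in the slide.
    for name, ns in (("mtime", st.st_mtime_ns), ("atime", st.st_atime_ns),
                     ("ctime", st.st_ctime_ns)):
        if ns > (now + 60) * NS:                      # allow a minute of clock skew
            when = datetime.fromtimestamp(ns / NS, timezone.utc)
            findings.append(f"{name} in the future: {when:%Y-%m-%d %H:%M:%S} UTC")
    # 2. mtime == atime exactly, with no sub-second part (ctime is left out because
    #    os.utime cannot set it, so the constructed sample could not show it).
    if st.st_mtime_ns == st.st_atime_ns and st.st_mtime_ns % NS == 0:
        findings.append("mtime and atime identical with zero sub-second part")
    return findings

def scan_tree(root, now=None):
    """Walk a tree and return {path: findings} for every file with a finding."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            found = timestamp_findings(path, now)
            if found:
                hits[path] = found
    return hits

def make_sample_tree():
    """Constructed sample: one normal file, one stomped like the slide's command."""
    root = tempfile.mkdtemp(prefix="timestomp_demo_")
    normal, stomped = (os.path.join(root, n) for n in ("notes.txt", "stash.jpg"))
    for path in (normal, stomped):
        with open(path, "wb") as f:
            f.write(b"sample")
    os.utime(normal, ns=(1_700_000_000_123_456_789, 1_700_000_001_987_654_321))
    t = int(datetime(2099, 3, 12, 22, 0, tzinfo=timezone.utc).timestamp()) * NS
    os.utime(stomped, ns=(t, t))                      # -z "Monday 3/12/2099 10:00:00PM"
    return root, normal, stomped
```

Run scan_tree() over a mounted image or a user profile; a stomped file shows up with both findings, a normal one with none.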

AltDS

• Alternate data streams

type mypr0n.jpg > disney.jpg:hide

mspaint disney.jpg:hide

• Hit or miss with file carving

• Practical Guide to Alternative Data Streams in NTFS

http://www.irongeek.com/i.php?page=security/altds



Steganography

(Hiding stuff in stuff so people don't find your stuff)

• With encryption, most times people know that some data is there, just not what it is.

• With Stego, they hopefully will not even know it's there.

• Tacked on

copy /B image.jpg+putty.zip test.jpg

• Insertion

Example: Putting a file inside of a DOCX. It's just a ZIP file with some XML; just add your inserted file's name to [Content_Types].xml so the DOCX does not report as corrupted.

• Additive

LSB (Least Significant Bit), for example making imperceptible changes to a format that can take loss and still be useful (audio, images, video).

Vecna

http://www.uni-koblenz.de/~strauss/vecna/

Lemonwipe

(rude and crude)

Repeat script to feed into DD (repeat.bat):

@Echo Off
:TOP
type %1
Goto TOP

Command:

repeat.bat adrianbeer.jpg | dd of=\\.\f:

Create one big file (Smack.bat):

@Echo Off
:TOP
type %1 >>%2\%1
if not %errorlevel%==0 goto :error
Goto TOP
:error
echo Exiting and deleting %2\%1
del %2\%1
exit /B -1

Command:

Smack.bat image.jpg f:



Two partitions on a thumbdrive

• Two partitions on a thumb drive? Windows sees one.

Cloud Computing?

• Use the browser's privacy mode, and SSL

• If it's not on the drive, they can't find it on the drive

• Less 4th amendment protection?

• Find a country that does not work well with US law enforcement



Attack the forensic software?

• XSS, not just for web forms anymore

http://www.irongeek.com/i.php?page=security/xss-sql-and-command-inject-vectors

• Breaking Forensics Software: Weaknesses in Critical Evidence Collection (Encase and Sleuth Kit)

ISEC Partners presentation at Defcon 15

http://www.defcon.org/html/links/dc-archives/dc-15-archive.html#Palmer

• 42.zip = 4.5 PetaBytes

http://www.unforgettable.dk/

http://en.wikipedia.org/wiki/Zip_bomb

• Two comments on these attacks:

• If the examiner sees the data attacking him, they will know something is up.

• Do you really think it's a good idea to piss off the forensic examiner?

Thermite

• http://hackaday.com/2008/09/16/how-to-thermite-based-hard-drive-anti-forensic-destruction/

• Uhm, just no.

• Destruction of evidence charges

• Fire hazard

• Just use full drive encryption

• While we are on that topic:

http://www.youtube.com/watch?v=Bv5LHamqAsI

Nuke it from Orbit

It's the only way to be sure

Wipe Tools

• DD

dd if=/dev/zero of=\\.\f: --progress bs=1M

dd if=/dev/zero of=\\.\Volume{de891b6a-8432-11de-86d4-005056c00008} bs=1M --progress

• DBAN

http://www.dban.org/

• HDD Wipe Tool

http://hddguru.com/content/en/software/2006.04.13-HDD-Wipe-Tool/





One wipe?

• Magnetic Force Microscopy

http://sansforensics.wordpress.com/2009/01/15/overwriting-hard-drive-data/

• On a pristine modern drive there is a 92% chance to recover the correct previous bit, 56% on a used drive

• Probabilities multiply, so to get one byte right:

0.92^8 = 51% (more or less)

• For 1 kilobyte (8192 bits): 0.92^8192 = 2.238e-297



Enhanced Secure Erase

Not only is it faster, but it can wipe remapped blocks (bad sectors) from the G-LIST

• HDParm

http://ata.wiki.kernel.org/index.php/ATA_Secure_Erase

• MHDD

http://hddguru.com/content/en/software/2005.10.02-MHDD/

http://hddguru.com/content/en/software/2006.02.10-Magic-Boot-Disk/

• HDDErase

http://cmrr.ucsd.edu/people/Hughes/SecureErase.shtml



Full System Drive Encryption

• BitLocker

http://www.microsoft.com/windows/windows-vista/features/bitlocker.aspx

Built in to Windows Vista/7

AES CBC

Pain to setup in Vista

Look into Bitlocker To Go to secure your USB drive

To enable Bitlocker without TPM in Win 7, gpedit.msc > Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Require Additional Authentication at Startup > Enable

Bitlocker Modes:

TPM only

TPM + PIN

TPM + PIN + USB Key

TPM + USB Key

USB Key

• TrueCrypt

http://www.truecrypt.org/

Open source

(open to review by a lot of eyes)

Read from other platforms

Works on XP

More cipher options

Uses XTS which is better than CBC, but ask a cryptographer why

• Also, look into hardware based options

http://www.enovatech.net/



How about running a VM from an encrypted volume?

• Easy to do

• I have some concern about data leaking into swap/page file. This needs more testing.

• A few suggested tweaks:

MemAllowAutoScaleDown = "FALSE"

mainMem.useNamedFile = "FALSE"

• Use some of the page file wiping techniques mentioned before

Other tools

• Deft Linux

http://www.deftlinux.net/

• FTK Imager

http://www.accessdata.com/downloads.html

• WinHex

http://www.x-ways.net/winhex/



How do I know someone has run anti-forensics software on a computer?

• No 100% positive way

• Look for the file names I mentioned in this presentation

• Leftovers from the tool, for example:

HKCU\Software\Sysinternals\SDelete\EulaAccepted

• I need to work on some tools to do this sort of detection...

• Look at the drive for large sections of all zeros/random bytes, but this could be for other reasons (Vista and newer after a full format, solid-state drives)

• Hash search of known anti-forensics tools

HashMyFiles

http://www.nirsoft.net/utils/hash_my_files.html
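One more check that belongs on this list, tied to the "Tacked on" steganography slide earlier (copy /B image.jpg+putty.zip test.jpg): an added Python example, not from the slides, that parses a JPEG to its real End-Of-Image marker and reports any data appended after it. The magic-byte table and the sample files are assumptions constructed for the demo.

```python
import io, re, struct, zipfile
# Added example, not from the slides: catch the "Tacked on" trick (copy /B
# image.jpg+putty.zip test.jpg) by walking the JPEG to its real End-Of-Image
# marker; segments are skipped by length, so an FFD9 inside an EXIF thumbnail
# or stuffed scan data cannot end the parse early. MAGICS is an assumed table.
MAGICS = {b"PK\x03\x04": "ZIP archive", b"%PDF": "PDF", b"\x1f\x8b": "gzip"}
SCAN_END = re.compile(rb"\xff(?![\x00\xd0-\xd7])")  # FF00 = stuffing, FFD0-D7 = RST

def jpeg_end_offset(data):
    """Return the offset just past the top-level EOI marker (FF D9)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("no SOI marker, not a JPEG")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:                                      # EOI
            return pos + 2
        if marker == 0xFF:                                      # fill byte
            pos += 1
        elif marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:  # no length field
            pos += 2
        else:                                                   # length-prefixed
            pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
            if marker == 0xDA:          # SOS: skip entropy-coded data to next marker
                m = SCAN_END.search(data, pos)
                if m is None:
                    raise ValueError("scan data runs off the end of the file")
                pos = m.start()
    raise ValueError("no EOI marker found")

def trailer_report(data):
    """None for a clean JPEG, else offset, length and likely type of the extra data."""
    end = jpeg_end_offset(data)
    trailer = data[end:]
    if not trailer:
        return None
    kind = next((k for m, k in MAGICS.items() if trailer.startswith(m)), "unknown data")
    return {"offset": end, "length": len(trailer), "kind": kind}

def build_sample():  # constructed input, not a real photo
    app1 = b"Exif\x00\x00\xff\xd8\xff\xd9"                       # thumbnail-like bytes
    jpeg = (b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
            + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"  # SOS
            + b"\x12\xff\x00\x34\xff\xd0\x56" + b"\xff\xd9")    # stuffed FF, RST, EOI
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("hidden.txt", "payload")
    return jpeg, jpeg + buf.getvalue()
```

A naive search for the first FF D9 stops at the thumbnail inside APP1 and misses the trailer; the parser above does not.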

Change the hash of the file?

• If it's just the hash, change a few bytes, preferably in strings

• Compile from source if you have it

• Use a packer

UPX

http://upx.sourceforge.net/

http://sourceforge.net/projects/upxer/files/

• Shikata Ga Nai from Metasploit

http://www.metasploit.com



Events

• Free ISSA classes

• ISSA Meeting

http://issa-kentuckiana.org/

• Louisville Infosec

http://www.louisvilleinfosec.com/

• Phreaknic/Notacon/Outerz0ne

http://phreaknic.info

http://notacon.org/

http://www.outerz0ne.org/

Helping with the free classes

• Got old hardware you would like to donate?

• Is there a subject you would like to teach?

• Let others know about upcoming classes, and the videos of previous classes.

Thanks

• Scott Moulton

http://www.myharddrivedied.com/

• Tyler "Trip" Pitchford

• Folks at Binrev and Pauldotcom

• Louisville ISSA

• John for the extra camera

Questions?

42


