Anti-Forensics Overview
Posted on Thursday, 27 January 2011 by admin

Anti-forensic techniques are actions whose goal is to prevent a proper forensic investigation, or to make it much harder. They are aimed at reducing the quantity and quality of digital evidence. They are deliberate actions of computer users, but also of developers who write programs hardened in advance against the methods of computer forensics. Anti-forensic techniques include, for example, the intentional deletion of data by overwriting it with new data, and tools that protect against forensic analysis.
Anti-forensic techniques can be used to increase security, for example by erasing and overwriting data so that it cannot be read by unauthorised persons. The same techniques can, however, be misused by perpetrators of computer crime to protect their actions from disclosure. Users of anti-forensic tools include people who want to remove evidence of their criminal activity, such as hackers, terrorists, paedophiles and counterfeiters. Anti-forensic tools can also be used by dishonest employees to destroy any data showing that they stole valuable company data, gained unauthorised access to a computer system, or captured confidential information and passwords.
Anti-forensics can be defined, following the Forensics Wiki, as follows. One of the more widely known and accepted definitions comes from Dr. Marc Rogers of Purdue University. Dr. Rogers uses a more traditional "crime scene" approach when defining anti-forensics: "Attempts to negatively affect the existence, amount and/or quality of evidence from a crime scene, or make the analysis and examination of evidence difficult or impossible to conduct."
Anti-Forensics Goals
Liu and Brown identify four primary goals for anti-forensics:
- Avoiding detection that a compromising event has taken place.
- Disrupting and preventing the collection of information.
- Increasing the time that an examiner needs to spend on a case.
- Casting doubt on a forensic report or testimony (Liu and Brown, 2006).
Other goals might include:
- Subverting the forensic tool (e.g. using the forensic tool itself to attack the organization in which it is running).
- Leaving no evidence that an anti-forensic tool has been run.
Sample techniques:
Data Destruction
- Wiping – securely deleting data so that it cannot be recovered even with forensic software. It can be done with dedicated software such as Eraser, or with a built-in operating system function (e.g. the secure erase options in Mac OS X). Note that overwriting a file in place only reaches the blocks the file currently occupies: copies in backups, swap, filesystem journals and SSD wear-levelled blocks are not touched, which is why the examiner still looks there.
- Changing MAC attributes – changing or deleting file timestamps (modified, accessed, created) to defeat timeline analysis. Freely available software for this is called Timestomp. On NTFS it rewrites the $STANDARD_INFORMATION timestamps but leaves the $FILE_NAME attribute timestamps alone, so a mismatch between the two (or a timestamp with an exactly zero sub-second part) is the usual sign that it has been used.
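The two data-destruction techniques above, and the timestamp check an examiner runs against the second one, as an added example that is not part of the original post. It uses only the Python standard library; the file names, the 2010 target date and the "zero nanoseconds" heuristic are the example's own assumptions, and the heuristic only applies on filesystems that record sub-second timestamps (ext4, XFS and NTFS do; FAT does not).

```python
"""Added example: in-place wiping and timestamp manipulation (timestomp
style), plus the sub-second check used to spot the latter. Not the
page's own code."""
import os
import tempfile
import time

NS = 1_000_000_000  # nanoseconds per second


def wipe(path, passes=1, chunk=1 << 16):
    """Overwrite a file in place with random bytes, flush to disk, unlink it.

    Caveat (assumed best-effort, as for any in-place wipe): only the blocks
    the file currently occupies are overwritten. Journals, copy-on-write
    filesystems, SSD wear levelling, swap and earlier copies keep their data.
    Returns the number of bytes written."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                f.write(os.urandom(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    os.remove(path)
    return size * passes


def timestomp(path, when):
    """Set atime and mtime to an arbitrary whole-second epoch value.

    This mirrors what Timestomp does: it writes second-granularity values,
    so the sub-second field of the new timestamp is zero. Python exposes no
    ctime setter, so that one stays as the filesystem recorded it."""
    os.utime(path, ns=(when * NS, when * NS))


def looks_stomped(path):
    """Heuristic check: a modification time with exactly zero nanoseconds on
    a filesystem with sub-second resolution is suspicious, because a real
    write almost never lands on a whole second."""
    st = os.stat(path)
    return st.st_mtime_ns % NS == 0


def demo():
    """Constructed scenario: one normally-timestamped file, one stomped file."""
    d = tempfile.mkdtemp()
    normal = os.path.join(d, "notes.txt")
    suspect = os.path.join(d, "loot.txt")
    for p in (normal, suspect):
        with open(p, "wb") as f:
            f.write(b"constructed sample content\n" * 100)
    # Give the normal file a realistic timestamp with a sub-second part.
    now = (time.time_ns() // NS) * NS + 123_456_789
    os.utime(normal, ns=(now, now))
    timestomp(suspect, 1262304000)  # 2010-01-01 00:00:00 UTC, assumed value
    result = {
        "normal_flagged": looks_stomped(normal),
        "suspect_flagged": looks_stomped(suspect),
        "suspect_mtime": int(os.stat(suspect).st_mtime),
    }
    result["wiped_bytes"] = wipe(suspect)
    result["suspect_exists"] = os.path.exists(suspect)
    os.remove(normal)
    os.rmdir(d)
    return result


if __name__ == "__main__":
    print(demo())
```

The check is a heuristic, not proof: a file copied from a FAT volume or touched with second-granularity tooling also has a zero sub-second part, so it is a trigger for comparing against the other timestamp sources (NTFS $FILE_NAME, journal entries, backups), not a verdict on its own.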
Data Contraception
In short, data contraception means using software that creates hardly any evidence at all:
- Syscall proxying – a technique where a local program transparently proxies a process's system calls to a remote server, so the tool itself runs on the attacker's machine and only the individual system calls are executed on the compromised host. The method was invented by Maximiliano Caceres.
- Memory-resident compilers/assemblers – used when an attacker sends code fragments from a remote device to a compiler or assembler residing in the memory of the local (compromised) device. This allows tools to be compiled for the compromised platform and, more importantly, to be compiled on the fly in memory (inside a hijacked process) so as not to leave a trace on the local disk.
- Remote library injection – occurs when a library is loaded into memory without any disk activity. In Remote Library Injection
- Direct Kernel Object Manipulation (DKOM) – a method that allows an attacker to use drivers or loadable kernel modules to modify the memory associated with kernel objects. One of the technical aspects that makes this possible is that Microsoft and other OS vendors typically use only two of the four privilege rings available on the Intel architecture. This leaves no separation between the kernel and third-party drivers. In practice, a driver or LKM has full access to kernel memory, allowing any number of privileged activities, including stealthy behaviour such as unlinking a process from the kernel's list of running processes.
- Portable apps – portable software runs without the need to install files on the system. Popular sets are U3 and PortableApps.com.
- Live distros – full operating systems booted from CD-ROM or a flash drive. Typically all system files reside in temporary memory, such as a RAM disk, and no hard drive is needed for them to work, so nothing is written to the machine's own storage.
Data Hiding
- Cryptography – conversion of data into a scrambled form. Cryptography uses two main forms of encryption: symmetric and asymmetric. Symmetric algorithms use the same key for encryption and decryption; other names for this type are secret-key, shared-key and private-key encryption. Asymmetric algorithms use a public key for encryption and a separate private key for decryption.
- Program packers and containers – similar to cryptography in effect, packers and archive formats can hide evidence files inside containers whose contents cannot be searched directly, which is why one of the first steps of a forensic analysis is mounting and expanding compound files (including archives).
- Compression bombs – a method of delaying an investigation: "zip bombs" are archives that expand to enormous sizes, so forensic software that automatically expands archives exhausts its disk, memory or time and can crash.
- Steganography – the art and science of writing hidden messages in such a way that no one, apart from the sender and the intended recipient, suspects the existence of the message. The advantage of steganography over cryptography alone is that the messages do not attract attention to themselves: plainly visible encrypted messages, no matter how unbreakable, arouse suspicion.
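The compression-bomb item above, as an added example that is not part of the original post: it builds a single-level bomb in memory with the Python standard library and shows the two checks a forensic tool should run before auto-expanding an archive. The thresholds (100:1 ratio, 1 GiB cap) are assumed values; the member and file names are constructed for the example.

```python
"""Added example: a one-level zip bomb and the pre-extraction checks that
stop it. Not the page's own code; thresholds are assumed."""
import io
import os
import zipfile

MAX_RATIO = 100         # assumed: legitimate data stays well under 100:1
MAX_EXPANDED = 1 << 30  # assumed: never expand more than 1 GiB per archive


def make_bomb(member_size=4 * 1024 * 1024):
    """One level of a classic zip bomb: an all-zero member, which deflate
    shrinks by roughly 1000:1. Real bombs nest many such archives."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("evidence.txt", b"\0" * member_size)
    return buf.getvalue()


def make_benign():
    """Constructed control archive: incompressible random content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.bin", os.urandom(4096))
    return buf.getvalue()


def inspect_archive(data):
    """Check 1: read only the central directory (no decompression) and
    return (declared expanded size, compressed size, ratio)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        expanded = sum(i.file_size for i in infos)
        compressed = sum(i.compress_size for i in infos) or 1
    return expanded, compressed, expanded / compressed


def safe_to_expand(data):
    expanded, _, ratio = inspect_archive(data)
    return expanded <= MAX_EXPANDED and ratio <= MAX_RATIO


def extract_capped(data, limit=MAX_EXPANDED):
    """Check 2: the declared sizes above live in headers the attacker
    controls, so also count the bytes actually produced while expanding
    and abort the moment the cap is hit. Returns bytes written."""
    written = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            with zf.open(info) as src:
                while True:
                    chunk = src.read(1 << 16)
                    if not chunk:
                        break
                    written += len(chunk)
                    if written > limit:
                        raise ValueError("expansion cap exceeded")
    return written


if __name__ == "__main__":
    bomb = make_bomb()
    print("bomb:", inspect_archive(bomb), "safe:", safe_to_expand(bomb))
    print("benign:", inspect_archive(make_benign()), "safe:", safe_to_expand(make_benign()))
```

The header-only check is cheap and catches the common case; the byte-counting extraction is the one that holds up against forged headers and nested archives, since each inner level is expanded under the same cap.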
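The steganography item above, as an added example that is not part of the original post: least-significant-bit embedding into an 8-bit grayscale "image", represented as a plain bytearray so no image library is needed. The cover pixels are generated from a fixed seed and the message is constructed for the example; the 32-bit length header is the example's own framing choice.

```python
"""Added example: LSB steganography over a constructed grayscale cover.
Not the page's own code."""
import random


def make_cover(width=64, height=64, seed=1):
    """Constructed 8-bit grayscale cover image, one byte per pixel."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(width * height))


def _bits(data):
    """Yield the bits of `data`, most significant bit of each byte first."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def embed(cover, message):
    """Hide `message` in the least significant bit of successive pixels,
    preceded by a 32-bit big-endian length so the receiver knows where
    to stop. Each pixel changes by at most 1, invisible to the eye."""
    payload = len(message).to_bytes(4, "big") + message
    if len(payload) * 8 > len(cover):
        raise ValueError("cover too small for payload")
    stego = bytearray(cover)
    for idx, bit in enumerate(_bits(payload)):
        stego[idx] = (stego[idx] & 0xFE) | bit
    return bytes(stego)


def extract(stego):
    """Reverse of embed(): read the length, then that many bytes."""
    def read_bytes(count, offset):
        out = bytearray()
        for b in range(count):
            value = 0
            for i in range(8):
                value = (value << 1) | (stego[offset + b * 8 + i] & 1)
            out.append(value)
        return bytes(out)

    length = int.from_bytes(read_bytes(4, 0), "big")
    if 32 + length * 8 > len(stego):
        raise ValueError("no valid payload in this carrier")
    return read_bytes(length, 32)


def max_pixel_change(cover, stego):
    """How far any pixel moved; LSB embedding never exceeds 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


if __name__ == "__main__":
    cover = make_cover()
    stego = embed(cover, b"meet at 0300")
    print(extract(stego), max_pixel_change(cover, stego))
```

This is the simplest scheme and also the easiest to detect: the embedded region's LSB plane becomes statistically random and no longer correlates with the pixel values around it, which is what statistical steganalysis looks for. Real tools spread the bits pseudo-randomly across the carrier and encrypt the payload first, which is why the page pairs steganography with cryptography rather than replacing it.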
References
- Modern Anti-Forensics: A Systems Disruption Approach – sebug.net/paper/Meeting-Documents/…/Modern%20Anti%20Forensics.pdf
- http://www.forensicswiki.org/wiki/Anti-forensic_techniques
- Paul A. Henry, Anti-Forensics, Secure Computing, 2007
- Aaron Smitha, Describing and Categorizing Disk-Avoiding Anti-Forensics Tools, College of Technology, Purdue University, West Lafayette, IN, USA
Categories: Antiforensic posts, Computer forensics posts