MAFIA's Transmogrify

6 Posts
3 Users
0 Likes
1,187 Views
 AT87
(@at87)
Posts: 3
New Member
Topic starter
 

I'm a graduate student in IT and I'm doing a paper on a couple of the tools in the MAFIA anti-forensics suite, namely Timestomp and Transmogrify. I have been able to download a package that includes Timestomp, SamJuicer, and Slacker but so far I've had no luck finding Transmogrify. Does anyone know why this may be the case or would anyone happen to know where I can download this tool? Thanks for any help/advice given!

 
Posted : 24/04/2015 11:14 pm
zoltandfw
(@zoltandfw)
Posts: 27
Eminent Member
 

That is an interesting question. You're right, there are many books mentioning Transmogrify as part of MAFIA and its integration into metasploit, but no trace of it afterwards.

It seems to be more of a technique than an actual tool. Metasploit does include the pattern_create.rb script to generate user-created patterns that can be used to replace the signatures of files, or just use dd to strip header and footer of files to concatenate the generated pattern later to configure forensic tools. dcfldd can also be used to generate a random pattern of arbitrary length, but the user has more control over the pattern in pattern_create.rb since the pattern will need to be identified by the user and removed before the file becomes usable again. A tool would have a pattern that could be detected, so giving users the customization to enter their own pattern makes more sense.

 
Posted : 26/04/2015 8:20 pm
 AT87
(@at87)
Posts: 3
New Member
Topic starter
 

Thanks for the response. From what I gathered, Transmogrify just alters the header and file extensions so essentially this is easy to do by hand. For my study, since I couldn't find the tool, I simply downloaded a hex editor instead and changed the header and extension manually. I never found any indication that the tool's functionality goes beyond that, so I just altered a few files in this way and examined them in FTK (after making an E01 image of the VM I used).

 
Posted : 27/04/2015 2:19 am
zoltandfw
(@zoltandfw)
Posts: 27
Eminent Member
 

I still find your research interesting and puzzling about that tool. The value of researching a tool is to find signatures of the tool that can be used against investigation, so if it is out there, we should have some research on it. It is not the technology that is hard to implement, but to prepare for those readily available tools. When we used to talk about anti-forensics, we always mentioned 42.zip, but I have not heard of that lately.

I think you should still include another tool from metasploit that is used to circumvent anti-virus detection of malicious code, msfencode, and see if you can find a pattern in its multi-round encoding. Another interesting tool that would do the same, but using encryption, is veil. Forensic tools are easier to fool than AV tools since forensic tools do not use any heuristics in identifying file types, but a simple signature check.

Make sure to let this community know of any pattern or interesting artifacts you'll find as a result of your research.

 
Posted : 27/04/2015 8:41 am
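The header-swap technique described in the posts above (replace or strip a file's magic bytes, rename the extension) and the point that forensic tools mostly do plain signature checks can both be shown from the examiner's side. The following is an added example, not code from the thread or from Metasploit: a small Python checker that flags extension/signature mismatches the way a signature-based file-typer would, and additionally looks for a header overwritten with a pattern_create.rb-style cyclic pattern. The signature table is a constructed subset, and the cyclic-pattern regex assumes pattern_create's upper/lower/digit triplet format.

```python
import re

# Constructed, deliberately small signature table: leading magic bytes -> extensions
# that legitimately carry them. A real file-typer ships hundreds of entries.
SIGNATURES = {
    b"\xff\xd8\xff":      {"jpg", "jpeg"},
    b"\x89PNG\r\n\x1a\n": {"png"},
    b"%PDF-":             {"pdf"},
    b"PK\x03\x04":        {"zip", "docx", "xlsx"},
    b"MZ":                {"exe", "dll"},
}

# Assumption: Metasploit's pattern_create.rb emits Upper/lower/digit triplets
# ("Aa0Aa1Aa2..."). Four or more of them at offset 0 is a strong hint that the
# original header was overwritten with such a pattern.
CYCLIC_RE = re.compile(rb"(?:[A-Z][a-z][0-9]){4,}")


def identify(header: bytes):
    """Signature-only identification, as a simple forensic file-typer does."""
    for magic, exts in SIGNATURES.items():
        if header.startswith(magic):
            return exts
    return None


def check(name: str, data: bytes):
    """Return findings for one file: unknown signature, extension/signature
    mismatch, and pattern_create-style header overwrite (empty list = clean)."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    exts = identify(data[:16])
    findings = []
    if exts is None:
        findings.append("unknown signature")
    elif ext not in exts:
        findings.append(f"extension .{ext} does not match signature ({'/'.join(sorted(exts))})")
    if CYCLIC_RE.match(data):
        findings.append("pattern_create-style cyclic pattern in header")
    return findings


if __name__ == "__main__":
    # Constructed sample "files": a header followed by filler bytes.
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 28,        # untouched JPEG
        "notes.txt": b"\xff\xd8\xff\xe0" + b"\x00" * 28,        # JPEG renamed to .txt
        "holiday.jpg": b"Aa0Aa1Aa2Aa3Aa4A" + b"\x00" * 16,      # header replaced by a pattern
    }
    for fname, blob in samples.items():
        print(fname, "->", check(fname, blob) or ["ok"])
```

Run over an exported file set, the "unknown signature" and cyclic-pattern findings are the ones worth triaging first, since a renamed file still carves and identifies correctly while an overwritten header does not.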
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Apparently, it seems a lot like Keyser Soze
http://www.imdb.com/title/tt0114814/quotes?item=qt0480665

According to this (dated April 2008)
http://webcache.googleusercontent.com/search?q=cache:OVreKxlLy1sJ:http://me.abelcheung.org/2008/04/28/the-art-of-file-type-identification/

Metasploit has been known to announce the transmogrify software, which does exactly such pretentious act. For some reason, rumours are still floating everywhere, google cache used to point to old version of Metasploit Anti-forensics project, but nowhere can I see the real thing, nor does Metasploit mention anything remotely close now. Cease and desist letter from lawyers? Vaporware? Who knows.

but even a later cached page (August 2008)
https://web.archive.org/web/20080820024332/http://www.metasploit.net/research/projects/antiforensics/
shows no traces of it, though it was mentioned by Vinnie Liu back in 2005, in this renowned BlackHat presentation "Catch me if you can"
https://www.blackhat.com/presentations/bh-usa-05/bh-us-05-foster-liu-update.pdf
but actually the technique is so simple that as said hardly a specific program is needed.

The 2007 article by Garfinkel
https://calhoun.nps.edu/bitstream/handle/10945/44248/Garfinkel_Anti-Forensics_2007.ICIW.AntiForensics.pdf?sequence=1
actually cites it as a "program", but at a careful re-reading, it seems really like simply citing the previous paper by Liu and Foster.
Like often happens with "scientific papers", something is cited without having actually been seen or tested, and at the third or fourth citation people start to believe it exists…. 😯

jaclaz

 
Posted : 27/04/2015 7:50 pm
 AT87
(@at87)
Posts: 3
New Member
Topic starter
 

Thanks for the post and research jaclaz. It definitely does seem like Keyser Soze! I appreciate the responses and help from this community, I can see why it's the number one forensics forum. I finished this report even without Transmogrify itself, and it wasn't too bad to duplicate this tool's functionality. Thanks again for all the help!

 
Posted : 28/04/2015 9:10 am