anti-forensics
(@tootypeg) Topic starter

Hi all,

I'm doing a bit of research into anti-forensics and I guess I'm just after asking everyone's thoughts on anything and everything in this area…

What's people's experience of AF?
Do we need an AF tool mark database? I think we do and I want to propose this. But what should it include?
Developing an anti-forensics tool examination framework: what stages are needed?

Just a few thoughts; it seems like an under-researched/considered area.

 
Posted : 18/10/2018 12:27 pm
jaclaz (@jaclaz)

Not what you asked, but the first question to ask (IMHO) is how you can call (and prove) that something is "anti forensics" (as opposed to "diligent attempts to protect one's privacy", "normal system/filesystem maintenance" or even "excessive tin foil hattism").

See also this old discussion (before it went astray with preservation duty and spoliation)
http://www.forensicfocus.com/Forums/viewtopic/t=5410/

jaclaz

 
Posted : 18/10/2018 1:57 pm
(@athulin)

Whats peoples experience of AF?

Anti-forensics, whatever it is, must be intentional. Very little I've seen falls into that category. Mass access of files on a sales file share … perhaps they hid some other type of access? But DBANing a laptop on the last day of employment … intentional, yes, but not necessarily with intent to conceal anything forbidden or malicious. Yet, to some it was more suspicious to find zeroed sectors, and somehow argue that that in itself must be an indicator of having something dangerous to hide.

Don't let LE define the term. To them … well, some of them, … smartphone encryption is AF.

DO we need a AF tool mark database - i think we do and i want to propose this.

I don't think so. I think we need something more than that, but it may be a reasonable place to start. The main problem is the label 'AF'. You could just as well label it 'Criminal tool mark database', and see users believe that to be true: just because something is present in the database, it's significant evidence of something.

But what should it include?

What question should it answer? And what kind of answers should it give?

Direct traces? 'What tool overwrites file names with "123123123.123"?' What tool adds illegal directories pointing 'up' in file systems, causing many forensic file examination tools to go for a spin instead of doing their job? Where can I buy weird-looking USB-connected gadgets that look like mass memory or wireless adapters, but don't do anything except confuse any FA who tries to examine them? (a.k.a. denial-of-service devices).

Indirect traces? unique or significant sector hashes from known implementations of those tools?

Implementations of AES-512? To hide *everything*?

Big-endian or mixed-endian computers? Sources of Olivetti Minidisc, because no one but no one can image one? (Yes, I exaggerate … a little.)

Smartphones? (see above.)

I can't help thinking that a database of such things would possibly be considered an AF resource of the first order. (Perhaps the name and the logo need to be done first …)

Just a few thoughts, seems like an under-researched /considered area.

Well, I don't think any other forensic area has that sub-area. Anyone doing research on AF in toxicology or forensic pathology? The spooks?

I once had an AF indicator, vouched for by an experienced FA. Blank timestamps in Encase were proof of intentional hiding of time information, thus anti-forensics.

So perhaps an AF database could be useful as a source of further under-researched areas. That would be useful, too.

 
Posted : 18/10/2018 3:44 pm
(@xandstorm)

Recently I have seen a demo of a piece of alpha-status AF software that changed both the file extension as well as the file signature of bitmap photo image files. The tool could do that batch-wise.

In "rest"/locked device state, the file signatures/extensions are changed to something different, but upon unlocking the device the file signatures/extensions can be changed back to their original state by an access mechanism, either password or biometric.

I have no idea of the purpose or actual usability of such a tool but I would definitely call this AF, and apparently someone is investing time and money in its further development.

PS Just to be exact here, I was not given access to the software myself so I cannot confirm authenticity.

 
Posted : 18/10/2018 8:10 pm
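The tool xandstorm describes rewrites both the extension and the signature bytes, which is exactly the kind of direct trace an examiner can test for. The following is an added example (not code from the post or from that tool, which nobody here has seen) showing how a signature/extension consistency check behaves on the easy case (only the extension changed) and on the harder case (signature bytes overwritten in place), using a structural BMP check that ignores the two signature bytes. All sample files are constructed inline; the format table covers only four image types.

```python
"""Flag image files whose extension, leading signature bytes and internal
structure disagree (added example; the tool described in the post is not
available, so every input below is constructed)."""
import struct
from pathlib import PurePosixPath

# Leading signatures for the handful of formats this example knows about.
MAGIC = {
    "bmp": [b"BM"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
}
EXT_ALIASES = {"jpeg": "jpg", "jpe": "jpg"}


def identify_by_magic(data: bytes):
    """Return the format name whose signature the data starts with, else None."""
    for kind, sigs in MAGIC.items():
        if any(data.startswith(s) for s in sigs):
            return kind
    return None


def looks_like_bmp_body(data: bytes) -> bool:
    """Structural check that deliberately ignores the two signature bytes.
    A genuine BMP stores its own file size at offset 2 and the DIB header
    size (12, 40, 52, 56, 108 or 124) at offset 14, so a file whose 'BM'
    was overwritten in place still passes this test."""
    if len(data) < 18:
        return False
    file_size = struct.unpack_from("<I", data, 2)[0]
    dib_size = struct.unpack_from("<I", data, 14)[0]
    return file_size == len(data) and dib_size in (12, 40, 52, 56, 108, 124)


def classify(name: str, data: bytes) -> str:
    """Compare what the name claims with what the bytes say."""
    ext = PurePosixPath(name).suffix.lower().lstrip(".")
    ext = EXT_ALIASES.get(ext, ext)
    magic = identify_by_magic(data)
    if magic is not None and magic == ext:
        return "consistent"
    if magic is not None:
        return f"mismatch: extension {ext or '(none)'} but signature says {magic}"
    if looks_like_bmp_body(data):
        return "bmp body with altered signature"
    return "unknown"


def scan(files: dict) -> dict:
    return {name: classify(name, data) for name, data in files.items()}


def make_bmp() -> bytes:
    """Build the smallest valid 24-bit BMP: one red pixel (constructed test data)."""
    pixels = b"\x00\x00\xff\x00"  # BGR plus one byte of row padding to a 4-byte boundary
    dib = struct.pack("<IiiHHIIiiII", 40, 1, 1, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    size = 14 + len(dib) + len(pixels)
    header = b"BM" + struct.pack("<IHHI", size, 0, 0, 14 + len(dib))
    return header + dib + pixels


BMP = make_bmp()

# Constructed sample set, not files from the post.
SAMPLES = {
    "holiday.bmp": BMP,                                  # untouched
    "holiday.png": BMP,                                  # only the extension was changed
    "notes.txt": b"\x89PNG\r\n\x1a\n" + b"\x00" * 20,    # PNG data behind a text extension
    "holiday.dat": b"\x00\x00" + BMP[2:],                # extension and signature both changed
    "readme.txt": b"just some text\n",                   # nothing to see
}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name:14} {verdict}")
```

The structural fallback only works when the tool overwrites the signature bytes and leaves the rest of the file intact; a tool that re-encodes or encrypts the whole file in the locked state defeats it, and a mismatch on its own says nothing about who made the change or why, which is the intent question the rest of this thread keeps returning to.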
steve862 (@steve862)

Hi,

There have been many online forums over the years where predominantly paedophiles post advice on how to avoid detection and how to hide what you've been up to in the event your computer is seized and examined.

In terms of how I have responded to the challenge, I used to use hashsets consisting of the MD5 of the installation executable of most common privacy programs and the installed executable of the most common programs. That way I could get a quick heads up if they have the installer and/or the installed program.

I stopped keeping this up to date because it proved to be less valuable over time. Since Edward Snowden it is the developers who appear to be leading the charge on 'anti-forensics'. It means less use of a privacy program to secure other programs, (or a device), and a move to the programs and devices having their own security.

I find an analysis of the data can often show whether a user has been attempting to hide what they've been up to, but so often this isn't treated as an aggravating factor come sentencing anyway.

Whilst there are still programs out there that can do various types of obfuscation, the devices/programs/apps tend to offer simpler options to the user to delete/hide/alter data to prevent someone else accessing it.

I don't know if any of this helps build a picture of what the landscape is but I thought I would mention it.

Steve

 
Posted : 19/10/2018 12:50 pm
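Steve's hash-set approach (MD5 of the installer and of the installed executable of known privacy programs) and athulin's earlier suggestion of sector hashes as indirect traces fit together in one matcher. The block below is an added example, not Steve's hash set or any real tool database: it builds a whole-file and per-512-byte-block hash set from reference binaries and runs it over a few target files, including a sector-aligned fragment of a deleted copy. The tool name "wiper" and all file contents are constructed stand-ins.

```python
"""Match files against a hash set of known tool binaries, whole-file and per
512-byte block (added example with constructed data; 'wiper' is a hypothetical
tool name, not a real product)."""
import hashlib

BLOCK = 512  # sector-sized blocks so aligned fragments of a deleted binary still hit


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def block_hashes(data: bytes, block: int = BLOCK) -> set:
    """Hash every full block; all-zero blocks are skipped because they match
    everything and prove nothing."""
    return {
        md5_hex(data[i:i + block])
        for i in range(0, len(data) - block + 1, block)
        if any(data[i:i + block])
    }


def build_hashset(known: dict):
    """known maps a tool name to its reference bytes (installer or installed exe)."""
    whole, blocks = {}, {}
    for name, data in known.items():
        whole[md5_hex(data)] = name
        for h in block_hashes(data):
            blocks.setdefault(h, set()).add(name)
    return whole, blocks


def match_file(data: bytes, whole: dict, blocks: dict, min_blocks: int = 2):
    """Return (verdict, tool names). An exact file hash wins; otherwise a tool is
    reported only if at least min_blocks of its blocks appear, to keep a single
    coincidental block (shared runtime stub, padding) from raising an alert."""
    h = md5_hex(data)
    if h in whole:
        return "exact", {whole[h]}
    hits = {}
    for bh in block_hashes(data):
        for tool in blocks.get(bh, ()):
            hits[tool] = hits.get(tool, 0) + 1
    partial = {t for t, n in hits.items() if n >= min_blocks}
    return ("partial", partial) if partial else ("none", set())


def scan(targets: dict, whole: dict, blocks: dict) -> dict:
    return {name: match_file(data, whole, blocks) for name, data in targets.items()}


def fake_binary(seed: bytes, size: int) -> bytes:
    """Deterministic non-repeating filler standing in for a real executable."""
    out = b"".join(hashlib.sha256(seed + i.to_bytes(4, "big")).digest() for i in range(size // 32))
    return out[:size]


# Constructed reference set: an installer and the installed program, as in the post.
KNOWN_TOOLS = {
    "wiper-setup.exe": fake_binary(b"setup", 4096),
    "wiper.exe": fake_binary(b"installed", 2048),
}
WHOLE, BLOCKS = build_hashset(KNOWN_TOOLS)

# Constructed files standing in for a seized image.
TARGETS = {
    "Downloads/setup.exe": KNOWN_TOOLS["wiper-setup.exe"],   # renamed but byte-identical
    "carved/0001.bin": KNOWN_TOOLS["wiper.exe"][512:1536],   # two sector-aligned blocks of a deleted copy
    "carved/0002.bin": KNOWN_TOOLS["wiper.exe"][100:700],    # unaligned fragment: block hashes will not line up
    "docs/report.txt": b"quarterly numbers\n" * 100,
}

if __name__ == "__main__":
    for name, (verdict, tools) in scan(TARGETS, WHOLE, BLOCKS).items():
        print(f"{name:22} {verdict:8} {sorted(tools)}")
```

Two caveats a practitioner would attach: block hashing only catches fragments that sit on the same block boundaries as the reference (carved clusters usually do, arbitrary byte ranges do not), and a hit establishes that the binary, or part of it, was on the disk, nothing more; it decays as versions change, which is the reason Steve gives for abandoning the list.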
(@tootypeg) Topic starter

Not what you asked, but the first question to ask (IMHO) is how you can call (and prove) that something is "anti forensics" (as opposed to "diligent attempts to protect one's privacy", "normal system/filesystem maintenance" or even "excessive tin foil hattism").

See also this old discussion (before it went astray with preservation duty and spoliation)
http://www.forensicfocus.com/Forums/viewtopic/t=5410/

jaclaz

Great point, something which had completely passed me by. Now this is a challenge, as I guess AF is determined by the motivation of the user (to a point). Hmm, that is an issue.

Anti-forensics, whatever it is, must be intentional.

Agreed. An example I was using is private browsing. I guess it's not AF, unless you are doing something you want to be deleted/not stored etc. By default, the tool is not AF, I guess.

Don't let LE define the term.

Agreed. I guess in this context anything that removes any form of activity would be termed AF. But this isn't the case in reality. Privacy and genuine motivation are also in play.

I can't help thinking that a database of such things would possibly be considered as a AF resource of the first order. (Perhaps the name and the logo needs to be done first …)

Yes, this is tricky. I was doing a bit of initial coverage looking into things like the traditional 'CCleaner' and there are a number of filesystem 'marks' that raise evidential interest. These marks, when interpreted, shed light on the usage of the tool. These marks may be of value to an investigator.

Albeit CCleaner should maybe not be called AF, because it serves a legit purpose; motive comes in again, I guess, as you have all previously said.

So perhaps an AF database could be useful as a source of further under-researched areas. That would be useful, too.

I'm hoping to start the debate around this.

Recently I have seen a demo of a piece of alpha-status AF software that changed both the file extension as well as the file signature of bitmap photo image files. The tool could do that batch-wise.

In "rest"/locked device state, the file signatures/extensions are changed to something different, but upon unlocking the device the file signatures/extensions can be changed back to their original state by an access mechanism, either password or biometric.

I have no idea of the purpose or actual usability of such a tool but I would definitely call this AF, and apparently someone is investing time and money in its further development.

PS Just to be exact here, I was not given access to the software myself so I cannot confirm authenticity.

Wow, now this sounds very interesting. Not heard of anything like that.

There have been many online forums over the years where predominantly paedophiles post advice on how to avoid detection and how to hide what you've been up to in the event your computer is seized and examined

I guess AF is also knowledge transfer!

I find an analysis of the data can often show whether a user has been attempting to hide what they've been up to, but so often this isn't treated as an aggravating factor come sentencing anyway.

I think this is a bigger issue now: where maybe less content may be present, we maybe should be looking at these tool marks. I'm thinking of contexts where someone is subject to device supervision/surveillance.

 
Posted : 20/10/2018 8:33 am
keydet89 (@keydet89)

…the first question to ask (IMHO) is how you can call (and prove) that something is "anti forensics" (as opposed to "diligent attempts to protect one's privacy", "normal system/filesystem maintenance" or even "excessive tin foil hattism").

Excellent points.

Over the years, some questions I've been asked by customers and fellow analysts alike have tip-toed up to the AF line. For example, let's say there's an Application Prefetch file (XP, Win7) that indicates that the Defrag utility was run on a system, *after* an order of preservation was issued. The customer wants to know if the user executed Defrag…however, invariably, what you have to illustrate to the customer is the built-in Windows functionality (sched task, etc.).

As stated, it all goes back to intent. Working the sorts of cases referred to as "APT" illustrates this to a great extent. Clearing of (Windows) Event Logs, deletion of files, removal of applications, and general modification of host systems is often referred to as "defensive evasion" but can fall within the realm of AF.

Even ransomware can fall under that heading; after all, VSCs are intentionally disabled and deleted, in a number of cases.

 
Posted : 20/10/2018 11:10 am
jaclaz (@jaclaz)

For example, let's say there's an Application Prefetch file (XP, Win7) that indicates that the Defrag utility was run on a system, *after* an order of preservation was issued.

Oh, no please :), let's not ALSO derail this topic with this order of preservation stuff and defrag; we already had the (already) referenced one
https://www.forensicfocus.com/Forums/viewtopic/t=5410/

Here we are talking about what can be considered Anti-Forensics and how this can be called and proved as such.

No order of preservation was issued, nor was one (allegedly) infringed by using defrag.

I will give you some more fitting examples. I have nothing to hide, yet I
1) routinely run defrag on my volumes
2) largely use browsers in "portable" editions, very often with javascript disabled AND deleting all temporary files and cookies
3) regularly empty Windows logs
4) periodically clean and compact the Registry

Each of these activities (taken one by one) is of course "legitimate" on its own, and even all of them together represent, or at least I intend them as, nothing but a minimal "good housekeeping" and certainly not anti-forensics.

Should tomorrow my disk drives be examined (and "nothing" of value for the investigation be found), I wouldn't want to be accused (falsely BTW) of having performed anti-forensics activities only because the Digital Investigator found nothing BUT some evidence of defragging, log deletion, no cookies or navigation information, and a compacted "clean" Registry, because this or that article tagged these "normal" activities as "anti forensics".

jaclaz

 
Posted : 20/10/2018 11:42 am
(@tootypeg) Topic starter

As stated, it all goes back to intent. Working the sorts of cases referred to as "APT" illustrates this to a great extent. Clearing of (Windows) Event Logs, deletion of files, removal of applications, and general modification of host systems is often referred to as "defensive evasion" but can fall within the realm of AF.

Good point. I guess 'by default' some of this content will be disabled or preconfigured. Although changing defaults is not AF per se, it might be an indicator. But making those assumptions is dangerous, I suppose!

I'm actually wondering whether AF is the correct term. Whilst it is for certain intentional acts with the correct tools, it doesn't cover the entirety of the area.

I will give you some more fitting examples. I have nothing to hide, yet I
1) routinely run defrag on my volumes
2) largely use browsers in "portable" editions, very often with javascript disabled AND deleting all temporary files and cookies
3) regularly empty Windows logs
4) periodically clean and compact the Registry

This raises interesting points. Say your average Joe computer user: if I examined this I would think something unusual was going on. I "assume" 😯 the average person knows little about these functions or the benefit of them, certainly not all together I would think, BUT that would need substantial research to substantiate that claim.

I think I started with a narrow view…. In my head I was considering the individual who is subject to device checks. Say they do something and use AF to cover up anything prior to a check. In this case AF detection would be valuable. It's a niche, closed scenario but possible, and it intrigues me from an investigation perspective.

…. From my perspective I always thought, for example in file wipe usage, if the file's gone it's gone, case closed, bad times (silly I know). But actually with a bit more time spent it could be just as valuable to identify the circumstances of the tool usage. It may not even be possible in all cases.

Even if stuff is 'gone', rather than thinking 'it was never there', AF marks may actually alert you to something else. I'm putting my AF discussion all together as we speak, so if anyone would like a look at the written work, just drop me a message.

 
Posted : 20/10/2018 12:57 pm
(@xandstorm)

Hi all,

AF is a very interesting topic indeed, and yes I do think it deserves much more attention than it does right now. But prior to being able to develop an AF toolkit, I think there should be some sort of definition.

There are many different and sometimes even contradicting definitions and descriptions out there, so this should be the first step. For instance many definitions do not even mention the "malicious intent" factor, which I think is the absolute essence of the whole subject matter.

Something simple and abstract for starters, like: the manipulation of data from the perspective of malicious intent and with the objective to destroy, hide or obfuscate events conducted on and/or through electronic means/devices? With a little thinking a much better definition could be formulated for sure.

Besides, AF is not a means by itself; it will always be servicing another, oftentimes not electronic-device-related purpose. And that might create a problem for the average DF examiner, as their core expertise is digital artifacts, while proving malicious intent, well, not always.

For example a tablet that was used as a communication device within a human trafficking ring. Physically hiding that device in the wall of a house, I consider that an AF activity.

In essence I think that proving malicious intent is much broader than the electronic device in custody with the DF examiner and therefore requires a different/additional expertise that not all DF examiners have under their belt.

Saludos.

 
Posted : 20/10/2018 3:33 pm