anti-forensics


tootypeg
Senior Member
 

anti-forensics

Post Posted: Oct 18, 18 12:27

Hi all,

I'm doing a bit of research into anti-forensics and I guess I'm just after asking everyone's thoughts on anything and everything in this area...

What's people's experience of AF?
Do we need an AF tool mark database? I think we do and I want to propose this. But what should it include?
Developing an anti-forensics tool examination framework - what stages are needed?

Just a few thoughts; it seems like an under-researched/considered area.  
 
  

jaclaz
Senior Member
 

Re: anti-forensics

Post Posted: Oct 18, 18 13:57

Not what you asked, but the first question to ask (IMHO) is how you can call (and prove) that something is "anti forensics" (as opposed to "diligent attempts to protect one's privacy", "normal system/filesystem maintenance" or even "excessive tin foil hattism").

See also this old discussion (before it went astray with preservation duty and spoliation):
www.forensicfocus.com/...ic/t=5410/

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

athulin
Senior Member
 

Re: anti-forensics

Post Posted: Oct 18, 18 15:44

- tootypeg
What's people's experience of AF?


Anti-forensics, whatever it is, must be intentional. Very little I've seen falls into that category. Mass access of files on a sales file share ... perhaps they hid some other type of access? But DBANing a laptop on the last day of employment ... intentional, yes, but not necessarily with intent to conceal anything forbidden or malicious. Yet, to some it was more suspicious to find zeroed sectors, and somehow argue that that in itself must be an indicator of having something dangerous to hide.

Don't let LE define the term. To them ... well, some of them, ... smartphone encryption is AF.

- tootypeg
Do we need an AF tool mark database - I think we do and I want to propose this.

I don't think so. I think we need something more than that, but it may be a reasonable place to start. The main problem is the label 'AF'. You could just as well label it 'Criminal tool mark database', and see users believe that to be true: just because it is present in the database, it's significant evidence of something.

- tootypeg
But what should it include?


What question should it answer? And what kind of answers should it give?

Direct traces? 'What tool overwrites file names with "123123123.123"?' What tool adds illegal directories pointing 'up' in file systems, causing many forensic file examination tools to go for a spin instead of doing their job? Where can I buy weird-looking USB-connected gadgets that look like mass memory or wireless adapters, but don't do anything except confuse any FA who tries to examine them? (a.k.a. denial-of-service devices).

Indirect traces? Unique or significant sector hashes from known implementations of those tools?

Implementations of AES-512? To hide *everything*?

Big-endian or mixed-endian computers? Sources of Olivetti Minidisc -- because no one but no one can image one? (Yes, I exaggerate ... a little.)

Smartphones? (see above.)

I can't help thinking that a database of such things would possibly be considered as an AF resource of the first order. (Perhaps the name and the logo need to be done first ...)

- tootypeg
Just a few thoughts; it seems like an under-researched/considered area.


Well, I don't think any other forensic area has that sub-area. Anyone doing research on AF in toxicology or forensic pathology? The spooks?

I once had an AF indicator, vouched for by an experienced FA. Blank timestamps in Encase were proof of intentional hiding of time information, thus anti-forensics.

So perhaps an AF database could be useful as a source of further under-researched areas. That would be useful, too.  
 
  

xandstorm
Member
 

Re: anti-forensics

Post Posted: Oct 18, 18 20:10

Recently I have seen a demo of a piece of alpha-status AF software that changed both the file extension as well as the file signature of bitmap photo image files. The tool could do that batch-wise.

In "rest" / locked device state, the file signatures / extensions are changed to something different, but upon unlocking the device the file signatures / extensions can be changed back to their original state by an access mechanism, either password or biometrical.

I have no idea on the purpose or actual usability of such a tool, but I would definitely call this AF and apparently someone is investing time and money in its further development.

PS Just to be exact here, I was not given access to the software myself so I cannot confirm authenticity.  
 
  
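A defender-side triage check for the behaviour xandstorm describes (an added example, not code from this thread or from any tool mentioned in it): it compares each file's extension with its leading magic bytes, so an image renamed to a non-image extension is reported as a mismatch, while a file whose signature has been overwritten with something unrecognised lands in the 'unknown' bucket for manual review. The signature table and the sample files are constructed for the demonstration.

```python
import os
import tempfile

# Constructed subset of image magic bytes; real triage tables are far larger.
SIGNATURES = {
    b"BM": {".bmp", ".dib"},
    b"\x89PNG\r\n\x1a\n": {".png"},
    b"\xff\xd8\xff": {".jpg", ".jpeg"},
    b"GIF89a": {".gif"},
}

def detect_format(header: bytes):
    """Return the extension set whose magic matches the header, else None."""
    for magic, exts in SIGNATURES.items():
        if header.startswith(magic):
            return exts
    return None

def classify(path: str) -> str:
    """'match' if extension agrees with magic, 'mismatch' if not, 'unknown'
    if no table entry matches (signature altered, or format not listed)."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        header = fh.read(16)
    exts = detect_format(header)
    if exts is None:
        return "unknown"
    return "match" if ext in exts else "mismatch"

def scan(root: str) -> dict:
    """Walk root and map each relative path to its classification."""
    results = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            results[os.path.relpath(full, root)] = classify(full)
    return results

def build_sample_tree() -> str:
    """Constructed sample: an honest BMP, a BMP renamed to .txt, and a BMP
    whose magic bytes were overwritten (the signature-altering case)."""
    root = tempfile.mkdtemp(prefix="af_demo_")
    bmp = b"BM" + b"\x00" * 30  # minimal BMP-looking header
    samples = {"photo.bmp": bmp,                # untouched
               "notes.txt": bmp,                # extension changed only
               "holiday.bmp": b"ZZ" + bmp[2:]}  # magic bytes altered
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root
```

Every mismatch, and every unknown carrying an image-like extension, is a candidate for hand review; the check only surfaces the inconsistency and says nothing about why the file was altered.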

steve862
Senior Member
 

Re: anti-forensics

Post Posted: Oct 19, 18 12:50

Hi,

There have been many online forums over the years where predominantly paedophiles post advice on how to avoid detection and how to hide what you've been up to in the event your computer is seized and examined.

In terms of how I have responded to the challenge, I used to use hashsets consisting of the MD5 of the installation executable of most common privacy programs and the installed executable of the most common programs. That way I could get a quick heads up if they have the installer and/or the installed program.

I stopped keeping this up to date because it proved to be less valuable over time. Since Edward Snowden it is the developers who appear to be leading the charge on 'anti-forensics'. It means less use of a privacy program to secure other programs, (or a device), and a move to the programs and devices having their own security.

I find an analysis of the data can often show whether a user has been attempting to hide what they've been up to, but so often this isn't treated as an aggravating factor come sentencing anyway.

Whilst there are still programs out there that can do various types of obfuscation, the devices/programs/apps tend to offer simpler options to the user to delete/hide/alter data to prevent someone else accessing it.

I don't know if any of this helps build a picture of what the landscape is but I thought I would mention it.

Steve
_________________
Forensic Computer Examiner, London, UK 
 
  

tootypeg
Senior Member
 

Re: anti-forensics

Post Posted: Oct 20, 18 08:33

- jaclaz
Not what you asked, but the first question to ask (IMHO) is how you can call (and prove) that something is "anti forensics" (as opposed to "diligent attempts to protect one's privacy", "normal system/filesystem maintenance" or even "excessive tin foil hattism").

See also this old discussion (before it went astray with preservation duty and spoliation):
www.forensicfocus.com/...ic/t=5410/

jaclaz


Great point, something which had completely passed me by. Now this is a challenge as I guess AF is determined by the motivation of the user (to a point). Hmmm that is an issue.


- athulin
Anti-forensics, whatever it is, must be intentional.


Agreed. An example I was using is private browsing. I guess it's not AF, unless you are doing something you want to be deleted/not stored etc. By default, the tool is not AF I guess.

- athulin
Don't let LE define the term.


Agreed, I guess in this context, anything that removes any form of activity would be termed AF. But this isn't the case in reality. Privacy and genuine motivation are also in play.

- athulin
I can't help thinking that a database of such things would possibly be considered as an AF resource of the first order. (Perhaps the name and the logo need to be done first ...)


Yes, this is tricky. I was doing a bit of initial coverage looking into things like the traditional 'CCleaner' and there are a number of filesystem 'marks' that raise evidential interest. These marks, when interpreted, shed light on the usage of the tool. These marks may be of value to an investigator.

Albeit CCleaner should maybe not be called AF, because it serves a legit purpose - motive comes in again I guess, as you have all previously said.

- athulin
So perhaps an AF database could be useful as a source of further under-researched areas. That would be useful, too.


I'm hoping to start the debate around this.

- xandstorm
Recently I have seen a demo of a piece of alpha-status AF software that changed both the file extension as well as the file signature of bitmap photo image files. The tool could do that batch-wise.

In "rest" / locked device state, the file signatures / extensions are changed to something different, but upon unlocking the device the file signatures / extensions can be changed back to their original state by an access mechanism, either password or biometrical.

I have no idea on the purpose or actual usability of such a tool, but I would definitely call this AF and apparently someone is investing time and money in its further development.

PS Just to be exact here, I was not given access to the software myself so I cannot confirm authenticity.


Wow, now this sounds very interesting. Not heard of anything like that.

- steve862
There have been many online forums over the years where predominantly paedophiles post advice on how to avoid detection and how to hide what you've been up to in the event your computer is seized and examined.


I guess AF is also knowledge transfer!


- steve862
I find an analysis of the data can often show whether a user has been attempting to hide what they've been up to, but so often this isn't treated as an aggravating factor come sentencing anyway.


I think this is a bigger issue now, whether maybe less content may be present; we maybe should be looking at these toolmarks. I'm thinking of contexts where someone is subject to device supervision/surveillance.  
 
  

keydet89
Senior Member
 

Re: anti-forensics

Post Posted: Oct 20, 18 11:10

- jaclaz
...the first question to ask (IMHO) is how you can call (and prove) that something is "anti forensics" (as opposed to "diligent attempts to protect one's privacy", "normal system/filesystem maintenance" or even "excessive tin foil hattism").


Excellent points.

Over the years, some questions I've been asked by customers and fellow analysts alike have tip-toed up to the AF line. For example, let's say there's an Application Prefetch file (XP, Win7) that indicates that the Defrag utility was run on a system, *after* an order of preservation was issued. The customer wants to know if the user executed Defrag...however, invariably, what you have to illustrate to the customer is the built-in Windows functionality (sched task, etc.).

As stated, it all goes back to intent. Working the sorts of cases referred to as "APT" illustrates this to a great extent. Clearing of (Windows) Event Logs, deletion of files, removal of applications, and general modification of host systems is often referred to as "defensive evasion" but can fall within the realm of AF.

Even ransomware can fall under that heading; after all, VSCs are intentionally disabled and deleted, in a number of cases.  
 

Page 1 of 4