Anti-Forensics Distro

(@m1k3l3)
Posts: 4
New Member
Topic starter
 

Hello everyone,

I am building an Ubuntu-based anti-forensics distro (university thesis, not terrorism).

Currently I have implemented:
[Wiping] Secure-delete (I created an interface to simplify use)
[Encryption] True-crypt
[Virtualization] Virtual-box
[Network Security] Tor / firefox
[Steganography] Steg-Hide / SteGUI

To implement (what software can I use?):
[Data Hiding] Filesystem Insertion?
[Create false evidence] Modified Timestamp file?
[Create false evidence] md5 collision?
[Network Anonymity] Attacks on wireless networks (air-crack?)
[Mail Encryption] NewPGP / Thunderbird? (Is it a good choice?)
[Firewall] IPtable changes (how?)
[Antivirus] Really needed?

The aim of this project is not primarily a live system but an installed one, to test the effectiveness of forensic tools (CAINE) against my anti-forensics distro (AFUBUNTU).

The anonymity software is there to complete the work of an anti-forensics distro, but it isn't the main goal.

Other suggestions for this project?

Thanks to all those who want to help me.

 
Posted : 22/09/2009 5:37 pm
(@slidertx)
Posts: 1
New Member
 

Looks great

 
Posted : 22/09/2009 6:17 pm
(@mobileforensicswales)
Posts: 274
Reputable Member
 

You might want to have a look at the BackTrack distros; something that would crack SAM tables would probably be useful, but you may find it difficult fitting any useful rainbow tables on the disk. If I were going to add a SAM cracker to a distro I would add a link that would forward the LM table hash to the ophcrack website (link inserted below). PS: Don't forget to give credit to those who have helped you in the acknowledgments ;)

http://www.objectif-securite.ch/products.php

 
Posted : 22/09/2009 6:54 pm
(@m1k3l3)
Posts: 4
New Member
Topic starter
 

Thanks for the reply, but I don't think that helps me.

AFubuntu is an anti-forensics distro and a SAM cracker is a forensic tool, which frankly I do not care about.


 
Posted : 23/09/2009 12:01 am
(@itagent2000)
Posts: 31
Eminent Member
 

I think this community is the wrong one for you. I can only speak for myself, but I think many others on this forum think the same.

We are happy to have some forensic knowledge, some tricks with which we can still find evidence even when the suspect has tried to cover his tracks.
Also we already have enough possibilities to verify our work and to test our forensic tools.

So at least I am not interested in publishing an Anti-Forensic CD! This knowledge should not be spread on a CD and be so easy to get!

Of course, the anti-forensic knowledge is public too, but I think suspects who try to hide their tracks should at least do their own research on the internet and should not be given a ready solution by professional forensic specialists!

Chris

 
Posted : 23/09/2009 11:14 am
SleepParalysis
(@sleepparalysis)
Posts: 42
Eminent Member
 


This is a great idea. You might add in MAC address spoofing (macchanger) for when accessing other networks, so that IDS and other devices are logging a MAC address not associated with any physical network device on your system.

Full disk encryption with truecrypt and a secure passphrase is really the deal breaker I think. You're not going to do much forensic-wise against a system like this.

You can also modify the TrueCrypt boot loader to take out any mention of "TrueCrypt" to make it a bit harder to identify, like here:

http://www.anti-forensics.com/modify-truecrypt-encryption-boot-loader-strings

 
Posted : 23/09/2009 10:27 pm
(@code_slave)
Posts: 61
Trusted Member
 

You might want to check out the "anti-anti-forensics" research for a balanced view.
I think I saw a paper at Black Hat 2009 recently related to work being done on detecting "anti-forensic" kit.

 
Posted : 25/09/2009 12:30 pm
(@m1k3l3)
Posts: 4
New Member
Topic starter
 


Thanks for giving me this paper you reported :D

 
Posted : 26/09/2009 4:38 pm
(@code_slave)
Posts: 61
Trusted Member
 

Not a problem...
Let the war begin: anti-forensics vs. anti-anti-anti-forensics 😉

 
Posted : 26/09/2009 6:20 pm
(@dngroen)
Posts: 55
Trusted Member
 

Would you be willing to give me a copy?

I ask as I have a project coming up and this would be a fantastic thing to explore in a forensic/security context.

 
Posted : 28/09/2009 6:51 pm