Anti-Forensics Distro  

m1k3l3
(@m1k3l3)
New Member

Hello everyone,

I am building an Ubuntu-based anti-forensics distro (university thesis, not terrorism).

Currently I have implemented:
[Wiping] secure-delete (I created an interface to simplify its use)
[Encryption] TrueCrypt
[Virtualization] VirtualBox
[Network Security] Tor / Firefox
[Steganography] Steghide / SteGUI

To implement (which software can I use?):
[Data Hiding] filesystem insertion?
[Create false evidence] modified file timestamps?
[Create false evidence] MD5 collisions?
[Network Anonymity] attacks on wireless networks (aircrack?)
[Mail Encryption] NewPGP / Thunderbird? (Is that a good choice?)
[Firewall] iptables changes (how?)
[Antivirus] Really needed?

The aim of this project is not primarily a live system but an installed one, to test the effectiveness of forensic tools (CAINE) against my anti-forensics distro (AFUBUNTU).

The anonymity software completes the work of an anti-forensics distro, but it isn't the main goal.

Other suggestions for this project?

Thanks to all those who want to help me.

Posted : 22/09/2009 6:37 pm
slidertx
(@slidertx)
New Member

Looks great

Posted : 22/09/2009 7:17 pm
mobileforensicswales
(@mobileforensicswales)
Active Member

You might want to have a look at the BackTrack distros; something that would crack SAM tables would probably be useful, but you may find it difficult fitting any useful rainbow tables on the disk. If I were going to add a SAM cracker to a distro I would add a link that would forward the LM hash to the ophcrack website (link inserted below). PS Don't forget to give credit to those who have helped you in the acknowledgments 😉

http://www.objectif-securite.ch/products.php

Posted : 22/09/2009 7:54 pm
m1k3l3
(@m1k3l3)
New Member

Thanks for the reply, but I don't think that helps me.

AFubuntu is an anti-forensics distro and a SAM cracker is a forensic tool, which frankly I don't care about.

> You might want to have a look at the BackTrack distros; something that would crack SAM tables would probably be useful, but you may find it difficult fitting any useful rainbow tables on the disk. If I were going to add a SAM cracker to a distro I would add a link that would forward the LM hash to the ophcrack website (link inserted below). PS Don't forget to give credit to those who have helped you in the acknowledgments 😉
>
> http://www.objectif-securite.ch/products.php

Posted : 23/09/2009 1:01 am
itagent2000
(@itagent2000)
Junior Member

I think this community is the wrong one for you. I can only speak for myself, but I think many others on this forum think the same.

We are happy to have some forensic knowledge, some tricks where we can still find evidence even when the suspect has tried to cover his tracks.
Also, we already have enough possibilities to verify our work and to test our forensic tools.

So at least I am not interested in publishing an Anti-Forensic CD! This knowledge should not be spread on a CD and be so easy to get!

Of course, anti-forensic knowledge is public too, but I think suspects who try to hide their tracks should at least do their own research on the internet and should not be given a ready solution by professional forensic specialists!

Chris

Posted : 23/09/2009 12:14 pm
SleepParalysis
(@sleepparalysis)
Junior Member

> Hello everyone,
>
> I am building an Ubuntu-based anti-forensics distro (university thesis, not terrorism).
>
> Currently I have implemented:
> [Wiping] secure-delete (I created an interface to simplify its use)
> [Encryption] TrueCrypt
> [Virtualization] VirtualBox
> [Network Security] Tor / Firefox
> [Steganography] Steghide / SteGUI
>
> To implement (which software can I use?):
> [Data Hiding] filesystem insertion?
> [Create false evidence] modified file timestamps?
> [Create false evidence] MD5 collisions?
> [Network Anonymity] attacks on wireless networks (aircrack?)
> [Mail Encryption] NewPGP / Thunderbird? (Is that a good choice?)
> [Firewall] iptables changes (how?)
> [Antivirus] Really needed?
>
> The aim of this project is not primarily a live system but an installed one, to test the effectiveness of forensic tools (CAINE) against my anti-forensics distro (AFUBUNTU).
>
> The anonymity software completes the work of an anti-forensics distro, but it isn't the main goal.
>
> Other suggestions for this project?
>
> Thanks to all those who want to help me.

This is a great idea. You might add in MAC address spoofing (macchanger) for when accessing other networks, so that IDS and other devices are logging a MAC address not associated with any physical network device on your system.

Full disk encryption with TrueCrypt and a secure passphrase is really the deal breaker, I think. You're not going to do much forensics-wise against a system like this.

You can also modify the TrueCrypt boot loader to take out any mention of "TrueCrypt" to make it a bit harder to identify, as described here:

http://www.anti-forensics.com/modify-truecrypt-encryption-boot-loader-strings

Posted : 23/09/2009 11:27 pm
code_slave
(@code_slave)
Member

You might want to check out the "anti-anti-forensics" research for a balanced view.
I think I saw a paper at Black Hat 2009 recently related to work being done on detecting "anti-forensic" kit.

Posted : 25/09/2009 1:30 pm
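As an added, defender-side example (not from anyone in the thread): code_slave's "anti-anti-forensics" angle applied to the timestamp manipulation listed in the first post. It assumes a POSIX filesystem, where utimes()/touch can set mtime but never ctime, so only the orderings a normal write cannot produce are flagged; the sample files are constructed in a temporary directory.

```python
import os
import tempfile
import time
from typing import Optional


def classify(mtime: float, ctime: float, now: float, slack: float = 2.0) -> list:
    """Indicator strings for one file's timestamps (epoch seconds).

    On POSIX, utimes()/touch can set atime and mtime but never ctime, and any
    such change bumps ctime to the current clock. So an mtime later than ctime,
    or later than 'now', cannot come from a normal write and is a strong sign
    it was set by hand. (mtime far *older* than ctime is only a weak hint, since
    chmod/chown/rename also refresh ctime, so it is deliberately not flagged.)
    """
    reasons = []
    if mtime > ctime + slack:
        reasons.append("mtime newer than ctime")
    if mtime > now + slack:
        reasons.append("mtime in the future")
    return reasons


def scan(root: str, now: Optional[float] = None) -> list:
    """Walk root; return (path, reasons) for every file with an indicator."""
    now = time.time() if now is None else now
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path, follow_symlinks=False)
            except OSError:
                continue  # vanished or unreadable: skip, do not abort the scan
            reasons = classify(st.st_mtime, st.st_ctime, now)
            if reasons:
                findings.append((path, reasons))
    return findings


def demo() -> list:
    """Constructed sample: one untouched file, one with a forged future mtime."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("normal.txt", "stomped.txt"):
            with open(os.path.join(root, name), "w") as fh:
                fh.write("sample\n")
        future = time.time() + 86400  # one day ahead; ctime stays at 'now'
        os.utime(os.path.join(root, "stomped.txt"), (future, future))
        return sorted((os.path.basename(p), r) for p, r in scan(root))
```

Running `demo()` reports only `stomped.txt`; a back-dated mtime (the more common forgery) would show up as mtime older than ctime, which this check intentionally leaves to the examiner because benign metadata changes produce the same pattern.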
m1k3l3
(@m1k3l3)
New Member

> You might want to check out the "anti-anti-forensics" research for a balanced view.
> I think I saw a paper at Black Hat 2009 recently related to work being done on detecting "anti-forensic" kit.

Thanks for reporting this paper to me :D

Posted : 26/09/2009 5:38 pm
code_slave
(@code_slave)
Member

Not a problem...
Let the war begin: anti-forensics vs. anti-anti-anti-forensics 😉

Posted : 26/09/2009 7:20 pm
dngroen
(@dngroen)
Member

Would you be willing to give me a copy?

I ask as I have a project coming up, and this would be a fantastic thing to explore in a forensic/security context.

Posted : 28/09/2009 7:51 pm
m1k3l3
(@m1k3l3)
New Member

Currently it is still not ready; within 15 days I think I can create something "complete" and measurable.

If you leave me your contact MSN / Mail / Skype we can talk.

Posted : 29/09/2009 4:15 am
s1lang
(@s1lang)
Member

I'll keep an eye out for this.

Posted : 30/09/2009 3:51 pm