Hi to all, maybe it's worth a reading even if there are other posts on this argument.
http//
It has impressed me (a newbie) and I'm willing to know your opinions as experts.
I think that tools like Metasploit in wrong hands can do a lot of damage (w/o speaking about rootkits, botnets, etc.) and I'm curious about what can be done.
I'm not in the position to say what the guidelines to follow are for approaching this big problem, probably it has to be and guys like Keydet89, FarmerDude, Hogfly, and others can.
Anyway I'm available in collaborating to some kind of community project that can raise from discussions like this.
I apologize if I've proposed this argument in the wrong way or if I missed some other threads, but I'm really worried about this rising digital power of criminals.
Cheers
Rob
P.S. I won't answer quickly to possible replies of yours due to some family problems that will keep me far from a PC for some days.
Hi Rob,
I've been interested in AF for a while now, and have done quite a bit of research on the subject. Right now, I don't see any problems with the tools presented in the article (which certainly tries to make it sound like a huge problem). Allow me to explain :)
Firstly, it is my personal opinion that the Metasploit Anti-Forensics project is sufficiently badly written that many of the "hobby-level" people who might use it will give up and not bother using the applications.
In my experience Slacker was not able to retrieve data that it had hidden due to some coding flaws. The documentation also failed to mention there is a minimum size for the carrier file, which I found out by checking out the code itself (the carrier file must be greater than 1024 bytes to ensure that it is not stored as MFT-resident data). Contrary to the article, data hidden by Slacker doesn't "look like random noise to forensic tools" - tools like EnCase would highlight it in red on the hex view, although admittedly it would look uninteresting during an eyeball session if the XOR option had been used.
Timestomp isn't very scary because it only edits the time stamps in the $STANDARD_INFORMATION attribute of an MFT record. It can't edit the timestamps stored in the $FILE_NAME attribute because it has no driver to deal with NTFS flushing issues, so you can often recombine timelines somewhat using this. Also, time stamp editing has been around for years and hasn't caused a massive problem so far.
Transmogrify only works because some forensic tools (which shall remain nameless) are particularly weak at signature matching files. Rather than signaturing on the first few bytes of a file, it is trivial to develop file parsers that could validate each file on a more rigorous set of standards.
Data Mule and KY were actually developed by the Grugq (not Liu as it states in the article) and were quite neat at the time, but are very old and only work on older Ext file systems which are unlikely to be the target of most investigations.
The only real merit to the article in my opinion is the mention of diskless data storage - data stored and executed directly from memory. Admittedly this is more cutting edge, but again the breathless Liu states that you can't find things in memory because they "move around". I guess he hasn't heard about all the work currently going on in the memory forensics field.
The fact of the matter is that most of these techniques are either very noisy, or the process of hiding the data will show up in other places (the user interaction with the computer will leave event logs, registry changes and the like). Far better options are to just rootkit the system to hide files, which will probably be revealed in offline analysis, or to simply take the data and encrypt it using a nice heavy-weight scheme.
It boils down to forensic investigators needing to continue learning new techniques, not getting comfortable in the way they do things, putting time into research and the like. Stick with reading sites like this, the various blogs around and the output of excellent research at conferences such as DFRWS to see that it isn't all doom and gloom 😉
Cheers,
Tom
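Tom's point that Timestomp edits only the $STANDARD_INFORMATION timestamps and leaves $FILE_NAME alone is exactly what an investigator can check for. The snippet below is an added example, not code from the thread or from any tool it mentions; it assumes the raw bodies of the two resident attributes (after the attribute header) have already been pulled out of an MFT record by whatever parser you use, and it flags each timestamp where $SI is earlier than $FN. It also adds one heuristic the thread does not state: a $SI value with no sub-second ticks.

```python
# Added example (not from the thread): compare the $STANDARD_INFORMATION
# and $FILE_NAME timestamps of one NTFS MFT record to spot timestomp-style
# edits. Assumed input: the raw bodies of the two resident attributes
# (after the attribute header), as an MFT parser would hand them over.
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TS_NAMES = ("created", "modified", "mft_modified", "accessed")

def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME (100 ns ticks since 1601-01-01) to an aware UTC datetime."""
    return EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - EPOCH) // timedelta(microseconds=1)) * 10

def parse_timestamps(body: bytes, offset: int) -> dict:
    """Read the four little-endian FILETIMEs found at `offset` in an attribute body."""
    return dict(zip(TS_NAMES, struct.unpack_from("<4Q", body, offset)))

def si_fn_anomalies(si_body: bytes, fn_body: bytes) -> list:
    """Return a finding for each timestamp where $SI is earlier than $FN.

    Ordinary file activity moves $SI forward and leaves $FN at the time of
    creation or rename, so $SI preceding $FN is unexpected. A $SI value with
    zero sub-second ticks is also reported: a tool that sets times with
    one-second granularity leaves the low digits empty (an added heuristic,
    not something the thread states, so treat it as a hint only).
    """
    si = parse_timestamps(si_body, 0)   # $SI: FILETIMEs start at offset 0
    fn = parse_timestamps(fn_body, 8)   # $FN: after the 8-byte parent reference
    findings = []
    for name in TS_NAMES:
        if si[name] < fn[name]:
            findings.append(f"{name}: $SI {filetime_to_datetime(si[name])} "
                            f"precedes $FN {filetime_to_datetime(fn[name])}")
        elif si[name] % 10_000_000 == 0:
            findings.append(f"{name}: $SI has no sub-second component")
    return findings

# Constructed sample record: created 2007-03-10 13:05:22.4321 UTC (kept in
# $FN), with the $SI creation time later backdated to 2001-01-01 00:00:00.
REAL = datetime_to_filetime(datetime(2007, 3, 10, 13, 5, 22, 432100, tzinfo=timezone.utc))
FAKE = datetime_to_filetime(datetime(2001, 1, 1, tzinfo=timezone.utc))
SAMPLE_FN = b"\x00" * 8 + struct.pack("<4Q", REAL, REAL, REAL, REAL)
SAMPLE_SI = struct.pack("<4Q", FAKE, REAL, REAL, REAL)

if __name__ == "__main__":
    print("\n".join(si_fn_anomalies(SAMPLE_SI, SAMPLE_FN)))
```

Run it against the constructed record and only the backdated creation time is reported; a record whose $SI and $FN agree produces no findings.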