Anti- Forensics – Part 1. Executive Summary.
This document is a general summary on the most widely used techniques currently to hide or to make unrecoverable digital tracks of a crime in magnetic media. The practice of collecting as much information and documentation about a crime, computer related or not, falls under the name of “Computer Forensics,” a term that precisely identifies the discipline that studies the techniques and methodologies required for collection, analysis and presentation of unequivocal “evidences” usable in legal proceedings. On the other hand, we can also find anti- investigation techniques which aim to make the job performed by automated tools and flesh- and- blood investigators very difficult and/or unreliable.
Usually, in the light of modern operating systems and how they manage data, events, and information, these “evidences” are generally pretty easy to find, especially when the suspect does not expect an action against him. However, for computer related crimes, there are many techniques that can be used to increase the difficulty level of the analysis of media found once the suspect has been identified.
To extract a snapshot of a running computer’s. With the right tools and. Anti-Forensics: The Rootkit Connection Below. Examiners need to actively search for evidence of the use of ANTI-forensic techniques. Anti-Forensics and digital evidence. Official Full-Text Publication: Computer Anti-forensics Methods and Their Impact on Computer Forensic Investigation on ResearchGate, the professional network for.
What Anti- Forensics is About. As already mentioned, anti- forensics aims to make investigations on digital media more difficult and therefore, more expensive. Usually, it is possible to distinguish anti- forensic techniques in specific categories, each of which is particularly meant to attack one or more steps that will be performed by analysts during their activity. All forensic analysts in fact, from either private or public laboratories, like that of police for example, will take specific steps during each phase of the analysis of a new case. Knowing these steps, generally summarized as “Identification,” “Acquisition,” “Analysis” and “Reporting,” is the first measure to better understand the benefits and limitations of each anti- forensic technique. As in many other branches of information security, a good level of security is achieved through a stratified model for solving a problem.
This means that attacking only one of these steps taken by the investigators often do not lead to the desired result Furthermore, an expert analyst, in the best of cases, will still be able to demonstrate that they were able to deal with some evidence, even without knowing the content of that evidence. Instead, attacking the identification, acquisition and analysis phases of evidence- gathering will make quite sure of the contrary.
Free IT forensics and computer forensics software. Forensic Control - IT forensics and computer forensics investigators in cases of computer misuse or dispute. Identifying Anti-forensics: Timestomping. Anti-Forensics Considering a career in Computer Forensics? Linux Anti-Forensics – Hide Where The Tools Don’t Look. Anti-Forensics - LayerOne - Paul Henry.
These are the general anti- forensic categories discussed within this document: Data Hiding, Obfuscation and Encryption. Data Forgery. Data Deletionand Physical Destruction. Analysis Prevention. Online Anonymity. Note that not all anti- forensic methods are covered by this document, due to space reasons or because some are very easy to detect. Details on some of these techniques have been deliberately omitted, always for space reasons and because of the large amount of information already present online.– Data Hiding, Obfuscation and Encryption. Obviously, the great advantage of hiding data is to maintain the availability of these when there is need.
Anti Forensics Tools Computer Network
Regardless of the operating system, using the physical disk for data hiding is a widely used technique, but those related to the OS or the file system in use are quite common. In the use of physical disk for data hiding, these techniques are made feasible due to some options implemented during their production that are intended to facilitate their compatibility and their diffusion, while other concealment methods take advantage of the data management property of the operating system and/or file system. At this stage, we are going to attack, as we can imagine, the first phase of an investigation: “Identification.”If evidence cannot be found, in fact, it will be neither analyzed nor reported.– Unused Space in MBRMost hard drives have, at the beginning, some space reserved for MBR (Master Boot Record). This contains the necessary code to begin loading an OS and also contains the partition tables. The MBR also defines the location and size of each partition, up to a maximum four.
The MBR only requires a single sector. From this and the first partition, we can find 6. For a classic DOS- style partition table, the first partition needs to start here.
Anti Forensics Tools Computers
This results in 6. Although the size of data that we can “hide” in this area is limited, an expert investigator will definitely look at its contents to search for compromising material. HPA Area. The most common technique to hide data at the hardware level is to use the HPA (Host Protected Area) area of disk. This is generally an area not accessible by the OS and is usually used only for recovery operations.
This area is also invisible to certain forensic tools and is therefore ideal for hiding data that we do not want to be found easily. The following image shows a representation of HPA within a physical media.
The starting address of this area is represented by the next sector to the disk size given with the ATA command SET MAX ADDRESS * (SET MAX ADDRESS + 1 sector). Some forensic tools such as En.
Case, The Sleuth Kit, and ATA Forensic are easily able to counter the use of HPA for hiding data. For example, via the utility “disk.
It can also perform a momentary reset by using the “disk. If the value returned from these two commands is different, there is a high probability that an HPA area is in place. We can also proceed with its removal by using the SET. It was introduced as an optional feature in the standard of ATA- 6. This technique is stealthier than the use of HPA and is also less known. The following image shows a representation of DCO within a physical media.
The more effective way to detect DCO areas remains the use of ATA command DEVICE CONFIGURATION IDENTIFY, which is able to show the real size of a disk. Comparing the output of this command with that resulting from the command READ. It’s also important to note that “The ATA Forensic Tool” is also able to find hidden areas of this kind. Use of Slack Space. The “Slack Space,” in a nutshell, is the unused space between the end of a stored file, and the end of a given data unit, also known as cluster or block.
When a file is written into the disk, and it doesn’t occupy the entire cluster, the remaining space is called slack space. It’s very simple to imagine that this space can be used to store secret information. The image below shows a graphical representation of how the slack space can appear within a cluster: The use of this technique is quite widespread, and is more commonly known as “file slack.” However, there are many other places to hide data through the “slack space” technique, such as the so- called “Partition Slack.” A file system usually allocates data in clusters or blocks as already mentioned, where a cluster represents more consecutive sectors. If the total number of sectors in a partition is not a multiple of the cluster size, there will be some sectors at the end of the partition that cannot be accessed by the OS, and that could be used to hide data.
Another common technique is to mark some fully usable sectors as “bad” in such a way that these will no longer be accessible by the OS. By manipulating file system metadata that identifies “bad blocks” like $Bad. Clus in NTFS, it’s possible to obtain blocks that will contain hidden data. It’s also possible to get a similar result with a more low- level manipulation (see Primary Defect List, Grown Defect List and System Area).
Surely, another technique yet to be mentioned under this category is the use of additional clusters during the disk storage of a file. For example, if we use 1.
For this technique, files that do not change their size over time are usually used to avoid overwriting the hidden data. For this reason, therefore, OS files are often used to accomplish this operation. Alternate Data Stream and Extended File Attributes. The content of a file, in NTFS, is stored in the resident attribute $Data of MFT. By default, all data of a file is stored in a single $Data attribute of the MFT. In a nutshell, considering the immense amount of information on the web about ADS, a file may have more than one $Data attribute, offering a simple way to hide data in an NTFS file system. Similar to the Alternate Data Streams in NTFS, Linux supports a feature called “xattr” (Extended Attribute) that can also be used to associate more than one data stream to a file.
The common antagonistic practices to these hiding techniques include a special focus on less- used storage spaces, and generally base our results on several forensics tools, not just one. It may also be helpful to check the hardware parameters of the media offered by the manufacturer. Finally, it is also possible, with enough time, to perform a static analysis of the slack space.
Steganography / Background Noise. In information security, steganography is a form of security through obscurity. The steganographic algorithms, unlike cryptographics, aim to keep the “plausible” form of data that they are intended to protect, so that no suspicion will be raised regarding actual secret content. The steganographic technique currently most widespread is the Least Significant Bit or LSB. It is based on the fact that a high resolution image is not going to change its overall appearance if we change some minor bits inside it. For example, consider the 8- bit binary number 1.
Taking into account a bearing image, therefore, the idea is to break down the binary format of the message and put it on the LSBs of each pixel of the image. Steganography, obviously, may be used with many types of file formats, such as audio, video, binary and text.
Other steganographic techniques that should surely be mentioned are the Bit- Plane Complexity Segmentation (BPCS), the Chaos Based Spread Spectrum Image Steganography (CSSIS) and Permutation Steganography (PS). Going into the details of all steganographic algorithms however, is beyond the scope of this document and should be dealt with through a dedicated paper.