Rise Of AntiForensics Tools - Article & Member Feedback

(@mindsmith)
Posts: 174
Estimable Member
Topic starter
 

CSO Magazine Article - The Rise Of AntiForensics http://www.csoonline.com/read/060107/fea_antiforensics.html

It would seem reading this article that we are fighting a losing battle, but beyond the exceptional cases I'm interested to know from members beyond the poll

Q: Have you suspected the use of such tools in cases, but been unable to prove it? Alternatively, if the reverse is true, Q: How successful have they been in proving the use of such tools in any cases?

Q: What additional checks can one do to either overcome the use of tools such as Timestomp, etc.?

Q: Has anyone produced any AntiForensics detection checklist or process to determine if certain popular AF tools may have been used; i.e. what indicators can one look for other than the obvious ones such as all files were created in 2009?

I'm trying to get a clearer picture of how prevalent the use of such tools really is, and what additional controls one may include in their standard investigation processes to detect or determine if such tools were used.

Of late I have encountered a couple of cases where I believe that proprietary crypto was used to secure files and am still trying to find a sound process for dealing with such, and a control to include in all cases where there is a high probability that proprietary crypto may be used.

Thanks & Regards,

 
Posted : 18/07/2007 1:07 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

> It would seem reading this article that we are fighting a losing battle,

I'm not sure I can agree. I've read the article several times, and I'm working on a presentation to address similar issues to a group of LEs.

I would agree that this appears to be a losing battle IF an examiner bases their investigation solely on file MAC times, and little else. There are other places you can start your examination and develop leads, intel, and even evidence…all of which are unaffected by Timestomp.

The article, I believe, acts as a wake-up call for the vast majority of the "community" that has not developed their skills beyond the point of impact of the tools listed. My main concern at that point is that anyone in the "community" who is still rooted in DOS-era based forensics, or "Nintendo" forensics, is going to do nothing but run in circles in a panic…rather than expanding their knowledge base beyond their current level.

> Q: Have you suspected the use of such tools in cases, but been unable to
> prove it?

I haven't encountered anything beyond simply emptying the Recycle Bin. I have had examinations where others felt that, due to a lack of 'evidence', AF or wiping tools had been used, but analysis of other areas of the system showed that their base assumption…that the intruder had been on the system for a long period of time…was incorrect.

> Q: What additional checks can one do to either overcome the use of tools
> such as Timestomp, etc.?

There are other significant sources of information on a system (particularly a Windows system) that include timestamps and aren't affected by Timestomp. What you look for really depends on the state of the system when you encounter it. Memory analysis, Registry analysis, etc., all serve to overcome the apparent show-stoppers in the article.

> Q: Has anyone produced any AntiForensics detection checklist or process
> to determine if certain popular AF tools may have been used;

I think that these are along the lines of P2P and IM artifacts…the vast majority of folks within the community, those actively using this sort of info, do not retain or post it anywhere that is accessible to others.

> I'm trying to get a clearer picture of how prevalent the use of such tools really is,
> and what additional controls one may include in their standard
> investigation processes to detect or determine if such tools were used.

Good idea, but there are simply too few folks in the "community" doing this kind of research.

> Of late I have encountered a couple of cases where I believe that
> proprietary crypto was used to secure files and am still trying to find a
> sound process for dealing with such, and a control to include in all cases
> where there is a high probability that proprietary crypto may be used.

I'm not sure what you're referring to when you say "dealing with such"…dealing with how? ID'ing the crypto? I'd suggest examining the system for crypto tools, as well as interviewing the suspect (if at all possible). Also, if there were some way for you to share information, you may find that others have run into the same or a similar situation.

Harlan

 
Posted : 18/07/2007 4:30 pm
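Harlan's point that a Windows system carries timestamps Timestomp does not touch is the basis of the usual detection check: an NTFS MFT record holds one set of timestamps in $STANDARD_INFORMATION (what the Win32 API lets a program set) and a second set in $FILE_NAME (rewritten only by the kernel on create/rename). The script below is an added example, not code from the thread or from any tool it names; it assumes the examiner has already extracted both timestamp sets per file with an MFT parser, and the three records it triages are constructed, including one "created in 2009" case like the one the topic starter mentions.

```python
from datetime import datetime, timezone

def ts(s):
    """ISO-8601 string -> aware UTC datetime (NTFS stores UTC)."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

def rec(name, si, fn):  # lists are created/modified/accessed/entry-changed
    keys = ("c", "m", "a", "e")
    return {"name": name, "si": dict(zip(keys, map(ts, si))), "fn": dict(zip(keys, map(ts, fn)))}

ACQUIRED = ts("2007-07-18T12:00:00")  # constructed acquisition time

SAMPLE_RECORDS = [  # constructed, not from any real image
    # ordinary document: $FN was copied from $SI when the file was created
    rec("report.doc", ["2007-03-02T09:15:31.416023", "2007-05-11T17:02:08.901155",
                       "2007-07-01T08:00:13.221000", "2007-05-11T17:02:08.901155"],
        ["2007-03-02T09:15:31.416023"] * 4),
    # backdated: $SI pushed to 2004 with whole-second values, $FN untouched
    rec("tool.exe", ["2004-06-15T10:00:00", "2004-06-15T10:00:00",
                     "2004-06-15T10:00:00", "2007-07-10T22:41:05.117734"],
        ["2007-07-10T22:40:59.003112"] * 4),
    # forward-dated: "created in 2009" on an image acquired in 2007
    rec("notes.txt", ["2009-01-01T00:00:00", "2009-01-01T00:00:00",
                      "2009-01-01T00:00:00", "2007-07-12T03:12:44.507291"],
        ["2007-07-12T03:12:40.880004"] * 4),
]

def timestomp_indicators(r, acquired=ACQUIRED):
    """Return (strength, reason) pairs; an empty list means nothing stood out."""
    si, fn, hits = r["si"], r["fn"], []
    # $FN is rewritten only by the kernel on create/rename, so a $SI creation
    # time earlier than $FN's means $SI was pushed back afterwards.
    if si["c"] < fn["c"]:
        hits.append(("strong", "$SI created predates $FN created"))
    # Entry-changed is not settable via SetFileTime and is bumped whenever the
    # record is rewritten, e.g. by the stomping itself.
    if si["c"] > si["e"] or si["m"] > si["e"]:
        hits.append(("strong", "$SI created/modified is after $SI entry-changed"))
    for k in ("c", "m", "a"):  # nothing genuine postdates the acquisition
        if si[k] > acquired:
            hits.append(("strong", f"$SI {k} is after acquisition"))
    # Second-granularity APIs leave the fraction at zero; weak on its own,
    # since FAT-sourced copies and some installers do this legitimately.
    if all(si[k].microsecond == 0 for k in ("c", "m", "a")):
        hits.append(("weak", "all settable $SI fields have zero sub-second fraction"))
    return hits

def triage(records, acquired=ACQUIRED):
    """Map file name -> indicators, for files with at least one hit."""
    found = ((r["name"], timestomp_indicators(r, acquired)) for r in records)
    return {name: hits for name, hits in found if hits}
```

A "weak" hit alone is a lead to corroborate against Registry, prefetch or event-log timestamps, not a finding; the "strong" ones are the contradictions the article's scenario leaves behind.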
(@ivalen)
Posts: 30
Eminent Member
 

This is a FUD article in my opinion.

75% of all cases I investigate are employee misuse, and little if any obfuscation is used by the employee to cover their tracks. I laugh when they use system wipers.

20% are intrusion incidents, and I've yet to see concerted efforts to manipulate the filesystem once the malware is installed. So far the most convoluted approach is for the Stage1 infector to copy itself, execute the copy and download Stage2. Stage1 is then deleted. Sometimes MAC times are manipulated, but that's where malware analysis comes in. In all cases so far, there has been enough noise leftover on the filesystem/in the memory for a conclusion to be drawn.

The remaining 5% are e-discovery.

 
Posted : 18/07/2007 5:39 pm
Dawson
(@dawson)
Posts: 16
Active Member
 

I've run into it only a handful of times over the past several years. In most cases the system wipe programs don't catch everything, so you may not have it all but you have enough. I only had one case where the hard drive was completely wiped. In that case I was able to send it to a lab in Dallas where they took it apart, realigned the heads, and presto, most of the data was restored. In short, these wipe programs may make things a little more difficult but they don't stop us completely. I'm more concerned about encryption advances than these data eliminator ones.

-Dawson
www.computer-forensic-resources.com

 
Posted : 21/07/2007 2:43 pm
 ddow
(@ddow)
Posts: 278
Reputable Member
 

Dawson,

Tell us more. Conventional wisdom seems to be that a single pass wipe is sufficient to protect data from Gutmann style recovery. From what you're saying, that isn't the case.

Were you able to determine what type of wiping program was used?

What percent of the data were recoverable?

Was anything more needed other than head re-alignment?

 
Posted : 21/07/2007 5:58 pm
Dawson
(@dawson)
Posts: 16
Active Member
 

The way it was explained to me, the overwrite only hits a portion of each sector. What lies outside of the head remains, so by a combination of adjusting the head and examining the sectors where data is known to be, the examiner was able to make the head read the data and thereby restore it. Most of the data was recovered, though it wasn't in the cleanest form. It was also explained to me that the reason why government wipe standards use three wipes is to try to guard against this. Each time the head makes a read/write there is a chance the heads will be just a little bit off, so that then increases the chance that the data that was outside the head during the previous wipe will get hit.

-Dawson
www.computer-forensic-resources.com

 
Posted : 22/07/2007 2:52 am
Jamie
(@jamie)
Posts: 1288
Moderator
 

I share some of Dennis's surprise (to put it mildly!) For those interested Peter Gutmann's 1996 paper on secure deletion can be found here. Responses to that paper are numerous and can be easily Googled.

 
Posted : 22/07/2007 2:08 pm
(@lecraw789)
Posts: 4
New Member
 

> I've run into it only a handful of times over the past several years. In most cases the system wipe programs don't catch everything, so you may not have it all but you have enough. I only had one case where the hard drive was completely wiped. In that case I was able to send it to a lab in Dallas where they took it apart, realigned the heads, and presto, most of the data was restored. In short, these wipe programs may make things a little more difficult but they don't stop us completely. I'm more concerned about encryption advances than these data eliminator ones.
>
> -Dawson
> www.computer-forensic-resources.com

Dawson,

Can you please share the name of the lab in Dallas that you sent the hard drive to?

Thank you.

 
Posted : 24/07/2007 3:42 am
(@aidan_jewell)
Posts: 17
Active Member
 

I don't know whether it's bad luck on my part, but recently I've been running into a fair few cases of suspects having used/installed wiping utilities and/or encryption utilities on their machines.

Thankfully, not every suspect who has these programs manages to use them efficiently, so I often find interesting nuggets of information to get an idea of what these programs were used for. It's also handy when they use some of the freeware wiping utilities that leave log files by default 😉

I haven't, to the best of my knowledge, encountered Timestomp in a case, but I do try to keep an eye out for any anti-forensics related evidence during a case (registry entries, cached web pages/searches etc).

 
Posted : 24/07/2007 1:12 pm
(@mindsmith)
Posts: 174
Estimable Member
Topic starter
 

Hi,
many thanks for your comments & insight, much appreciated. Harlan, thanks for your detailed answers. I was trying to gauge if what I am seeing here in my region tallies up with what others are seeing too, and how accurately the CSO article represents what's happening worldwide.

Thanks & Regards,

 
Posted : 24/07/2007 5:25 pm