Rise Of AntiForensics Tools - Article & Member Feedback

Poll: Have you encountered the use of AntiForensics Tools in investigations?

4 votes (66%)
2 votes (33%)

Total Votes: 6

MindSmith (Senior Member)

Rise Of AntiForensics Tools - Article & Member Feedback

Posted: Jul 18, 07 13:07

CSO Magazine Article - The Rise Of AntiForensics www.csoonline.com/read...nsics.html

It would seem reading this article that we are fighting a losing battle, but beyond the exceptional cases I'm interested to know from members beyond the poll:

Q: Have you suspected the use of such tools in cases, but been unable to prove it? Alternatively, if the reverse is true: Q: How successful have they been in proving the use of such tools in any cases?

Q: What additional checks can one do to either overcome the use of tools such as Timestomp, etc.?

Q: Has anyone produced any AntiForensics detection checklist or process to determine if certain popular AF tools may have been used; i.e. what indicators can one look for other than the obvious ones such as all files were created in 2009?

I'm trying to get a clearer picture of how prevalent the use of such tools really is, and what additional controls one may include in their standard investigation processes to detect or determine if such tools were used?

Of late I have encountered a couple of cases where I believe that proprietary crypto was used to secure files and am still trying to find a sound process for dealing with such, and a control to include in all cases where there is a high probability that proprietary crypto may be used.

Thanks & Regards,
_________________
#include <std.disclaimer.H>

keydet89 (Senior Member)

Re: Rise Of AntiForensics Tools - Article & Member Feedback

Posted: Jul 18, 07 16:30

> It would seem reading this article that we are fighting a losing battle,

I'm not sure I can agree. I've read the article several times, and I'm working on a presentation to address similar issues to a group of LEs.

I would agree that this appears to be a losing battle IF an examiner bases their investigation solely on file MAC times, and little else. There are other places you can start your examination and develop leads, intel, and even evidence...all of which are unaffected by Timestomp.

The article, I believe, acts as a wake-up call for the vast majority of the "community" that has not developed their skills beyond the point of impact of the tools listed. My main concern at that point is that anyone in the "community" who is still rooted in DOS-era based forensics, or "Nintendo" forensics, is going to do nothing but run in circles in a panic...rather than expanding their knowledge base beyond their current level.

> Q:Have you suspected the use of such tools in cases, but been unable to
> prove it?

I haven't encountered anything beyond simply emptying the Recycle Bin. I have had examinations where others felt that due to a lack of 'evidence', AF or wiping tools had been used, but analysis of other areas of the system showed that their base assumption...that the intruder had been on the system for a long period of time...was incorrect.

> Q:What additional checks can one do to either overcome the use of tools
> such as Timestomp, etc?

There are other significant sources of information on a system (particularly a Windows system) that include timestamps and aren't affected by Timestomp. What you look for really depends on the state of the system when you encounter it. Memory analysis, Registry analysis, etc., all serve to overcome the apparent show-stoppers in the article.

> Q:Has anyone produced any AntiForensics detection checklist or process
> to determine if certain popular AF tools may have been used;

I think that these are along the lines of P2P and IM artifacts...the vast majority of folks within the community, those actively using this sort of info, do not retain or post it anywhere that is accessible to others.

> I'm trying to get a clearer picture of how prevalent the use of such tools really is,
> and what additional controls one may include in their standard
> investigation processes to detect or determine if such tools were used?

Good idea, but there are simply too few folks in the "community" doing this kind of research.

> Of late I have encountered a couple of cases where I believe that
> proprietary crypto was used to secure files and am still trying to find a
> sound process for dealing with such, and a control to include in all cases
> where there is a high probability that proprietary crypto may be used.

I'm not sure what you're referring to when you say "dealing with such"....dealing with how? ID'ing the crypto? I'd suggest examining the system for crypto tools, as well as interviewing the suspect (if at all possible). Also, if there were some way for you to share information, you may find that others have run into the same or a similar situation.

Harlan  
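Harlan's point that Timestomp leaves other timestamp sources untouched can be turned into a concrete triage check. The Python below is an added example by the editor, not code from this thread or from any tool named in it; it assumes an MFT parser has already supplied both the $STANDARD_INFORMATION and $FILE_NAME timestamps for each record (general NTFS behaviour not stated in the thread), and the two heuristics (whole-second $SI values, $SI creation earlier than $FN creation) are the editor's assumptions, run here over constructed sample records.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List

# NTFS stores timestamps as FILETIME: 100 ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000


def to_filetime(dt: datetime, ticks: int = 0) -> int:
    """Build a FILETIME from a whole-second datetime plus sub-second ticks (< 10^7)."""
    seconds = int((dt - FILETIME_EPOCH).total_seconds())
    return seconds * TICKS_PER_SECOND + ticks


@dataclass
class MftRecord:
    """Constructed stand-in for the fields an MFT parser would hand back (hypothetical layout)."""
    path: str
    si_created: int    # $STANDARD_INFORMATION creation time (the set SetFileTime rewrites)
    si_modified: int   # $STANDARD_INFORMATION last-modified time
    fn_created: int    # $FILE_NAME creation time (not rewritten by SetFileTime)
    fn_modified: int   # $FILE_NAME last-modified time


def check_record(rec: MftRecord) -> List[str]:
    """Return the timestamp anomalies found in one record; an empty list means nothing unusual."""
    findings: List[str] = []
    # Ordinary file activity leaves a non-zero sub-second part; a tool fed
    # "MM/DD/YYYY HH:MM:SS" writes exact whole seconds into $SI.
    if rec.si_created % TICKS_PER_SECOND == 0 and rec.si_modified % TICKS_PER_SECOND == 0:
        findings.append("si-subsecond-zero")
    # $SI creation earlier than $FN creation means $SI was backdated after the name
    # was assigned; some cross-volume moves do this legitimately, so treat it as a lead.
    if rec.si_created < rec.fn_created:
        findings.append("si-created-before-fn-created")
    return findings


def scan(records: List[MftRecord]) -> Dict[str, List[str]]:
    """Map each path to its findings, keeping only records with at least one hit."""
    hits: Dict[str, List[str]] = {}
    for rec in records:
        findings = check_record(rec)
        if findings:
            hits[rec.path] = findings
    return hits


# Constructed sample: one ordinary file and one whose $SI times were set to a round 2001 date.
T_NORMAL = datetime(2007, 7, 18, 13, 7, 0, tzinfo=timezone.utc)
T_STOMP = datetime(2001, 1, 1, 0, 0, 0, tzinfo=timezone.utc)
SAMPLE = [
    MftRecord(r"C:\Users\mindsmith\report.doc",
              to_filetime(T_NORMAL, 1_234_567), to_filetime(T_NORMAL, 8_765_432),
              to_filetime(T_NORMAL, 1_234_567), to_filetime(T_NORMAL, 1_234_567)),
    MftRecord(r"C:\Windows\Temp\drop.exe",
              to_filetime(T_STOMP), to_filetime(T_STOMP),
              to_filetime(T_NORMAL, 5_550_000), to_filetime(T_NORMAL, 5_550_000)),
]

if __name__ == "__main__":
    for path, findings in scan(SAMPLE).items():
        print(path, "->", ", ".join(findings))
```

Either finding on its own only justifies pulling the Registry, prefetch or memory artefacts Harlan mentions for the same file; it is a lead to corroborate, not a conclusion.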
 
  

Ivalen (Member)

Re: Rise Of AntiForensics Tools - Article & Member Feedback

Posted: Jul 18, 07 17:39

This is a FUD article in my opinion.

75% of all cases I investigate are employee misuse, and little if any obfuscation is used by the employee to cover their tracks. I laugh when they use system wipers.

20% are intrusion incidents, and I've yet to see concerted efforts to manipulate the filesystem once the malware is installed. So far the most convoluted approach is for the Stage1 infector to copy itself, execute the copy and download Stage2. Stage1 is then deleted. Sometimes MAC times are manipulated, but that's where malware analysis comes in. In all cases so far, there has been enough noise leftover on the filesystem/in the memory for a conclusion to be drawn.

The remaining 5% are e-discovery.

Dawson (Member)

Re: Rise Of AntiForensics Tools - Article & Member Feedback

Posted: Jul 21, 07 14:43

I've run into it only a handful of times over the past several years. In most cases the system wipe programs don't catch everything, so you may not have it all but you have enough. I only had one case where the hard drive was completely wiped. In that case I was able to send it to a lab in Dallas where they took it apart, realigned the heads, and presto, most of the data was restored. In short, these wipe programs may make things a little more difficult but they don't stop us completely. I'm more concerned about encryption advances than these data eliminator ones.

-Dawson
www.computer-forensic-resources.com

ddow (Senior Member)

Re: Rise Of AntiForensics Tools - Article & Member Feedback

Posted: Jul 21, 07 17:58

Dawson,

Tell us more. Conventional wisdom seems to be that a single pass wipe is sufficient to protect data from Gutmann style recovery. From what you're saying, that isn't the case.

Were you able to determine what type of wiping program was used?

What percent of the data were recoverable?

Was anything more needed other than head re-alignment?
_________________
Dennis

Dawson (Member)

Re: Rise Of AntiForensics Tools - Article & Member Feedback

Posted: Jul 22, 07 02:52

The way it was explained to me, the overwrite only hits a portion of each sector. What lies outside of the head remains, so by a combination of adjusting the head and examining the sectors where data is known to be, the examiner was able to make the head read the data and thereby restore it. Most of the data was recovered, though it wasn't in the cleanest form. It was also explained to me that the reason why government wipe standards use three wipes is to try to guard against this. Each time the head makes a read/write there is a chance the heads will be just a little bit off, so that increases the chance that the data that was outside the head during the previous wipe will get hit.

-Dawson
www.computer-forensic-resources.com

jamie (Site Admin)

Re: Rise Of AntiForensics Tools - Article & Member Feedback

Posted: Jul 22, 07 14:08

I share some of Dennis's surprise (to put it mildly!) For those interested Peter Gutmann's 1996 paper on secure deletion can be found here. Responses to that paper are numerous and can be easily Googled.