Anti-computer forensics
Anti-computer forensics (sometimes counter forensics) is a general term for a set of techniques used as countermeasures to forensic analysis.
Definition
Anti-forensics has only recently been recognized as a legitimate field of study. Within this field of study, numerous definitions of anti-forensics abound. One of the more widely known and accepted definitions comes from Dr. Marc Rogers of Purdue University. Dr. Rogers uses a more traditional “crime scene” approach when defining anti-forensics: “Attempts to negatively affect the existence, amount and/or quality of evidence from a crime scene, or make the analysis and examination of evidence difficult or impossible to conduct.” A more abbreviated definition is given by Scott Berinato in his article entitled The Rise of Anti-Forensics: “Anti-forensics is more than technology. It is an approach to criminal hacking that can be summed up like this: Make it hard for them to find you and impossible for them to prove they found you.” Neither author takes into account using anti-forensics methods to ensure the privacy of one's personal data.
Sub-categories
Anti-forensics methods are often broken down into several sub-categories to make classification of the various tools and techniques simpler. One of the more widely accepted subcategory breakdowns was developed by Dr. Marcus Rogers. He has proposed the following sub-categories: data hiding, artifact wiping, trail obfuscation and attacks against the CF (computer forensics) processes and tools. Attacks against forensics tools directly have also been called computer forensics.
Purpose and goals
Within the field of digital forensics there is much debate over the purpose and goals of anti-forensic methods. The common conception is that anti-forensic tools are purely malicious in intent and design. Others believe that these tools should be used to illustrate deficiencies in digital forensic procedures, digital forensic tools, and forensic examiner education. This sentiment was echoed at the 2005 Blackhat Conference by anti-forensic tool authors James Foster and Vinnie Liu. They stated that by exposing these issues, forensic investigators will have to work harder to prove that collected evidence is both accurate and dependable. They believe that this will result in better tools and education for the forensic examiner.
Data hiding
Data hiding is the process of making data difficult to find while also keeping it accessible for future use. “Obfuscation and encryption of data give an adversary the ability to limit identification and collection of evidence by investigators while allowing access and use to themselves.” Some of the more common forms of data hiding include encryption, steganography and other various forms of hardware/software based data concealment. Each of the different data hiding methods makes digital forensic examinations difficult. When the different data hiding methods are combined, they can make a successful forensic investigation nearly impossible.
Encryption
One of the more commonly used techniques to defeat computer forensics is data encryption. In a presentation he gave on encryption and anti-forensic methodologies, the Vice President of Secure Computing, Paul Henry, referred to encryption as a “forensic analyst's nightmare”.
The majority of publicly available encryption programs allow the user to create virtual encrypted disks which can only be opened with a designated key. Through the use of modern encryption algorithms and various encryption techniques these programs make the data virtually impossible to read without the designated key.
File level encryption encrypts only the file contents. This leaves important information such as file name, size and timestamps unencrypted. Parts of the content of the file can be reconstructed from other locations, such as temporary files, swap file and deleted, unencrypted copies.
Most encryption programs have the ability to perform a number of additional functions that make digital forensic efforts increasingly difficult. Some of these functions include the use of a keyfile, full-volume encryption, and plausible deniability. The widespread availability of software containing these functions has put the field of digital forensics at a great disadvantage.
Steganography
Steganography is a technique where information or files are hidden within another file in an attempt to hide data by leaving it in plain sight. “Steganography produces dark data that is typically buried within light data (e.g., a non-perceptible digital watermark buried within a digital photograph).” Some experts have argued that the use of steganography techniques is not very widespread and therefore shouldn't be given a lot of thought. Most experts will agree that steganography has the capability of disrupting the forensic process when used correctly.
According to Jeffrey Carr, a 2007 edition of Technical Mujahid (a bi-monthly terrorist publication) outlined the importance of using a steganography program called Secrets of the Mujahedeen. According to Carr, the program was touted as giving the user the capability to avoid detection by current steganalysis programs. It did this through the use of steganography in conjunction with file compression.
Other forms of data hiding
Other forms of data hiding involve the use of tools and techniques to hide data throughout various locations in a computer system. Some of these places can include “memory, slack space, hidden directories, bad blocks, alternate data streams, (and) hidden partitions.” One of the more well known tools that is often used for data hiding is called Slacker (part of the Metasploit framework). Slacker breaks up a file and places each piece of that file into the slack space of other files, thereby hiding it from the forensic examination software. Another data hiding technique involves the use of bad sectors. To perform this technique, the user changes a particular sector from good to bad and then data is placed onto that particular cluster. The belief is that forensic examination tools will see these clusters as bad and continue on without any examination of their contents.
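The slack-space technique above depends on examiners reading files only up to their logical end. The examiner's counter-check is to look at what lies between each file's logical end and the end of its last allocated cluster. The following is an added illustration, not code from the article or from the Slacker tool: it builds a small constructed disk image with a 512-byte cluster size and two files (both assumptions), plants a fragment in one file's slack, and reports any file whose slack holds non-zero bytes.

```python
"""Slack-space residue check on a constructed, cluster-based disk image."""
import math

CLUSTER_SIZE = 512  # bytes per cluster in the constructed image (assumption)


def slack_region(start_cluster: int, file_size: int, cluster_size: int = CLUSTER_SIZE):
    """Return (offset, length) of the file slack that follows a file's logical end.

    A file of `file_size` bytes occupies ceil(file_size / cluster_size) clusters;
    the bytes between the logical end of file and the end of its last cluster
    are file slack and are never returned by a normal read of the file.
    """
    clusters = max(1, math.ceil(file_size / cluster_size))
    logical_end = start_cluster * cluster_size + file_size
    allocation_end = (start_cluster + clusters) * cluster_size
    return logical_end, allocation_end - logical_end


def find_slack_residue(image: bytes, entries, cluster_size: int = CLUSTER_SIZE):
    """Report files whose slack space holds non-zero bytes.

    `entries` is an iterable of (name, start_cluster, file_size) tuples: the
    minimal directory metadata needed to locate each file's clusters.
    """
    findings = []
    for name, start, size in entries:
        offset, length = slack_region(start, size, cluster_size)
        slack = image[offset:offset + length]
        nonzero = sum(1 for b in slack if b != 0)
        if nonzero:
            findings.append({"file": name, "offset": offset,
                             "slack_bytes": length, "nonzero_bytes": nonzero})
    return findings


def build_sample_image():
    """Constructed image: two files, one with a fragment planted in its slack."""
    image = bytearray(CLUSTER_SIZE * 4)
    entries = [("notes.txt", 0, 100), ("report.txt", 2, 600)]
    image[0:100] = b"A" * 100                                   # notes.txt content
    image[2 * CLUSTER_SIZE:2 * CLUSTER_SIZE + 600] = b"B" * 600  # report.txt content
    # Constructed hidden fragment written past the logical end of report.txt,
    # inside its last allocated cluster.
    hidden = b"fragment-of-hidden-file"
    offset, _ = slack_region(2, 600)
    image[offset:offset + len(hidden)] = hidden
    return bytes(image), entries


if __name__ == "__main__":
    img, dir_entries = build_sample_image()
    for finding in find_slack_residue(img, dir_entries):
        print(finding)
```

Real filesystems vary in whether the driver zero-fills slack on write, so a clean result on a single file proves little; the useful signal is non-zero slack across many files, or slack whose content carries recognisable structure.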
Artifact wiping
The methods used in artifact wiping are tasked with permanently eliminating particular files or entire file systems. This can be accomplished through the use of a variety of methods that include disk cleaning utilities, file wiping utilities and disk degaussing/destruction techniques.
Disk cleaning utilities
Disk cleaning utilities use a variety of methods to overwrite the existing data on disks (see data remanence). The effectiveness of disk cleaning utilities as anti-forensic tools is often challenged, as some believe they are not completely effective. Experts who don't believe that disk cleaning utilities are acceptable for disk sanitization base their opinions on current DOD policy, which states that the only acceptable form of sanitization is degaussing. (See National Industrial Security Program.) Disk cleaning utilities are also criticized because they leave signatures that the file system was wiped, which in some cases is unacceptable. Some of the widely used disk cleaning utilities include DBAN, srm, BCWipe Total WipeOut, KillDisk, PC Inspector and CyberScrub's cyberCide. Another option, which is approved by the NIST and the NSA, is CMRR Secure Erase, which uses the Secure Erase command built into the ATA specification.
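The "signatures" that the paragraph says disk cleaning utilities leave behind are, at the block level, long stretches of uniform fill (zeros or a repeated byte) or of high-entropy fill (random overwrite) where normal file data used to be. The following is an added illustration, not code from the article or from any of the listed utilities: it scans a constructed image in 512-byte blocks (an assumption), labels each block, and reports runs of at least eight consecutive wipe-like blocks.

```python
"""Block-pattern scan of a constructed disk image to spot wiping signatures."""
import math
import random
from collections import Counter

BLOCK = 512        # scan granularity in bytes (assumption)
RANDOM_BITS = 7.0  # entropy at or above this, in bits per byte, is treated as random fill


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over one block."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_block(block: bytes) -> str:
    """Label a block: 'zero', 'pattern' (one repeated non-zero byte), 'random', or 'data'."""
    if not block.strip(b"\x00"):
        return "zero"
    if len(set(block)) == 1:
        return "pattern"
    if shannon_entropy(block) >= RANDOM_BITS:
        return "random"
    return "data"


def find_wipe_runs(image: bytes, block: int = BLOCK, min_run: int = 8):
    """Return runs of at least `min_run` consecutive blocks sharing a wipe-like label."""
    labels = [classify_block(image[i:i + block]) for i in range(0, len(image), block)]
    runs, start = [], 0
    for i in range(1, len(labels) + 1):
        if i == len(labels) or labels[i] != labels[start]:
            if labels[start] != "data" and i - start >= min_run:
                runs.append({"label": labels[start], "first_block": start,
                             "blocks": i - start, "offset": start * block})
            start = i
    return runs


def build_sample_image() -> bytes:
    """Constructed image: 4 blocks of text, 16 blocks of 0xFF fill, 16 random blocks,
    16 zero blocks, then 4 more blocks of text."""
    rng = random.Random(7)  # seeded so the sample is reproducible
    text = (b"Quarterly report: revenue up 4%.\n" * 64)[:BLOCK * 4]
    pattern = b"\xff" * (BLOCK * 16)
    noise = bytes(rng.getrandbits(8) for _ in range(BLOCK * 16))
    zeros = bytes(BLOCK * 16)
    return text + pattern + noise + zeros + text


if __name__ == "__main__":
    for run in find_wipe_runs(build_sample_image()):
        print(run)
```

Compressed and encrypted files are also high-entropy, so a "random" run is only suggestive on its own; the page's advice to corroborate with multiple tools applies here, for instance by checking whether the run lies in space the file system reports as unallocated.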
File wiping utilities
File wiping utilities are used to delete individual files from an operating system. The advantage of file wiping utilities is that they can accomplish their task in a relatively short amount of time, as opposed to disk cleaning utilities, which take much longer. Another advantage of file wiping utilities is that they generally leave a much smaller signature than disk cleaning utilities. There are two primary disadvantages of file wiping utilities: first, they require user involvement in the process, and second, some experts believe that file wiping programs don't always correctly and completely wipe file information. Some of the widely used file wiping utilities include BCWipe, R-Wipe & Clean, Eraser, Aevita Wipe & Delete and CyberScrub's PrivacySuite.
Disk degaussing / destruction techniques
Disk degaussing is a process by which a magnetic field is applied to a digital media device. The result is a device that is entirely clean of any previously stored data. Degaussing is rarely used as an anti-forensic method despite the fact that it is an effective means to ensure data has been wiped. This is attributed to the high cost of degaussing machines, which are difficult for the average consumer to afford. A more commonly used technique to ensure data wiping is the physical destruction of the device. The NIST recommends that “physical destruction can be accomplished using a variety of methods, including disintegration, incineration, pulverizing, shredding and melting.”
Trail obfuscation
The purpose of trail obfuscation is to confuse, disorientate and divert the forensic examination process. Trail obfuscation covers a variety of techniques and tools that include “log cleaners, spoofing, misinformation, backbone hopping, zombied accounts, trojan commands.” One of the more widely known trail obfuscation tools is Timestomp (part of the Metasploit Framework). Timestomp gives the user the ability to modify file metadata pertaining to access, creation and modification times/dates. By using programs such as Timestomp, a user can render any number of files useless in a legal setting by directly calling into question the files' credibility.
Another well known trail-obfuscation program is Transmogrify (also part of the Metasploit Framework). In most file types the header of the file contains identifying information. A (.jpg) would have header information that identifies it as a (.jpg), a (.doc) would have information that identifies it as a (.doc), and so on. Transmogrify allows the user to change the header information of a file, so a (.jpg) header could be changed to a (.doc) header. If a forensic examination program or operating system were to conduct a search for images on a machine, it would simply see a (.doc) file and skip over it.
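The examiner's answer to both a renamed extension and a rewritten header is to compare three things: the extension, the leading bytes, and strings that sit deeper in the body than a header edit reaches. The following is an added illustration, not code from the article or from Transmogrify: it uses a small table of well-known magic numbers and body markers (the table and the sample files are assumptions constructed for the example) and classifies each file as consistent, mismatched, or carrying a header that disagrees with its own body.

```python
"""File-signature check: do a file's leading bytes and its body agree with its extension?"""
import os

# Leading-byte signatures by content family (assumption: this small table is all that is checked).
SIGNATURES = {
    "jpeg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
    "pdf": [b"%PDF-"],
    "ole": [b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"],  # legacy .doc/.xls container
    "zip": [b"PK\x03\x04"],                         # .zip, and also .docx
}
EXT_FAMILY = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif",
              ".pdf": "pdf", ".doc": "ole", ".xls": "ole", ".docx": "zip", ".zip": "zip"}
# Markers that live deeper in the file than its header; replacing the header leaves them behind.
BODY_HINTS = {
    "jpeg": [b"JFIF", b"Exif"],
    "png": [b"IHDR", b"IEND"],
    "pdf": [b"endobj", b"%%EOF"],
}


def header_families(data: bytes) -> set:
    """Families whose magic number matches the leading bytes."""
    return {fam for fam, magics in SIGNATURES.items()
            if any(data.startswith(m) for m in magics)}


def body_families(data: bytes) -> set:
    """Families whose body markers appear anywhere in the content."""
    return {fam for fam, hints in BODY_HINTS.items() if any(h in data for h in hints)}


def check_file(name: str, data: bytes) -> dict:
    """Classify one file by extension, leading bytes and body markers."""
    ext = os.path.splitext(name)[1].lower()
    family = EXT_FAMILY.get(ext)
    header = header_families(data)
    body = body_families(data)
    if family is None:
        status = "unknown-extension"
    elif family not in header:
        status = "mismatch" if header else "unrecognized-content"
    elif body - {family}:
        status = "header-body-conflict"
    else:
        status = "ok"
    return {"file": name, "expected": family, "header": sorted(header),
            "body": sorted(body), "status": status}


def scan(files):
    """Run check_file over (name, content) pairs."""
    return [check_file(name, data) for name, data in files]


# Constructed samples, not real files.
JPEG_BODY = b"\xe0\x00\x10JFIF\x00\x01" + b"\x00" * 16 + b"\xff\xd9"
SAMPLE_FILES = [
    ("holiday.jpg", b"\xff\xd8\xff" + JPEG_BODY),          # genuine JPEG
    ("memo.doc", b"\xff\xd8\xff" + JPEG_BODY),             # JPEG content, renamed to .doc
    ("forged.doc", SIGNATURES["ole"][0] + JPEG_BODY),      # JPEG body behind a .doc header
    ("budget.doc", SIGNATURES["ole"][0] + b"\x00" * 24),   # plausible .doc container
    ("photo.png", b"not really a png"),
    ("notes.txt", b"plain text"),
]

if __name__ == "__main__":
    for result in scan(SAMPLE_FILES):
        print(result)
```

A header edit alone defeats the leading-bytes check, which is why the body markers matter; a fuller examiner tool would parse the claimed format rather than grep for strings, but the "header-body-conflict" outcome is the signal to look for.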
Attacks against computer forensics
In the past, anti-forensic tools have focused on attacking the forensic process by destroying data, hiding data, or altering data usage information. Anti-forensics has recently moved into a new realm where tools and techniques are focused on attacking the forensic tools that perform the examinations. These new anti-forensic methods have benefited from a number of factors, including well documented forensic examination procedures, widely known forensic tool vulnerabilities and digital forensic examiners' heavy reliance on their tools. During a typical forensic examination, the examiner would create an image of the computer's disks. This keeps the original computer (evidence) from being tainted by forensic tools. Hashes are created by the forensic examination software to verify the integrity of the image. One of the recent anti-tool techniques targets the integrity of the hash that is created to verify the image. By affecting the integrity of the hash, any evidence that is collected during the subsequent investigation can be challenged.
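Where a single whole-image hash is the only integrity record, any doubt about that one value puts the whole image in question. A common hardening is to record more than one digest and to hash the image piecewise, so that a later mismatch can be localised to the chunks that changed instead of discrediting everything. The following is an added illustration, not code from the article or from any forensic suite: it records SHA-256 and MD5 over a constructed image plus a SHA-256 per 4096-byte chunk (the chunk size is an assumption), then verifies an intact copy and a copy with one flipped bit.

```python
"""Piecewise verification of a forensic image: two whole-image digests plus per-chunk digests."""
import hashlib

CHUNK = 4096  # chunk size for piecewise hashing (assumption)


def hash_image(image: bytes, chunk: int = CHUNK) -> dict:
    """Record SHA-256 and MD5 over the whole image plus SHA-256 of every chunk."""
    return {
        "length": len(image),
        "chunk_size": chunk,
        "sha256": hashlib.sha256(image).hexdigest(),
        "md5": hashlib.md5(image).hexdigest(),
        "chunks": [hashlib.sha256(image[i:i + chunk]).hexdigest()
                   for i in range(0, len(image), chunk)],
    }


def verify_image(image: bytes, record: dict) -> dict:
    """Compare an image against a stored record and report which chunks changed."""
    current = hash_image(image, record["chunk_size"])
    whole_ok = (current["sha256"] == record["sha256"]
                and current["md5"] == record["md5"]
                and current["length"] == record["length"])
    altered = [i for i, (old, new) in enumerate(zip(record["chunks"], current["chunks"]))
               if old != new]
    # Chunks appended or truncated fall outside what zip() compares; report them too.
    shorter = min(len(record["chunks"]), len(current["chunks"]))
    longer = max(len(record["chunks"]), len(current["chunks"]))
    altered.extend(range(shorter, longer))
    return {"intact": whole_ok and not altered, "altered_chunks": altered}


def build_sample_image() -> bytes:
    """Constructed three-chunk image standing in for an acquired disk image."""
    return (b"constructed-evidence-" * 600)[:CHUNK * 3]


def demo():
    """Verify an intact copy and a copy with one bit flipped in chunk 1."""
    image = build_sample_image()
    record = hash_image(image)
    tampered = bytearray(image)
    tampered[CHUNK + 10] ^= 0x01
    return verify_image(image, record), verify_image(bytes(tampered), record)


if __name__ == "__main__":
    clean, bad = demo()
    print("intact copy:", clean)
    print("tampered copy:", bad)
```

The record itself must be kept somewhere the imaged system cannot reach (for example, printed in the acquisition notes or stored on separate write-protected media); per-chunk hashes help localise a change but do not replace that chain-of-custody step.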
Physical
Use of a chassis intrusion detection feature in a computer case, or a sensor (such as a photodetector) rigged with explosives for self-destruction.
Effectiveness of anti-forensics
Anti-forensic methods rely on several weaknesses in the forensic process, including: the human element, dependency on tools, and the physical/logical limitations of computers. By reducing the forensic process's susceptibility to these weaknesses, an examiner can reduce the likelihood of anti-forensic methods successfully impacting an investigation. This may be accomplished by providing increased training for investigators, and by corroborating results using multiple tools.
See also
- Forensic disk controller
- Data remanence
- Information privacy
- Cryptographic hash function
- Degauss
- Keyfile
- Encryption
- Plausible deniability
- Metadata removal tool
- DECAF
External links
- Evaluating Commercial Counter-Forensic Tools
- Counter-Forensic Tools: Analysis and Data Recovery
- http://www.informatik.uni-trier.de/~ley/db/conf/dfrws/dfrws2005.html
- http://www.dfrws.org/2006/proceedings/6-Harris.pdf
- Anti-Forensics Class: a little over 3 hours of video on the subject of anti-forensic techniques