Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #29 Information/Data Hiding and Counter-forensics November 5, 2007.


Outline
- Review of Lectures
- Discussion of the papers on Information/Data Hiding and Counter/Anti-forensics

Review of Lectures
- Papers on Evidence Correlation
- Forensic feature extraction and cross-drive analysis
- md5bloom: Forensic file system hashing revisited (OPTIONAL)
- Identifying almost identical files using context triggered piecewise hashing (OPTIONAL)
- A correlation method for establishing provenance of timestamps in digital evidence
- Honeypot example (Grad student presentation)

Papers to discuss
- Data Hiding in Journaling File Systems
- Evaluating Commercial Counter-Forensic Tools
- Automatically Creating Realistic Targets for Digital Forensics Investigation

Abstract of Paper 1
Data hiding is one technique by which system perpetrators store information while reducing the risk of being detected by system administrators. The first major section of this article structures and compares existing data hiding methods for UNIX file systems in terms of usability and countermeasures. It discusses variant techniques related to advanced file systems. The second section proposes a new technique that stores substantial amounts of data inside journaling file systems in a robust fashion with low detectability, which is demonstrated by means of a proof-of-concept implementation for the ext3 journaling file system.

Outline
- Introduction
- Known Hiding Techniques
- New Scheme: Deliberate FS Inconsistencies
- Directions

Introduction
- Several detection avoidance techniques:
  - Trojanizing system binaries or the kernel, often referred to as introducing "backdoors"
  - Purging of system audit and process accounting logs
  - Data/information hiding
- Data hiding is used to hide incriminating data: sniffer or password collector log files, or contraband such as pirated copies of programs or media files.

Known Hiding Techniques
- Media Management Layer
- File System Layer
- Application Layer

Media Management Layer
- Using unused media
  - Usability for the attacker: an attacker has to reduce the size of one of the partitions on the medium
  - Countermeasures: regular checking of partition sizes
- Mounting on nonempty directories
  - Usability for the attacker: the data to be hidden is stored in files in a directory. The attacker mounts an existing file system, or a newly created one using loopback mounting, onto this directory
  - Countermeasures: detecting the use of existing partition mounts has to rely on auditing the (remote) system log for subsequent unmount and mount operations
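The countermeasure on this slide is to audit mount and unmount activity. As an added worked example (not code from the paper or from these slides), the script below diffs a current mount table against a known-good baseline in /proc/mounts format, so it can be fed a live host's table or two saved snapshots. The BASELINE and CURRENT tables are constructed sample data, and calling out loop devices is a heuristic assumed by this example.

```python
"""Audit a mount table against a known-good baseline.

Added example, not code from the paper or the lecture. The slide's
countermeasure for "mounting on nonempty directories" is to audit mount and
unmount activity; this script does that by diffing two snapshots in
/proc/mounts format, which can come from a live host
(open("/proc/mounts").read()) or from saved copies. BASELINE and CURRENT
below are constructed sample tables, and the loop-device heuristic is an
assumption of this example.
"""
from typing import Dict, List, NamedTuple


class Mount(NamedTuple):
    device: str
    mountpoint: str
    fstype: str
    options: str


def parse_mounts(text: str) -> Dict[str, Mount]:
    """Parse /proc/mounts lines (device mountpoint fstype options dump pass)."""
    mounts: Dict[str, Mount] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # blank or malformed line
        # /proc/mounts escapes a space in a path as the octal sequence \040
        mountpoint = parts[1].replace("\\040", " ")
        mounts[mountpoint] = Mount(parts[0], mountpoint, parts[2], parts[3])
    return mounts


def audit_mounts(baseline: Dict[str, Mount], current: Dict[str, Mount]) -> List[str]:
    """Report mounts added, removed, or changed relative to the baseline.

    A new mount over a directory that already held files is exactly what the
    slide describes, so any mount point absent from the baseline is reported;
    a loop device is called out because its backing store is an ordinary file
    rather than a partition.
    """
    findings: List[str] = []
    for mp, cur in sorted(current.items()):
        base = baseline.get(mp)
        if base is None:
            note = "new mount, not in baseline"
            if cur.device.startswith("/dev/loop"):
                note += " (loopback device, backed by a regular file)"
            findings.append(f"{mp}: {cur.device} {cur.fstype}: {note}")
        elif (base.device, base.fstype) != (cur.device, cur.fstype):
            findings.append(
                f"{mp}: changed from {base.device} {base.fstype} "
                f"to {cur.device} {cur.fstype}"
            )
    for mp in sorted(baseline):
        if mp not in current:
            findings.append(f"{mp}: present in baseline, now unmounted")
    return findings


# Constructed snapshots: the second one has an extra loopback mount on a
# directory under /home.
BASELINE = """\
/dev/sda1 / ext3 rw,relatime,errors=remount-ro 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0
/dev/sda2 /home ext3 rw,relatime 0 0
"""

CURRENT = BASELINE + "/dev/loop0 /home/user/docs ext2 rw,relatime 0 0\n"


if __name__ == "__main__":
    import sys

    if len(sys.argv) == 3:  # compare two saved snapshots
        base_text = open(sys.argv[1]).read()
        cur_text = open(sys.argv[2]).read()
    else:  # no arguments: run on the constructed sample
        base_text, cur_text = BASELINE, CURRENT
    for finding in audit_mounts(parse_mounts(base_text), parse_mounts(cur_text)):
        print(finding)
```

Run with no arguments it reports the single loopback mount in the constructed data; with two file arguments it compares saved snapshots, which is how the slide's "audit the system log" idea becomes a periodic check when the baseline snapshot is kept on a remote host.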

File System Layer
- File system category: data structures may not use an entire logical disk block.
- Data unit category: slack space. The file system organizes the storage medium's sectors into individually addressable data units, referred to as "logical disk blocks." Slack space is defined as the unused part of a file's last data unit.
- Metadata category: use reserved inodes. The data structures commonly referred to in UNIX file systems as "inodes" organize per-file metadata such as timestamps, ownership, access rights, etc. An attacker may use inodes which the operating system itself will not use.

File System Layer
- Metadata category: extended file attributes. UNIX file systems have recently introduced additional file attributes for data storage. They are easy for the attacker to use, and easy for the system administrator to detect using commands provided by the operating system.
- File name category: special file names. A file system stores and processes data to assign human-recognizable names to files and directories. Human perception can be deceived in the file name category by creating file names consisting of space characters, or of spaces and dots.
- File name category: removal of open files
- Metadata/file name category: hide in deleted inodes plus trojan fsck

File System Layer
- File name category: removal of open files. Attackers have been known to hide both program and data files by removing them while the program in question was still running. Upon deletion of an open file the operating system immediately removes the file name from the directory but delays removal of metadata and content until all referring file descriptors have been closed.
- Metadata/file name category: hide in deleted inodes plus trojan fsck. The fundamental idea is to use a trojanized version of the file system checking program (fsck). At boot time the trojanized fsck/rc script combination "undeletes" and spawns the malicious software, for example a sniffer, then "removes" the sniffer executable and the sniffer log file again.
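The two file-name-category methods on this and the preceding slide (deceptive names made of spaces and dots, and files unlinked while still open) both have a cheap administrator-side check. As an added example, not code from the paper or the lecture, the script below implements both: a directory walk that flags names a human would not notice in a listing, and a scan of the /proc/<pid>/fd symlinks, which the Linux kernel suffixes with " (deleted)" once the name is gone. The proc root is a parameter so the scan can be pointed at a constructed tree for testing; the name rules are this example's own.

```python
"""Two checks for file-name-category hiding on UNIX file systems.

Added example, not the paper's code. (1) Walk a directory tree and flag names
made only of spaces and dots, or containing control characters, which fool
human inspection of a directory listing. (2) List open files whose directory
entry has already been removed, by reading the /proc/<pid>/fd symlinks, which
the kernel suffixes with " (deleted)". The proc root is a parameter so the
function can be pointed at a constructed tree for testing.
"""
import os
import re
from typing import List, Tuple

# A name an operator would not notice in a listing: only spaces and dots
# (the "." and ".." entries themselves are never yielded by os.walk).
_DECEPTIVE = re.compile(r"^[ .]+$")
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def suspicious_name(name: str) -> str:
    """Return a reason string if the name is deceptive, else ''."""
    if _DECEPTIVE.match(name):
        return "name consists only of spaces and dots"
    if _CONTROL.search(name):
        return "name contains control characters"
    if name != name.strip():
        return "name has leading or trailing whitespace"
    return ""


def find_suspicious_names(root: str) -> List[Tuple[str, str]]:
    """Walk root; return (path, reason) for every deceptive file or dir name."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            reason = suspicious_name(name)
            if reason:
                hits.append((os.path.join(dirpath, name), reason))
    return sorted(hits)


def find_deleted_open_files(proc_root: str = "/proc") -> List[Tuple[int, str]]:
    """Return (pid, original path) for open files whose name was unlinked.

    Each /proc/<pid>/fd/<n> is a symlink; when the last link to the target
    is gone the kernel appends " (deleted)" to the link text. Processes we
    cannot read (other users' processes, when not running as root) and
    processes that exit mid-scan are skipped.
    """
    results = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue  # not a process directory
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            if target.endswith(" (deleted)"):
                results.append((int(entry), target[: -len(" (deleted)")]))
    return sorted(results)


if __name__ == "__main__":
    import sys

    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, reason in find_suspicious_names(root):
        print(f"SUSPICIOUS NAME {path!r}: {reason}")
    for pid, path in find_deleted_open_files():
        print(f"DELETED BUT OPEN pid={pid} {path}")
```

Run as root the second check covers every process; a deleted-but-open entry is not proof of hiding (log rotation produces the same pattern), so the output is a list of leads to check against the process name and the path, not a verdict.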

Application Layer
- Obfuscated loopback file systems: a simple but effective method of obfuscating the real purpose of the image file is to use the offset option of the loopback mount command.
- Unused space in application file formats: file formats contain unused sections, for example the comment field in the JPEG image format. The space is quite limited and largely depends on the number of available application files.
- Steganography: steganography is a research field in its own right, but from the file-system-centric or "lower level" point of view the space on offer largely depends on the number and size of "host files."

New Scheme: Deliberate FS Inconsistencies
- The proposed data hiding scheme works by introducing deliberate file system inconsistencies.
- It relies on a fundamental property of journaling file systems.
- Because the journal records all recent file system modifications, the time required for the file system consistency check at boot time can be drastically reduced:
  - Instead of checking consistency amongst all categories of file system data, the modifications recorded in the journal are "replayed" to check whether all of them were executed successfully.
  - If, due to a system crash, not all recorded modifications were performed, the journal allows for a very efficient "roll back" to a clean file system state.

Directions
- Need to analyze how effective the new technique is. If it is effective, we need to develop countermeasures.
- Need to develop additional techniques
- Does this not give ideas to the attacker?
- Classified research?

Abstract of Paper 2
Digital forensic analysts may find their task complicated by any of more than a dozen commercial software packages designed to irretrievably erase files and records of computer activity. These counter-forensic tools have been used to eliminate evidence in criminal and civil legal proceedings and represent an area of continuing concern for forensic investigators. In this paper, we review the performance of six counter-forensic tools and highlight operational shortfalls that could permit the recovery of significant evidentiary data. In addition, each tool creates a distinct operational fingerprint that an analyst may use to identify the application used and, thus, guide the search for residual data. These operational fingerprints may also help demonstrate the use of a tool in cases where such action has legal ramifications.

Outline
- Introduction
- Testing Method
- Counter-forensics tool testing
- Analysis results
- Directions

Introduction
- Many commercial counter-forensic tools claim to expunge all traces of information about specific computer usage, including documents and other files created, records of websites visited, images viewed and files downloaded.
- To do this, counter-forensic tools must locate activity records scattered across the file system and erase them irretrievably, while leaving the rest of the operating system intact.
- The technical challenge of finding and eliminating this data is complex.
- Rigorous testing and evaluation of these counter-forensic tools is needed.
- This paper attempts to do this.

Testing Method
- Test system: the testing platform was a desktop machine with 128MB of RAM and Windows XP Professional installed on a 2.5GB partition.
- Activity record: test activity on the system breaks down into two general categories, browsing and document creation and management. The activity covered a span of eight days.
- Counter-forensics tool testing: tested six software packages: Window Washer 5.5, Windows & Internet Cleaner Professional 3.60, CyberScrub Professional 3.5, SecureClean 4, Evidence Eliminator 5.0 and Acronis Privacy Expert 7.0.

Analysis
- All the counter-forensic tools failed to eradicate some potentially sensitive information, either data specifically targeted for wiping by the user or records that contained information the tool was designed to eliminate.
- Some shortfalls were more serious than others. In one case, the tool failed to wipe, or overwrite, any of the files it deleted.
- The paper gives a summary table of the areas of weakness and representative examples of data recovery.
- These classifications are subjective.
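The paper's method is to generate known activity, run the tool, and then look for what survives, and its abstract notes that each tool leaves an operational fingerprint. As an added example (not the paper's code), the script below shows both steps on a raw image: a search for seeded marker strings that the analyst planted in the test documents and browsing records (an assumption of this example), and a per-sector fill-pattern histogram that separates "overwritten with a fixed byte or sequence" from "merely unlinked". The 8-sector image built by build_sample_image() is constructed to show a full wipe, a patterned wipe, an unlinked-but-intact record and a partial wipe.

```python
"""Residue search and overwrite-pattern fingerprint for a wiped disk image.

Added example, not the paper's code. It follows the paper's method of seeding
known activity, running the tool, then looking for survivors, with one
assumption: the analyst planted unique marker strings in the test documents
and browsing records so that residue can be searched for exactly. It works on
raw image bytes (e.g. open("image.dd", "rb").read()); the image built by
build_sample_image() is constructed, standing in for a few sectors of the
test partition after a tool ran.
"""
from collections import Counter
from typing import Dict, List, Tuple

SECTOR = 512
MARKERS = [b"MARKER-DOC-7f3a", b"MARKER-URL-19c2", b"MARKER-NOTE-0be1"]


def find_residual_markers(image: bytes, markers: List[bytes]) -> Dict[bytes, List[int]]:
    """Every byte offset at which a seeded marker still appears in the image."""
    found: Dict[bytes, List[int]] = {}
    for marker in markers:
        offsets: List[int] = []
        pos = image.find(marker)
        while pos != -1:
            offsets.append(pos)
            pos = image.find(marker, pos + 1)
        if offsets:
            found[marker] = offsets
    return found


def sector_fill_pattern(sector: bytes, max_period: int = 16) -> bytes:
    """Shortest pattern (up to max_period bytes) the sector is a pure repeat of, or b''."""
    for period in range(1, max_period + 1):
        if len(sector) % period == 0 and sector == sector[:period] * (len(sector) // period):
            return sector[:period]
    return b""


def wiped_sectors(image: bytes) -> List[Tuple[int, bytes]]:
    """(sector index, fill pattern) for each sector that is a pure repeat."""
    out = []
    for i in range(len(image) // SECTOR):
        pattern = sector_fill_pattern(image[i * SECTOR:(i + 1) * SECTOR])
        if pattern:
            out.append((i, pattern))
    return out


def fingerprint(image: bytes) -> Counter:
    """Histogram of non-zero fill patterns.

    Zero-filled sectors are ignored: never-written space is also zero, so a
    0x00 overwrite cannot be told apart from unused space by this check. The
    remaining patterns are the kind of operational fingerprint the paper
    mentions, since each tool overwrites with its own byte or sequence.
    """
    return Counter(p for _, p in wiped_sectors(image) if p != b"\x00")


def build_sample_image() -> bytes:
    """Constructed 8-sector image: one document fully wiped, one browsing
    record wiped with a 2-byte pattern, one note merely unlinked, and one
    document only partially overwritten."""
    doc = b"MARKER-DOC-7f3a contract draft, do not distribute".ljust(SECTOR, b" ")
    note = b"MARKER-NOTE-0be1 meeting notes for Tuesday".ljust(SECTOR, b" ")
    zero = bytes(SECTOR)
    return b"".join([
        zero,                                  # 0: never written
        b"\xff" * SECTOR,                      # 1: document overwritten with 0xFF
        b"\xde\xad" * (SECTOR // 2),           # 2: browsing record overwritten with a 2-byte pattern
        note,                                  # 3: note unlinked but never overwritten
        zero,                                  # 4
        doc[:200] + b"\xff" * (SECTOR - 200),  # 5: partial wipe, head of the document survives
        zero, zero,                            # 6, 7
    ])


if __name__ == "__main__":
    img = build_sample_image()
    for marker, offsets in find_residual_markers(img, MARKERS).items():
        print(f"residue: {marker.decode()} at offsets {offsets}")
    print("overwrite fingerprint:", dict(fingerprint(img)))
```

On the constructed image the URL marker is gone, the note marker survives intact (the "failed to wipe anything it deleted" case from the slide), the document marker survives in the partially wiped sector, and the fingerprint shows one 0xFF sector and one 0xDEAD-patterned sector. On a real image the same pattern histogram, restricted to sectors that the file system reports as unallocated, is what distinguishes one tool's overwrite pass from another's.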

Directions
- Is the approach described realistic? Does it work in a real-world environment?
- Are the assumptions valid?
- Are there better approaches for testing and analysis?

Abstract of Paper 3
The need for computer forensics education continues to grow, as digital evidence is present in more crimes, whether the crimes directly involve computers or not. An essential component of training in computer forensics is hands-on, realistic laboratory assignments. The authors are developing FALCON (Framework for Laboratory Exercises Conducted Over Networks), an extensible framework that addresses the problem of creating, running, and evaluating detailed, realistic computer laboratory assignments in computer forensics. FALCON includes a component that enables instructors to set up scenarios on virtual target machines for the students to investigate. Existing tools for both "live" and "dead" machine investigations can be integrated into FALCON. In addition, FALCON logs all student activity for automated assessment of student performance.

Outline
- Introduction
- FALCON Architecture
- Results
- Directions

Architecture
- Lab creation tool: the FALCON Lab Creation Tool (LCT) will automatically configure a set of target machines for a lab exercise based on a specification that the instructor provides.
- Lab execution environment: the FALCON Lab Execution Environment (LEE) provides students with an interactive environment, allowing them to conduct a forensic investigation.
- Lab evaluation tool: the FALCON Lab Evaluation Tool (LET) takes the audit log file generated by the LEE and analyzes it for certain patterns, providing metrics for objective lab assessment.
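The slide says only that the LET looks for patterns in the LEE's audit log and turns them into metrics. As an added example in that spirit (not FALCON's code), the script below assumes a constructed log format of one command per line, `<ISO timestamp> <student> <command line>`, and scores three things an instructor can check objectively: whether the student hashed the evidence image before running any analysis tool on it, whether any command wrote to the evidence file, and how many distinct analysis tools were used. The tool lists, the write rules and the SAMPLE_LOG lines are all constructed for this example.

```python
"""A minimal evaluator in the spirit of FALCON's LET, run over a lab audit log.

Added example, not FALCON's code. Assumes a constructed log format, one line
per command: `<ISO timestamp> <student> <command line>`. Scores whether the
student hashed the evidence before any analysis tool touched it, whether any
command wrote to the evidence file, and how many distinct analysis tools were
used. Tool lists, write rules and the sample log are constructed.
"""
import re
import shlex
from collections import defaultdict
from typing import Dict, List

HASH_TOOLS = {"md5sum", "sha1sum", "sha256sum"}
ANALYSIS_TOOLS = {"mmls", "fls", "istat", "icat", "ils", "strings", "grep"}

LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<cmd>.+)$")


def parse_log(text: str) -> Dict[str, List[Dict[str, str]]]:
    """Group well-formed lines by student, preserving their order."""
    per_user: Dict[str, List[Dict[str, str]]] = defaultdict(list)
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            per_user[m["user"]].append(m.groupdict())
    return dict(per_user)


def writes_evidence(tool: str, argv: List[str], evidence: str) -> bool:
    """Does this command modify the evidence file? (rules for the sample tools)"""
    if tool in {"rm", "shred", "truncate"}:
        return any(evidence in a for a in argv[1:])
    if tool == "dd":  # if=evidence only reads it; of=evidence writes it
        return any(a.startswith("of=") and evidence in a for a in argv[1:])
    if tool in {"cp", "mv"}:  # the destination is the last argument
        return evidence in argv[-1]
    return False


def evaluate(events: List[Dict[str, str]], evidence: str) -> Dict[str, object]:
    """Metrics for one student's command sequence."""
    hashed_first = None  # decided by the first hash or analysis command touching the evidence
    modified: List[str] = []
    tools_used = set()
    for ev in events:
        argv = shlex.split(ev["cmd"])
        if not argv:
            continue
        tool = argv[0].rsplit("/", 1)[-1]  # strip any directory prefix
        tools_used.add(tool)
        touches = any(evidence in a for a in argv[1:])
        if hashed_first is None and touches:
            if tool in HASH_TOOLS:
                hashed_first = True
            elif tool in ANALYSIS_TOOLS:
                hashed_first = False
        if writes_evidence(tool, argv, evidence):
            modified.append(f"{ev['ts']} {ev['cmd']}")
    analysis = sorted(tools_used & ANALYSIS_TOOLS)
    return {
        "hashed_before_analysis": hashed_first is True,
        "evidence_modified": modified,
        "analysis_tools": analysis,
        # 0-5: one point for hashing first, one for an untouched image, up to three for breadth
        "score": int(hashed_first is True) + int(not modified) + min(len(analysis), 3),
    }


def evaluate_log(text: str, evidence: str) -> Dict[str, Dict[str, object]]:
    """Metrics per student for a whole audit log."""
    return {user: evaluate(evs, evidence) for user, evs in parse_log(text).items()}


# Constructed audit log: alice follows the expected workflow; bob analyses
# before hashing and then overwrites the evidence image with a scratch copy.
SAMPLE_LOG = """\
2007-11-05T10:00:01 alice md5sum /evidence/disk.dd
2007-11-05T10:00:40 alice mmls /evidence/disk.dd
2007-11-05T10:02:15 alice fls -r -o 63 /evidence/disk.dd
2007-11-05T10:05:02 alice icat -o 63 /evidence/disk.dd 1187 > /work/recovered.jpg
2007-11-05T10:09:30 alice strings /work/recovered.jpg
2007-11-05T11:00:01 bob fls -r -o 63 /evidence/disk.dd
2007-11-05T11:03:12 bob cp /work/scratch.dd /evidence/disk.dd
2007-11-05T11:04:00 bob md5sum /evidence/disk.dd
"""

if __name__ == "__main__":
    for user, metrics in evaluate_log(SAMPLE_LOG, "/evidence/disk.dd").items():
        print(user, metrics)
```

The point of keeping the rules in small functions is that the instructor's rubric changes per exercise; the audit log format does not, so only the pattern functions need editing when a new lab is created.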

Results
The students were only told that the company, an ice cube company, was having problems with "penguin pornography," which was defined in the assignment as any depiction of a penguin without a hat. The assignment was meant to parallel a child pornography investigation, while keeping the tone light. The students were given 11 questions to answer about details of the case (who did it, what did they do, how did they do it, what is the supplier's site, what is the password to the site, etc.). The questions asked in the assignment appear below. The complete assignment is available at

Directions
- Need projects for university students
- Create an environment where professors can place their assignments in a common repository
- Will discuss at the next DFRWS workshop