1
Anti-Forensics
“The game is afoot.” - Sherlock Holmes
2
In This Lecture
Anti-Forensics: definition
Techniques: time based; obfuscation & encryption; forging; memory
Wrap-up
3
Anti-Forensics
Anti-forensics describes the set of techniques used as countermeasures against forensic analysis.
"Attempts to negatively affect the existence, amount and/or quality of evidence from a crime scene, or make the analysis and examination of evidence difficult or impossible to conduct." - Rogers, D. M. (2005). Anti-Forensic Presentation given to Lockheed Martin. San Diego.
“Anti-forensics is more than technology. It is an approach to criminal hacking that can be summed up like this: Make it hard for them to find you and impossible for them to prove they found you.” - Berinato, S. (2007). The Rise of Anti Forensics. Retrieved April 19, 2008, from CSO Online:
4
Anti-Forensics
Forensic examination relies on the analyst and their tools. It depends on the analyst's alertness, training, experience, perception, and familiarity with the tools. Tools have varying degrees of efficiency and robustness, as well as physical and logical limitations. It also depends on the availability of specialty examination hardware and on the time and funding available for analysis.
Anti-forensics exploits weaknesses in all aspects of the investigation to prevent, hinder, or delay effective forensic analysis.
5
Anti-Forensics
Anti-forensics is designed to slow down or stop investigations. The actual goal depends on the need. Some criminal actors want to remove all identifying evidence, which may lead to “noisy” anti-forensics: it is obvious that data and artifacts have been destroyed. Sometimes it is only important to slow analysis down; buying a few hours to days may be enough for them to achieve their objectives. Maybe the criminals need just enough reasonable doubt for a court of law.
Anti-forensics doesn't require making analysis impossible. It just requires making analysis difficult enough that you won't finish it.
6
Timestomping
Timestomping is a technique that modifies the MACE (modify, access, create, MFT entry modify) times of a file. It is done to render files or file changes inconspicuous during examination, and is frequently combined with file name masquerading. Metasploit has a module for this: security.com/metasploit-unleashed/timestomp/
7
Timestomping
Also, some forensics tools crash when given invalid timestamp values.
8
Timestomping
Depending on its subtlety, timestomping can be easy to detect. It is harder to reconstruct: often you can only prove that timestomping occurred but cannot recover the original timestamps.
On NTFS, the $STANDARD_INFORMATION attribute ($SIA) includes MACE timestamps that Windows updates as the file is used. The $FILE_NAME attribute ($FNA) includes MACE timestamps that Windows typically does not update; these usually correspond to the file's original date of creation, modification, or renaming. Compare the $SIA and $FNA timestamps for discrepancies.
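A consistency check of the kind described above, written as an added example for this page (not code from the lecture or from any forensic tool). The records and their field names are constructed stand-ins for what an MFT parser would return, and the sub-second-resolution heuristic is a common one that the slide itself does not mention:

```python
from datetime import datetime, timezone

def ts(s, us=0):
    """Build a UTC timestamp; `us` stands in for NTFS's 100 ns fraction."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(microsecond=us, tzinfo=timezone.utc)

# Constructed records (not from a real disk image) in the shape an MFT parser might return:
# creation/modification times from $STANDARD_INFORMATION (si_*) and $FILE_NAME (fn_*).
SAMPLE_RECORDS = [
    {"name": "report.docx",            # normal file: $SIA and $FNA agree
     "si_created": ts("2021-03-04 09:12:31", 482113), "si_modified": ts("2021-03-05 14:02:10", 90211),
     "fn_created": ts("2021-03-04 09:12:31", 482113), "fn_modified": ts("2021-03-04 09:12:31", 482113)},
    {"name": "svchost.exe",            # $SIA backdated years before the $FNA creation time
     "si_created": ts("2009-07-14 01:14:22"), "si_modified": ts("2009-07-14 01:14:22"),
     "fn_created": ts("2021-03-06 22:41:03", 118320), "fn_modified": ts("2021-03-06 22:41:03", 118320)},
]
NOW = ts("2022-01-01 00:00:00")        # reference "current time" for the future-date check

def timestomp_indicators(rec, now=NOW):
    """Return the names of the heuristics a record trips; these are indicators, not proof."""
    hits = []
    # $FNA is written at creation/rename and is rarely touched afterwards, so $SIA times
    # earlier than the $FNA creation time are inconsistent with normal NTFS behaviour.
    if rec["si_created"] < rec["fn_created"]:
        hits.append("SI_CREATED_BEFORE_FN_CREATED")
    if rec["si_modified"] < rec["fn_created"]:
        hits.append("SI_MODIFIED_BEFORE_FN_CREATED")
    # Windows writes 100 ns resolution; tools that set times with one-second precision
    # leave the fraction at zero on every $SIA field (a weak indicator on its own).
    if rec["si_created"].microsecond == 0 and rec["si_modified"].microsecond == 0:
        hits.append("SI_SUBSECOND_ZERO")
    # Impossible values (dates in the future) are the "invalid values" that trip some tools.
    if rec["si_created"] > now or rec["si_modified"] > now:
        hits.append("SI_IN_FUTURE")
    return hits

def scan(records, now=NOW):
    """Map each file name to its list of tripped indicators."""
    return {r["name"]: timestomp_indicators(r, now) for r in records}

if __name__ == "__main__":
    for name, hits in scan(SAMPLE_RECORDS).items():
        print(f"{name}: {', '.join(hits) or 'no indicators'}")
```

A hit on a single record is a lead to verify against other sources (USN journal, $LogFile, prefetch), not a conclusion.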
9
Timestomping: Change system time
Rather than mucking about with changing timestamps, just change the system time and date, and let the OS write the incorrect values using its normal procedures. Mitigation: look in the event logs for system time changes. Further reading: unleashed/timestomp/
10
Transmogrifying
Modify the file header, particularly the magic number, so the file can no longer be associated with any known file type. The header and magic number are restored only when the file needs to be used, and changed back afterwards. This deceives signature-based scans of the file system.
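A signature scan of the kind this technique is meant to defeat, plus the trailer cross-check an examiner can add to catch a stomped header. This is an added example for this page, not code from the lecture or from any scanner; the signature table is a small constructed subset and the sample bytes are constructed:

```python
# Constructed signature table (a small subset; real scanners carry far larger ones).
SIGNATURES = {
    "png": {"head": b"\x89PNG\r\n\x1a\n", "tail": b"IEND\xaeB`\x82"},
    "jpg": {"head": b"\xff\xd8\xff",      "tail": b"\xff\xd9"},
    "pdf": {"head": b"%PDF-",             "tail": b"%%EOF"},
    "zip": {"head": b"PK\x03\x04",        "tail": None},
}
EXT_ALIASES = {"jpeg": "jpg", "docx": "zip", "xlsx": "zip"}

def identify_by_header(data):
    """Classic signature scan: match the magic number at offset 0."""
    for kind, sig in SIGNATURES.items():
        if data.startswith(sig["head"]):
            return kind
    return None

def identify_by_trailer(data):
    """Second opinion: stomping the header usually leaves the file's trailer intact."""
    stripped = data.rstrip(b"\r\n")       # PDFs commonly end with %%EOF plus a newline
    for kind, sig in SIGNATURES.items():
        if sig["tail"] and stripped.endswith(sig["tail"]):
            return kind
    return None

def check_file(name, data):
    """Classify one file: ok, extension mismatch, or header unknown (with trailer hint)."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    ext = EXT_ALIASES.get(ext, ext)
    by_head, by_tail = identify_by_header(data), identify_by_trailer(data)
    if by_head is None:
        if by_tail:
            return f"header-unknown-trailer-{by_tail}"   # likely transmogrified
        return "header-unknown"
    if ext in SIGNATURES and ext != by_head:
        return f"extension-mismatch:{ext}!={by_head}"     # masquerading by rename
    return f"ok:{by_head}"

# Constructed sample contents (not real files): a minimal PNG-shaped blob and the same
# blob with its 8-byte signature overwritten, as a transmogrifying step would do.
PNG_OK = b"\x89PNG\r\n\x1a\n" + b"\x00" * 24 + b"IEND\xaeB`\x82"
PNG_STOMPED = b"\x00" * 8 + PNG_OK[8:]
SAMPLE_FILES = {"photo.png": PNG_OK, "photo.jpg": PNG_OK, "blob.dat": PNG_STOMPED}

def scan_files(files):
    """Run check_file over a {name: bytes} mapping."""
    return {name: check_file(name, data) for name, data in files.items()}
```

Files reported as header-unknown are the ones to carve or inspect by hand; an intact trailer with a dead header is a strong hint that the magic number was deliberately altered.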
11
Encryption
Malware is encrypted to hide its signature and frustrate reverse engineering. Data is encrypted to mask exfiltration or to prevent determination of what has been exfiltrated, for example by using SSL and SSH, or Tor or VPNs.
12
Steganography
The hiding of a secret message within an ordinary message. Ex. hiding communications inside PNG files, typically done by replacing the lowest-order bits with message data. Steghide embeds text into JPEG, BMP, MP3, WAV, and AU files. An ancient (2003) tool called Hydan used redundancy in the x86 instruction set to encode data in the binary itself: it defines sets of functionally equivalent instructions and encodes information in machine code by using the appropriate instruction from each set.
13
Obfuscation & Encryption ctd.
Junk data: appending junk data to strings, or inserting random data inside strings to prevent signature matches.
Non-standard data encoding: modified base64, custom protocols.
Attack file parsers: create shortcuts that point to the parent directory, trying to break the parser with a recursive loop. Use random symbols or ASCII characters within file names and system log files. Ex. File$.zip
14
Hiding in Unusual Locations
Hide data in slack space. Defcon presentation on hiding data in NTFS access control lists:
TrueCrypt creates a hidden “file system within a file system”.
Host Protected Area: a section of the disk designated to be inaccessible to the OS and usually used for recovery operations.
Device Configuration Overlay. Per the ATA-6 standard: “allows system vendors to purchase HDDs from different manufacturers with potentially different sizes, and then configure all HDDs to have the same number of sectors.” Ex. make an 80GB drive appear as 50GB to both the OS and the BIOS.
15
Obfuscation & Encryption Mitigations
Scan for sufficiently anomalous data. Look for uncommon data flows in terms of density, timing, and destination. Carve all parts of the file system. Further reading:
16
Data Destruction
Secure data deletion: overwrite data such that it cannot be recovered with forensic methods.
Data deletion: sometimes a traditional delete is sufficient. Ex: delete all log files on a system. Mitigation: store log backups on a remote machine.
17
Prevent Data Creation
Turn off logging. Disable antivirus / firewall. Set HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate to “1”, thereby disabling updating of the last-accessed timestamp.
18
Data Forgery
Creation of false evidence to hide or mask the true evidence on a system; it can be considered counterfeit evidence. Examples: use of another user's account to create false information; creation or removal of files unimportant to the attacker's task; launching a second attack to hide the first. Consider NotPetya, which appeared to be a ransomware strain belonging to the Petya family, but whose actual purpose was to permanently destroy system data.
19
Memory Anti-Forensics
An active area of research. Memory forensics is finicky, as you have probably noticed by now. It relies on API calls and debugging structures that are not necessarily required for day-to-day operation of the system, so there is room to alter or overwrite these without immediately crashing the system. An interesting overview: Anti-forensics and Memory Analysis. Cohen, M (2014). memory-analysis.html
20
Anti-Forensics Wrap Up
Every frustrated analyst is tempted to blame anti-forensics. If you suspect anti-forensics, create a hypothesis as to the anti-forensic technique used, then investigate to either prove or disprove it.
21
Further Reading
MITRE ATT&CK database; Defense Evasion techniques:
Forensics Wiki; anti-forensic techniques:
Anti-Forensics. Heuchan, A. Stevenson University Forensics Journal (2017). rensic-journal-2017.pdf
Anti-Forensics. Infosec Institute (2013).
22
Questions?
23
Final Thoughts
The world needs cybersecurity professionals. Whether you go into forensics or not, we hope you've learned something useful this semester. You've been a great class, and we appreciate your patience with our growing pains. Good luck!