
Anti-Forensics

Paul A. Henry
MCP+I, MCSE, CCSA, CCSE, CFSA, CFSO, CISSP-ISSAP, CISM, CISA, CIFI

Vice President, Technology Evangelism


Secure Computing

11/15/2007 ©2006 Secure Computing Corporation. All Rights Reserved.


1
Before We Get Started

• What is the one thing to date that law enforcement / forensic investigators have always been able to count on?
• Criminals by their very nature are (fill in expletive of choice)
• Mohammed Atif Siddique sentenced to eight years for possession of terrorism-related items. During his trial the jury had been told by Michael Dickson, a forensics analyst for the National Hi-Tech Crime Unit, that Siddique's laptop computer had contained material placed in a Windows folder where it would be difficult for an inexperienced user to find. The folder in question was c:\windows\options, which is usually present on OEM Windows systems and is used for installation purposes. It is not widely frequented by most computer users, but it's not secret either. Siddique seems not to have encrypted the material, which was described as videos, pictures and sound files "concerned with radical Islamic politics", and which included footage of Osama Bin Laden and the World Trade Center attack.
• When police arrested Siddique in April of last year, over 100 police officers were involved in an operation which broke down the door of his family home with a battering ram, closed off roads, and searched adjacent houses and shops. Over 60 officers were involved in the investigation, along with 12 translators and experts from the National High Tech Crime Unit. "Some 34 computers and hard drives were examined. More than 5,000 computer discs and DVDs were removed, along with 25 mobile phones and another 19 SIM cards. Almost 700 documents were taken from the computers and more than 1,000 statements taken."

2
What We Will Cover
• The Rules Are Changing
• Creating Reasonable Doubt - Vulnerabilities in Forensic Products
• Virtual Environments - Have You Got Your MoJo
• The Reality of Plausible Deniability
• Vista - Encryption For The Masses
• Steganography - Use and Detection
• Disk Wiping – The Tools Are Getting Scarily Good
• What Good are Known Good/Bad Signatures
• MetaSploit
• Slacker – Hide tons of data encrypted in slack
• Timestomp – So much for MAC
• Transmogrify – One Click Defense
• Samjuicer – No More DLL Injection

• Advanced Anti-Forensics – Everything in RAM


• Linux Anti-Forensics – Where The Tools Don’t Look

3
The Rules Are Changing

• Admitting computer evidence in the future - a stricter standard?


• Lorraine v Markel - Authentication of electronic evidence
• Magistrate Judge Grimm refused to allow either party to offer e-mails in evidence to support their summary judgment motions. He found they failed to meet any of the standards for admission under the Federal Rules of Evidence. The emails were not authenticated but simply attached to the parties' motions as exhibits, as has been a common practice.

• In re: Vinhnee, 2005 WL 3609376


• A recent decision by a Ninth Circuit Bankruptcy Appellate Panel rejected the prevailing standard
for authenticating electronically stored records and imposed stringent requirements that may help
defend against computerized evidence in a broad range of cases, including white-collar
prosecutions. Although decisions of the Panel, which consists of three bankruptcy judges, are
binding precedent only for bankruptcy courts in the Ninth Circuit, Vinhnee’s persuasive analysis
has the potential to change the use of electronic evidence in other courts.
• The trial court turned away the credit card company even though the defendant (debtor) did not even show up or
enter any argument, having the company suffer "the ignominy of losing even though its opponent did not show
up."

4
Reasonable Doubt?

• Encase and Sleuth kit Vulnerabilities


• http://www.isecpartners.com/files/iSEC-Breaking_Forensics_Software-Paper.v1_1.BH2007.pdf

• Evidentiary Implications of Potential Security Weaknesses in Forensic Software
• “As with other forensic techniques, computer forensic tools are not magic;
they are complex software tools that like all software may be subject to
certain attacks. Yet because these tools play such a critical role in our legal
system, it is important that they be as accurate, reliable, and secure against
tampering as possible. Vulnerabilities would not only call into question the
admissibility of forensic images, but could also create a risk that if
undetected tampering occurs, courts may come to the wrong decisions in
cases that affect lives and property.”
• http://www.isecpartners.com/files/Ridder-Evidentiary_Implications_of_Security_Weaknesses_in_Forensic_Software.pdf

5
Have You Got Your MoJo?
• Your USB drive or iPod is your PC
• Leaves no trace on the host

6
7
Keeping It Simple

8
Without A Trace
• Create an XP bootable CD
• Boot from the CD and create an
encrypted environment on the HD
• No trace on the PC
• What’s next?
• How about Linux and a processor on a USB

9
Encryption

• Encryption is a forensic analyst's nightmare


• It is only a matter of time before the bad guys adopt current technology encryption
• Current offerings provide for multiple levels of “Plausible Deniability”
• Create a hidden encrypted volume within an encrypted volume
• Bad guy gives up the password to the first level only
• Second level remains hidden and looks like random data within the volume (undetectable)

10
TrueCrypt
• Settings are not stored in the registry
• Uses a “key file” rather than a crypto key
• Which of the thousands of files on the image did the bad guy use as the key file?
• Uses LRW to replace CRW eliminating any possible detection of non-random data within an image
• Creates a virtual encrypted disk within a file and mounts it as a disk
• Can work in “Traveler” mode with BartPE to eliminate any traces of its use within Windows
• New version 4.3a just released
• Vista Support
• Plausible deniability improved
• Sector size other than 512
• Traveler mode
• Multi Algorithm Cascade

Total Number of Downloads: 3,487,388
Number of Downloads Yesterday: 5,547

11
Free On The Fly Encryption
• FreOTFE
• TrueCrypt
• Cryptainer LE
• CryptoExpert 2004 Lite
• CompuSec
• E4M Disk Encryption
• Scramdisk Encryption

12
Vista Encryption

• The fear
• TPM hardware
• Encryption key stored on removable USB drive

• The reality
• Not in all versions of Vista - only enterprise version
• Limited availability of motherboards with TPM chips
• High end versions of Vista not exactly flying off the shelves
• Be sure to seize those USB keys

13
Steganography

• Hiding data in graphic or audio files

14
Free Steganography
• S-Tools
• 4t HIT Mail Privacy Lite
• Camouflage

15
Stegdetect

• Automated detection of data within an image


• Works against:
• Jsteg
• Jphide
• Invisible secrets
• Outguess
• F5
• appendX and Camouflage

16
Evidence Eliminator
• http://www.evidence-eliminator.com/register_reasons.d2w
• Just some reasons why you must buy protection for yourself right now. Pelican Bay State Prison (USA) "....putting a prisoner in a cell with a known assaulter and setting up alleged sex offenders for attack are not uncommon...." Cocoran Prison (California USA) "....Dillard, who weighed 120 pounds, fought back but Robertson was too powerful. He said he pounded on the cell door, banged at it in a way that the guards surely must have heard, but nobody ever came as he was raped...." The View From Behind Prison Bars (USA) "....The guard in the tower decided to blow one of the inmates' heads off.... The suicides at San Quentin are amazing. I never knew doing time would subject me to watching guys do swan dives off the fifth tier. One guy ripped his jugular out with a can opener. How about the inmate who was shot to death while dangling from the fence? They left his body there for four hours.... we were forced to sleep in shifts to keep the cockroaches from crawling in our mouths...."
• Get total protection. Buy your license to Evidence Eliminator™. $149 is less than 149 years. Permanent protection for only $149.95(US)
17
The Bad Guys Are Not Paying For It

18
Other Disk Wiping Products

19
Wipes Deeper Than Ever

20
Defeat Forensics For Only $29.95

21
Other Popular Wiping Tools

• srm
• dban
• Necrofile
• Tracks Eraser Pro
• Just Google disk wiping tools
• Results 1 - 100 of about 1,960,000 for disk wiping tools.

22
How Do They Measure Up?

Evaluating Commercial Counter-Forensic Tools, Matthew Geiger

23
Signatures
• Examining hashes is a quick way to determine if specific files are or are not on the image that is being examined
• However, altering a single byte changes the hash while leaving a malicious program fully executable

24
Signatures

25
Unreliable

26
EXE Packers
• A packer can change the signature of any exe file and render a search for a known MD5 useless
• The potentially malicious file will not be found with an antivirus scanner

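Added illustration for the two preceding slides (not code from the deck): a whole-file MD5 lookup beside a simplified piecewise hash over a constructed sample, showing that a one-byte change defeats the first but not the second. The sample bytes, the 512-byte chunk size and the match threshold are assumptions; a packer rewrites the whole file, so neither lookup survives packing without unpacking first.

```python
import hashlib

# Constructed stand-in for a known-bad binary: 128 distinct 32-byte pieces (4096 bytes).
KNOWN_BAD = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
CHUNK = 512  # piecewise block size; an assumption, real tools derive it from the data


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def piecewise_hashes(data: bytes, chunk: int = CHUNK) -> list:
    """Hash each fixed-size chunk on its own (a simplified piecewise hash)."""
    return [hashlib.sha256(data[i:i + chunk]).hexdigest()
            for i in range(0, len(data), chunk)]


def similarity(a: bytes, b: bytes, chunk: int = CHUNK) -> float:
    """Fraction of chunk positions whose hashes agree; 1.0 means identical."""
    ha, hb = piecewise_hashes(a, chunk), piecewise_hashes(b, chunk)
    n = max(len(ha), len(hb))
    return sum(1 for x, y in zip(ha, hb) if x == y) / n if n else 1.0


def patch_one_byte(data: bytes, offset: int) -> bytes:
    """Flip one bit of one byte, the kind of edit that leaves a program runnable."""
    buf = bytearray(data)
    buf[offset] ^= 0x01
    return bytes(buf)


def whole_file_match(sample: bytes, bad_md5s: set) -> bool:
    """The lookup a known-bad hash set performs."""
    return md5_hex(sample) in bad_md5s


def chunk_match(sample: bytes, bad_chunks: set, threshold: float = 0.8) -> bool:
    """Flag when at least `threshold` of the sample's chunks are known-bad chunks."""
    hashes = piecewise_hashes(sample)
    hits = sum(1 for h in hashes if h in bad_chunks)
    return bool(hashes) and hits / len(hashes) >= threshold


def demo() -> dict:
    bad_md5s = {md5_hex(KNOWN_BAD)}
    bad_chunks = set(piecewise_hashes(KNOWN_BAD))
    variant = patch_one_byte(KNOWN_BAD, 4000)  # one byte inside the last chunk
    return {
        "whole_file_original": whole_file_match(KNOWN_BAD, bad_md5s),  # True
        "whole_file_variant": whole_file_match(variant, bad_md5s),     # False
        "chunk_variant": chunk_match(variant, bad_chunks),             # True
        "similarity": similarity(KNOWN_BAD, variant),                  # 0.875
    }
```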
27
Available Packers
• Alloy 4.14
• Aspack 21
• Cexe NT only
• Diet
• Lzexe 1.00a
• Pack 1.0
• Pecompact 1.20
• Pecompact 1.23
• Petite21
• Petite22
• Pklite32
• Stoner_Compress
• Gui for several packers
• UPX101
• wWinlite
• WWpack 3.05b3
• ProTools

28
Binders

• Binders combine two or more executables into a single executable file
• Allows the bad guy to attach a Trojan, key logger or other malicious program to a common exe file
• The resulting MD5 will not match a known bad database
• 37 different free binders are downloadable at http://www.trojanfrance.com/index.php?dir=Binders/

29
Downloadable Binders
• Dropper Source Generator 0.1
• Attach
• Asylum Binder 1.0 by Slim
• BigJack Joiner
• Binder
• Binding Suite
• BladeJoiner 1.0 by Blade
• BladeJoiner 1.5 by Blade
• BladeJoiner 1.55 by Blade
• Blade-Bogart Joiner
• Blade-Stoner Joiner
• Concealer
• EliteWrap
• Embedder 1.50
• Exe Bind 1.0
• Exe Maker
• FC Binder
• GoboWrap 1.0b
• Infector 2.0
• Infector 9.0
• Juntador Beta
• MultiBinder
• PE-intro adder
• Rat Packer
• RNS Exe Joiner
• SaranWrap
• Senna Spy One Exe Maker
• Senna Spy One Exe Maker 2000
• Senna Spy One Exe Maker 2000 - 2.0a
• SilkRope 1.0
• SilkRope 1.1
• SilkRope 2.0
• SilkRope2k
• TOP 1.0 by DaRaT
• TOP 2.0 by DaRaT
• TOP 2.0 beta by DaRaT
• TOP 2.1 by DaRaT
• TOP 4.0 by DaRaT
• TOP GUI by DaRaT
• TOP GUI 2 by DaRaT
• TrojanMan
• WeirdBinder by Weird
• X-Exejoiner and Icon changer by Lazarus
• Zyon 1.0 multibinder
• Sudden Discharge Compresso

30
Metasploit Anti Forensics

31
Timestomp
Metasploit AntiForensics Project: www.metasploit.com/projects/antiforensics/

• Uses the following Windows system calls:
• NtQueryInformationFile()
• NtSetInformationFile()
• Doesn’t use SetFileTime()

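Added detection example, not part of the Metasploit project or of the deck: the call named above changes only the $STANDARD_INFORMATION times, so analysts commonly compare those against the $FILE_NAME times and look for sub-second fields that are all zero. The records below are constructed FILETIME values, and both heuristics are general analyst practice rather than anything the slide states.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-ns ticks since 1601-01-01 UTC.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SEC = 10_000_000
FIELDS = ("created", "modified", "mft_modified", "accessed")


def to_filetime(dt: datetime, sub_second_ticks: int = 0) -> int:
    """Build a FILETIME; the caller supplies the 100-ns fraction explicitly."""
    return int((dt - EPOCH_1601).total_seconds()) * TICKS_PER_SEC + sub_second_ticks


def suspicious_timestamps(si: dict, fn: dict) -> list:
    """si = $STANDARD_INFORMATION times, fn = $FILE_NAME times (FILETIME ints).
    Returns the analyst heuristics that fire; an empty list means nothing stood out."""
    findings = []
    # Times set from second-granularity input leave every 100-ns fraction at
    # zero; ordinary NTFS writes almost never line up like that on all four.
    if all(si[f] % TICKS_PER_SEC == 0 for f in FIELDS):
        findings.append("all $SI timestamps have an all-zero sub-second part")
    # FileBasicInformation reaches only $SI; $FN is written by the kernel on
    # create/rename, so $SI created earlier than $FN created suggests backdating.
    if si["created"] < fn["created"]:
        findings.append("$SI created predates $FN created")
    return findings


# Constructed sample records (assumed values, not taken from any real system).
_real = datetime(2007, 3, 10, 14, 22, 37, tzinfo=timezone.utc)
GENUINE_SI = {
    "created": to_filetime(_real, 1234567),
    "modified": to_filetime(_real + timedelta(minutes=5), 8901234),
    "mft_modified": to_filetime(_real + timedelta(minutes=5), 8901234),
    "accessed": to_filetime(_real + timedelta(days=1), 4455667),
}
GENUINE_FN = {f: to_filetime(_real, 1234567) for f in FIELDS}

_back = datetime(2005, 5, 5, 5, 5, 5, tzinfo=timezone.utc)
STOMPED_SI = {f: to_filetime(_back) for f in FIELDS}  # all four set to whole seconds
STOMPED_FN = dict(GENUINE_FN)                         # $FN is not reached by the call
```

Both heuristics are leads for a closer look rather than proof: a legitimate rename rewrites $FN, and some applications do write whole-second times.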
32
Timestomp

33
Timestomp – FTK Unmodified

34
Timestomp - FTK Modified

35
Timestomp – Encase Unmodified

36
Timestomp – Encase Modified

37
Timestomp – Explorer Unmodified

38
Timestomp – Explorer Modified

39
Slacker

40
Slacker Example

41
Transmogrify – Coming Soon
• Transmogrify - First ever tool to defeat EnCase's file signature capabilities by allowing you to mask and unmask your files as any file type. (Coming Soon)
• Well, they have been saying that since 2005 and it is still not here…

42
Samjuicer
• SAM Juicer does what pwdump does without hitting the disk
• Pwdump – opens a share, drops binaries to the disk and starts a service to inject itself into LSASS
• Reuses a transport channel that the Metasploit framework uses, remotely and directly injects itself into LSASS and sucks down the encrypted password files without leaving a file, touching the registry or starting a service.
• Not having files or services starting makes protection technologies that rely on that 'signature' to prevent the attack rather impotent.

43
Future Work
• NTFS change journal modification
• Secure deletion
• Documentation of anti-forensic techniques
• Browser log manipulation
• File meta-data modification
• NTFS extended attributes

Vincent Liu, Partner in Stach & Liu
vliu@stachliu.com
www.stachliu.com

44
Advanced Anti-Forensics
• What if the malicious file never touched the disk?
• MOSDEF (mose-def) is short for “Most Definitely”

• MOSDEF is a retargetable, position-independent-code C compiler that supports dynamic remote code linking

• In short, after you've overflowed a process you can compile programs to run inside that process and report back to you

• www.immunitysec.com/resources-freesoftware.shtml

45
Linux Anti-Forensics
• Simply hide data where commercial forensic tools don’t necessarily look
• Rune fs
• Hide data in bad blocks inode

• Waffen fs
• Hide data in spoofed journal file

• KY fs
• Hide data in null directory entries

• Data mule fs
• Hide data in reserved space

46
Thank You
Paul A. Henry
MCP+I, MCSE, CFSA, CFSO, CCSA, CCSE, CISM, CISA, CISSP-ISSAP , CIFI

Vice President, Technology Evangelism


Secure Computing
Paul_henry@securecomputing.com



47
