Paul A. Henry
MCP+I, MCSE, CCSA, CCSE, CFSA, CFSO, CISSP-ISSAP, CISM, CISA, CIFI
What We Will Cover
• The Rules Are Changing
• Creating Reasonable Doubt - Vulnerabilities in Forensic Products
• Virtual Environments - Have You Got Your MoJo
• The Reality of Plausible Deniability
• Vista - Encryption For The Masses
• Steganography - Use and Detection
• Disk Wiping – The Tools Are Getting Scarily Good
• What Good are Known Good/Bad Signatures
• Metasploit
• Slacker – Hide tons of data encrypted in slack
• Timestomp – So much for MAC
• Transmogrify – One Click Defense
• Samjuicer – No More DLL Injection
The Rules Are Changing
Reasonable Doubt?
Have You Got Your MoJo?
• Your USB drive or iPod is your PC
• Leaves no trace on the host
Keeping It Simple
Without A Trace
• Create an XP bootable CD
• Boot from the CD and create an encrypted environment on the HD
• No trace on the PC
• What’s next?
• How about Linux and a processor on a USB
Encryption
TrueCrypt
• Settings are not stored in the registry
• Uses a “key file” rather than a crypto key
• Which of the thousands of files on the image did the bad guy use as the key file?
• Uses LRW to replace CBC, eliminating any possible detection of non-random data within an image
• Creates a virtual encrypted disk within a file and mounts it as a disk
• Can work in “Traveler” mode with BartPE to eliminate any traces of its use within Windows
• New version 4.3a just released
  • Vista support
  • Plausible deniability improved
  • Sector size other than 512
  • Traveler mode
  • Multi-algorithm cascade
Vista Encryption
• The fear
  • TPM hardware
  • Encryption key stored on removable USB drive
• The reality
  • Not in all versions of Vista - only enterprise version
  • Limited availability of motherboards with TPM chips
  • High end versions of Vista not exactly flying off the shelves
• Be sure to seize those USB keys
Steganography
Free Steganography
• S-Tools
• 4t HIT Mail Privacy Lite
• Camouflage
Stegdetect
Evidence Eliminator
• http://www.evidence-eliminator.com/register_reasons.d2w
• Just some reasons why you must buy protection for yourself right now.
Pelican Bay State Prison (USA) "....putting a prisoner in a cell with a known assaulter and setting up alleged sex offenders for attack are not uncommon...."
Cocoran Prison (California USA) "....Dillard, who weighed 120 pounds, fought back but Robertson was too powerful. He said he pounded on the cell door, banged at it in a way that the guards surely must have heard, but nobody ever came as he was raped...."
The View From Behind Prison Bars (USA) "....The guard in the tower decided to blow one of the inmates' heads off.... The suicides at San Quentin are amazing. I never knew doing time would subject me to watching guys do swan dives off the fifth tier. One guy ripped his jugular out with a can opener. How about the inmate who was shot to death while dangling from the fence? They left his body there for four hours.... we were forced to sleep in shifts to keep the cockroaches from crawling in our mouths...."
Get total protection. Buy your license to Evidence Eliminator™. $149 is less than 149 years. Permanent protection for only $149.95(US)
The Bad Guys Are Not Paying For It
Other Disk Wiping Products
Wipes Deeper Than Ever
Defeat Forensics For Only $29.95
Other Popular Wiping Tools
• srm,
• dban,
• Necrofile,
• Tracks Eraser Pro
• Just Google disk wiping tools
• Results 1 - 100 of about 1,960,000 for disk wiping tools.
How Do They Measure Up?
Signatures
• Examining hashes is a quick way to determine if specific files are or are not on the image that is being examined
• However, altering a single byte will alter the hash but still leave a malicious program executable
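An added illustration of the two Signatures points above, not taken from the original deck: a whole-file hash changes completely after a single-byte patch, while a simplified context-triggered piecewise hash (the idea behind similarity-hashing tools such as ssdeep, reduced to its core) still reports the patched file as near-identical. The sample bytes, the toy rolling hash and the window/modulus parameters are all constructed for this example.

```python
import hashlib
import random

# Constructed, deterministic stand-in for a binary: 8 KiB of seeded pseudo-random bytes.
SAMPLE = random.Random(2007).randbytes(8192)
UNRELATED = random.Random(1).randbytes(8192)

def whole_file_hash(data: bytes) -> str:
    """The 'known good/bad' signature of the slide: any single-byte change gives a new value."""
    return hashlib.sha256(data).hexdigest()

def flip_one_byte(data: bytes, offset: int) -> bytes:
    """Model the slide's point: a one-byte patch that leaves the rest of the file untouched."""
    return data[:offset] + bytes([data[offset] ^ 0xFF]) + data[offset + 1:]

def piecewise_hashes(data: bytes, window: int = 7, modulus: int = 64) -> list[str]:
    """Simplified context-triggered piecewise hashing. A block ends wherever a rolling
    hash of the last `window` bytes is 0 mod `modulus`, so block boundaries are chosen by
    the content itself. A one-byte edit can only disturb the block(s) whose window covers
    it; every other block hash is unchanged, and boundaries re-synchronise right after."""
    pieces, start = [], 0
    for i in range(len(data)):
        roll = sum(data[max(0, i - window + 1):i + 1])  # toy rolling hash over the window
        if roll % modulus == 0 and i + 1 - start >= window:
            pieces.append(hashlib.sha256(data[start:i + 1]).hexdigest()[:12])
            start = i + 1
    if start < len(data):
        pieces.append(hashlib.sha256(data[start:]).hexdigest()[:12])
    return pieces

def similarity(a: bytes, b: bytes) -> float:
    """Share of distinct block hashes the two inputs have in common (Jaccard, 0.0 to 1.0)."""
    ha, hb = set(piecewise_hashes(a)), set(piecewise_hashes(b))
    return len(ha & hb) / max(len(ha | hb), 1)

if __name__ == "__main__":
    patched = flip_one_byte(SAMPLE, 4000)
    print("same SHA-256 after one-byte patch:", whole_file_hash(SAMPLE) == whole_file_hash(patched))
    print("piecewise similarity after one-byte patch: %.2f" % similarity(SAMPLE, patched))
```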
Signatures
Unreliable
EXE Packers
• A packer can change the signature of any exe file and render a search for a known MD5 useless
• The potentially malicious file will not be found with an antivirus scanner
Available Packers
• Alloy 4.14
• Aspack 21
• Cexe NT only
• Diet
• Stoner_Compress
• Petite22
• Pklite32
Binders
Downloadable Binders
Dropper Source Generator 0.1
Attach
Asylum Binder 1.0 by Slim
BigJack Joiner
Binder
Binding Suite
BladeJoiner 1.0 by Blade
BladeJoiner 1.5 by Blade
BladeJoiner 1.55 by Blade
Blade-Bogart Joiner
Blade-Stoner Joiner
Concealer
EliteWrap
Embedder 1.50
Exe Bind 1.0
Exe Maker
FC Binder
GoboWrap 1.0b
Infector 2.0
Infector 9.0
Juntador Beta
MultiBinder
PE-intro adder
Rat Packer
RNS Exe Joiner
SaranWrap
Senna Spy One Exe Maker
Senna Spy One Exe Maker 2000
Senna Spy One Exe Maker 2000 - 2.0a
SilkRope 1.0
SilkRope 1.1
SilkRope 2.0
SilkRope2k
TOP 1.0 by DaRaT
TOP 2.0 by DaRaT
TOP 2.0 beta by DaRaT
TOP 2.1 by DaRaT
TOP 4.0 by DaRaT
TOP GUI by DaRaT
TOP GUI 2 by DaRaT
TrojanMan
WeirdBinder by Weird
X-Exejoiner and Icon changer by Lazarus
Zyon 1.0 multibinder
Sudden Discharge Compresso
Metasploit Anti Forensics
Timestomp
• Doesn’t use SetFileTime()
Metasploit AntiForensics Project: www.metasploit.com/projects/antiforensics/
Timestomp
Timestomp – FTK Unmodified
Timestomp - FTK Modified
Timestomp – Encase Unmodified
Timestomp – Encase Modified
Timestomp – Explorer Unmodified
Timestomp – Explorer Modified
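An added defender's-side example for the Timestomp slides, not part of the original deck or of the Metasploit project: Timestomp rewrites the $STANDARD_INFORMATION timestamps that FTK, EnCase and Explorer display, so an examiner checks them against the kernel-maintained $FILE_NAME attribute and looks at the 100 ns sub-second field, which a tool fed second-resolution times leaves at zero. The MFT-style records, the field names and the 1980 plausibility floor are constructed assumptions for this example.

```python
from datetime import datetime, timedelta, timezone

# NTFS FILETIME: count of 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
# Assumed threshold: anything before this is treated as a blanked or floored timestamp.
_FLOOR = datetime(1980, 1, 1, tzinfo=timezone.utc)

def to_filetime(dt: datetime, extra_ticks: int = 0) -> int:
    """UTC datetime -> FILETIME ticks, using exact integer arithmetic (no float rounding)."""
    return ((dt - _EPOCH) // timedelta(microseconds=1)) * 10 + extra_ticks

def from_filetime(ft: int) -> datetime:
    return _EPOCH + timedelta(microseconds=ft // 10)

def timestomp_indicators(si: dict, fn: dict) -> list[str]:
    """Flag $STANDARD_INFORMATION (si) timestamps that look tampered, using the file's
    $FILE_NAME (fn) attribute as the reference. Both dicts map the MACE fields
    'created' / 'modified' / 'mft_changed' / 'accessed' to FILETIME integers."""
    findings = []
    for name, ft in si.items():
        # Timestomp accepts times at one-second resolution, so the 100 ns remainder is
        # exactly zero; kernel-written timestamps practically never land on a whole second.
        if ft % TICKS_PER_SECOND == 0:
            findings.append(f"$SI {name}: zero sub-second component")
        if ft < to_filetime(_FLOOR):
            findings.append(f"$SI {name}: implausibly early ({from_filetime(ft).date()})")
    # $FN timestamps are written by the kernel on create/rename and are not reachable
    # through the user-mode timestamp APIs, so an $SI time earlier than its $FN
    # counterpart means $SI was pushed backwards after the fact.
    for name in ("created", "modified"):
        if si[name] < fn[name]:
            findings.append(f"$SI {name} predates $FN {name}")
    return findings

# Constructed MFT-style records. The untouched file carries ordinary odd tick remainders.
_t0 = to_filetime(datetime(2007, 3, 14, 9, 22, 41, 123456, tzinfo=timezone.utc), 7)
GENUINE_FN = {"created": _t0, "modified": _t0, "mft_changed": _t0, "accessed": _t0}
GENUINE_SI = {"created": _t0, "modified": _t0 + 86_400 * TICKS_PER_SECOND + 3,
              "mft_changed": _t0 + 90_000 * TICKS_PER_SECOND + 9, "accessed": _t0 + 5}
# The same file after its $SI times were set back to a round, earlier date.
_back = to_filetime(datetime(2004, 1, 1, 0, 0, 0, tzinfo=timezone.utc))
STOMPED_SI = {k: _back for k in GENUINE_SI}

if __name__ == "__main__":
    print("genuine:", timestomp_indicators(GENUINE_SI, GENUINE_FN))
    print("stomped:", timestomp_indicators(STOMPED_SI, GENUINE_FN))
```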
Slacker
Slacker Example
Transmogrify – Coming Soon
• Transmogrify - First ever tool to defeat EnCase's file signature capabilities by allowing you to mask and unmask your files as any file type. (Coming Soon)
Samjuicer
• SAM Juicer does what pwdump does without hitting the disk
• Pwdump – opens a share, drops binaries to the disk and starts a service to inject itself into LSASS
Future Work
• NTFS change journal modification
• Secure deletion
Advanced Anti-Forensics
• What if the malicious file never touched the disk?
• MOSDEF (mose-def) is short for “Most Definitely”
• MOSDEF is a retargetable, position independent code, C compiler that supports dynamic remote code linking
• In short, after you've overflowed a process you can compile programs to run inside that process and report back to you
• www.immunitysec.com/resources-freesoftware.shtml
Linux Anti-Forensics
• Simply hide data where commercial forensic tools don’t necessarily look
• Rune fs
  • Hide data in bad blocks inode
• Waffen fs
  • Hide data in spoofed journal file
• KY fs
  • Hide data in null directory entries
• Data mule fs
  • Hide data in reserved space
Thank You
Paul A. Henry
MCP+I, MCSE, CFSA, CFSO, CCSA, CCSE, CISM, CISA, CISSP-ISSAP, CIFI