March 24th, 2006 10:23 AM
Wiping or erasing disk is only the first step of a complete anti-forensics attempt. The next step you would need to write some random but convincing data onto the same disk that looks like the real data before it's tampered. Any other step(s)? Be creative...
Erasing disk alone will only raise the flag and make them believe that you really hide something. Erasing disk alone is useful for cases like when a company/organization wants to sell used PCs or disks that had some (confidential) data in them.
Always listen to experts. They\'ll tell you what can\'t be done and why. Then go and do it. -- Robert Heinlein
I\'m basically a very lazy person who likes to get credit for things other people actually do. -- Linus Torvalds
March 24th, 2006 10:34 AM
well, from my point of view, never mention Anti-Forensic unless u understand what is Forensic actually are, and how it works. Where in order to perform forensic investigation, you might require knowledge like Pen Test, Reverse Engineering, programming, behavioral profiling, Honeypot, Convert Channeletc..
If as the topic stated: - 'Anti-Forensic tools' is something you look forward, than the actual skill/knowledge. Then at least you might need to know how all those Forensic tools work in-and-out, in order for you to evade or bypass them. Tools like EnCase Enterprise, ProDiscover IR, OnLineDFS, NetDetector, NetIntercept, CS_MARS, SuperView are the most common tools that professional will use to perform the investigation with. If you can't avoid being trace or penetrate these tools, don't even mention anti-forensic.
Another method, you might need to build your very own rootkit to cover your back, and i really mean YOUR OWN~! Modified/tuned it payload, attitute, sequence & signature, to alter the kernel and return false info to system calls, rendering unless most tools that incident responders have traditionally used to examine a live system for signs of compromise. Programs like Hacker Defender might perform similar stuff, but still detectable!!
Next thing you need to concern is those NG-Digital Forensic technique. Forensic Investigator also will improve & upgrade their skill & method, where they notice that "Anti-Forensic" are trying to beat their ass. They will migate to more higer level way of perform forensic. So in order for you to competitive back, you also need to know how to break stuff like Digital Evidence Bag(DEB) or finding weakness at Advanced Forensic Format (AFF) file(e.g.aimage..).
Perhaps you also can try out Metasploit Anti-Forensic Investigation Arsenal (MAFIA) from Metasploit project, which i think its only some basic tools for Anti-Forensic. MAFIA include tools like 'Timestomp' - allows modify all four NTFS timestamp values: modified, accessed, created, and entry modified. 'Slacker' - allows to hide files within the slack space of the NTFS file system. 'Sam Juicer' - A Meterpreter module that dumps the hashes from the SAM, but does it without ever hitting disk. 'Transmogrify' - First ever tool to defeat EnCase's file signaturing capabilities by allowing you to mask and unmask your files as any file type.
Hope this info can help~
--=|2 be da happy children 0f da Mother Nature, 2 be da Best among da Best!|=--
Any Sufficiently AdvanceD TechnologG is InDistinguishable from MagiC. - Arthur C. Clarke
March 24th, 2006 11:00 AM
Sky_Angus well done!
You have introduced a whole new concept here. We were telling VAIO about retrospective forensics on a PC, and you have raised the subject of live forensic analysis of an ongoing attack.
That is a very valid issue, and I don't think that it was considered in the original question, which is why some of us asked for more details on the scope of the paper.
If you cannot do someone any good: don't do them any harm....
As long as you did this to one of these, the least of my little ones............you did it unto Me.
What profiteth a man if he gains the entire World at the expense of his immortal soul?
March 24th, 2006 12:46 PM
If you are the target of the forensic investigation there are only three tools you require to ensure your safety from successful prosecution:-
1. A remote access trojan that connects at startup to a host in an unfriendly foreign country.
2. A highly competent forensics expert.
3. A relatively competent lawyer.
The RAT that always makes a connection to a machine that cannot be investigated places significant doubt about the identity of the perpetrator of the crime(s). Your forensics expert can refute or show improper handling of etc. any evidence that the prosecution thinks they can still bring against you and the relatively competent lawyer is the icing on the cake that has the judge dismiss the charges if you even get into the courtroom.
Other than a system such as that then the magnitude of your crime dictates how much effort you put into hiding your activity - But, the magnitude of your crime also dictates the the amount of effort and money the government, (deep pockets), will put into uncovering the evidence of your crime. Even these disk wipers that run multiple passes writing random 1's and 0's are not foolproof. The surface of the disk can be investigated with an electron microscope and the orientation of the media can indicate what was written there some time ago. Even Nihil's "overwrite with a new image", while possibly making an investigator decide that there is no evidence there and move on, can be read and easily reconstructed.
Now, if your crime is that you are a 16 year old who has been downloading MP3's left and right then Nihil's solution is more than enough because the RIAA doesn't have the brains to look under the lid and if they did it would cost them too much. But rest assured if you are a terrorist or the head of a child porn ring you will be able to hide nothing from them....
One final thought.... If you are committing crimes that would bring down the entire weight of a government upon you, you can be sure of one thing if you are committing said crimes by use of the internet.... All your anti-forensics tools are utterly useless... You won't even be arrested until they have built their case against you from the traffic they are sniffing at your ISP... The corroborative evidence would sink you... no matter how clean your box might appear.... period.
Don\'t SYN us.... We\'ll SYN you.....
\"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides
March 24th, 2006 03:38 PM
Many governments secretly sanction the use of antiforensics and countersurveillance and have been in the state of developing tools, standards and protocols for some time, it's not something you hear much about amidst the hype about securing your users and leave the appropriate hooks to conduct forensic investigations. The Royal Canadian Mounted Police have a PDF that details secure harddrive information removal and destruction (here ).
Antiforensics has been In extreme cases, C4 explosives rigged to a fake power buttons on the computer asset has been cause for concern for law enforcement and military, especially in the case of anti-terrorism. That's why the likes of the RCMP, FBI and British SAS actually take along bomb sniffing dogs when they are going to cease computer equipment from suspected terrorist cells. Damn scary stuff, glad I only deal with call center reps behaving badly
A number of techniques such as compaction , multiple deletions, shredding, cryptographic and stegnographic methods (BMP hermetic, MP3 bit stuffing) can be used. Most of these have been discussed here by some folks and is covered by the link that you sent for MetaSploit (more notable is M.A.F.I.A. that was mentioned as well).
Here are some other tools:
Deletion: Tracks Eraser Pro , srm , dban , Necrofile, DiskScrub
Encryption/Hiding: Steganos Security Suite, dm-crypt, Cryptainer, Outguess,
ID Hiding: IP spoofing, anonymizer proxies, VPN with RDP, VNC or SSH tunneling, stolen authentication credentials
Extreme Destruction: Explosives, Incinerator, Acid, Microwave
I'd like to see you finished paper, post it when you're done...
March 24th, 2006 04:17 PM
Great comments from everyone. Keep em comin
My paper is due Tuesday so maybe i will post it up here after that. I'm doing this for my digital forensics class BTW. It's pretty exciting. But like i said i am working with a partner on the paper and she hardly ever pulls her weight on projects so i am not guaranteeing the first half of the paper to be informative in any way. lol. But if it is anything like the last paper, i might have to end up doing the whole thing myself again. And then i would be more proud of it. I hate group projects when the partner sucks. If she bails out on me this time i'm gonna have to do something about it.
Anyways... thanks for all the great input.