Thread: Anti-Forensics tools

  1. #11 nihil (Senior Member, United Kingdom: Bridlington)
    Well,

    I think that you need to go a bit deeper. If I find a PC with a blank hard drive and nothing works, I know what has happened and I know that you are hiding something. That is when it goes to the "clean room" and the rat hunt begins. The only limitation will be my determination and my budget.

    The only true "anti-forensics" is to pulverise the thing and dissolve the powder in a vat of acid. Then pour the acid down the drain (sorry, tree huggers).

    So, the first anti-forensic "move" is to persuade the investigator that there is no need to use forensics... the more machines that they have to look at, the easier this is.

    So something like "Norton Ghost" or a similar hard drive cloning/mirroring program is actually a potential tool. What you would do is format the drive and then use the cloning/mirroring software to superimpose an apparently innocent system image. That would throw most investigators off, as they wouldn't see anything to excite their interest and attention. Also, you would have overwritten the drive with valid data.

    Please realise that once you have overwritten data, it is gone... no software program will get it back for you... it is the "clean room" scenario and you are going to have to look at "track overlay" and "magnetic remanence".

    Another potentially ignored anti-forensics tool is on the dark side of the web. Make sure that your box has a good few Trojans and Back Doors on it... that will probably invalidate any forensic evidence that may be found, as it cannot be proven who put it there.

    Then look at USB Drives, R/W CDs and DVDs... You simply load your OS and applications onto these, boot from them, and take them away with you afterwards. The only evidence you will leave behind is in the RAM sticks... and that needs the "clean room". A similar scenario is the removable drive... so long as there is one in the bay, and it looks plausible, who is to know how many others there are out there?

    I ask you guys for your opinion on a broad open topic and you still want more specific details
    You are obviously very young and naive. Wait until you get to deal with lawyers, accountants, doctors and the like... it is called "being professional"; we don't do general questions... and we charge like hell.

    I wrote this tutorial a while back: http://www.antionline.com/showthread...hreadid=248897

    I was looking at a different angle, but the second section (electronic security) might give you some ideas?
  2. #12
    Yeah, I tried drive washing once. But the drive wouldn't work again when I took it out of the dishwasher.

    I do know that Secret Service agents are very careful about not letting any suspects touch anything once they have entered the house/building/room. They have come across a few people who have set up encryption/destruction programs in case of a bust. Most don't, though. It is possible that the time and effort is too high, and the risk of accidentally setting it off is too great.

    Don't ask.

  3. #13 Junior Member
    Originally posted here by nihil:
    You are obviously very young and naive. Wait until you get to deal with lawyers, accountants, doctors and the like... it is called "being professional"; we don't do general questions... and we charge like hell.
    Are you kidding? I asked for everyone's opinion and gave a very broad spectrum. There is a time and place for details and documentation and protocol, yes. But this question is not one of those times.

  4. #14 nihil (Senior Member, United Kingdom: Bridlington)
    Hmmmm,

    Another thought is the "hidden drive" concept. This software creates a virtual drive or partition that you need passwords to activate (the example I have needs 4 independent ones) and encrypts the data as well. You need to activate the software to get the virtual drive to show up.

    Your average law enforcement type wouldn't even know it was there.

  5. #15 Senior Member
    I'm in favour of giant magnets... for last ditch effort to erase all traces of information... of course sledgehammer would be more spectacular...

  6. #16 nihil (Senior Member, United Kingdom: Bridlington)
    Are you kidding? I asked for everyone's opinion and gave a very broad spectrum. There is a time and place for details and documentation and protocol, yes. But this question is not one of those times.
    Please take this advice as it is intended... as a general principle it is a good idea to set a few limits and parameters, as they keep people focussed.

    You are trying to write a paper?... you have chosen the "tools" section?... well, "tools" are specific to jobs, so you have to be more specific in your questions. It is as simple and as complicated as that... or do you normally eat your burgers with a monkey wrench?

  7. #17 zencoder (AO Senior Cow-beller, Moderator, Mountain standard tribe.)
    May as well ask about "super-sneeky-hacker-f***-you-fed" tactics.

    If you want a reasonable response... I don't think you can honestly reach state #1 that nihil mentions above. Unless you overwrite a disk with multiple passes of random bits, you can't be certain what information is left on a disk. Even if you use some fancy tool to ferret all the data that you may have left behind, if you're talking about a Windows machine you can't be certain what has been written or left behind in the slack space of sectors or fragments of a pagefile.

    State #2 is easy. Full wipe/format multiple times, or Big F***ing Magnets (cancer causing hiroshima magnets). Hydrochloric acid and a hammer work well, too.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  8. #18 phishphreek (AO übergeek)
    Originally posted here by Aspman:
    Do these have to be demonstrated and/or documented methods of preventing investigation?

    I can think of things like booby-trapped UPSs that trip a disk wipe when power goes off.
    Badly trained police is a wide shot, but it definitely affects the quality of forensic evidence.

    Virtual machines? What if someone carried out their illegal acts from within a VMWare virtual computer?

    Most forensics data is discredited in court not through the data itself but through the handling of the evidence by the investigating organisation.
    Great idea! LoL I've been doing my "research" in vmware for a long time now. *none* of those sessions are recoverable....

    However, it seems as if the vmware player does have a bit of spyware in it. Snort picks it up as spyware as it phones home. Simple ACLs to block that though...
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  9. #19 Senior Member
    Originally posted here by zencoder:
    May as well ask about "super-sneeky-hacker-f***-you-fed" tactics.

    If you want a reasonable response... I don't think you can honestly reach state #1 that nihil mentions above. Unless you overwrite a disk with multiple passes of random bits, you can't be certain what information is left on a disk. Even if you use some fancy tool to ferret all the data that you may have left behind, if you're talking about a Windows machine you can't be certain what has been written or left behind in the slack space of sectors or fragments of a pagefile.

    State #2 is easy. Full wipe/format multiple times, or Big F***ing Magnets (cancer causing hiroshima magnets). Hydrochloric acid and a hammer work well, too.
    Hey Hey,

    I've never tried recovery on it... but for nihil's #1 what about things like PGP's Free Space Wipe... Randomly overwrites all your free space X number of times... What I tend to do is defrag or delete my page file, defrag my drives (C: alphabetically since Windows reads DLLs alphabetically when loading them, and the rest by file access so the most recently accessed files (the ones I most likely use the most) are grouped)... and then run PGP's Free Space Wipe (usually three passes of random data) on them... when you consider that anything important/incriminating has been encrypted while stored and deleted using something like http://www.sys-shield.com/fileshredder.htm... I'd have to say that I feel reasonably comfortable that no one is recovering anything I've deleted... but then again I could be wrong and it could be totally recoverable.

    Peace,
    HT

  10. #20 nihil (Senior Member, United Kingdom: Bridlington)
    VAIO, both zencoder and HTRegz raise interesting aspects that I feel you may want to include.

    Your Windows PC stores data in sectors and blocks and writes to them accordingly. So if your blocks are 16Kb and you write an 18Kb file, it will use two blocks of 16Kb, the second of which will have 14Kb of slack space in it. This will still contain the previous data.

    Similarly, the nodes will contain clues as to what used to be there, even if the original data is gone.

    Originally posted here by HTRegz:
    for nihil's #1 what about things like PGP's Free Space Wipe.
    Those cleaning tools will overwrite the free space, slack space and the nodes (assuming it is a professional quality application).

    A good quality erasing tool will overwrite with 0, 1 and random 0s and 1s. It will also do this in a series of random passes. That bit is important, because if the forensic investigator knows the overwriting sequence it is trivial to decompose it.

    My methodology would be to use both these tools, format, then ghost/mirror an image of a perfectly innocent system on top, and defragment it.

    The investigator will then find what they would expect to find rather than stuff that had obviously been deliberately erased. That will make them go away unless they KNOW that there is something of interest on the drive.

    This is not as far fetched as you might think. All you would do is boot your machine, create your ghost image on CD/DVD, do your naughty stuff, then go through the cleaning process and ghost the image back again.

    This will take a very long time, so using removable media or drives is far more efficient.

    I can tell you from my experience in the Defense Sector that we use removable hard drives and that anything that was on the "secure network" is pulverised then incinerated or dissolved. Electronic methods are not trusted, other than for non-classified material on the general network.

    Incidentally, you will doubtless come across Peter Gutmann and be told that his method overwrites with 32 passes. It doesn't; the true number is 17 or 19 depending on the type of hard drive. The 32 is for applications that cannot figure out what sort of hard drive they are dealing with, and I don't think that I would trust one of those.
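The slack-space behaviour nihil describes in post #20 (16Kb blocks, an 18Kb file, 14Kb of slack still holding previous data), as an added Python example that is not part of the thread: it builds a constructed disk image, writes an 18 KiB file over a larger "deleted" file, and reads back what an examiner would carve from the new file's slack. The cluster size, file sizes and the "OLD-SECRET-" contents are all constructed for the demonstration.

```python
from math import ceil

CLUSTER = 16 * 1024  # 16 KiB allocation unit, matching the post's example


def clusters_needed(size: int, cluster: int = CLUSTER) -> int:
    """Number of whole clusters a file of `size` bytes occupies."""
    return ceil(size / cluster)


def slack_size(size: int, cluster: int = CLUSTER) -> int:
    """Bytes of the file's last cluster that the file itself does not use."""
    return clusters_needed(size, cluster) * cluster - size


def write_file(image: bytearray, start_cluster: int, data: bytes,
               cluster: int = CLUSTER) -> None:
    """Model a filesystem write: exactly len(data) bytes land on disk; the
    remainder of the last cluster is allocated to the file but never touched."""
    off = start_cluster * cluster
    image[off:off + len(data)] = data


def read_slack(image: bytearray, start_cluster: int, size: int,
               cluster: int = CLUSTER) -> bytes:
    """What an examiner carves from the slack of a `size`-byte file starting
    at `start_cluster`: everything between end-of-data and end-of-allocation."""
    begin = start_cluster * cluster
    end_alloc = begin + clusters_needed(size, cluster) * cluster
    return bytes(image[begin + size:end_alloc])


def demo() -> bytes:
    """Constructed scenario: an old ~48 KiB file is 'deleted' (only its
    directory entry is dropped, nothing is overwritten), then an 18 KiB file
    is written into the same clusters. Returns the slack the new file leaves."""
    image = bytearray(4 * CLUSTER)
    old = b"OLD-SECRET-" * (3 * CLUSTER // 11)  # constructed old contents
    write_file(image, 0, old)
    new = b"N" * (18 * 1024)                     # the 18 KiB file from the post
    write_file(image, 0, new)
    return read_slack(image, 0, len(new))


if __name__ == "__main__":
    slack = demo()
    print(f"slack size: {len(slack)} bytes ({len(slack) // 1024} KiB)")
    print("old data still readable from slack:", b"SECRET" in slack)
```

The same arithmetic applies to any cluster size: a file of `size` bytes leaves `(-size) % cluster` bytes of slack, which a free-space wipe alone does not touch because the cluster is still allocated.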