Defeating Anti-Forensics

Pataasin ang iyong marka sa homework at exams ngayon gamit ang Quizwiz!

Chi-square

Attacker performs probability analysis to test whether the stego object and original data are the same or not

Trial Obfuscation

Attackers use this method to confuse or deceive forensic investigators by misleading them through log tempering, modification of various file headers, timestamp modification, etc. in order to prevent a proper investigation

Known-cover Attack

Attackers use this when they have knowledge of both the stego-object and the original cover-medium. This will enable a comparison between both the mediums in order to detect the changes in the format of the medium and find the hidden message.

Disk Formatting

Formatting of a hard drive does not erase the data present on the disk but wipes its address tables and unlinks all the files in the file system. Later, a new file tree is set up to use with OS. After formatting a hard disk, the forensic investigator can recover data from a formatted drive.

Digital File Signature

Located in the first 20 bytes of a file

Cleartext Passwords

Passwords are sent and stored in plaintext without any alteration

Obfuscated Passwords

Passwords are stored or communicated after a transformation

Shift+Delete - Windows

Performing this operation bypasses the Recycle Bin

Quick Recovery

Software that recovers files that have been lost, deleted, corrupted, or even deteriorated. The application searches, scans, and recovers files that are encrypted and password protected and restores them.

Anti-Forensics

The use of various techniques by cyber-criminals to destroy or hide traces of illegal activities and hinder forensic investigation processes. a set of techniques that attackers or perpetrators use in order to avert or sidetrack the forensic investigation process or try to make it much harder

ADS (Alternate Data Stream)

a NTFS file system feature that helps users find a file using alternate metadata information such as author title. It allows files to have more than one stream of data, which are invisible to Windows Explorer and require special tools to view. contains metadata such as access timestamps, file attributes, etc

Brute-Force Attack

a cryptanalytic attack used to decrypt any encrypted data (which may be referred to as a cipher). testing all possible keys in an attempt to recover the plaintext, which is the base for producing a particular ciphertext

Recover My Files

a data recovery software that recovers deleted files/data from Windows Recycle Bin and files lost due to formatting or corruption of a hard drive, virus or Trojan infection, and unexpected system shutdown or software failure.

VirtualLab

a data recovery software that works with all Windows OSs from Windows 98 to Windows 10, 8, 7, FAT 12/16/32, and NTFS file systems. It can restore the deleted files from lost/damaged partitions, formatted disks, deleted emails, hard drives and RAID systems, and photos and flash memory cards.

GNU DDrescue

a data recovery tool. It copies data from one file or block device (hard disc, cdrom, etc) to another, trying to rescue the good parts first in case of read errors. The basic operation is fully automatic.

Dictionary Attack

a dictionary file is loaded into the cracking application that runs against user accounts. The program uses every word present in the dictionary to find the password. They are more useful than a brute-force attack.

Autopsy

a digital forensics platform and graphical interface to The Sleuth Kit and other digital forensics tools. It is used by law enforcement, military, and corporate examiners to investigate what happened on a computer

Scalpel

a file carving tool that reads a database of header and footer definitions and extracts matching files from a set of image files or raw device files. Scalpel is file system independent and will carve files from FATx, NTFS, ext2/3, or raw partitions. It is useful for both digital forensics investigation and file recovery.

AppleXsoft File Recovery

a file recovery tool for Mac. The tool scans and recovers files from the hard disk and external storage devices. It supports RAID recovery. The tool includes few advanced tools such as RAID Reconstructor, Mail Recovery, Hex Viewer, SMART, Bad Block Diagnostics, Imaging tools, and Disk Copy.

Winrtgen

a graphical rainbow tables generator that helps attackers create rainbow tables from which they can crack the hashed password.

RainbowCrack

a hash cracker that uses a time-memory tradeoff algorithm to crack hashes. It pre-computes all possible plaintext-ciphertext pairs in advance and stores them in the "rainbow table" file. It may take a long time to pre-compute the table, but once the pre-computation is finished, hashes stored in the table can be cracked with much better performance than a brute-force cracker.

INFO2

a hidden file found in Recycle Bin. When a user deletes a file or folder, Windows stores all the details of the file, such as its name and the path where it was stored.the master database file and is very crucial for the recovery of data. It contains various details of deleted files such as their original file name, original file size, date and time of deletion, unique identifying number, and the drive number in which the file was stored.

Medusa

a login brute-forcer for network services that allows remote authentication also.

Rainbow Table

a lookup table used for recovering a plaintext password from a cipher text. It consists of all possible plaintext combinations for encrypted passwords created using a specific hash algorithm. contains word lists such as dictionary files and brute-force lists along with their computed hash values

Cain & Abel

a password recovery tool for Microsoft OSes. It allows recovery of passwords via network sniffing, cracking encrypted passwords using dictionary, brute-force, and cryptanalysis attacks. It covers some security aspects/weaknesses present in a protocol's standards, caching mechanisms, and authentication methods. This offers a simplified recovery of passwords and credentials from various sources. It uses Arp Poison Routing (APR) to sniff switched LANs and perform man-in-the-middle attacks. The sniffer in this tool is also capable of analyzing encrypted protocols, such as HTTP and SSH-1, and contains filters to capture credentials from a wide range of authentication mechanisms.

John the Ripper

a password recovery tool that cracks passwords and supports Unix, Windows, DOS, and OpenVMS. It detects weak Unix passwords, several crypt (3) password hash types most commonly found on various Unix systems, Windows LM hashes, etc.

Hash Suite

a password recovery tool that recovers the lost password. The tool generates different candidate passwords (keys), hashes them, and compares the computed hashes with the stored hashes. The tool offers different ways to generate candidate passwords.

Disk Degaussing

a process by which a strong magnetic field is applied to storage device, resulting in an entirely clean device of any previously stored data. Physical destruction of the device is one of the most widely used techniques to ensure data wiping.

DiskDigger

a program that undeletes and recovers lost files from hard drives, memory cards, and USB flash drives. This tool can be used to recover documents or photos accidentally deleted from the computer or from a reformatted camera memory card or can be used to check the files that are on an old USB drive

$BitMap File

a record of all used and unused clusters in a NTFS file system. , when a user deletes a file, the OS just marks the file entry as unallocated but does not delete the actual file contents. The clusters allocated to the deleted file are marked as free in this

Password Hashes

a signature of the original password generated using a one-way algorithm. Done with algorithms (MD5, SHA, etc.), which are not reversible

File Carving

a technique that is used to recover deleted/lost files and fragments of files from the hard disk when file system metadata is missing.

BIOS (basic input/output system)

a type of boot loader, refers to the firmware code that runs when the users switch on the system. The main function is to identify and initialize system component hardware such as the hard disk, video display card, and other motherboard components. A password protects the computer system from unauthorized access. There are 3 types of passwords: System, Admin, and HDD

Encryption

an effective way to secure data that involves the process of translating data into a secret code that only authorized personnel can access. To read the file, users require a secret key or a password that can decrypt the file. Due to its effectiveness and ease of usage, most attackers prefer to use these techniques for anti-forensics.

Rainbow Attack

an implementation of the cryptanalytic time-memory tradeoff technique based on rainbow tables.

Disk Doctors Windows Data Recovery Software

can recover accidentally deleted files, including files emptied from the Recycle Bin and from Windows Explorer with Shift + Delete. This tool also allows one to recover data from a reformatted partition (to any file system), and from a corrupted, deleted, or missing partition

Syllable Attack

combines both a brute-force attack and a dictionary attack and is often used to crack those passwords which do not consist of an actual word but a mix of characters and syllables)

Program Packers

compress the files using various algorithms. Hence, unless the investigators know the tool that has been used to pack the file and have a tool to unpack it, they will not be able to access it. the attacker can hide the evidence files into containers, thereby making them hard to detect.

Known-message Attack

in order for this to happen, it has to be assumed that both the message and the stego-medium are accessible. Using this attack, one can detect the technique used to hide the message.

Known-stego Attack

in this attack, the attacker knows the steganography algorithm as well as original and stego-object. Therefore, the attacker can extract the hidden information using the information at hand.

Timestomp

one of the most widely used trail obfuscation tools that allow deletion or modification of timestamp-related information on files.

Chosen-stego Attack

possible when the analyst has knowledge about the stego-object and steganography tool or algorithm used to hide the message.

321soft Data Recovery

recovers deleted, inaccessible, and lost files from Mac's hard drive. It can recover files lost due to deletion, formatting of the drive, partition errors, corrupted file system, hard disks, solid state drives (SSDs), memory cards, USB sticks, CD/DVD discs, and various other storage devices.

Data Rescue PC

recovers files from a crashed or virus-corrupted hard drive. Data Rescue PC recovers an external drive or secondary drive. It scans the drive for the files and copies them to the second drive.

Total Recall

recovers lost data from hard drives, RAID, photos, deleted files, iPods, and even removable disks connected via FireWire or USB.

Steller Phoenix Windows Data Recovery

recovers lost, deleted, or inaccessible data from Windows OS HDDs and other storage media. The tool helps to recover data lost due to hard drive corruption, formatting, and virus attack.

Seagate File Recovery Software

recovers the files and rescue service plans for storage devices. The tool recovers files from desktops, laptops, and external hard drives as well as tablets, and on-chip memory in smartphones.

Steganography

refers to the art of hiding data "behind" other data without the target's knowledge, thereby hiding the existence of the message itself. Attackers use this to hide their secret information/communication within normal messages containing text or other data.

Artifact Wiping

refers to the process of deleting or destroying the evidence files permanently using file-wiping and disk-cleaning utilities and disk degaussing/destruction techniques. The attacker permanently eliminates particular files or the file system itself.

Advanced Disk Recovery

scans the entire system for deleted files and folders and recovers them. It scans the hard drives, partitions, external devices, and even CDs and DVDs for recoverable files. It provides two types of scans: the Quick Scan that uses MFT and the Deep Scan that uses file signatures. Once the scan is complete, one can either preview the files/folders or recover them to a preferred location

Orion File Recovery Software

searches for deleted files on the hard drive, or any external or portable drive connected to the computer. Files that are not overwritten can either be recovered or permanently deleted to prevent future recovery.

MBR partition table

stores the records of the primary and extended partitions available on the disk. Therefore, whenever a partition is deleted from the disk, the entries pertaining to the partitions are removed

E5h

the OS replaces the first letter of a deleted file name with a hex byte code. a special tag that indicates a deleted file. The FAT file system marks the corresponding clusters of that file as unused, although they are not empty.

Unallocated Space

the hard disk space that does not contain any file information but stores file data without the details of its location.

Stego-only Attack

the steganalyst or the attacker does not have access to any information except the stego-medium or stego-object. In this attack, the staganalyst needs to try every possible steganography algorithm and related attack to recover the hidden information.

EaseUS Data Recovery Wizard

used to perform format recovery and unformat and recover deleted files emptied from Recycle Bin or data lost due to partition loss or damage, software crash, virus infection, unexpected shutdown, or any other unknown reasons under Windows 10, 8, 7, 2000/XP/Vista/2003/2008 R2 SP1/Windows 7 SP1. This software supports hardware RAID and hard drive, USB drive, SD card, memory card, etc.

rm Command - Linux

users can delete files using this command, wherein the inode pointing to the file is deleted but the file remains on the disk

Rule-Based Attack

when they know some credible information about the password such as rules of setting the password, algorithms involved, or the strings and characters used in its creation.

Handy Recovery

data recovery software designed to restore files accidentally deleted from hard disks and memory cards. The program can recover files damaged by virus attacks, power failures, and software faults, or files from deleted and formatted partitions. If a program does not use the Recycle Bin when deleting files, Handy Recovery can restore such files. It can also recover files moved from the Recycle Bin after it has been emptied. It can also restore the full branch of a folder tree containing selected files and folders. Along with the main file data, the program can recover alternate data streams, which are used on the NTFS file system to store additional information about files.

R-Studio for Windows

data recovery software. It can recover files from FAT12/16/32/exFAT, NTFS, NTFS5 (created or updated by Windows 10, 8, 7, 2000/XP/2003/Vista). It functions on local and network disks, formatted, damaged, or deleted partitions

File-wiping

delete individual files from an OS in a short span and leave a much smaller signature when compared with the disk-cleaning utilities. However, some experts believe that many of these tools are not effective, as they do not accurately or completely wipe out the data and also require user involvement.

BitLocker

encrypts an entire volume

Encrypting File System (EFS)

encrypts individual files and directories

Disk-wiping

erasing data from the disk by deleting its links to memory blocks and overwriting the memory contents. In this process, the application overwrites the contents of MBR, partition table and other sectors of the hard drive with characters such as null character or any random character several times (using data wiping standards).


Kaugnay na mga set ng pag-aaral

Chapter 32, 32-1, 32-2, 32-3 Mammals Key Concepts

View Set

Poverty Line, Social Studies, Quizlet

View Set

NCLEX RN-PassPoint Pracetice Exam Case Study Questions

View Set

Real Estate University | S3 | Chapter 3

View Set

hbs blood/heart, hbs 4.3-4.4 blood vessels/heart

View Set

Chapter 4 (Life Policies)- Life Insurance Policies - Provisions, Options and Riders

View Set

WORLD REGIONAL GEOGRAPHY Chapter 8 Subsaharan Africa - Study Questions

View Set