Module 5: Defeating Anti-Forensics Techniques
Program Packers
- A program used to compress or encrypt executable programs
- Hides attack tools from detection through reverse engineering by modifying the original entry point of the executable
- Some widely used tools are UPX, BurnEye, Exe Stealth Packer, Smart Packer Pro, etc.
- Packers that require a password to run the program are considered strong, whereas those that do not require a password are vulnerable to static analysis
DNS Monitoring
- The attacker sends packets across a network with the destination IP address from an inactive subnet and the source IP address from a rarely used network
- When network monitoring tools come across such packets, they might make a reverse DNS request in an attempt to resolve the hostname of the source IP address
- If the attacker is able to monitor the DNS server and identify the reverse DNS request, he/she can conclude that the packets are being monitored
Overwriting Metadata
- Attackers can use tools to wipe the contents of media, but that action itself might draw the attention of investigators; therefore attackers cover their tracks by overwriting the metadata (i.e. access times), making timeline construction difficult
- Ex: timestomp, part of the Metasploit framework, is used to change the MACE attributes of a file
- Another way to confuse the investigator is to access the computer in a way that generates no metadata
- Ex: mounting a partition as read-only, or accessing it through the raw device, prevents file metadata from being updated
- Setting the Windows registry key "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate" to 1 disables updating of the accessed timestamp
Artifact Wiping Methods
- Disk wiping utilities - erase data from the disk by deleting its links to memory blocks and overwriting the memory contents
- File wiping utilities - delete individual files and file table entries from an OS
- Disk degaussing/destruction utilities - physical destruction of the device
- Disk formatting - wipes the address tables and unlinks all the files, but does not erase the data present
Detecting File Extension Mismatch
- Every digital file contains a signature that is located in the first 20 bytes of the file
- Tools such as Hex Editor Neo, Hex Workshop, etc. can be used to get the hex view of the file and identify the file signature by examining the first 20 bytes of the file
- In signature analysis, a mismatch between the file header and its extension can be identified
- In Autopsy, use the "Extension Mismatch Detected" module to identify whether an attempt has been made to tamper with the file extension of known file types
Detecting hosts in "promiscuous mode"
- Many network forensics tools use an Ethernet interface in promiscuous mode to capture all packets on the LAN
- Often, these tools are not configured to avoid transmitting on the network that is being examined
- Thus, they can be detected by the way they respond to pings, ARPs, and malformed IP packets
Data Encryption
- One of the commonly used techniques to defeat the forensic investigation process
- Intruders use strong encryption algorithms to encrypt data of investigative value, which renders it virtually unreadable without the designated key
- Additionally, most encryption programs are capable of performing additional functions, including use of a key file, full-volume encryption, and plausible deniability, which make the investigator's job more difficult
- Cryptanalysis can be used to decrypt encrypted data
Detecting Overwritten Data/Metadata
- To detect timestamp forgery on the NTFS file system, the forensic investigator can employ forensic tools such as analyzeMFT to compare the $STANDARD_INFORMATION and $FILE_NAME attributes
  -- analyzeMFT.py is designed to fully parse the MFT file from an NTFS filesystem and produce output in CSV or bodyfile format
- When the $FILE_NAME creation date and the $STANDARD_INFORMATION creation date (for any file) do not match, it indicates that the file has been time stomped
Detecting USB devices
- To enumerate the USB devices that have been connected to the system, use the following PowerShell command: Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR\*\*\ | Select FriendlyName
- In the Windows registry these entries are located at: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_[VendorName]&Prod_[ProductName]&Rev_1.00\[serialNo]
Unpacking Program Packers
- To unpack/extract the original executable from the packed file, the investigator should first identify the tool used to pack the executable
- The Exeinfo PE tool can analyze the code to identify the packer tool
- Ex: if UPX is the utility used to pack the program, unpack it with the UPX utility command: upx.exe -d -o [unpacked_file_name] [packer_file_name]
Anti-Forensics Countermeasures
- Train and educate the forensic investigator about anti-forensics
- Validate the results of examination using multiple tools
- Impose strict laws against illegal use of anti-forensics tools
- Understand the anti-forensic techniques and their weaknesses
- Use the latest and updated CFTs and test them for vulnerabilities
- Save data in secure locations
- Use intelligent decompression libraries to defend against compression bombs
- Replace weak file heuristics with stronger ones
Anti-Forensics Techniques that Minimize Footprint
- Use of fake and stolen identities
- Running OSes from live CDs/DVDs/USB
- Use of virtual machines
- Use of cloud services
- Memory injection and syscall proxying
- Userland execve technique
Using Stream Detector
- A forensic tool that identifies hidden files such as images, videos, text, and executables within Alternate Data Streams present on NTFS drives
- Can detect the hidden streams in the actual file directory and lists the hidden stream file name, stream type, size of the stream, etc.
- This tool can be used to detect and extract hidden streams, and to delete the file and unwanted streams
Winrtgen
- A graphical rainbow table generator
- Supports LM, FastLM, NTLM, LMCHALL, HalfLMCHALL, NTLMCHALL, MSCACHE, MD2, MD4, MD5, SHA1, RIPEMD160, MySQL323, MySQLSHA1, CiscoPIX, ORACLE, SHA-2 (256), SHA-2 (384), and SHA-2 (512) hashes
SSD File Carving on APFS
- Acquire the disk image of the APFS volume from a TRIM-disabled SSD in a forensically sound manner
- Examine the forensically acquired evidence file to recover deleted data
- Tools:
  -- AppleXsoft File Recovery for Mac
  -- Disk Doctors Mac Data Recovery
  -- R-Studio for Mac
  -- Data Rescue 4
  -- Stellar Phoenix Mac Data Recovery
  -- 321Soft Data Recovery
  -- Disk Drill for Mac
  -- Mac Data Recovery Guru
  -- Cisdem DataRecovery 3
  -- TestDisk for Mac
Password Cracking Using Cain & Abel
- Allows recovery of various kinds of passwords by sniffing the network and cracking encrypted passwords using dictionary, brute-force, and cryptanalysis attacks
- Covers some security aspects/weaknesses present in a protocol's standards, authentication methods, and caching mechanisms
- The program does not exploit any software vulnerabilities or bugs that could not be fixed with minimum effort
Trail Obfuscation
- Anti-forensic technique used to confuse, disorient, and divert the forensic examination process
- Attackers mislead investigators via log tampering, false e-mail header generation, timestamp modification, and modification of various file headers
- Some techniques include:
  -- Log cleaners
  -- Spoofing
  -- Misinformation
  -- Zombie accounts
  -- Trojan commands
Alternate Data Streams
- Attackers use this to hide data in Windows NTFS; the hidden data cannot be revealed through the command line or Windows Explorer
- Allows the attacker to hide any number of streams in one single file without modifying the file size, functionality, etc., except the file date
- The file date can be modified using anti-forensics tools like TimeStomp
- In some cases, these hidden __ can be used to remotely exploit a web server
Password Types
- Cleartext passwords - transmitted and stored without any encryption
- Obfuscated passwords - stored or communicated after encryption, and can be decrypted by applying the reverse algorithm
- Password hashes - signatures of the original password, produced by a one-way algorithm that cannot be reversed
Password Cracking Using Rainbow Crack
- Cracks hashes with rainbow tables
- Uses a time-memory tradeoff algorithm to crack hashes
- May take a long time to pre-compute the table, but once the pre-computation is finished, hashes stored in the table can be cracked with much better performance than a brute-force cracker
Anti-Forensic Techniques
- Data/File Deletion
- Password Protection
- Steganography
- Data Hiding in File System Structures
- Trail Obfuscation
- Artifact Wiping
- Overwriting Data/Metadata
- Encryption
- Program Packers
- Minimizing Footprint
Password Cracking Using PwDump7
- Extracts LM and NTLM password hashes of local user accounts from the database
- Dumps the password hashes (OWFs) from NT's SAM database
- It is also capable of dumping protected files
- Requires admin privileges on the remote system
Goals of Anti-Forensics
- Interrupt and prevent information collection
- Make it difficult for the investigator to find evidence
- Hide traces of crime or illegal activity
- Compromise the accuracy of a forensics report or testimony
- Delete evidence that an anti-forensics tool has been run
Storage location of Recycle Bin
- Location on FAT file systems: on older FAT, it is located in Drive:\RECYCLED
- Location on NTFS file systems: on Windows 2000, NT, and XP it is located in Drive:\RECYCLER\<SID>; on Windows Vista and later, it is located in Drive:\$Recycle.Bin\<SID>
Timestomp
- One of the most widely used trail obfuscation tools; allows deletion or modification of timestamp-related information on files
- Metasploit framework tool
$I File Metadata
- Original file name
- Original file size
- The date and time the file was deleted
- Unique identifying number
- The drive number on which the file was stored
Steganalysis Methods/Attacks
- Steg-only - only the stego object is available for analysis
- Known-stego - has the stego algorithm and both the cover medium and the stego-object
- Known-message - access to the hidden message and the stego-object
- Chosen-message - generates stego objects from a known message to identify steg algorithms
- Chosen-stego - access to the stego-object and the algorithm
- Chi-square - probability analysis to test whether the stego object and the original data are the same
- Distinguishing statistical - analyzes the embedding algorithm used to detect distinguishing statistical changes
- Blind classifier - fed with the original data to learn the resemblance
Challenge of Steganalysis
- A suspect information stream may or may not have encoded hidden data
- Efficient and accurate detection of hidden content within digital images is difficult
- The message might have been encrypted before being inserted into a file or signal
- Some of the suspect signals or files may have irrelevant data or noise encoded into them
3 types of passwords in BIOS Setup
- System password
- Admin password
- HDD password
Note: bypassing the BIOS password can unlock the System and Admin passwords but not the HDD password
Recovering Deleted Partitions
- The MBR partition table contains the records of the primary and extended partitions of a disk
- When a partition is deleted from a disk, the entries corresponding to the deleted partition are removed from the MBR partition table
- Investigators use tools such as R-Studio and EaseUS Data Recovery Wizard to scan the disk for lost partitions and recover them
- These automated tools perform a full disk scan, look for deleted partition information, and reconstruct the partition table entry for the deleted partition
HDD File Carving on Windows
- The forensic image file is acquired using tools such as FTK Imager and the DD utility and examined using Autopsy
- Autopsy recovers the deleted data from the evidence file
SSD File Carving on Linux System
- The image forensically acquired from a TRIM-disabled SSD should be examined using file carving tools such as Autopsy, R-Studio, etc.
- In Autopsy, the data carved from the forensic evidence file is displayed under the appropriate data source with the heading "$CarvedFiles"
Recycle Bin Forensics
- The original files pertaining to the $I files are not visible in the Recycle Bin folder when:
  -- the $I file is corrupt or damaged
  -- the attacker/insider deletes $I files from the Recycle Bin
- During a forensic investigation, the investigator should check for the $R files in the Recycle Bin directory to counter the anti-forensic technique used by the attacker
- If the metadata files related to the original files are not present in the folder, the investigator can use the 'copy' command to recover the deleted files ($R files)
  -- Command: copy <$R* (or file name)> <Destination Directory>
Methods to bypass/reset BIOS password
- Using a manufacturer's backdoor password to the BIOS
- Using password cracking software
- Resetting the CMOS using jumpers or solder beads
- Removing the CMOS battery for at least 10 min
File Carving on Linux
- When a file is deleted from Linux using the command /bin/rm, the inode pointing to the file gets removed but the file remains on the disk until it is overwritten with new data
- If a running process keeps a file open and then removes the file, the file contents are still on the disk, and other programs will not reclaim the space
- The second extended file system (ext2) is designed in such a way that it has several places where data can be hidden
- Note that if an executable erases itself, its contents can be retrieved from a /proc memory image
  -- The command cp /proc/$PID/exe /tmp/file creates a copy of the executable in /tmp
- Tools that can be used to recover deleted files from Linux:
  -- Stellar Phoenix Linux Data Recovery
  -- Ddrescue
  -- R-Studio for Linux
  -- Data Recovery for Linux
  -- Kernel for Linux Data Recovery
  -- Autopsy
  -- Scalpel
  -- Mondo Rescue
  -- Foremost
  -- TestDisk
  -- PhotoRec
SSD File Carving on Windows
- When a forensic investigator performs file carving on a forensic image file acquired from a TRIM-enabled SSD, it is not possible to recover deleted data from the disk
- Tools such as Autopsy, EaseUS Data Recovery, etc. can be used to carve data from the disk
- When Autopsy is employed to perform file carving on such an evidence file, the software lists the file names but the deleted data cannot be recovered
- When performing data acquisition, the investigator should check the status of the SSD's TRIM feature
- If TRIM is disabled on the SSD, the forensic investigator can perform file carving to recover lost data from the drive
Bypassing Windows User Password by Booting Live CD/USB
- When the user account of a Windows machine is locked, the investigator should bypass the password to get access to the machine
- In such a case, boot the machine from a Live CD/USB (here, the CAINE Live CD/DVD is used) to get access to the machine's hard disk and its contents
File Carving on Windows
- Windows tracks its files/folders on a hard drive using pointers that tell the system where the file begins and ends
- When a file is deleted from the hard drive, the pointer to the file gets deleted but the contents of the file remain on the disk
- In other words, deleted files can be recovered from the hard disk until the sectors containing the contents of the file are overwritten with new data
- File carving on SSDs is different from HDDs, since files deleted from TRIM-enabled SSDs (TRIM is enabled by default) cannot be recovered
- Data recovery tools such as Autopsy, Recover My Files, EaseUS Data Recovery Wizard, R-Studio for Windows, etc. can be used for recovering deleted files/folders from Windows
Steg Detection Tools
- zsteg
- StegoVeritas
- Stegextract
- StegoHunt
- Steganography Studio
- Virtual Steganography Laboratory (VSL)
Rainbow Table
A precomputed table that contains word lists in the form of dictionary files and brute force lists and their hash values
Steganography
A technique of hiding a secret message within an ordinary message and extracting it at the destination to maintain confidentiality of data
Artifact Wiping
Anti-forensics technique that involves deleting or destroying evidence files permanently using various tools and techniques.
Lazesoft Recover My Password Tool
Creates a bootable CD/USB that can be used to reset/unlock a Windows user password when the login credentials of the account are lost
Steps:
- Boot the machine from the USB boot drive and select "Lazesoft Recovery Suite" to load the utility
- Click on "Password Recovery"
- Select "Reset Windows Password"
- Click "Next"
- Select the Windows installation to be unlocked from the list, for example, Microsoft Windows 10 x64 Edition
- Click "Next" to get the user account list
- Select the "User Account" to be unlocked
- Click "Next"
- Click the "Reset/Unlock" button to unlock the selected user account password
- Now, click the "Reboot" option to restart the machine; the OS loads without prompting for a user password
Password Cracking Techniques
- Dictionary - a dictionary file is run against user accounts
- Brute Force - every possible combination is tried
- Rule-Based - some information about the password is known (algorithm/length/complexity); a combination attack
Password Cracking Using L0phtCrack and Ophcrack
L0phtCrack:
- A password auditing and recovery application packed with features such as scheduling, hash extraction from 64-bit Windows versions, and network monitoring and decoding
- Helps recover lost Microsoft Windows passwords by using dictionary, hybrid attacks, rainbow tables, and brute-force attacks
Ophcrack:
- A Windows password cracker based on rainbow tables
- Comes with a GUI and runs on multiple platforms
Application Password Cracking Tools
Office Password Cracking Software:
- Stellar Phoenix Office Password Recovery
- Online Password Recovery
- Office Password Genius
- Office Password Recovery Lastic
- SmartKey Office Password Recovery
PDF Cracking Software:
- PDF Password Recovery
- PDF Password Genius
- SmartKey PDF Password Recovery
- Tenorshare PDF Password Recovery
- Guaranteed PDF Decrypter
ZIP Password Cracking Software:
- Accent ZIP Password Recovery
- ZIP Password Genius
- SmartKey ZIP Password Recovery
- KRyLack ZIP Password Recovery
- Stellar Phoenix Zip Password Recovery
RAR Cracking Software:
- Accent RAR Password Recovery
- RAR Password Genius
- cRARk 5.1
- SmartKey RAR Password Recovery
- KRyLack RAR Password Recovery
Other Password Cracking Tools
- Offline NT Password & Registry Editor
- Password Unlocker Bundle
- ProActive System Password Recovery
- John the Ripper
- Wfuzz
- Active@ Password Changer
- Passware Kit Standard
- Windows Password Unlocker
- LSASecretsView
- LCP Password Cracker
- Kon-Boot
- Windows Password Recovery Tool
- Hash Suite
- Windows Password Breaker
- Windows Password Recovery
- Password Recovery Bundle
- iSunshare Windows Password Genius
- THC-Hydra
- Medusa
Overwriting Data
Overwriting programs (disk sanitizers) work in 3 modes:
- Overwrite the entire media
- Overwrite individual files
- Overwrite deleted files on the media
Windows File Recovery Tools
- Recover My Files
- EaseUS Data Recovery Wizard
- DiskDigger
- Handy Recovery
- Quick Recovery
- Stellar Phoenix Windows Data Recovery
- Total Recall
- Advanced Disk Recovery
- Windows Data Recovery Software
- R-Studio
- Orion File Recovery Software
- Data Rescue PC
- Recover4all Professional
- Recuva
- Active@ File Recovery
- Pandora Recovery
- Ontrack EasyRecovery
- Seagate File Recovery Software
- Wise Data Recovery
- Glary Undelete
- Disk Drill
- PhotoRec
- DDR Professional Recovery Software
- File Scavenger
- GetDataBack
- UndeletePlus
- VirtualLab
- Active@ UNDELETE
- WinUndelete
- R-Undelete
Removing the CMOS battery
Step 1: Shut down the system and disconnect the power plug
Step 2: Open the CPU cabinet and locate the CMOS battery (silver circular battery) on the motherboard
Step 3: Remove the CMOS battery from its socket and keep it out for 20 to 30 minutes; this flushes the CMOS memory that stores BIOS passwords and other configuration
Step 4: Replace the battery and start the system normally
Note: sometimes manufacturers use capacitors to provide backup power to the CMOS battery; if the attempt fails, keep the battery out for 24 hours
Detecting Alternate Data Streams
Step 1: cd to the directory to search, then execute: gci -recurse | % { gi $_.FullName -stream * } | where stream -ne ':$Data'
Step 2: Investigate the directory where ADS files were found
Step 3: notepad filename.extension:streamname.extension
Resetting CMOS using Jumpers
Step 1: Shut down the system and unplug the power cord
Step 2: Move the jumper from its default position so that it is across pins 2 and 3; this clears the BIOS/CMOS settings
Step 3: Now turn on the machine to verify that the password has been reset
Step 4: If the password is cleared, turn off the computer and return the jumper to its original position
Detecting Steganography
Text file:
- Alterations are made to the character positions for hiding data
- Alterations are detected by looking for text patterns or disturbances, the language used, and an unusual amount of blank spaces
Image file:
- Detected by looking for changes in size, file format, metadata, and color palette pointing to the existence of hidden data
- The statistical analysis method is used for image scanning
Audio file:
- The statistical analysis method can be used to detect audio steganography as it involves LSB modifications
- The inaudible frequencies can be scanned for hidden information
- Odd distortions and patterns in the audio graph indicate the existence of secret data
Video file:
- Detection of secret data in video files uses a combination of the methods used for image and audio files
Cryptanalysis
The process of decrypting a message without knowing the cipher or key used to encrypt it.
Bypassing Passwords on Powered-Off Computers
What an investigator can do on a powered-off machine:
- Bypass the BIOS password
- Bypass the user password by booting a Live CD/USB
What happens when a file is deleted in Windows
When a user deletes a file, the OS does not actually delete the file, but marks the file name in the Master File Table (MFT) with a special character. This character represents that the space once occupied by the file is ready for use.
FAT - the OS replaces the first letter of the deleted filename with E5H. The corresponding clusters of that file are marked unused, even though they are not empty. Until these clusters are overwritten, the file can still be recovered.
NTFS - marks the index field in the MFT with a special code. The computer now treats the clusters occupied by that file as empty. Until these clusters are overwritten, the file can be recovered.
Recycle Bin - a place to store files that are marked for deletion. The exceptions are large files and files from removable media.
$Bitmap file
a record of all used and unused clusters
Anti-Forensics
a set of techniques aimed at complicating or preventing a proper forensics investigation process
File header
a signature (also known as a magic number), which is a constant numeric or text value that determines a file format
File Carving
a technique used to recover files or fragments of files when corrupted, missing or purposely deleted.