Module 5: Defeating Anti-Forensics Techniques


Program Packers

- A program used to compress or encrypt executable programs
- Hides attack tools from detection through reverse engineering by modifying the original entry point of the executable
- Some of the widely used tools are UPX, BurnEye, Exe Stealth Packer, Smart Packer Pro, etc.
- Packers that require a password to run the program are considered strong, whereas those that do not require a password are vulnerable to static analysis

DNS Monitoring

- Attacker sends packets across a network with the destination IP address coming from an inactive subnet and the source IP address coming from a rarely used network
- When network monitoring tools come across such packets, they might make a reverse DNS request in an attempt to resolve the hostname of the source IP address
- If the attacker is able to monitor the DNS server and identify the reverse DNS request, he/she can conclude that packets are being monitored

Overwriting Metadata

- Attackers can use tools to wipe the contents of media, but that action itself might draw the attention of investigators; therefore attackers cover their tracks by overwriting the metadata (i.e. access times), making construction of a timeline difficult
- Ex: timestomp, part of the Metasploit framework, is used to change the MACE attributes of a file
- Another way to confuse the investigator is to access the computer in a way that generates no metadata
- Ex: mounting a partition as read-only, or accessing it through the raw device, prevents file metadata from being updated
- Setting the Windows registry key "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate" to 1 disables updating of the accessed timestamp

Artifact Wiping Methods

- Disk Wiping utilities - erase data from the disk by deleting its links to memory blocks and overwriting the memory contents
- File Wiping utilities - delete individual files and file table entries from an OS
- Disk Degaussing/destruction utilities - physical destruction of the device
- Disk formatting - wipes the address tables and unlinks all the files; does not erase the data present

Detecting File Extension Mismatch

- Every digital file contains a signature that is located in the first 20 bytes of the file
- Tools such as Hex Editor Neo, Hex Workshop, etc. can be used to get the hex view of the file and identify the file signature by examining the first 20 bytes of the file
- In signature analysis, a mismatch between the file header and its extension can be identified
- In Autopsy, use the "Extension Mismatch Detected" module to identify whether an attempt has been made to tamper with the file extension of known file types

Detecting hosts in "promiscuous mode"

- Many network forensics tools use an Ethernet interface in promiscuous mode to capture all packets on the LAN
- Often, these tools are not configured to stay silent (i.e. not transmit) on the network that is being examined
- Thus, they can be detected by the way they respond to pings, ARPs, and malformed IP packets

Data Encryption

- One of the commonly used techniques to defeat the forensics investigation process
- Intruders use strong encryption algorithms to encrypt data of investigative value, which renders it virtually unreadable without the designated key
- Additionally, most encryption programs are capable of performing additional functions, including use of a key file, full-volume encryption, and plausible deniability; that makes the investigator's job more difficult
- Cryptanalysis can be used to decrypt encrypted data

Detecting Overwritten Data/Metadata

- To detect timestamp forgery on the NTFS file system, the forensic investigator can employ forensic tools such as analyzeMFT to compare the $STANDARD_INFORMATION and $FILE_NAME attributes
-- analyzeMFT.py is designed to fully parse the MFT file from an NTFS filesystem and produce output in CSV or bodyfile format
- When the $FILE_NAME creation date and the $STANDARD_INFORMATION creation date (for any file) do not match, it indicates that the file has been timestomped

Detecting USB devices

- To enumerate the USB storage devices that have been connected to the system, use the following PS command: Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR\*\* | Select FriendlyName
- In the Windows registry these entries are located at: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_[VendorName]&Prod_[ProductName]&Rev_1.00\[serialNo]

Unpacking Program Packers

- To unpack/extract the original program executable from the packer, the investigator should first identify the tool used to pack the executable
- The Exeinfo PE tool can analyze the code to identify the packer tool
- Ex: if UPX is the utility used to pack the program, unpack it with the UPX utility command: upx.exe -d -o [unpacked_file_name] [packer_file_name]

Anti-Forensics Countermeasures

- Train and educate the forensic investigator about anti-forensics
- Validate the results of examination using multiple tools
- Impose strict laws against illegal use of anti-forensics tools
- Understand the anti-forensic techniques and their weaknesses
- Use the latest and updated CFTs and test them for vulnerabilities
- Save data in secure locations
- Use intelligent decompression libraries to defend against compression bombs
- Replace weak file heuristics with stronger ones

Anti-Forensics Techniques that Minimize Footprint

- Use of fake and stolen identities
- Running OSes from live CDs/DVDs/USB
- Use of Virtual Machines
- Use of Cloud services
- Memory injection and syscall proxying
- Userland execve technique

Using Stream Detector

- A forensic tool that identifies all hidden files such as images, videos, text, and executables within Alternate Data Streams present on NTFS drives
- Can detect hidden streams in the actual file directory and lists the hidden stream file name, stream type, size of the stream, etc.
- This tool can be used to detect and extract hidden streams, and to delete the file and unwanted streams

Winrtgen

- A graphical Rainbow Tables Generator
- Supports LM, FastLM, NTLM, LMCHALL, HalfLMCHALL, NTLMCHALL, MSCACHE, MD2, MD4, MD5, SHA1, RIPEMD160, MySQL323, MySQLSHA1, CiscoPIX, ORACLE, SHA-2 (256), SHA-2 (384), and SHA-2 (512) hashes

SSD File Carving on APFS

- Acquire the disk image of the APFS volume from a TRIM-disabled SSD in a forensic manner
- Examine the forensically acquired evidence file to recover deleted data
- Tools:
-- AppleXsoft File Recovery for Mac
-- Disk Doctors Mac Data Recovery
-- R-Studio for Mac
-- Data Rescue 4
-- Stellar Phoenix Mac Data Recovery
-- 321Soft Data Recovery
-- Disk Drill for Mac
-- Mac Data Recovery Guru
-- Cisdem DataRecovery 3
-- TestDisk for Mac

Password Cracking Using Cain & Abel

- Allows recovery of various kinds of passwords by sniffing the network, and cracking encrypted passwords using dictionary, brute-force, and cryptanalysis attacks
- Covers some security aspects/weaknesses present in a protocol's standards, authentication methods and caching mechanisms
- The program does not exploit any software vulnerabilities or bugs that could not be fixed with minimum effort

Trail Obfuscation

- Anti-forensic technique used to confuse, disorient, and divert the forensic examination process
- Attackers mislead investigators via log tampering, false e-mail header generation, timestamp modification, and modification of various file headers
- Some techniques include:
-- Log cleaners
-- Spoofing
-- Misinformation
-- Zombie accounts
-- Trojan commands

Alternate Data Streams

- Attackers use this to hide data in Windows NTFS; the hidden data cannot be revealed through the command line or Windows Explorer
- Allows an attacker to hide any number of streams in one single file without modifying the file size, functionality, etc., except the file date
- The file date can be modified using anti-forensics tools like TimeStomp
- In some cases, these hidden __ can be used to remotely exploit a web server

Password Types

- Cleartext Passwords - transmitted and stored without any encryption
- Obfuscated Passwords - stored or communicated after encrypting; can be decrypted by applying a reverse algorithm
- Password Hashes - signatures of the original password produced by a one-way algorithm that cannot be reversed

Password Cracking Using Rainbow Crack

- Cracks hashes with rainbow tables
- Uses a time-memory tradeoff algorithm to crack hashes
- May take a long time to pre-compute the table, but once the pre-computation is finished, hashes stored in the table can be cracked with much better performance than a brute-force cracker

Anti-Forensic Techniques

- Data/File Deletion
- Password Protection
- Steganography
- Data Hiding in File System Structures
- Trail Obfuscation
- Artifact Wiping
- Overwriting Data/Metadata
- Encryption
- Program Packers
- Minimizing Footprint

Password Cracking Using PwDump7

- Extracts LM and NTLM password hashes of local user accounts from the database
- Dumps the password hashes (OWFs) from NT's SAM database
- It is also capable of dumping protected files
- Requires admin privileges on the remote system

Goals of Anti-Forensics

- Interrupt and prevent information collection
- Make the investigator's task of finding evidence difficult
- Hide traces of crime or illegal activity
- Compromise the accuracy of a forensics report or testimony
- Delete evidence that an anti-forensics tool has been run

Storage location of Recycle Bin

- Location on FAT file systems: on older FAT, it is located in Drive:\RECYCLED
- Location on NTFS file systems:
-- On Windows 2000, NT, and XP it is located in Drive:\RECYCLER\<SID>
-- On Windows Vista and later, it is located in Drive:\$Recycle.Bin\<SID>

Timestomp

- One of the most widely used trail obfuscation tools; allows deletion or modification of timestamp-related information on files
- Metasploit framework tool

$I File Metadata

- Original file name
- Original file size
- The date and time the file was deleted
- Unique identifying number
- The drive number on which the file was stored

Steganalysis Methods/Attacks

- Steg-only - only the stego object is available for analysis
- Known-stego - has the stego algorithm and both the cover medium and the stego-object
- Known-message - access to the hidden message and the stego-object
- Chosen-message - generates stego objects from a known message to identify steg algorithms
- Chosen-stego - access to the stego-object and the algorithm
- Chi-square - probability analysis to test whether the stego object and original data are the same
- Distinguishing statistical - analyzes the embedding algorithm used to detect distinguishing statistical changes
- Blind classifier - fed with the original data to learn the resemblance

Challenge of Steganalysis

- The suspect information stream may or may not have encoded hidden data
- Efficient and accurate detection of hidden content within digital images is difficult
- The message might have been encrypted before being inserted into a file or signal
- Some of the suspect signals or files may have irrelevant data or noise encoded into them

3 types of passwords in BIOS Setup

- System password
- Admin password
- HDD password
Note: bypassing the BIOS password can unlock the System and Admin passwords but not the HDD password

Recovering Deleted Partitions

- The MBR partition table contains the records of the primary and extended partitions of a disk
- When a partition is deleted from a disk, the entries corresponding to the deleted partition are removed by the computer from the MBR partition table
- Investigators use tools such as R-Studio and EaseUS Data Recovery Wizard to scan the disk for lost partitions and recover them
- These automated tools perform a full disk scan, look for deleted partition information, and reconstruct the partition table entry for the deleted partition

HDD File Carving on Windows

- The forensic image file is acquired using tools such as FTK Imager and the DD utility and examined using Autopsy
- Autopsy recovers the deleted data from the evidence file

SSD File Carving on Linux System

- The forensically acquired image from a TRIM-disabled SSD should be examined using file carving tools such as Autopsy, R-Studio, etc.
- In Autopsy, the carved data from the forensic evidence file is displayed under the appropriate data source with the heading "$CarvedFiles"

Recycle Bin Forensics

- The original files pertaining to the $I files are not visible in the Recycle Bin folder when:
-- the $I file is corrupt or damaged
-- the attacker/insider deletes $I files from the Recycle Bin
- During a forensic investigation, the investigator should check for the $R files in the Recycle Bin directory to counter the anti-forensic technique used by the attacker
- If the metadata files related to the original files are not present in the folder, the investigator can use the 'copy' command to recover the deleted files ($R files)
-- Command: copy <$R* (or file name)> <Destination Directory>

Methods to bypass/reset BIOS password

- Using a manufacturer's backdoor password to the BIOS
- Using password cracking software
- Resetting the CMOS using jumpers or solder beads
- Removing the CMOS battery for at least 10 min

File Carving on Linux

- When a file is deleted from Linux using the command /bin/rm, the inode pointing to the file gets removed but the file remains on the disk until it is overwritten with new data
- If a running process keeps a file open and then removes the file, the file contents are still on the disk, and other programs will not reclaim the space
- The second extended file system (ext2) is designed in such a way that it has several places where data can be hidden
- Note that if an executable erases itself, its contents can be retrieved from a /proc memory image
-- The command cp /proc/$PID/exe /tmp/file creates a copy of the file in /tmp
- Tools that can be used to recover deleted files from Linux:
-- Stellar Phoenix Linux Data Recovery
-- Ddrescue
-- R-Studio for Linux
-- Data Recovery for Linux
-- Kernel for Linux Data Recovery
-- Autopsy
-- Scalpel
-- Mondo Rescue
-- Foremost
-- TestDisk
-- PhotoRec

SSD File Carving on Windows

- When a forensic investigator performs file carving on a forensic image file acquired from a TRIM-enabled SSD, it is not possible to recover deleted data from the disk
- Tools such as Autopsy, EaseUS Data Recovery, etc. can be used to carve data from the disk
- When Autopsy is employed to perform file carving on such an evidence file, the software lists the file names but the deleted data cannot be recovered
- When performing data acquisition, the investigator should check the status of the SSD's TRIM feature
- If TRIM is disabled on the SSD, the forensic investigator can perform file carving to recover lost data from the drive

Bypassing Windows User Password by Booting Live CD/USB

- When the user account of a Windows machine is locked, the investigator should bypass the password to get access to the machine
- In such a case, boot the machine from a Live CD/USB (here, the CAINE Live CD/DVD is used) to get access to the machine's hard disk and its contents

File Carving on Windows

- Windows tracks its files/folders on a hard drive using pointers that tell the system where the file begins and ends
- When a file is deleted from the hard drive, the pointer to the file gets deleted but the contents of the file remain on the disk
- In other words, deleted files can be recovered from the hard disk until the sectors containing the contents of the file are overwritten with new data
- File carving on SSDs is different from HDDs, since files deleted from TRIM-enabled SSDs (TRIM is enabled by default) cannot be recovered
- Data recovery tools such as Autopsy, Recover My Files, EaseUS Recovery Wizard, R-Studio for Windows, etc. can be used for recovering deleted files/folders from Windows

Steg Detection Tools

- zsteg
- StegoVeritas
- Stegextract
- StegoHunt
- Steganography Studio
- Virtual Steganography Laboratory (VSL)

Rainbow Table

A precomputed table that contains word lists in the form of dictionary files and brute force lists and their hash values

Steganography

A technique of hiding a secret message within an ordinary message and extracting it at the destination to maintain confidentiality of data

Artifact Wiping

Anti-forensics technique that involves deleting or destroying evidence files permanently using various tools and techniques.

Lazesoft Recover My Password Tool

Creates a bootable CD/USB that can be used to reset/unlock a Windows user password when the login credentials of the account are lost
Steps:
- Boot the machine from the USB boot drive and select "Lazesoft Recovery Suite" to load the utility
- Click on "Password Recovery"
- Select "Reset Windows Password"
- Click "Next"
- Select the Windows installation to be unlocked from the list, for example, Microsoft Windows 10 x64 Edition
- Click "Next" to get the user account list
- Select the "User Account" to be unlocked
- Click "Next"
- Click the "Reset/Unlock" button to unlock the selected user account password
- Now, click the "Reboot" option to restart the machine; the OS loads without prompting for a user password

Password Cracking Techniques

- Dictionary - a dictionary file is run against user accounts
- Brute Force - every possible combination is tried
- Rule-Based - some information about the password is known (algorithm/length/complexity); a combination attack

Password Cracking Using L0phtCrack and Ophcrack

L0phtCrack:
- A password auditing and recovery application packed with features such as scheduling, hash extraction from 64-bit Windows versions, and network monitoring and decoding
- Helps recover lost Microsoft Windows passwords by using dictionary, hybrid attacks, rainbow tables, and brute-force attacks
Ophcrack:
- A Windows password cracker based on rainbow tables
- Comes with a GUI and runs on multiple platforms

Application Password Cracking Tools

Office Password Cracking Software:
- Stellar Phoenix Office Password Recovery
- Online Password Recovery
- Office Password Genius
- Office Password Recovery Lastic
- SmartKey Office Password Recovery
PDF Cracking Software:
- PDF Password Recovery
- PDF Password Genius
- SmartKey PDF Password Recovery
- Tenorshare PDF Password Recovery
- Guaranteed PDF Decrypter
ZIP Password Cracking Software:
- Accent ZIP Password Recovery
- ZIP Password Genius
- SmartKey ZIP Password Recovery
- KRyLack ZIP Password Recovery
- Stellar Phoenix Zip Password Recovery
RAR Cracking Software:
- Accent RAR Password Recovery
- RAR Password Genius
- cRARk 5.1
- SmartKey RAR Password Recovery
- KRyLack RAR Password Recovery

Other Password Cracking Tools

- Offline NT Password & Registry Editor
- Password Unlocker Bundle
- ProActive System Password Recovery
- John the Ripper
- Wfuzz
- Active@ Password Changer
- Passware Kit Standard
- Windows Password Unlocker
- LSASecretsView
- LCP
- Password Cracker
- Kon-Boot
- Windows Password Recovery Tool
- Hash Suite
- Windows Password Breaker
- Windows Password Recovery
- Password Recovery Bundle
- iSunshare Windows Password Genius
- THC-Hydra
- Medusa

Overwriting Data

Overwriting programs (disk sanitizers) work in 3 modes:
- Overwrite the entire media
- Overwrite individual files
- Overwrite deleted files on the media

Windows File Recovery Tools

- Recover My Files
- EaseUS Data Recovery Wizard
- DiskDigger
- Handy Recovery
- Quick Recovery
- Stellar Phoenix Windows Data Recovery
- Total Recall
- Advanced Disk Recovery
- Windows Data Recovery Software
- R-Studio
- Orion File Recovery Software
- Data Rescue PC
- Recover4all Professional
- Recuva
- Active@ File Recovery
- Pandora Recovery
- Ontrack EasyRecovery
- Seagate File Recovery Software
- Wise Data Recovery
- Glary Undelete
- Disk Drill
- PhotoRec
- DDR Professional Recovery Software
- File Scavenger
- GetDataBack
- UndeletePlus
- VirtualLab
- Active@ UNDELETE
- WinUndelete
- R-Undelete

Removing the CMOS battery

Step 1: Shut down the system and disconnect the power plug
Step 2: Open the CPU cabinet and locate the CMOS battery (silver circular battery) on the motherboard
Step 3: Remove the CMOS battery from the socket and keep it out for 20 to 30 minutes; this flushes the CMOS memory that stores BIOS passwords and other configuration
Step 4: Replace the battery and start the system normally
Note: sometimes manufacturers use capacitors to provide backup power to the CMOS battery; if the attempt fails, keep the battery out for 24 hours

Detecting Alternate Data Streams

Step 1: cd to the directory to search, then execute: gci -recurse | % { gi $_.FullName -stream * } | where stream -ne ':$Data'
Step 2: Investigate the directory where ADS files were found
Step 3: notepad filename.extension:streamname.extension

Resetting CMOS using Jumpers

Step 1: Shut down the system and unplug the power cord
Step 2: Move the jumper from its default position so that it is across pins 2 and 3; this clears the BIOS/CMOS settings
Step 3: Now turn on the machine to verify that the password has been reset
Step 4: If the password is cleared, turn off the computer and return the jumper to its original position

Detecting Steganography

Text file:
- Alterations are made to the character positions for hiding data
- Alterations are detected by looking for text patterns or disturbances, the language used, and an unusual amount of blank spaces
Image file:
- Detected by looking for changes in size, file format, metadata, and color palette pointing to the existence of hidden data
- The statistical analysis method is used for image scanning
Audio file:
- The statistical analysis method can be used to detect audio steganography as it involves LSB modifications
- The inaudible frequencies can be scanned for hidden information
- Odd distortions and patterns in the audio graph indicate the existence of secret data
Video file:
- Detection of secret data in video files uses a combination of the methods used for image and audio files

Cryptanalysis

The process of decrypting a message without knowing the cipher or key used to encrypt it.

Bypassing Passwords on Powered-Off Computers

What an investigator can do on a powered-off machine:
- Bypass the BIOS password
- Bypass the user password by booting a Live CD/USB

What happens when a file is deleted in Windows

When a user deletes a file, the OS does not actually delete the file, but marks the file name in the Master File Table (MFT) with a special character. This character represents that the space once occupied by the file is ready for use.
- FAT - the OS replaces the first letter of the deleted filename with E5H. The corresponding clusters of that file are marked unused, even though they are not empty. Until these clusters are overwritten, the file can still be recovered.
- NTFS - marks the index field in the MFT with a special code. The computer now regards the clusters occupied by that file as empty. Until these clusters are overwritten, the file can be recovered.
- Recycle Bin - a place to store files that are marked for deletion. The exceptions are large files and files from removable media.

$Bitmap file

a record of all used and unused clusters

Anti-Forensics

a set of techniques aimed at complicating or preventing a proper forensics investigation process

File header

a signature (also known as a magic number), which is a constant numeric or text value that determines a file format

File Carving

a technique used to recover files or fragments of files when corrupted, missing or purposely deleted.
