
Anti-Forensics


Presentation Transcript


  1. Anti-Forensics
     Professor Drew Hamilton, Alex Applegate, Auburn University
     References used: Paul Henry, http://www.techsec.com/pdf/Tuesday/Tuesday%20Keynote%20-%20Anti-Forensics%20-%20Henry.pdf

  2. Mac versus PC

  3. Cracking Passwords
     • Ready-to-use free software
     • Philippe Oechslin – Rainbow Tables
     • Easy and cheap to develop advanced capability
     • Bootable live CDs/USB key – local OS does not matter

  4. Password Cracking
     • Capable of cracking Windows XP passwords of up to 14 characters, including numbers and special characters, in under 2 minutes with no special hardware
     • Attacks against both Windows and Unix systems
     • Able to generate custom dictionaries via rainbow tables
     • GPU calculation acceleration using NVIDIA GeForce GTX 470 (Fermi)
     • 480 processor cores under current hardware
     • Expandable to 3072 processor cores
     • Custom parallel processing code using CUDA and OpenACC
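As an added illustration (not from the slides) of the time-memory trade-off behind Oechslin's rainbow tables, and of why a per-user salt defeats a precomputed table: a toy table over four-letter passwords in Python. The keyspace, chain length, chain count and the salt string are constructed for the demonstration; real tables use far larger keyspaces and longer chains.

```python
import hashlib
import itertools
import string

# Constructed toy setting: 4 lowercase letters (26^4 candidates), unsalted MD5.
ALPHABET, LENGTH = string.ascii_lowercase, 4
CHAIN_LEN, NUM_CHAINS = 100, 2000

def h(password: str) -> bytes:
    return hashlib.md5(password.encode()).digest()

def reduce_(digest: bytes, step: int) -> str:
    """Map a digest back into the keyspace; adding the column index gives each
    column its own reduction function (Oechslin's refinement of Hellman chains)."""
    n, base = int.from_bytes(digest, "big") + step, len(ALPHABET)
    return "".join(ALPHABET[(n // base ** i) % base] for i in range(LENGTH))

def chain_member(start: str, k: int) -> str:
    """The k-th password on the chain beginning at `start` (k = 0 is `start`)."""
    p = start
    for step in range(k):
        p = reduce_(h(p), step)
    return p

def build_table() -> dict:
    """Keep only endpoint -> starts; merged chains share an endpoint, hence a list."""
    starts = ("".join(t) for t in itertools.product(ALPHABET, repeat=LENGTH))
    table = {}
    for s in itertools.islice(starts, NUM_CHAINS):
        table.setdefault(chain_member(s, CHAIN_LEN), []).append(s)
    return table

def lookup(table: dict, target: bytes):
    """For each column the preimage could occupy, regenerate the rest of that
    chain; if the endpoint is known, walk its chain until the hash matches."""
    for pos in range(CHAIN_LEN - 1, -1, -1):
        p = reduce_(target, pos)
        for step in range(pos + 1, CHAIN_LEN):
            p = reduce_(h(p), step)
        for start in table.get(p, ()):
            q = start
            for step in range(CHAIN_LEN):
                if h(q) == target:
                    return q
                q = reduce_(h(q), step)
    return None  # not covered by this table, or a false alarm from a chain merge

TABLE = build_table()
```

A salted hash such as `h("x7" + password)` has no preimage inside the four-letter keyspace the table was built over, so the lookup returns None even though the password itself is covered.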

  5. Trend Manipulation
     • Whatever became of The Orchids?
     • What if you create 50,000 virtual machines, 50,000 dummy accounts and 50,000 “likes” for the Orchids?

  6. Reasonable Doubt? (Paul Henry)
     • EnCase and The Sleuth Kit vulnerabilities
     • http://www.isecpartners.com/files/iSEC-Breaking_Forensics_Software-Paper.v1_1.BH2007.pdf
     • Evidentiary Implications of Potential Security Weaknesses in Forensic Software
     • “As with other forensic techniques, computer forensic tools are not magic; they are complex software tools that like all software may be subject to certain attacks.
     • Yet because these tools play such a critical role in our legal system, it is important that they be as accurate, reliable, and secure against tampering as possible.
     • Vulnerabilities would not only call into question the admissibility of forensic images, but could also create a risk that if undetected tampering occurs, courts may come to the wrong decisions in cases that affect lives and property.”
     • http://www.isecpartners.com/files/Ridder-Evidentiary_Implications_of_Security_Weaknesses_in_Forensic_Software.pdf

  7. Bootable Media
     • Create a bootable DVD
     • Lion, Ubuntu, Windows 7 repair disk
     • Encrypted environment on the HD
     • No trace on the PC
     • Custom encryption possible
     • TrueCrypt is free

  8. Have You Got Your Mojo (pac)?
     • MojoPac makes your USB drive or iPod your PC
     • Leaves no trace on the host
     • Free download
     • www.mojopac.com

  9. Windows Encryption & TPM
     • BitLocker requires TPM hardware
     • Encryption key stored on removable USB drive
     • Not in all versions of Windows 7 / Vista – only the Enterprise/Ultimate editions
     • Limited availability of motherboards with TPM chips
     • How good are TPMs?
     • Banned in Russia, China, Belarus and Kazakhstan

  10. Encryption (Paul Henry)
     • Encryption is a forensic analyst's nightmare
     • It is only a matter of time before the bad guys adopt current-technology encryption
     • Current offerings provide for multiple levels of “plausible deniability”
     • Create a hidden encrypted volume within an encrypted volume
     • Bad guy gives up the password to the first level only
     • Second level remains hidden and looks like random data within the volume (undetectable)
     • Total downloads 3,487,388; 1-day downloads 5,547

  11. Expanding USB Vulnerabilities
     • Remote attack by adding a 3G modem to a keyboard

  12. Signals Intelligence: Onion Routing

  13. The Onion Router (TOR)
     • Developed by the US Navy to protect information exchange across open channels
     • Not formally designed to be anti-forensic
     • Defeats external traffic analysis
     • Operates similarly to a VPN, but strips out header data other than the previous node and the next node

  14. The Onion Router (TOR)
     Source: The Onion Router Project website, http://www.torproject.org
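An added Python sketch (not from the slides or the Tor Project) of the layering slide 13 describes: the client wraps the message once per relay, and each relay peels exactly one layer, learning only the previous and the next hop. The HMAC-based keystream cipher, the relay names and the keys are constructed stand-ins; Tor's real circuit construction and cipher suite differ.

```python
import hashlib
import hmac
import json
import os

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy cipher: XOR with an HMAC-SHA256 counter keystream (illustration only;
    Tor uses AES-CTR). XOR is its own inverse, so this both encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def wrap(key: bytes, next_hop: str, payload: bytes) -> bytes:
    """One onion layer: the only cleartext a relay recovers is `next_hop` plus an
    opaque payload it cannot read."""
    nonce = os.urandom(8)
    layer = json.dumps({"next": next_hop, "payload": payload.hex()}).encode()
    return nonce + keystream_xor(key, nonce, layer)

def unwrap(key: bytes, blob: bytes):
    nonce, body = blob[:8], blob[8:]
    layer = json.loads(keystream_xor(key, nonce, body))
    return layer["next"], bytes.fromhex(layer["payload"])

def build_onion(path, keys, destination: str, message: bytes) -> bytes:
    """Client side: wrap the exit layer first, then work back toward the guard."""
    blob, next_hop = message, destination
    for relay in reversed(path):
        blob = wrap(keys[relay], next_hop, blob)
        next_hop = relay
    return blob

def route(path, keys, onion: bytes):
    """Relay side: each hop peels one layer and learns only previous and next hop."""
    observed, prev, blob = [], "client", onion
    for relay in path:
        next_hop, blob = unwrap(keys[relay], blob)
        observed.append((relay, prev, next_hop))
        prev = relay
    return observed, blob

PATH = ["guard", "middle", "exit"]
# Constructed per-hop keys; a real circuit negotiates one with each relay in turn.
KEYS = {r: hashlib.sha256(("demo-key-" + r).encode()).digest() for r in PATH}

def demo():
    onion = build_onion(PATH, KEYS, "example.test", b"hello")
    return route(PATH, KEYS, onion)
```

The `observed` list returned by `route` is the whole of what each relay could log: the guard sees the client and the middle relay, the exit sees the middle relay and the destination, and no single hop sees both ends.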

  15. The Defiler’s Toolkit
     • First public anti-forensic tool (2002)
     • Developed by “The Grugq”
     • Targeted specifically to counter The Coroner’s Toolkit, and only extensively tested on ext2/3 file systems
     • Works from the basis of the File Insertion and Subversion Technique (FISTing) – “inserting data into places it doesn’t belong”

  16. The Defiler’s Toolkit
     • Six components
     • Four data-hiding systems
       • Kill Your File System (KY FS) – stores data in superblocks / directory structures
       • Waffen FS – stores data in the ext3 journal file (of an ext2fs system)
       • Data Mule FS – stores data in inode reserved space
       • Rune FS – stores data in bad blocks
     • Two data-wiping applications
       • Necrofile – finds unallocated inodes and wipes them
       • Klismafile – finds and zeroizes data in slack space

  17. Metasploit Anti-Forensic Investigation Arsenal (MAFIA)
     • Developed by Vinnie Liu and distributed with Metasploit 2.2 (2004)
     • Windows-specific
     • Four components
       • TimeStomp: MAC time modification tool
       • Slacker: tool to hide data in slack space
       • SAM Juicer: password file extractor
       • Transmogrify: file signature modifier
     • Slacker and Transmogrify were never reliable and were apparently discontinued; Transmogrify was never released
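An added defender-side illustration (not from the slides or MAFIA) of how MAC-time modification of the kind TimeStomp performs can be spotted during examination: the constructed MFT records below carry Windows FILETIME values for $STANDARD_INFORMATION and $FILE_NAME, and the checks flag a zeroed sub-second part and an $SI creation time that predates $FN. Both heuristics are assumptions about typical artifacts and produce leads, not proof.

```python
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch, 100-ns ticks

def to_filetime(dt: datetime) -> int:
    return (dt - EPOCH) // timedelta(microseconds=1) * 10

def from_filetime(ft: int) -> datetime:
    return EPOCH + timedelta(microseconds=ft // 10)

def zero_fraction(ft: int) -> bool:
    """True when the timestamp has no sub-second part. Tools that rewrite times
    through the user-mode API at one-second granularity leave these ticks at zero;
    NTFS itself normally does not. (Files copied from FAT media can look alike.)"""
    return ft % 10_000_000 == 0

def analyze(record: dict) -> list:
    """Indicators for one MFT entry. $STANDARD_INFORMATION (si_*) is what the API
    rewrites; $FILE_NAME (fn_*) is kernel-maintained and usually left alone."""
    flags = []
    for name in ("si_created", "si_modified"):
        if zero_fraction(record[name]):
            flags.append(f"{name} has a zero sub-second part")
    if record["si_created"] < record["fn_created"]:
        flags.append("si_created predates fn_created")
    return flags

def scan(records) -> dict:
    return {r["name"]: analyze(r) for r in records}

def ts(*args) -> int:
    return to_filetime(datetime(*args, tzinfo=timezone.utc))

# Constructed MFT records, not data from a real case.
SAMPLE = [
    {"name": "report.docx",
     "si_created": ts(2012, 3, 14, 9, 26, 53, 589793),
     "si_modified": ts(2012, 3, 15, 17, 2, 11, 238462),
     "fn_created": ts(2012, 3, 14, 9, 26, 53, 589793)},
    {"name": "update.exe",
     "si_created": ts(2009, 7, 14, 1, 14, 0),   # whole seconds, years before fn_created
     "si_modified": ts(2009, 7, 14, 1, 14, 0),
     "fn_created": ts(2012, 3, 16, 22, 41, 7, 412000)},
]
```

Run `scan(SAMPLE)` to get the indicator list per file; the legitimate record comes back empty and the stomped one carries three flags.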

  18. Meterpreter
     • Central component in the Metasploit Framework
     • Serves as a payload injected by any of a number of exploits
     • Opens a covert communication channel with shell command capabilities
     • Resides exclusively in memory, never touches the disk

  19. Meterpreter (cont’d)
     • An artifact left in upper memory by Meterpreter

  20. www.evidenceeliminator.com/register_reasons.d2w
     • Just some reasons why you must buy protection for yourself right now.
     • Pelican Bay State Prison (USA): "....putting a prisoner in a cell with a known assaulter and setting up alleged sex offenders for attack are not uncommon...."
     • Corcoran Prison (California USA): "....Dillard, who weighed 120 pounds, fought back but Robertson was too powerful. He said he pounded on the cell door, banged at it in a way that the guards surely must have heard, but nobody ever came as he was raped...."
     • The View From Behind Prison Bars (USA): "....The guard in the tower decided to blow one of the inmates' heads off.... The suicides at San Quentin are amazing. I never knew doing time would subject me to watching guys do swan dives off the fifth tier... we were forced to sleep in shifts to keep the cockroaches from crawling in our mouths...."
     • Get total protection. Buy your license to Evidence Eliminator™. $149 is less than 149 years. Permanent protection for only $149.95 (US)

  21. Who Pays For Software?

  22. Disk Wiping Products

  23. Signatures
     • Examining hashes is a quick way to determine whether specific files are or are not on the image being examined
     • Altering a single byte will alter the hash but still leave a malicious program executable

  24. Some Hash Utilities are Unreliable

  25. Packers & Binders (Paul Henry)
     • A packer can change the hash of any executable file and render a search for a known MD5 useless
     • The potentially malicious file will not be found with an antivirus scanner
     • Binders combine two or more executables into a single executable file
     • Allows the bad guy to attach a Trojan, keylogger or other malicious program to a common exe file
     • The resulting MD5 will not match a known-bad database
     • 37 different free binders are downloadable at http://www.trojanfrance.com/index.php?dir=Binders/

  26. Magnetic Remanence

  27. Expanding Forensic Outreach

  28. New Targets for Digital Forensics

  29. Conclusion
