RESEARCH PAPER

ANTI FORENSICS AND DEFEATING ANTI FORENSICS MEASURES

HARPREET SINGH DARDI DFI-MUM-1-6

INTRODUCTION According to Locards principle, When a crime is committed, there is a cross transfer of evidence between the scene and the perpetrator (Saferstein, 1998). It means that one who commits crime will definitely bring something into the crime scene and leave with something from it and both of these elements can be used as forensic evidence. Same is the case with Digital Forensics where the crime scene occurs at the computer systems or other digital medias. Criminal will definitely leave one or the other traces of tools and techniques used by him to commit the crime and these traces can be used as forensic evidence for the court proceedings. The only thing that is to be focused upon is the proper examination of the suspect computer system or digital media by the investigators to ensure a correct outcome. Investigators need to apply locards principle to the cyber world in order to understand the relation between various aspects like time when the particular events took place, what actually happened , what was the source for the same etc. Then , connecting these free facts to prepare one single coherent statement could reveal the whole nature of the action. However criminals may use anti forensic methods to divert the normal investigation procedure and to confuse the investigators. This research paper focuses on various anti forensic methods and measures to defeat the same. Various types of anti forensic and forensic tools have been used here within to experiment with the security of forensic tools and strength of anti forensic tools.

COMPUTER FORENSICS AND ANTI FORENSICS The term Forensics is quite simple and specific using science and technology applications to investigate a crime. Computer Forensics is the branch of Digital Forensics pertaining to evidence found in computers and digital media. The main motive behind computer forensics is the examination of digital media in a forensically sound manner for collecting, analyzing and presenting evidence to the courts. Forensic Analysis plays an important role in cyber crime investigations as it helps the investigators to obtain certain relevant information such as boot configuration data, network packets etc.This information is then converted into permanent reports that is acceptable by the court of law. Certain Computer Forensic Tools are used by forensic examiners to collect information/data from computer systems or other digital media analyzing the collected data to uncover information that may not be immediately obvious generating a report that will be acceptable in legal proceedings Computer forensic tools (CFTs) broadly fall into two classes:

CFT

Persistent Data Tools

Volatile Data Tools

Persistent Data Tools: As clear from the name, these tools help in collecting the data that is stationary over the digital media. In other words, the data that remains when the computer system is turned off. E.g. The Sleuth Kit Volatile Data Tools: These tools help in collecting the data that is transitory and would be lost if not captured such as the packets travelling across the network. E.g. WinHex ANTI FORENSICS ( Against Forensics in layman language) is the collection of tools and techniques to confront forensics and to frustrate the investigator and the process of investigation.

Using anti forensic techniques and tools, investigators and forensic examiners are mislead from the ongoing investigation procedures.

GOALS OF ANTI FORENSICS

1. Making it impossible for the investigators to detect the event happened. 2. Preventing the investigator from detecting the evidence. 3. Investigator has to spend a huge of amount of time in order to find out what actually has happened and how it prolonged. 4. Casting doubt on the report generated. 5. Using anti forensic tools and techniques in such a way so as to make the forensic tool attack the suspect computer itself instead of retrieving the evidence. 6. Anti forensic tool should not leave any trace of its use. 7. The information collected should be disrupted in a way or other. 8. Investigator should not be able to distinguish between the actual evidence and other data. 9. The forensic tools used for data recovery or collection should reveal the wrong results which could further misguide the investigator in the investigation process. 10. The forensic tool can itself be used to attack the organization in which it is running. Anti Forensic Techniques are broadly divided into two categories:

AFT

Traditional AFT

Modern AFT

ANTI FORENSIC CATEGORIES

Anti Forensics is broadly divided into 4 categories.

DATA HIDING

ARTIFACT WIPING

TRIAL OBFUSCATION

ATTACKS AGAINST CFT TOOLS

1. DATA HIDING: This category of anti forensic method is used to hide the evidences from the investigator. This makes the case more complicated as examiners are unable to reveal the relevant content and will keep on analysing the non evident data. Most common techniques used for data hiding are Cryptography and Steganography. a) CRYPTOGRAPHY: is the science of converting readable text to unreadable form with the help of certain algorithms. In order to read the exact message, examiner has to decrypt it. For the process of decryption, he needs to know certain important elements like : Algorithm used to encrypt the text. Password used Software used Finding out these elements is the most chaotic task to be completed and may take an investigators ample time.

The transaction number is 900900900.

qANQR1DDDQQJAwKA cltao2NfX2DSUwHvn1Vu WLoY+9RDXKoxtn8UtB Q7kRLKKUZ1 PRYUopn/7+pKBcTgNXE pM+CnBL+cPoHkqbfwW vMcLT0S+vHhrp47oViX GLHUF/7j 5PrZjZQGmu7x After Encryption

Before Encryption

Tools currently available for cryptography are PGP, Crypo, GNU Privacy Guard, Disk Utility and many more.

b. STEGANOGRAPHY: is the art of hiding data behind an image or any other file. Only the intended recipient and the sender are able to see the message.

A normal human eye cannot distinguish between the normal and steganographic image above. Even the size remains the same. Tools currently available for Steganography are S-Tools, Steghide, Steganos and many more. 2. Artifact Wiping: The evidences can be permanently removed from the computer systems or digital media by the use of certain tools. One can permanently delete a single file or can wipe the whole system. The main concept behind wiping is that it overwrites each and every byte of data so many times that it becomes difficult for the tools to reveal what actually was present.

The tools available for Data wiping these days include TotalWipeOut, Kill Disk, BCWipe etc.

3. Trial Obfuscation: In order to divert or disorientate the investigation process, trial obfuscation is done. Varieties of techniques and tools can be used for the same. Trial Obfuscation includes deleting logs, spoofing the headers, changing file extensions, using Trojan commands over the computer system to divert investigators mind and many more. 4. Attacks against CFT Tools: These attacks are used to make the forensic tools inefficient. These techniques and tools focuses on each and every phase of the investigation process and hampers the CFTs performance by revealing wrong or limited results. There have been successful attacks on many of the major computer forensic tools like WinHex, FTK and many more. These attacks play with file system directories and other attributes to tamper the software functionalities.

EXPERIMENT CONDUCTED The experimental part of this paper has been divided into different stages as under:

STAGE 1

For data hiding techniques For data wiping Attacks against CFT

STAGE 2

STAGE 3

STAGE 1 : For Data Hiding Techniques A laptop with certain steganographic files and encrypted files and drive has been used. Following table shows the tools used for the same purpose : Data Hiding Technique Steganography Cryptography On The Fly Encryption Tools Used S-Tools Camouflage PGP Truecrypt

For camouflaged files The forensic tool WinHex has been used to detect the camouflage file.However, certain online tools are also available that detects whether the file is camouflaged or not. The concept behind camouflage is Appending the file to End of File. Hence, the size of camouflaged file varies from the original file. But the main point to be focused upon by the investigators is how to find out whether the file has been camouflaged or not and to crack it to reveal the hidden data.

Following snapshots depicts the difference between a normal file and a camouflaged file when opened up in WinHex.

EOF of normal file when opened up in WinHex.

EOF of a camouflaged file when opened up in WinHex.

Using Winhex , the password for camouflaged files can be changed and hidden data can be revealed. The snapshots given below depicts the steps used to crack a camouflage file using WinHex.

STEP 1: Detecting whether the file is camouflaged or not.

STEP 2: Searching for the series 00 01 00----------00 09 00 near End of File.

The series 00 02 00 is visible near End of File. Password for the file is 73 E2 1F 50 78 DF.

STEP 3: Changing the password for the file and recovering the hidden data. This is done by changing the first hexadecimal value of the password to 63 ( 63 is the hexadecimal value for a) and remaining to 20 ( 20 is for blank spaces). Hence, the new password for the camouflaged file becomes a (without inverted commas). Using this password and camouflage software, hidden data can be revealed.

10

Password of camouflaged file changed to a (without inverted commas)

Using the above method to defeat the anti forensic technique Steganography, following data was revealed.

The another tool used to detect steganographic files is STEGDETECT. The snapshot given below is from stegdetect . It depicts the detection of steganographic file.

Negative result . Stegdetect was not able to detect the steganographic file.

11

For Encrypted Text and On the Fly encryptions: Cryptanalysis has to be done in order to defeat cryptography. Encryption is being used by several applications for security purposes. Encryption cannot be broken until and unless investigator knows which software and algorithm has been used to encrypt the document or the content. Stronger the algorithm, difficult is to decrypt the content. This is one of the anti forensic methods that have steadily and strongly resisted computer forensic examinations.

STAGE 2 : For Data Wiping Following table lists the tools with their purpose used in this stage of the experiment. Tool Used WinHex Purpose For Wiping of Files and Directories For checking whether the wiped files can be recovered back or not For File wiping

Free Wipe Wizard

STEP 1 : Wiping the files/ folders using WinHex

Wiping of files/folders using wipe securely feature of WinHex

12

Same files and folders have been wiped using the software Free Wipe Wizard. STEP 2 : Checking whether the wiped folders and files can be recovered.

Wiped folders were recovered back.

STAGE 3 : Attacks against CFTs If one has detailed knowledge of how a specific forensic tool is working, he can manifest bugs in the tool itself so as to make the results unreliable. Certain kinds of vulnerabilities have been caught in various CFTs. These vulnerabilities are exploited by the attacker to hamper the investigation process. Some of the vulnerabilities are listed as under : Buffer overflow bugs in network forensic softwares like tcpdump, ethereal, snort. Files that cause softwares like Encase to crash. For the experimental phase of this stage, following tools were used : Tool Used Extension changer File Properties changer WinHex Purpose To change the extension of the files To change the properties of the file To detect File Extension Mismatch

13

STEP 1 : Extension changer was used to change the extension of the files. These files were then deleted And image for the container folder was created.

STEP 2 : WinHex was used to recover the files and detect the file extension mismatch.

Option to detect file type mismatch using WinHex

File Type mismatch detected

14

CONCLUSION The conducted experiments prove that all anti forensic techniques and tools are not strong enough to divert an investigation process. In many cases, these tools and techniques fail to perform some important anti forensic functions like wiping the data irreversibly , hiding data behind files , changing the extension of files, changing the time stamps for the files created and many more. However, some of the anti forensic measures like encryption are still acting as an hindrance for investigators and investigation processes. Many forensic techniques used these days can be circumvented. CFTs need to be developed keeping in mind the security aspects so that they cannot be altered in any way and anti forensics measures can be defeated easily.

The results for the experiment conducted is summarized as below : Anti Forensic Technique Steganography Anti Forensic tool used S-Tools Camouflage Forensic tool used WinHex Stegdetect Result Camouflaged file was detected and cracked. Stegdetect was not able to detect the file. Only cryptanalysis can be done. Wiped folders were recovered back. File Extension Mismatch was detected

Encryption Data Wiping Attacks against CFTs

PGP Trucrypt WinHex Free Wipe Wizard File Extension Changer File Properties Changer

WinHex WinHex

15

REFERENCES : 1.Harris, R.: Arriving at an anti-forensics consensus: Examining how to define and control the anti-forensics problem. Journal of Digital Investigation 3(suppl. 1), 4449 (2006) 2. Warren, G., et al.: Computer Forensics, Incident Response Essentials, p. 4. AddisonWesley, London (2002) 3. Sartin, B.: Anti-forensics, distorting the evidence. Journal of Computer Fraud and Security (5), 46 (2006) 4.Geiger, M.: Evaluating Commercial Counter-Forensic Tools. Carnegie Mellon University, Pittsburgh (2005) 5. Carrier, B.: File System Forensic Analysis, p. 283. Addison Wesley, London (2005) 6. Frith, D.: Stenography approaches, options and implications. International Journal of Network Security (4), 46 (2007)

16