Anti-Forensics and Anti-Anti-Forensics
(But not Anti-Anti-Anti-Forensics ...or Uncle-Forensics)
Anti-Forensic Techniques and Countermeasures
by Michael Perklin
DEFCON 20 - Friday July 27

Michael Perklin
* Digital Forensic Examiner
* Corporate Investigator
* Computer Programmer
* eDiscovery Consultant
Basically: a computer geek + legal support hybrid

Typical Methodologies
* Copy first, ask questions later; or
* Assess relevance first, copy if necessary; or
* Remote analysis of a live system, copy targeted evidence only

The approach of Private Firms
* Copy everything; leave the originals with the client (unless repossession is part of the job)
* Have to respect the property of custodians

The approach of Public Agencies
* "Gung Ho": seize everything that may be relevant
* Copy everything when safely in their lab, on their own time
* Less pressure to return items
* Typically longer turnaround times

Typical Workflow
1. Create Working Copy
2. Process Data For Analysis
3. Separate Wheat from Chaff
4. Analyze Data For Relevance
5. Prepare Report on Findings
6. Archive Data For Future

Create Working Copy
- Image the HDD
- Copy files remotely for analysis

Process Data
- Hash files
- Analyze signatures

Separate Wheat
- De-NIST or De-NSRL
- Known File Filter (KFF)
- Keyword searches

Analyze For Relevance
- Good hits or false positives?
- Look at photos, read documents, analyze spreadsheets
- Export files for native analysis
- Bookmark, flag, or otherwise list useful things

Prepare Report
- Include thumbnails, snapshots, or snippets
- Write up procedures (copy/paste from a similar case to speed up the workload)
- Attach appendices, lists, etc.

Archive Data
- Store images on a central NAS
- Shelve HDDs for future use

#1. Create a Working Copy
Confounding the first stage of the process

AF Technique #1: Data Saturation
* Let's start simple
* Own a LOT of media
* Stop throwing out devices
* Use each device/container for a small piece of your crimes
* Investigators will need to go through everything

AF Technique #2: Non-Standard RAID
* Common RAIDs share stripe patterns, block sizes, and other parameters
* This hack is simple: use uncommon settings!
* Use uncommon hardware RAID controllers (HP Smart Array P420)
* Use firmware with poor Linux support. Don't flash that BIOS!

Non-Standard RAID
* Non-standard RAID controllers sometimes allow you to choose arbitrary block sizes (not 128 or 256, but how about 287?)
* This can force an examiner to take a logical copy using the seized hardware
* Less damaging for the public sector; can be very expensive for the private sector

[Diagram/screenshot of improperly reassembled stripes]
* Odd or even?
* 1, 2, 3, 4? 2, 4, 1, 3?
* Little endian or big endian?

Mitigating Non-Standard RAIDs
* De-RAID volumes on their own system
* Use boot discs: their hardware reassembles it for you!
* If it doesn't support Linux, use Windows! Windows Live CD!
* Image the volume, not the HDDs

#2. Process Data for Analysis
Confounding the processing stage

AF Technique #3: File Signature Masking
* File signatures are identified by file headers/footers
* "Hollow out" a file and store your crime inside
* Encode data and paste it in the middle of a binary file
* MZ for EXEs, PDF for PDFs, PK for Zips

[Hex dump slide]
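Added example, written for this page and not part of Perklin's deck or of FTK: a Python check for the signature-masking technique above that an examiner can run alongside fuzzy hashing. It identifies a file by its header the way signature analysis does, then measures how many bytes sit past the format's own end marker (JPEG EOI, PDF %%EOF, ZIP end-of-central-directory); a large tail behind a clean header is what a container stuffed with foreign data looks like on disk. The sample files are constructed inline and the 64-byte threshold is an assumption.

```python
import io, struct, zipfile

def file_type(data: bytes) -> str:
    """Identify a file by its header, as a signature-analysis pass does."""
    for magic, name in ((b"\xff\xd8\xff", "jpeg"), (b"%PDF-", "pdf"),
                        (b"PK\x03\x04", "zip"), (b"MZ", "exe")):
        if data.startswith(magic):
            return name
    return "unknown"

def trailing_bytes(data: bytes) -> int:
    """Bytes that follow the format's own end-of-file marker (0 if none is found)."""
    kind = file_type(data)
    if kind == "jpeg":
        pos = 2                                    # walk marker segments after SOI
        while pos + 4 <= len(data) and data[pos] == 0xFF:
            if data[pos + 1] == 0xDA:              # SOS: scan data runs up to EOI
                end = data.find(b"\xff\xd9", pos)
                return len(data) - (end + 2) if end != -1 else 0
            pos += 2 + struct.unpack_from(">H", data, pos + 2)[0]
        return 0
    if kind == "pdf":
        end = data.rfind(b"%%EOF")                 # last %%EOF wins (incremental updates)
        return len(data[end + 5:].strip(b"\r\n")) if end != -1 else 0
    if kind == "zip":
        eocd = data.rfind(b"PK\x05\x06")           # end-of-central-directory record
        if eocd == -1 or eocd + 22 > len(data):
            return 0
        comment_len = struct.unpack_from("<H", data, eocd + 20)[0]
        return max(0, len(data) - (eocd + 22 + comment_len))
    return 0

def is_suspicious(data: bytes, threshold: int = 64) -> bool:
    """Flag a container carrying more than `threshold` bytes past its logical end."""
    return trailing_bytes(data) > threshold

# Constructed samples: a minimal JPEG, a minimal PDF, an in-memory ZIP and a payload.
SAMPLE_JPEG = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
               b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00\x12\x34\x56\xff\xd9")
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj<<>>endobj\ntrailer<<>>\n%%EOF\n"
PAYLOAD = b"\x00" * 512        # stands in for data stuffed after the real end of file

def sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "hello")
    return buf.getvalue()
```

The check only sees data past the logical end; data hidden inside a segment still needs the fuzzy-hashing and "Recent"-list review the deck recommends.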
JPG File Internals
[Hex dump of a JPG file]

Mitigating File Signature Masking
* Use "fuzzy hashing" to identify potentially interesting files
* FTK supports this out of the box
* Analyze all "Recent" lists of common apps for curious entries

#3. Separate Wheat from Chaff
Confounding the sifting process
Talk about NSRL, date filtering, deduplication and other sifting/culling techniques

Background: NSRL
* National Software Reference Library
* Huge databases of hash values
* They strive for complete coverage of all commercially available software
* Every dll, exe, hlp, pdf, dat file installed by every commercial installer
* Used by investigators to filter "typical" stuff

AF Technique #4: Rendering NSRL Useless
* Modify all system and program files
  - Modify a string in the file
  - Recalculate and update the embedded CRCs
  - Turn off Data Execution Prevention (DEP)
* NSRL will no longer match anything

[Diagram: National Software Reference Library (validates system files) vs. Data Execution Prevention (stops unsafe code, protects integrity)]

Mitigating Rendering NSRL Useless
* Search, don't filter
* Identify useful files rather than eliminating useless files (i.e. whitelist approach vs. blacklist)

AF Technique #5: Scrambled MAC Times
* All files store multiple timestamps
  - Modified: the last write
  - Accessed: the last read
  - Created: the file's birthday
* Randomize every timestamp (i.e. Timestomp)
* Disable time updates in the registry
* Randomize BIOS time regularly

#4. Analyze Data
Confounding file analysis
* Sometimes files can't be analyzed completely inside FTK/EnCase/your tool
* Files are commonly exported to a temporary folder for external analysis with other tools
* Bad-guy files then exist on the analysis machine natively instead of isolated within an image
* This can cause problems, and not just the obvious problems with viruses...
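Added example for the scrambled-MAC-times technique above (not from the deck): a Python triage pass over per-file timestamps that flags the ordering and precision inconsistencies rewritten stamps tend to leave, plus a folder-level check for creation times spread over years. The records, the acquisition time and the five-year spread threshold are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

def file_flags(created, modified, accessed, acquired) -> list:
    """Per-file heuristics over MAC times (timezone-aware datetimes).
    `acquired` is when the image was taken; nothing on the disk should postdate it."""
    flags = []
    if modified < created:
        flags.append("modified before created")
    if accessed < created:
        flags.append("accessed before created")
    for label, ts in (("created", created), ("modified", modified), ("accessed", accessed)):
        if ts > acquired:
            flags.append(f"{label} later than acquisition")
        if ts.microsecond == 0:      # whole-second stamp where the filesystem keeps 100 ns
            flags.append(f"{label} has an all-zero sub-second part")
    return flags

def folder_flags(entries, max_spread=timedelta(days=1825)) -> list:
    """Files written by one install or copy share a narrow creation window; a folder whose
    creation times span years is a candidate for randomized stamps (threshold is assumed)."""
    created = sorted(e["created"] for e in entries)
    spread = created[-1] - created[0] if len(created) > 1 else timedelta(0)
    return [f"creation times spread over {spread.days} days"] if spread > max_spread else []

# Constructed records: one ordinary file and one whose stamps were rewritten.
UTC = timezone.utc
ACQUIRED = datetime(2012, 7, 27, 12, 0, 0, 123456, tzinfo=UTC)
CLEAN = dict(created=datetime(2012, 6, 1, 9, 0, 0, 456789, tzinfo=UTC),
             modified=datetime(2012, 6, 2, 10, 0, 0, 111111, tzinfo=UTC),
             accessed=datetime(2012, 6, 3, 11, 0, 0, 222222, tzinfo=UTC))
STOMPED = dict(created=datetime(2019, 1, 1, 9, 0, 1, tzinfo=UTC),   # after acquisition, .000000
               modified=datetime(1997, 5, 5, 5, 5, 5, tzinfo=UTC),
               accessed=datetime(2003, 3, 3, 3, 3, 3, tzinfo=UTC))

def triage(records, acquired=ACQUIRED) -> dict:
    """Run both checks over {name: record} and return only the entries that raised flags."""
    report = {name: file_flags(acquired=acquired, **rec) for name, rec in records.items()}
    report["<folder>"] = folder_flags(records.values())
    return {k: v for k, v in report.items() if v}
```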
AF Technique #6: Restricted Filenames
* Even Windows 7 still has holdovers from DOS days: restricted filenames
  - Reserved characters: \ / : * ? " < > |
  - Reserved names: PRN AUX NUL COM# LPT#
* Use these filenames liberally

Mitigating Restricted Filenames
* Never export files with native filenames
* Always specify a different name
* FTK does this by default (1.jpg)
* Export by FileID or autogenerated name

AF Technique #7: Circular References
* Folders in folders have a typical limit of 255 characters on NTFS
* "Symbolic links" or "junctions" can point to a parent, e.g. C:\Parent\Child\Parent\Child
* Store criminal data in multiple nested files/folders

Circular References
* Many tools that recursively scan folders are affected by this attack
* Some tools don't bat an eye (FTK 4)

Mitigating Circular References
* Do not export folders for analysis
* Only export the files themselves
* "Flatten" the export of all nested files into one common folder

AF Technique #8: Use Lotus Notes
* NSF files and their .id files always give problems
* There are many tools to deal with NSFs
* Every one of them has its own problems

Lotus Notes
[Diagram comparing Notes dll use]
* Most apps that support .NSF files use the same IBM Lotus Notes dll
* If anyone knows how to use their API, it's IBM themselves

Mitigating Lotus Notes
* Train yourself on Lotus Notes
* Do not rely on NSF conversion
* Lotus Notes is the best NSF tool
* It has its quirks
* Once you know the quirks you can navigate around them

#5. Report Your Findings
Confounding the reporting process

AF Technique #9: Hash Collisions
* MD5 and SHA1 hashes are used to identify files in reports
* Add dummy data to your criminal files so its MD5 hash matches known good files
* Searches for files by hash will yield unexpected results

Hash Collisions
* Of course, this would only be useful in a select few cases, i.e.
  you stole company data and stored it on a volume they could seize/search

Mitigating Hash Collisions
* Use a hash function with fewer collisions (SHA1, SHA256, Whirlpool)
* Double-check your findings by opening each matched file to verify the search was REALLY a success... boy, would your face be red!

AF Technique #10: Dummy HDD
* Have a PC with an HDD that isn't used
* USB-boot and ignore the HDD for everyday use
* Store work on a cloud/remote machine
* Manually connect to the address each day
* Automate dummy writes to the local HDD to simulate regular usage

Mitigating Dummy HDDs
* Always check for USB drives; they can be SMALL these days
* Pagefile on the USB drive may point to network locations (if the OS was paging at all...)
* If possible, monitor network traffic before seizure to detect the remote drive location

Questions
* Have you encountered frustration in your examinations? How did you deal with it?
* I'd love to hear about it in the speaker room!
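Added example (not the deck's or FTK's code) for the Restricted Filenames and Circular References mitigations in section #4 above, combined in one Python exporter: files are written under an autogenerated name (FileID plus a sanitized extension, with reserved DOS device names flagged for the report rather than reproduced), and every nested file is flattened into one folder while directories are tracked by real path, so a junction or symlink back to a parent is entered only once. The sample tree, including the Parent/Child/Parent loop, is constructed in a temporary directory; on Windows, creating that symlink needs the appropriate privilege.

```python
import os, re, shutil, tempfile

RESERVED = {"CON", "PRN", "AUX", "NUL", *(f"COM{i}" for i in range(1, 10)),   # DOS device names
            *(f"LPT{i}" for i in range(1, 10))}
BAD_CHARS = re.compile(r'[\\/:*?"<>|\x00-\x1f]')                              # refused by Windows

def is_restricted_name(name: str) -> bool:
    """True if exporting `name` verbatim would trip Windows; worth a line in the report."""
    base = name.split(".")[0].upper()
    return base in RESERVED or bool(BAD_CHARS.search(name)) or name.endswith((" ", "."))

def export_name(file_id: int, original: str) -> str:
    """FTK-style autogenerated export name ('1.jpg'): the id plus a sanitized extension."""
    _, dot, ext = original.rpartition(".")
    ext = BAD_CHARS.sub("", ext).strip(" .")[:8] if dot else ""
    return f"{file_id}.{ext}" if ext else str(file_id)

def flatten_export(root: str, dest: str) -> list:
    """Copy every regular file under `root` into the single folder `dest`; directories are
    remembered by real path, so a link back to an ancestor is entered at most once."""
    os.makedirs(dest, exist_ok=True)
    seen, manifest, stack = {os.path.realpath(root)}, [], [root]
    while stack:
        with os.scandir(stack.pop()) as it:
            entries = sorted(it, key=lambda e: e.name)     # deterministic order
        for entry in entries:
            if entry.is_dir():                             # follows links on purpose
                real = os.path.realpath(entry.path)
                if real not in seen:
                    seen.add(real)
                    stack.append(entry.path)
            elif entry.is_file(follow_symlinks=False):
                name = export_name(len(manifest) + 1, entry.name)
                shutil.copyfile(entry.path, os.path.join(dest, name))
                manifest.append((entry.path, name))
    return manifest

def build_sample_tree() -> str:
    """Constructed tree: Parent/NUL, Parent/Child/evidence.jpg and a Parent/Child/Parent loop."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "Parent", "Child"))
    for rel, blob in (("Parent/NUL", b"device name"), ("Parent/Child/evidence.jpg", b"\xff\xd8")):
        with open(os.path.join(root, *rel.split("/")), "wb") as f:
            f.write(blob)
    os.symlink(os.path.join(root, "Parent"), os.path.join(root, "Parent", "Child", "Parent"))
    return root

def demo() -> list:
    return [name for _, name in flatten_export(build_sample_tree(), tempfile.mkdtemp())]
```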