CEIC 2012: Anti-Anti Forensics
TRANSCRIPT

Anti-Anti Forensics
David Cowen, CISSP
G-C Partners, LLC

Introduction
Who am I?
Things I've written you might have seen:
• Hacking Exposed: Computer Forensics
• Anti Hacker Toolkit, Third Edition
• Computer Forensics: A Beginner's Guide
• Hacking Exposed Computer Forensics Blog
• This presentation

What does Anti-Anti Forensics mean?
1. It's a joke from the movie 'The Big Hit'
2. It means defeating Anti Forensics tools from two perspectives:
   1. Determining what was destroyed, for use in a spoliation motion
   2. Determining what tool was used to destroy it and when it was done
   3. Defeating the tool by recovering what was destroyed

Outline
Session Objectives: our goal is to help you
1. Determine if wiping has occurred
2. Determine the number of files wiped
3. Determine if a system cleaner has run
4. Determine what the system cleaner has removed
5. Determine the time the system cleaner ran
6. Determine what the capabilities of the tool are
7. Possibly recover what was destroyed

Two types of Anti Forensic tools discussed
• Wipers, which do not include system cleaners
• System cleaners, which may include wipers

Identifying wiping
• Wiping a whole disk
• Wiping a partition
• Wiping individual files

Determine the number of files wiped
• Most wipers do three things to obfuscate what they have wiped:
  • Rename the file to a random file name
  • Fill the file to overwrite the prior contents
  • Reset the dates back to a fictitious time
• Find the block of file names that match these criteria, all accessed within seconds of each other, and you've found the wiped files.
• Count the number of these files and you've identified how many have been wiped.

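The triage described on this slide, as an added Python example that is not part of the presentation: it scans constructed file-system records for randomly named files whose created and modified dates were reset to before the user profile existed, then groups those accessed within seconds of each other and counts them. The name heuristic, the 10-second window and the sample records are assumptions.

```python
import re
from datetime import datetime

# Heuristic name test (assumption): an 8+ character stem of letters/digits with
# few vowels, as the random names that wipers assign tend to look.
RANDOM_STEM = re.compile(r"^[A-Za-z0-9]{8,}$")

def looks_random(name):
    stem = name.rsplit(".", 1)[0]
    if not RANDOM_STEM.match(stem):
        return False
    return sum(c in "aeiouAEIOU" for c in stem) * 4 <= len(stem)

def timestamps_reset(rec, earliest_plausible):
    # Created and modified pushed back before any date the volume could have seen.
    return rec["created"] < earliest_plausible and rec["modified"] < earliest_plausible

def find_wiped_clusters(records, earliest_plausible, window_seconds=10, min_size=2):
    # Candidates meet both criteria; group them into blocks of access times within window_seconds.
    cands = [r for r in records
             if looks_random(r["name"]) and timestamps_reset(r, earliest_plausible)]
    cands.sort(key=lambda r: r["accessed"])
    clusters, current = [], []
    for r in cands:
        if current and (r["accessed"] - current[-1]["accessed"]).total_seconds() > window_seconds:
            if len(current) >= min_size:
                clusters.append(current)
            current = []
        current.append(r)
    if len(current) >= min_size:
        clusters.append(current)
    return clusters

def count_wiped(records, earliest_plausible, **kw):
    return sum(len(c) for c in find_wiped_clusters(records, earliest_plausible, **kw))

def _rec(name, created, modified, accessed):
    f = datetime.fromisoformat
    return {"name": name, "created": f(created), "modified": f(modified), "accessed": f(accessed)}

# Constructed sample records (name, created, modified, accessed), as a $MFT parser
# or directory listing would supply them; only the four .TMP files are "wiped".
SAMPLE = [
    _rec("budget.xlsx",   "2012-03-01T09:12:00", "2012-03-04T17:40:00", "2012-05-19T08:00:00"),
    _rec("KB2533623.log", "2011-08-01T03:00:00", "2011-08-01T03:00:00", "2011-08-01T03:00:00"),
    _rec("XKQPZ1RT.TMP",  "1980-01-01T00:00:00", "1980-01-01T00:00:00", "2012-05-20T14:02:03"),
    _rec("M7QW2LZX.TMP",  "1980-01-01T00:00:00", "1980-01-01T00:00:00", "2012-05-20T14:02:05"),
    _rec("ZR9TXQ4P.TMP",  "1980-01-01T00:00:00", "1980-01-01T00:00:00", "2012-05-20T14:02:09"),
    _rec("HQ7ZXK2M.TMP",  "1980-01-01T00:00:00", "1980-01-01T00:00:00", "2012-05-21T09:00:00"),
]
PROFILE_CREATED = datetime(2011, 6, 15)  # constructed: user profile creation date (slide 10)
```

The lone HQ7ZXK2M.TMP a day later is dropped by the default min_size of 2, and KB2533623.log survives because its dates post-date the profile despite the random-looking name.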
Lab: Determine the number of files wiped

Determine if a system cleaner has run
• The one thing system cleaners don't clean is their own install
• While they may wipe out system settings, registry files, histories, etc., they don't wipe out their own programs and configuration files
• Look for files created around the time of the clean; how to determine that time is covered on the next slide
• Most have obvious names:
  • CCleaner
  • Evidence Eliminator
  • System Soap

Determine what the system cleaner has removed
• Check for the presence of the following areas, which should have data by default:
  • UserAssist
  • TypedURLs
  • Recent LNK files
  • Internet History
  • Recycle Bin
  • Jump Lists
  • MRUs
  • Restore Points
  • Event Logs
• Check the creation date of the user's profile directory to determine the time range of data missing

When did the cleaner run?
The first surviving entry in each of the forensic sources listed on the prior slide marks the first activity after the cleaner was run.
By default the cleaner will destroy all records from the time the user first logged in until the time it was run.

Lab: Documenting the destruction

Determine what the capabilities of the cleaner are
• Once you've identified the cleaner in the prior slides, do some web research on its capabilities and whether it creates any logging.
• Download the program and test it in a VM to see what artifacts it leaves behind.
• Take screenshots of the website, its capabilities, and whether it costs money to buy.
• If it costs money to buy, you might find a fragment of data left showing the purchase, or request that they produce one.

Recover what was destroyed
• Restore Points
• Volume Shadow Copies
• Online backups
• NTFS $LogFile

NTFS $LogFile
• Keeps track of all file system changes
• Keeps track of all files created and their complete MFT records
• Keeps a record of renames, including old and new file names
• Contains time stamps for some records
• Holds up to 32,000 records

Lab: Parsing the $LogFile

Conclusions
• We can determine how much data was wiped
• We may be able to determine exactly which files were wiped
• We can rarely recover the contents of the files that were wiped
• We can document and show what was destroyed, for use either in a corporate HR disciplinary meeting or in litigation
• Being able to show what was destroyed and when can be as damaging as what was contained within it

Questions?
Read my blog here: Hackingexposedcomputerforensicsblog.blogspot.com
Follow me on Twitter: @hecfblog
Be my buddy on Facebook: Hacking Exposed Computer Forensics fan page
Email me your questions