tuesday keynote - anti-forensics - henry[1]

  • 8/8/2019 Tuesday Keynote - Anti-Forensics - Henry[1]

    1/47

    2006 Secure Computing Corporation. All Rights Reserved.1

    11/15/2007

    Anti-Forensics

    Paul A. Henry, MCP+I, MCSE, CCSA, CCSE, CFSA, CFSO, CISSP-ISSAP, CISM, CISA, CIFI

    Vice President, Technology Evangelism

    Secure Computing

    Before We Get Started

    What is the one thing to date that law enforcement / forensic investigators have always been able to count on?

    Criminals by their very nature are (fill in expletive of choice)

    Mohammed Atif Siddique sentenced to eight years for possession of terrorism-related items. During his trial the jury had been told by Michael Dickson, a forensics analyst for the National Hi-Tech Crime Unit, that Siddique's laptop computer had contained material placed in a Windows folder where it would be difficult for an inexperienced user to find. The folder in question was c:\windows\options, which is usually present on OEM Windows systems and is used for installation purposes. It is not widely frequented by most computer users, but it's not secret either. Siddique seems not to have encrypted the material, which was described as videos, pictures and sound files "concerned with radical Islamic politics", and which included footage of Osama Bin Laden and the World Trade Center attack.

    When police arrested Siddique in April of last year, over 100 police officers were involved in an operation which broke down the door of his family home with a battering ram, closed off roads, and searched adjacent houses and shops. Over 60 officers were involved in the investigation, along with 12 translators and experts from the National High Tech Crime Unit. "Some 34 computers and hard drives were examined. More than 5,000 computer discs and DVDs were removed, along with 25 mobile phones and another 19 SIM cards. Almost 700 documents were taken from the computers and more than 1,000 statements taken."

    What We Will Cover

    The Rules Are Changing

    Creating Reasonable Doubt - Vulnerabilities in Forensic Products

    Virtual Environments - Have You Got Your MoJo

    The Reality of Plausible Deniability

    Vista - Encryption For The Masses

    Steganography - Use and Detection

    Disk Wiping - The Tools Are Getting Scarily Good

    What Good Are Known Good/Bad Signatures?

    Metasploit Slacker - Hide tons of data, encrypted, in slack space

    Timestomp - So much for MAC times

    Transmogrify - One Click Defense

    Samjuicer - No More DLL Injection

    Advanced Anti-Forensics - Everything in RAM

    Linux Anti-Forensics - Where The Tools Don't Look

    The Rules Are Changing

    Admitting computer evidence in the future - a stricter standard?

    Lorraine v. Markel - Authentication of electronic evidence

    Magistrate Judge Grimm refused to allow either party to offer e-mails in evidence to support their summary judgment motions. He found they failed to meet any of the standards for admission under the Federal Rules of Evidence. The emails were not authenticated but simply attached to the parties' motions as exhibits, as has been a common practice.

    In re: Vinhnee, 2005 WL 3609376

    A recent decision by a Ninth Circuit Bankruptcy Appellate Panel rejected the prevailing standard for authenticating electronically stored records and imposed stringent requirements that may help defend against computerized evidence in a broad range of cases, including white-collar prosecutions. Although decisions of the Panel, which consists of three bankruptcy judges, are binding precedent only for bankruptcy courts in the Ninth Circuit, Vinhnee's persuasive analysis has the potential to change the use of electronic evidence in other courts.

    The trial court turned away the credit card company even though the defendant (debtor) did not even show up or enter any argument, having the company suffer "the ignominy of losing even though its opponent did not show up."

    Reasonable Doubt?

    EnCase and Sleuth Kit vulnerabilities

    http://www.isecpartners.com/files/iSEC-Breaking_Forensics_Software-Paper.v1_1.BH2007.pdf

    Evidentiary Implications of Potential Security Weaknesses in Forensic Software

    As with other forensic techniques, computer forensic tools are not magic; they are complex software tools that like all software may be subject to certain attacks. Yet because these tools play such a critical role in our legal system, it is important that they be as accurate, reliable, and secure against tampering as possible. Vulnerabilities would not only call into question the admissibility of forensic images, but could also create a risk that if undetected tampering occurs, courts may come to the wrong decisions in cases that affect lives and property.

    http://www.isecpartners.com/files/Ridder-Evidentiary_Implications_of_Security_Weaknesses_in_Forensic_Software.pdf

    Have You Got Your MoJo?

    Your USB drive or iPod is your PC

    Leaves no trace on the host

    Keeping It Simple

    Without A Trace

    Create an XP bootable CD

    Boot from the CD and create an encrypted environment on the HD

    No trace on the PC

    What's next?

    How about Linux and a processor on a USB stick

    Encryption

    Encryption is a forensic analyst's nightmare

    It is only a matter of time before the bad guys adopt current-technology encryption

    Current offerings provide for multiple levels of plausible deniability: create a hidden encrypted volume within an encrypted volume

    Bad guy gives up the password to the first level only

    Second level remains hidden and looks like random data within the volume (undetectable by inspecting the volume alone; references to its files left elsewhere on the system, such as recent-document lists, are a separate problem)

    TrueCrypt

    Settings are not stored in the registry

    Can use keyfiles, alone or together with a password

    Which of the thousands of files on the image did the bad guy use as the keyfile?

    Uses LRW mode in place of the earlier CBC mode (from version 4.1), closing the watermarking weakness that could mark a volume as non-random data within an image

    Creates a virtual encrypted disk within a file and mounts it as a disk

    Can work in traveler mode with BartPE to eliminate any traces of its use within Windows

    New version 4.3a just released:

    Vista support

    Plausible deniability improved

    Sector sizes other than 512 bytes

    Traveler mode

    Multi-algorithm cascade

    Total Number of Downloads 3,487,388

    Number of Downloads Yesterday 5,547

    Free On The Fly Encryption

    FreeOTFE

    TrueCrypt

    Cryptainer LE

    CryptoExpert 2004 Lite

    CompuSec

    E4M Disk Encryption

    Scramdisk Encryption

    Vista Encryption

    The fear

    TPM hardware

    Encryption key stored on a removable USB drive

    The reality

    Not in all versions of Vista - BitLocker ships only in the Enterprise and Ultimate editions

    Limited availability of motherboards with TPM chips

    High-end versions of Vista not exactly flying off the shelves

    Be sure to seize those USB keys

    Steganography

    Hiding data in graphic or audio files

    Free Steganography

    S-Tools

    4t HIT Mail Privacy Lite

    Camouflage

    Stegdetect

    Automated detection of data within an image

    Works against:

    jsteg

    jphide

    Invisible Secrets

    OutGuess

    F5

    appendX and Camouflage
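
    The deck covers steganography "use and detection" but shows no mechanics, so here is an added example (mine, not from the talk or from Stegdetect): the simplest embedding, LSB replacement in 8-bit samples, next to the pairs-of-values chi-square test that Stegdetect-style tools use against it. The cover is a constructed sample array with a deliberately uneven even/odd split (about 70/30, the kind of bias real image data has), not a real picture; the payload is random bytes, standing in for an encrypted message. The 1000 and 400 thresholds used in the usage note are my own rule of thumb for this cover, not a published cutoff.

```python
import random
from typing import Sequence


def make_cover(n_samples: int, seed: int = 1) -> bytes:
    """Constructed cover: 8-bit samples whose even/odd value pairs are unbalanced
    (about 70/30), which is what the chi-square attack relies on. Not a real image."""
    rng = random.Random(seed)
    out = bytearray()
    for _ in range(n_samples):
        even = rng.randrange(0, 256, 2)                 # 2k, the lower member of a pair
        out.append(even if rng.random() < 0.7 else even + 1)
    return bytes(out)


def embed_lsb(cover: bytes, payload: bytes) -> bytes:
    """Sequential LSB replacement: bit i of the payload goes into sample i."""
    bits = [(byte >> shift) & 1 for byte in payload for shift in range(7, -1, -1)]
    if len(bits) > len(cover):
        raise ValueError("payload does not fit in cover")
    stego = bytearray(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit
    return bytes(stego)


def extract_lsb(stego: bytes, n_bytes: int) -> bytes:
    """Recover n_bytes from the LSBs of the first n_bytes*8 samples."""
    out = bytearray()
    for i in range(n_bytes):
        value = 0
        for sample in stego[i * 8:(i + 1) * 8]:
            value = (value << 1) | (sample & 1)
        out.append(value)
    return bytes(out)


def chi_square_pov(samples: Sequence[int]) -> float:
    """Pairs-of-values chi-square statistic (Westfeld/Pfitzmann). Embedding random
    bits in the LSBs drives the counts of 2k and 2k+1 towards each other, so a
    fully embedded sample scores near the 127 degrees of freedom, while an
    untouched cover with unbalanced pairs scores far higher."""
    hist = [0] * 256
    for s in samples:
        hist[s] += 1
    stat = 0.0
    for k in range(128):
        a, b = hist[2 * k], hist[2 * k + 1]
        expected = (a + b) / 2
        if expected:
            stat += (a - expected) ** 2 / expected + (b - expected) ** 2 / expected
    return stat


def demo() -> dict:
    """Embed a random (encrypted-looking) payload into the constructed cover, check
    it comes back out, and score both versions."""
    cover = make_cover(20_000)
    rng = random.Random(2)
    payload = bytes(rng.randrange(256) for _ in range(len(cover) // 8))
    stego = embed_lsb(cover, payload)
    return {
        "cover_stat": chi_square_pov(cover),
        "stego_stat": chi_square_pov(stego),
        "recovered_ok": extract_lsb(stego, len(payload)) == payload,
    }


if __name__ == "__main__":
    print(demo())
```

    On this cover the statistic drops from the low thousands to roughly 128 once every LSB has been overwritten; partial embedding, or tools that spread bits pseudo-randomly (OutGuess, F5), weaken the signal, which is why Stegdetect carries a separate detector per tool.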

    Evidence Eliminator

    http://www.evidence-eliminator.com/register_reasons.d2w

    Just some reasons why you must buy protection for yourself right now. Pelican Bay State Prison (USA) "....putting a prisoner in a cell with a known assaulter and setting up alleged sex offenders for attack are not uncommon...." Cocoran Prison (California USA) "....Dillard, who weighed 120 pounds, fought back but Robertson was too powerful. He said he pounded on the cell door, banged at it in a way that the guards surely must have heard, but nobody ever came as he was raped...." The View From Behind Prison Bars (USA) "....The guard in the tower decided to blow one of the inmates' heads off.... The suicides at San Quentin are amazing. I never knew doing time would subject me to watching guys do swan dives off the fifth tier. One guy ripped his jugular out with a can opener. How about the inmate who was shot to death while dangling from the fence? They left his body there for four hours.... we were forced to sleep in shifts to keep the cockroaches from crawling in our mouths...."

    Get total protection. Buy your license to Evidence Eliminator. $149 is less than 149 years. Permanent protection for only $149.95 (US)

    The Bad Guys Are Not Paying For It

    Other Disk Wiping Products

    Wipes Deeper Than Ever

    Defeat Forensics For Only $29.95

    Other Popular Wiping Tools

    srm

    dban

    Necrofile

    Tracks Eraser Pro

    Just Google "disk wiping tools":

    Results 1 - 100 of about 1,960,000 for disk wiping tools.

    How Do They Measure Up?

    Evaluating Commercial Counter-Forensic Tools, Matthew Geiger

    Signatures

    Examining hashes is a quick way to determine whether specific files are or are not on the image being examined

    However, altering a single byte changes the hash while leaving a malicious program fully executable

    Signatures

    Unreliable

    EXE Packers

    A packer changes the bytes, and so the hash, of any exe file and renders a search for a known MD5 useless

    A potentially malicious file packed this way will not be found by a scanner that only knows the hash or signature of the unpacked form
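
    To make the two preceding slides concrete, an added example (my code, not the speaker's and not a real hash set or sample): a constructed stand-in for a known-bad file, a one-byte patch that defeats an exact-hash lookup, and a crude stand-in for a packer (zlib compression behind a stub, no real unpacking code) that defeats both the hash and a content pattern. The two checks an examiner would add next to the hash set are shown as well: a YARA-style pattern on an invariant string, which survives the patch but not the packer, and a Shannon-entropy test, which does not care about the hash at all and flags the packed variant. The 7.0 bits/byte threshold and the marker string are my own choices.

```python
import hashlib
import math
import random
import zlib


def build_sample(seed: int = 7, size: int = 32768) -> bytes:
    """Constructed stand-in for a known-bad executable: an 'MZ' stub, a marker
    string, then low-entropy text-like filler (16-symbol alphabet, about 4 bits
    per byte). It is not a real program."""
    rng = random.Random(seed)
    alphabet = b"abcdefghijklmnop"
    body = bytes(rng.choice(alphabet) for _ in range(size))
    return b"MZ" + b"\x00" * 62 + b"pretend keylogger build 1; " + body


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


# A known-good/known-bad hash set (NSRL-style) matches exact contents only.
KNOWN_BAD_MD5 = {md5_hex(build_sample())}


def hash_lookup(data: bytes) -> bool:
    return md5_hex(data) in KNOWN_BAD_MD5


def patch_one_byte(data: bytes, offset: int = 40) -> bytes:
    """Flip one bit in header padding: the program would still run, the hash is new."""
    patched = bytearray(data)
    patched[offset] ^= 0x01
    return bytes(patched)


def fake_pack(data: bytes) -> bytes:
    """Stand-in for a packer: the body is compressed behind a small stub. A real
    packer also adds unpacking code; the point is that the original bytes are no
    longer present in the file."""
    return b"MZ" + b"STUB" + zlib.compress(data, 9)


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    counts = [0] * 256
    for byte in data:
        counts[byte] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def content_signature_hit(data: bytes, needle: bytes = b"pretend keylogger") -> bool:
    """Pattern on an invariant string (what a YARA-style rule does): survives the
    one-byte patch, not the packer."""
    return needle in data


def likely_packed(data: bytes, threshold: float = 7.0) -> bool:
    """Compressed or encrypted payloads sit near 8 bits/byte; skip the stub bytes."""
    return shannon_entropy(data[6:]) > threshold


def triage(data: bytes) -> dict:
    return {
        "hash_hit": hash_lookup(data),
        "pattern_hit": content_signature_hit(data),
        "likely_packed": likely_packed(data),
    }


if __name__ == "__main__":
    original = build_sample()
    for label, variant in (("original", original),
                           ("patched", patch_one_byte(original)),
                           ("packed", fake_pack(original))):
        print(label, triage(variant))
```

    The entropy test is a lead, not proof: legitimate installers, media files and compressed archives score just as high, which is why it is used to pick files for unpacking and manual review rather than as a verdict.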

    Available Packers

    Alloy 4.14

    Aspack 21

    Cexe (NT only)

    Diet

    Lzexe 1.00a

    Pack 1.0

    Pecompact 1.20

    Pecompact 1.23

    Petite 21

    Petite 22

    Pklite32

    Stoner_Compress

    GUI for several packers

    UPX 1.01

    WinLite

    WWpack 3.05b3

    ProTools

    Binders

    Binders combine two or more executables into a single executable file

    This allows the bad guy to attach a Trojan, key logger or other malicious program to a common exe file

    The resulting MD5 will not match a known-bad database

    37 different free binders are downloadable at

    http://www.trojanfrance.com/index.php?dir=Binders/
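
    Most binders of this vintage simply append the second program (and a small loader) after the last section of the carrier, so the check an examiner wants is "is there data past the end of the mapped sections, and does it contain another PE header?". The following is an added example, my code rather than anything from the talk or from any of the binders listed below: it assembles a minimal PE32 image in memory purely so the parser has something to run on (the image is not a runnable executable), appends a second such image as a binder would, and then finds the overlay from the section table. Only the DOS header, COFF header and section table are parsed; nothing here is tied to a particular binder's format.

```python
import struct

FILE_ALIGN = 0x200


def build_pe(sections, overlay: bytes = b"") -> bytes:
    """Assemble a minimal PE32 file in memory (DOS header, PE signature, COFF
    header, 224-byte optional header, section table, section data) and append
    'overlay' after the last section. Constructed input for the parser below."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<H", 0x10B).ljust(224, b"\x00")
    headers_len = e_lfanew + 4 + 20 + 224 + 40 * len(sections)
    first_raw = -(-headers_len // FILE_ALIGN) * FILE_ALIGN
    table, body, raw_ptr = b"", b"", first_raw
    for i, (name, data) in enumerate(sections):
        raw_size = -(-len(data) // FILE_ALIGN) * FILE_ALIGN
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\x00"), len(data),
                             0x1000 * (i + 1), raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += data.ljust(raw_size, b"\x00")
        raw_ptr += raw_size
    headers = (dos + b"PE\x00\x00" + coff + opt + table).ljust(first_raw, b"\x00")
    return headers + body + overlay


def pe_overlay(data: bytes):
    """Return (end_of_last_section, overlay_bytes). Anything past the highest
    PointerToRawData + SizeOfRawData is not mapped by the loader and is worth a look."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + size_opt
    end = 0
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end, data[end:]


def find_embedded_pe(blob: bytes) -> int:
    """Offset of the first MZ header in blob whose e_lfanew lands on 'PE\\0\\0', else -1."""
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            if blob[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\x00\x00":
                return pos
        pos = blob.find(b"MZ", pos + 1)
    return -1


def demo() -> dict:
    host = build_pe([(b".text", b"\xC3" * 16)])                     # harmless carrier
    payload = build_pe([(b".text", b"\xCC" * 8)])                   # stand-in for the bound trojan
    bound = build_pe([(b".text", b"\xC3" * 16)], overlay=payload)  # what a binder produces
    return {
        "host_overlay_len": len(pe_overlay(host)[1]),
        "bound_overlay_len": len(pe_overlay(bound)[1]),
        "embedded_pe_at": find_embedded_pe(pe_overlay(bound)[1]),
        "carrier_changed": host != bound,
    }


if __name__ == "__main__":
    print(demo())
```

    Overlays are not malicious by themselves (self-extracting archives and some installers use them), so the embedded-PE test is what turns "has an overlay" into "carries a second program"; binders that encrypt the payload instead will need the entropy test from the packer example rather than the MZ scan.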

    Downloadable Binders

    Dropper Source Generator 0.1

    Attach

    Asylum Binder 1.0 by Slim

    BigJack Joiner

    Binder

    Binding Suite

    BladeJoiner 1.0 by Blade

    BladeJoiner 1.5 by Blade

    BladeJoiner 1.55 by Blade

    Blade-Bogart Joiner

    Blade-Stoner Joiner

    Concealer

    EliteWrap

    Embedder 1.50

    Exe Bind 1.0

    Exe Maker

    FC Binder

    GoboWrap 1.0b

    Infector 2.0

    Infector 9.0

    Juntador Beta

    MultiBinder

    PE-intro adder

    Rat Packer

    RNS Exe Joiner

    SaranWrap

    Senna Spy One Exe Maker

    Senna Spy One Exe Maker 2000

    Senna Spy One Exe Maker 2000 - 2.0a

    SilkRope 1.0

    SilkRope 1.1

    SilkRope 2.0

    SilkRope2k

    TOP 1.0 by DaRaT

    TOP 2.0 by DaRaT

    TOP 2.0 beta by DaRaT

    TOP 2.1 by DaRaT

    TOP 4.0 by DaRaT

    TOP GUI by DaRaT

    TOP GUI 2 by DaRaT

    TrojanMan

    WeirdBinder by Weird

    X-Exejoiner and Icon changer by Lazarus

    Zyon 1.0 multibinder

    Sudden Discharge Compresso

    Metasploit Anti Forensics

    Timestomp

    Metasploit AntiForensics Project

    www.metasploit.com/projects/antiforensics/

    Uses the following Windows system calls:

    NtQueryInformationFile()

    NtSetInformationFile()

    Doesn't use SetFileTime()
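
    Both of those calls, and SetFileTime() too, only reach the timestamps in a file's $STANDARD_INFORMATION attribute; the second copy in $FILE_NAME is maintained by the NTFS driver itself and is not exposed through FileBasicInformation. That is the examiner's lever, and the following added example (my code, not part of the talk or of Timestomp) shows the two checks built on it: a $STANDARD_INFORMATION time that is earlier than the $FILE_NAME creation time, and a time whose 100-nanosecond remainder is exactly zero, which is what you get when the value was typed in at one-second resolution rather than set by the kernel. The attribute bodies are constructed in memory in the on-disk layout (four little-endian FILETIMEs at offset 0 of $STANDARD_INFORMATION, and at offset 8 of $FILE_NAME after the parent reference); nothing parses a real $MFT here, and the parent reference value 5 is arbitrary.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000        # FILETIME counts 100-nanosecond ticks
KEYS = ("created", "modified", "mft_modified", "accessed")


def to_filetime(when: datetime, extra_ticks: int = 0) -> int:
    """UTC datetime -> FILETIME; extra_ticks adds sub-microsecond 100-ns ticks."""
    delta = when - FILETIME_EPOCH
    return ((delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND
            + delta.microseconds * 10 + extra_ticks)


def from_filetime(ticks: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_standard_information(body: bytes) -> dict:
    """$STANDARD_INFORMATION: four FILETIMEs at offset 0 (the ones Timestomp rewrites)."""
    return dict(zip(KEYS, struct.unpack_from("<4Q", body, 0)))


def parse_file_name(body: bytes) -> dict:
    """$FILE_NAME: 8-byte parent reference, then the same four FILETIMEs at offset 8.
    Set by the kernel on create/rename/move, not reachable via FileBasicInformation."""
    return dict(zip(KEYS, struct.unpack_from("<4Q", body, 8)))


def stomp_indicators(si: dict, fn: dict) -> list:
    hits = []
    for key in KEYS:
        # A value typed in at one-second resolution has a zero 100-ns remainder;
        # kernel-set timestamps almost never do.
        if si[key] % TICKS_PER_SECOND == 0:
            hits.append(f"$SI {key} has a zero sub-second part")
    if si["created"] < fn["created"]:
        hits.append("$SI created is earlier than $FN created")
    return hits


# Constructed attribute bodies in the on-disk layout (not read from a real $MFT).
def build_si(times: dict) -> bytes:
    return struct.pack("<4Q", *(times[k] for k in KEYS)) + b"\x00" * 16


def build_fn(times: dict, parent_ref: int = 5) -> bytes:
    return (struct.pack("<Q", parent_ref)
            + struct.pack("<4Q", *(times[k] for k in KEYS)) + b"\x00" * 10)


def demo() -> dict:
    real = to_filetime(datetime(2007, 11, 15, 14, 12, 33, 123456, tzinfo=timezone.utc),
                       extra_ticks=7)
    genuine = {k: real for k in KEYS}
    fn_body = build_fn(genuine)                       # $FN keeps the real creation time
    stomped = {k: to_filetime(datetime(2005, 1, 1, 10, 0, 0, tzinfo=timezone.utc))
               for k in KEYS}                         # what a "-z" style rewrite leaves in $SI
    return {
        "genuine": stomp_indicators(parse_standard_information(build_si(genuine)),
                                    parse_file_name(fn_body)),
        "stomped": stomp_indicators(parse_standard_information(build_si(stomped)),
                                    parse_file_name(fn_body)),
    }


if __name__ == "__main__":
    print(demo())
```

    The zero-remainder check is a heuristic: files copied from FAT media or restored by some backup tools also carry coarse timestamps, so treat it as a reason to pull the $FILE_NAME times and the USN journal, not as a finding on its own.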

    Timestomp - FTK Unmodified

    Timestomp - FTK Modified

    Timestomp - EnCase Unmodified

    Timestomp - EnCase Modified

    Timestomp - Explorer Unmodified

    Slacker

    Slacker Example
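
    The slides for Slacker are screenshots, so here is an added example (mine, not Slacker's code) of the idea behind it: a file occupies whole clusters, the bytes between its logical end and the end of its last cluster are never returned by a normal read or a logical copy, and anything written there leaves the file's size, contents and hash untouched. The volume is a constructed in-memory stand-in with a 4 KiB cluster size and a trivial allocation table; no real filesystem format is parsed. The last method is the examiner's side: walk every allocated file and report slack that is not all zeros.

```python
import random

CLUSTER = 4096


class ToyVolume:
    """Constructed stand-in for a cluster-allocated filesystem: one bytearray plus a
    name -> (first_cluster, logical_size) table."""

    def __init__(self, clusters: int = 16):
        self.raw = bytearray(CLUSTER * clusters)
        self.files = {}
        self.next_free = 0

    @staticmethod
    def clusters_for(size: int) -> int:
        return max(1, -(-size // CLUSTER))

    def write_file(self, name: str, data: bytes) -> None:
        start = self.next_free
        self.raw[start * CLUSTER:start * CLUSTER + len(data)] = data
        self.files[name] = (start, len(data))
        self.next_free += self.clusters_for(len(data))

    def read_file(self, name: str) -> bytes:
        """What the OS (and a logical copy) returns: bytes up to the logical size only."""
        start, size = self.files[name]
        return bytes(self.raw[start * CLUSTER:start * CLUSTER + size])

    def slack_range(self, name: str):
        start, size = self.files[name]
        end_of_data = start * CLUSTER + size
        end_of_alloc = (start + self.clusters_for(size)) * CLUSTER
        return end_of_data, end_of_alloc

    def hide_in_slack(self, name: str, payload: bytes) -> None:
        """Slacker's idea: write past EOF inside the last allocated cluster. The file's
        size, contents and hash do not change."""
        lo, hi = self.slack_range(name)
        if len(payload) > hi - lo:
            raise ValueError(f"only {hi - lo} bytes of slack available")
        self.raw[lo:lo + len(payload)] = payload

    def scan_slack(self) -> dict:
        """Examiner's check: non-zero bytes between EOF and end of allocation."""
        findings = {}
        for name in self.files:
            lo, hi = self.slack_range(name)
            tail = bytes(self.raw[lo:hi]).rstrip(b"\x00")
            if tail:
                findings[name] = len(tail)
        return findings


def demo() -> dict:
    vol = ToyVolume()
    document = b"quarterly numbers\n" * 250          # 4500 bytes -> 2 clusters, 3692 bytes of slack
    vol.write_file("report.txt", document)
    rng = random.Random(3)
    secret = bytes(rng.randrange(1, 256) for _ in range(1000))   # stands in for an encrypted blob
    vol.hide_in_slack("report.txt", secret)
    lo, hi = vol.slack_range("report.txt")
    return {
        "slack_bytes": hi - lo,
        "file_unchanged": vol.read_file("report.txt") == document,
        "secret_in_logical_copy": secret in vol.read_file("report.txt"),
        "slack_scan": vol.scan_slack(),
    }


if __name__ == "__main__":
    print(demo())
```

    On a real volume non-zero slack can also be leftovers of whatever occupied the cluster before, so the scan gives leads rather than proof; high-entropy slack behind a plain text file, repeated across many files, is the pattern that points at a tool like this one.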

    Transmogrify Coming Soon

    Transmogrify - First ever tool to defeat EnCase's file signature capabilities by allowing you to mask and unmask your files as any file type. (Coming Soon)

    Well, they have been saying that since 2005 and it is still not here
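
    Whatever Transmogrify would have done, the technique it describes is header masking: give a file the magic bytes of another type so that a signature scan (the check EnCase runs when extension and header disagree) files it as, say, a picture. The counter is to validate structure, not just the first few bytes. The following added example (my code, nothing from the talk or from any Metasploit project) does that for PNG: it builds a genuine minimal PNG in memory, builds a constructed "masked" file that carries the PNG signature in front of non-image bytes, and shows that a magic check accepts both while a chunk walk with CRC verification rejects the masked one. PNG was picked because its chunk CRCs make the structure check short; the same idea applies to any format with internal consistency (JPEG marker segments, ZIP central directory, PE section tables).

```python
import struct
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def png_chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_png(width: int = 1, height: int = 1) -> bytes:
    """A genuine (if dull) 8-bit grayscale PNG, built in memory."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\x80" * width for _ in range(height))  # filter byte 0 per row
    return (PNG_MAGIC + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", zlib.compress(raw)) + png_chunk(b"IEND", b""))


def magic_says_png(data: bytes) -> bool:
    """The signature check that header masking is designed to satisfy."""
    return data.startswith(PNG_MAGIC)


def png_structure_ok(data: bytes):
    """Walk the chunk list: lengths must fit, every CRC must verify, IHDR first, IEND last."""
    if not magic_says_png(data):
        return False, "bad signature"
    pos, seen_iend = 8, False
    while pos + 12 <= len(data):
        length, ctype = struct.unpack_from(">I4s", data, pos)
        body = data[pos + 8:pos + 8 + length]
        if len(body) != length:
            return False, f"truncated chunk {ctype!r}"
        stored_crc = struct.unpack_from(">I", data, pos + 8 + length)[0]
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != stored_crc:
            return False, f"CRC mismatch in {ctype!r}"
        if pos == 8 and ctype != b"IHDR":
            return False, "first chunk is not IHDR"
        if ctype == b"IEND":
            seen_iend = True
            break
        pos += 12 + length
    if not seen_iend:
        return False, "no IEND chunk"
    return True, "ok"


def demo() -> dict:
    genuine = build_png(4, 2)
    # Constructed stand-in for the file someone wants to hide: not an image at all.
    hidden = b"PK\x03\x04" + b"contents of an archive go here " * 4
    masked = PNG_MAGIC + hidden            # header masking: prepend a PNG signature
    return {
        "genuine": png_structure_ok(genuine),
        "masked_magic": magic_says_png(masked),
        "masked_structure": png_structure_ok(masked),
        "unmasked": masked[len(PNG_MAGIC):] == hidden,
    }


if __name__ == "__main__":
    print(demo())
```

    A masking tool that also fabricates valid chunks around the payload would pass this check, so the next layer is to actually decode the image (or archive, or executable) and compare the decoded size with the file size; bulk that does not decode into anything is the tell.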

    Samjuicer

    SAM Juicer does what pwdump does without hitting the disk

    Pwdump opens a share, drops binaries to the disk and starts a service to inject itself into LSASS

    SAM Juicer reuses a transport channel that the Metasploit framework uses, remotely and directly injects itself into LSASS and pulls down the password hashes without leaving a file, touching the registry or starting a service

    Not having files or services starting makes protection technologies that rely on that 'signature' to prevent the attack rather impotent

    Future Work

    NTFS change journal modification

    Secure deletion

    Documentation of anti-forensic techniques

    Browser log manipulation

    File meta-data modification

    NTFS extended attributes

    Vincent Liu

    Partner in Stach & Liu

    [email protected]

    www.stachliu.com

    Advanced Anti Forensics

    What if the malicious file never touched the disk?

    MOSDEF (mose-def) is short for Most Definitely

    MOSDEF is a retargetable, position-independent-code C compiler that supports dynamic remote code linking

    In short, after you've overflowed a process you can compile programs to run inside that process and report back to you

    www.immunitysec.com/resources-freesoftware.shtml

    Linux Anti Forensics

    Simply hide data where commercial forensic tools don't necessarily look

    Rune FS - Hide data in the bad blocks inode

    Waffen FS - Hide data in a spoofed journal file

    KY FS - Hide data in null directory entries

    Data Mule FS - Hide data in reserved space
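
    Two of those hiding places can be checked from the raw metadata with a few lines, and the following is an added example of doing so (my code, not from the talk or from any of the tools named): for the Rune FS trick, the ext2 bad-blocks inode (inode 1) should own no blocks on a disk that has none, so a non-zero i_blocks or any populated i_block[] pointer is anomalous; for the KY FS trick, a directory block is walked entry by entry and any unused entry (inode 0), or the padding after a used entry's name, that is not all zeros is reported. The inode table and directory block are constructed in memory in ext2 rev 0 layout (128-byte inodes, 8-byte directory entry header); on a real image, read the inode size from the superblock and locate the tables through the group descriptors first, which this example does not do.

```python
import struct

INODE_SIZE = 128   # ext2 rev 0; on a real image take s_inode_size from the superblock


def parse_inode(table: bytes, number: int) -> dict:
    """The few inode fields needed here. Inode numbers start at 1, so inode 1 is slot 0."""
    off = (number - 1) * INODE_SIZE
    size, = struct.unpack_from("<I", table, off + 4)
    blocks, = struct.unpack_from("<I", table, off + 28)    # i_blocks, 512-byte units
    ptrs = struct.unpack_from("<15I", table, off + 40)     # i_block[]: 12 direct + 3 indirect
    return {"size": size, "blocks": blocks, "block_ptrs": [p for p in ptrs if p]}


def bad_blocks_inode_suspicious(table: bytes) -> bool:
    """Inode 1 is the bad-blocks inode. With no real bad blocks it owns nothing."""
    ino = parse_inode(table, 1)
    return ino["blocks"] != 0 or bool(ino["block_ptrs"]) or ino["size"] != 0


def scan_directory_block(block: bytes) -> list:
    """Walk ext2 directory entries (inode u32, rec_len u16, name_len u8, type u8, name)
    and report non-zero bytes in unused entries or in the padding behind a name."""
    findings, pos = [], 0
    while pos + 8 <= len(block):
        inode, rec_len, name_len, _ftype = struct.unpack_from("<IHBB", block, pos)
        if rec_len < 8 or pos + rec_len > len(block):
            break
        if inode == 0:
            area, kind = block[pos + 8:pos + rec_len], "unused entry"
        else:
            padded_name = (name_len + 3) & ~3
            area, kind = block[pos + 8 + padded_name:pos + rec_len], "entry slack"
        nonzero = len(area.strip(b"\x00"))
        if nonzero:
            findings.append({"offset": pos, "kind": kind, "nonzero_bytes": nonzero})
        pos += rec_len
    return findings


# Constructed on-disk structures for the demo (no real filesystem image is read).
def build_inode(size: int = 0, blocks: int = 0, ptrs=()) -> bytes:
    rec = bytearray(INODE_SIZE)
    struct.pack_into("<I", rec, 4, size)
    struct.pack_into("<I", rec, 28, blocks)
    struct.pack_into("<15I", rec, 40, *(list(ptrs) + [0] * (15 - len(ptrs))))
    return bytes(rec)


def build_dirent(inode: int, name: bytes, rec_len: int, tail: bytes = b"") -> bytes:
    rec = bytearray(rec_len)
    struct.pack_into("<IHBB", rec, 0, inode, rec_len, len(name), 1 if inode else 0)
    rec[8:8 + len(name)] = name
    if tail:
        rec[rec_len - len(tail):] = tail
    return bytes(rec)


def demo() -> dict:
    root = build_inode(size=1024, blocks=2, ptrs=(300,))            # inode 2, the root directory
    clean_table = build_inode() + root                               # inode 1 owns nothing
    rune_table = build_inode(size=8192, blocks=16, ptrs=(900, 901)) + root
    hidden = bytes(range(1, 101))                                    # 100 non-zero bytes
    head = build_dirent(2, b".", 12) + build_dirent(2, b"..", 12)
    clean_dir = head + build_dirent(12, b"notes.txt", 1000)          # 1024-byte block
    ky_dir = head + build_dirent(0, b"", 1000, tail=hidden)          # null entry carrying data
    return {
        "clean_bad_blocks": bad_blocks_inode_suspicious(clean_table),
        "rune_bad_blocks": bad_blocks_inode_suspicious(rune_table),
        "clean_dir": scan_directory_block(clean_dir),
        "ky_dir": scan_directory_block(ky_dir),
    }


if __name__ == "__main__":
    print(demo())
```

    Directory slack on a live ext2/ext3 volume routinely holds the names of deleted files, because unlinking just widens the previous entry's rec_len, so the directory findings need a second look (readable filenames versus high-entropy bytes) before they mean anything; the bad-blocks check is sharper, since a populated inode 1 on a disk that badblocks reports clean has no innocent explanation.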

    Thank You

    Paul A. Henry, MCP+I, MCSE, CFSA, CFSO, CCSA, CCSE, CISM, CISA, CISSP-ISSAP, CIFI

    Vice President, Technology Evangelism

    Secure Computing

    [email protected]