Anti-Forensics

1
Anti-Forensics

• Jonathan Buhacoff

2
Agenda

• What are anti-forensics?
• Who conducts anti-forensics, and why?
• How are anti-forensics developed?
• Where when are anti-forensics applied?
• Example 1
• Example 2
• Applications

3
What are anti-forensics?

• Techniques to impair forensic analysis
• Reduce the amount of evidence
• Reduce the quality of evidence

4
Who conducts anti-forensics?

• Criminals, to escape prosecution
• Liberals, to enforce privacy
• Conservatives, to conceal scandals
• Academics, to improve forensics
• Hackers, for fun profit
• Government, to protect classified information
• One mans freedom fighter

5
How are anti-forensics developed?

• Identify assumptions
• Hardware (capabilities)
• Software (algorithms)
• People (procedures)
• Design an exploit
• Write an application

6
Where are anti-forensics applied?

• File storage
• Hide or destroy data
• Obfuscate audit trail
• Networks
• Conceal source or destination of packets
• Hide content of transfer
• Hardware
• Degaussing
• Traps

7
When are anti-forensics applied?

• Before data is created
• Prevention is the best medicine
• After data is created
• Routine use
• Emergency

8
Example 1
9
Example 2
10
Applications

• File system
• Steganography

11
Applications, file system
Slacker Slack space File growth
FragFS MFT Metadata growth
RuneFS Bad blocks Easy detection
WaffenFS Ext3 journal Consistency check
KY FS Null directory entries Validity check
Data Mule FS Inode reserved space Format check
StegFS Unused blocks New files
12
Applications, steganography
TextHide Text in text Key exchange
Jphide/seek Text in Jpeg Stegdetect
MP3Stego Text in MP3 Steg Watch
StegoVideo Data in any codec None yet
Hydan Data in EXE Only subset of instructions can be used
13
Applications, other
Timestomp create/modify/access/change None
Disk Utility 00s, FFs, random None
Nmap Decoy scan, FTP bounce Investigate each IP
StegTunnel TCP packets Dropped packets
Rexec Memory-only Live analysis
14
Anti-Forensics

• Jonathan Buhacoff