Computer Forensics: Anti-Forensic Tools & Techniques [Updated 2019]
Introduction
Understanding the principles of digital forensics is essential for anyone looking to attain The Certified Computer Forensics Examiner (CCFE) certification. This article will briefly explain anti-forensic hiding techniques, destruction methods, and spoofing to give you the knowledge needed when you take your exam.
Learn Digital Forensics
Encryption
Encryption is the act of turning data (or other information) into code, intended to prevent access from unauthorized users. Many tools aid with this, some of which reside right on a new version of Windows. Some of these tools include VeraCrypt, AxCrypt, BitLocker, and GNU Privacy Guard.
The history of encryption spans many hundreds of years and will likely require more study than can be compiled here. Some of the classical cryptography that may be seen on the CCFE include the Caesar Cipher and Vigenere Cipher. The first revolves around shifting letters to the left or right a set number of times. The latter involves a cipher and lining up two letters to get the third one.
Modern cryptography uses many different methods to break encryption. Data Encryption Standard (DES) is one that is often seen on the CCFE, along with Advanced Encryption Standard (AES), RSA, and DSA. These include both symmetric and asymmetric encryption. The main difference between these two is that a symmetric algorithm uses a single key for encryption and decryption, while asymmetric algorithms use two different keys.
For those who need more education on this, and other aspects of the test, InfoSec Institute offers an excellent study program for the CCFE.
Steganography
Steganography is the act of concealing secret information or messages in non-secret data or text. One of the most common ways to do this is via image, where a particular section is changed but in a way that is not evident. These files appear inconsequential, which is why they can be overlooked.
The process of steganography goes back centuries to a time when messages might be hidden on the scalp of messengers or hidden behind wax writing tablets. Technical steganography uses scientific methods to cover up the message, by use of things like microdots or invisible ink. Linguistic steganography hides the message in the original carrier and can be categorized as an open code. Virtually any digital medium will work, allowing messages and even entire files to be hidden in “plain sight” within pictures, video files, audio files, and virtually anything else.
Tools that help with steganography include Xiao Steganography, Image Steganography, Steghide, Crypture, SteganographX Plus, rSteg, and SSuite Picsel. Understanding how each works would be beyond the scope of this article, but for the CCFE, I recommend you gain a better understanding of each.
Spotting a stego-attack can be challenging, but it can be accomplished. In some instances, looking for repetitive patterns in images can clue you in (including small distortions). In other instances, tools will need to be used, such as EnCase, or ILook Investigator.
Changing Metadata/Timestamps
Metadata and timestamps can be manipulated to an attacker’s benefit. Metadata spoofing can fool web service clients by providing false WSDL files and WS-Security-Policy data. Changing timestamps can remove signs that forensic examiners use to determine possible areas of activity in a system if the time of activity is known.
Forensic examiners may be able to compile a timeline of an attacker’s activity and areas of interest with this information (putting those files into chronological order). However, overwriting metadata prevents this. The use of Timestomp can also overwrite timestamps and delete entries, making an examiner’s job more difficult. Checking metadata document authenticity can help mitigate the repercussions of these attacks.
Tunneling
Tunneling, which is also called port forwarding, allows private communication to be sent over a public network by a process called encapsulation. This ensures data packets appear public, enabling them to pass through with little to no judgment. A common way to utilize tunneling is through a VPN (Virtual Private Network), which encrypts data to keep away any security measures.
Constant monitoring of encrypted connections can help alert organizations to the possibility of this type of attack. Some, such as CryptoAuditor, can be used to stop these attacks as well.
Onion Routing
Onion routing is a mode of sending messages encrypted in layers, which correspond to layers in an onion. The data is transmitted through many network nodes (onion routers), and a layer of encryption is removed at each. When the final layer is peeled off, the message heads to the destination. As such, it is anonymous because nobody in the chain knows more than a few links in the chain, the ones before and after their own. This method of routing is used by the highly popular Tor networks.
Truly, the only way to defeat onion routing is to break through each successive router in reverse order, beginning with the exit node. This is exceptionally time consuming, but it can be accomplished.
Wiping a Drive
The process of wiping a hard drive seeks to make data unreadable. Reformatting a drive or deleting files does not erase those files, the data remains. Using a program that overwrites the information is common, as the more times data is overwritten, the less readable the previous data becomes.
More skilled criminals may go farther by using the Linux dd command to wipe the drive forensically. Some may also engage in degaussing, which is a procedure in which a hard drive is exposed to a powerful magnet to erase a drive. This can cause complete deletion of all files, which cannot be recovered in the future.
Forensic examiners can be helped by the existence of file fragments, as well as seemingly unrelated data. For instance, a chatsync folder could help to recover wiped Skype conversations even if the Skype database has been wiped/deleted.
Disabled Logging
Computers and other devices log all or most of the events that occur on them. For a criminal, this leaves a trail of evidence, which they then want to eliminate. There are different options for doing this. They can delete the log, which will leave a gap of knowledge.
As far as more technical tools, Auditpol is a tool that allows for turning auditing off and back on again, but this can easily be noticed by forensic analysts. The final, and best, tool is Winzapper. It allows the attacker to delete whatever they want from the log. This can be very hard, and sometimes impossible, to detect. A live RAM analysis can sometimes help a forensic investigator, as can analyzing swap and hibernation files.
Spoofing
Spoofing is an act where someone attempts to gain access to someone’s system or information by pretending to be someone he or she is not. The literal meaning of the word is “to trick.” There are various ways to spoof, but the two most common are IP and MAC spoofing, so understanding the difference is integral when studying for the CCFE.
IP spoofing is the easiest, and most common, means of spoofing. With IP spoofing, an individual prevents tracing to their computer by using a different IP address to do their dirty work. This can be done manually or with the assistance of tools. This type of spoofing is commonly used in distributed denial service attacks (DDoS).
MAC spoofing is a bit more involved, making it less common. A MAC address is set in the factory, and it cannot be changed. However, there are ways to cause your computer to broadcast a fake MAC address. This type of spoofing is harder for forensic analysts to counter.
Email spoofing is a common occurrence that involves sending messages by faking the email address that is sending the email. As such, people can be convinced the email is from a legitimate person or company, allowing them to fall victim to scams.
Forensic investigators can use several techniques to identify spoofing, including detecting forged email headers (email spoofing), examining wireless access point activity (MAC spoofing), and more.
Many of these subjects will be covered on the CCFE exam, so it is worth seeking out more information about anything you still have questions about. This should give a primer on the essential anti-forensic tools and techniques, so you have an idea of what a forensic analyst is actually up against.
Sources
http://www.neshaminy.org/cms/lib6/PA01000466/Centricity/Domain/223/Cyber%20Forensics%20Book.pdf
https://www.checkmarx.com/glossary/spoofing-attack/
Learn Digital Forensics