Leveraging OS and File System Artifacts
"What one man can invent, another can discover."
Sherlock Holmes
Ali Hadi
Talk on Anti-Forensics focusing on operating system and file system artifacts that can be used to confirm/refute if anti-forensics was used on a hard drive.
Talk covers Anti-Forensics from a criminal perspective, not a privacy perspective.
Tools and techniques that frustrate forensic
tools, investigations, and investigators …
- Dr. Simson Garfinkel
Anti-Forensics
Locating anti-forensic tools leads to suspicion
Crumbs could be found even if removed!
Simple: clearing caches, offline files, app artifacts, deleting
catalogs and thumbnail files, Jump Lists, Prefetch files, etc
Complex: Full Disk Encryption, Injected DLLs (meterpreter),
Avoid detection
Disrupting Information Collection
Increase examination time
Cast doubt on forensic reports or
Subverting the tool
Data Hiding
Trail Obfuscation
Artifact Wiping
Attacking Forensic Tools
Q: What are we looking for?
"Data! Data! Data!
I can't make bricks without clay."
- Sherlock Holmes
Before we look at where and how data ("evidence") is stored,
we must first understand what types of evidence we are
looking for from a forensic perspective:
Time: a duration in this universe
Keywords: any specific text related to a crime
Action/Operation: open file, run program, shutdown system, etc
Object: disk, partition, file, malware, etc
Operating System Artifacts
"Don't be conned by misleading menu structures!"
Hiding files within system directories
Changing the file extension (e.g. .doc -> .xls, .pdf -> .doc)
Merge Streams (Doc into XLS and vice versa)
Changing one byte in a file
Known to Unknown Hashes Bypass
Split and Scatter (splitting files and then scattering them)
Changing file headers
Techniques Cont.
Log Injection (misleading events)
Deleted Files and Removed Programs
Restore Points
Registry Entries
Online Storage: Dropbox, Gdrive, etc
DLL Injection (Meterpreter)
How: Simple Techniques Cont.
CLSID list (Windows Class Identifiers):
rename a folder to "My Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}"
SysInternals: Autoruns
Detection Techniques
Different detection techniques (image path, memory, etc)
Fuzzy Hashes
Content Analysis
Scheduled Tasks
Log detection
Correlation and Timeline Analysis
Memory dump of erased events or wipers
Centralized Log Management System
Memory dump
Volume Shadow Copies / Restore
Beware of accessing VSCs on Live Systems (why?)
Shadow Explorer VSC Browser
Browse a VSC
Windows Registry
User Registry File
NTUser.dat file
Personal preferences and computer settings for the user
Just by looking at the file's metadata (file attributes) you can find out a lot of information:
First time the user logged on -> creation date of the file
Last time the user logged on -> last modified date of the file
$Recycle.Bin (hidden by default)
Subfolder per user named with account SID
When a file is moved to the Recycle Bin, it becomes two files: $I and $R.
$I -> original name and path, and deleted date
$R -> original file data stream and other attributes
Recycle Bin
Clear "Recent Items" (Windows 7)
To clear the "Recent Items" list, right-click on Recent Items and select Clear
Jump Lists Cont.
Frequent files used
Recent files used
Jump Lists Cont.
C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent Items
Jump Lists Settings
If unchecked will prevent
application history from
appearing on the start menu
Used to adjust the number of items to
display in the Jump Lists
A list of Monitored folders
Used to assist users to
find and organize their
They look like any other folder!!!
View them using a Forensic tool:
XML-based files named with the library-ms extension!
Link Explorer (LECmd)
Prefetch Files
Prefetch files indicate the following to the examiner:
Existence: application named was run
Creation date: when the application was first run
Modification date: when the application was last run
User Activity with ShellBags
I still know what you did!!!
Contains all of the Web sites
Every URL
Every Web page
All email sent or received through Outlook or Outlook Express
All internet temp files
All pictures viewed
Pictures opened in Windows OS
Thumbs.DB Viewer
Binary Obfuscation
Packers / Unpackers
Reduce size, Hide actual code, Hide IAT, Anti-X
[Figure: packed executable beside the original executable, each starting with a DOS header and a PE header]
Binary Obfuscation Cont.
Complex packers might overwrite their own memory space
Statically (complex and time consuming)
Dynamically (easy, needs native env.)
Hybrid (best of both)
Common: UPX, FSG, MEW
Complex: Armadillo, Obsidium, Sdprotect, ExeCrypt, VMProtect
[Figure: compressor screenshot showing file sizes of 3.1415 MB and 2.7282 MB]
File Systems Artifacts
Don’t let jumbled Data Structures fool
Without an understanding of the disk layout, you'll never know
what is truly hidden there!
Do you know what’s here?
File Systems
Can reveal useful artifacts like:
Manipulated Timestamps
Metadata : deleted or crumbs
Logs of actions : Journals
Volume Slack
Unused space between the end of the volume and the end of
the partition
Size of the hidden data in volume slack is only limited by the
space on the hard disk available for a partition
Volume Slack
[Figure: disk layout with Partition #1, Partition #2 and Partition #3, showing the volume slack]
File Slack Space
Slack space could be used to hide data
Single cluster with 8 sectors (4096 bytes), Sector #0 to Sector #7:
File data: 2248 bytes
RAM slack: 312 bytes
Cluster slack: 1536 bytes
File Systems (NTFS)
Everything written to the disk is considered a file
Files, directories, metadata, etc
MFT is the heart of NTFS (array of records 1024 bytes each)
Records in the MFT are called metadata
First 16 records in the MFT reserved for metadata files
Entry #1 is $MFT
File Systems (NTFS) Cont.
Deleted Files
Unallocated space
File System Journals, Index Files, and Log files: $I30, $LogFile, $UsnJrnl
File Wipers
Some crumbs left for investigator!
Hiding within $DATA attribute
Timestamps and timestomp tools
$MFT Slack Space
Bad Blocks ($BadClus)
Marked in the metadata file $BadClus (MFT entry 8)
Sparse file with the size set to the size of the entire file system
Bad clusters are allocated to this file
Clusters can be allocated to $BadClus and used to store data
Alternate Data Streams (ADS)
More than one $DATA attribute
Locating streams:
Streams, LADS, etc
DF tools
Can also hide
echo I am the hidden text > file.txt:Hidden.txt
Time Manipulation: Timestomp
Also a form of Data Hiding!
Time Manipulation: Detection
Compare the $STANDARD_INFORMATION (SIA) timestamps with the $FILE_NAME (FN) attribute timestamps
FN timestamps must be older than the SIA timestamps; SIA timestamps that predate FN are suspect
Zero milliseconds in timestamps is suspect
Check for creation timestamps earlier than the file system format time
Check Shadow Copies (VSCs) and Restore Points
Check journal files
Create timelines
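The first three detection checks above (SIA versus FN ordering, zero fractional seconds, creation before the format time) can be applied mechanically to every MFT entry. This added example is not code from the talk: it assumes the $SI and $FN timestamps have already been extracted as FILETIME integers (for instance from an MFT parser), and the two entries at the bottom are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

WIN_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def to_filetime(dt):
    """FILETIME: 100 ns ticks since 1601-01-01 UTC, as stored in $MFT attributes."""
    d = dt - WIN_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def fmt(ft):
    return (WIN_EPOCH + timedelta(microseconds=ft // 10)).isoformat()

def check_timestomp(entry, fs_created):
    """Return the list of anomalies for one MFT entry.
    entry = {"name": ..., "si": {...}, "fn": {...}} where "si" ($STANDARD_INFORMATION)
    and "fn" ($FILE_NAME) map "created"/"modified" to FILETIME integers.
    fs_created is the FILETIME at which the volume was formatted ($MFT creation)."""
    si, fn, findings = entry["si"], entry["fn"], []
    # $FILE_NAME is maintained by the kernel; user-mode timestomping utilities
    # normally only rewrite $STANDARD_INFORMATION, so $SI older than $FN is backwards.
    for k in ("created", "modified"):
        if si[k] < fn[k]:
            findings.append(f"{k}: $SI {fmt(si[k])} precedes $FN {fmt(fn[k])}")
    # Tools that accept second-granularity input leave the 100 ns fraction at zero;
    # timestamps NTFS writes itself almost never align exactly on a second.
    zeroed = [k for k, v in si.items() if v % 10_000_000 == 0]
    if zeroed:
        findings.append("zero fractional seconds in $SI: " + ", ".join(zeroed))
    # Nothing can legitimately be created before the file system existed.
    if si["created"] < fs_created:
        findings.append(f"created {fmt(si['created'])} precedes format time {fmt(fs_created)}")
    return findings

def ft(*args):
    """Build a constructed sample timestamp from (y, mo, d, h, mi, s, us)."""
    return to_filetime(datetime(*args, tzinfo=timezone.utc))

# Constructed sample data: the volume was formatted in mid-2015.
FS_CREATED = ft(2015, 6, 1, 9, 0, 0, 123456)
CLEAN = {"name": "report.docx",
         "si": {"created": ft(2016, 1, 10, 8, 5, 2, 501234), "modified": ft(2016, 2, 2, 17, 45, 9, 887123)},
         "fn": {"created": ft(2016, 1, 10, 8, 5, 2, 501234), "modified": ft(2016, 1, 10, 8, 5, 2, 501234)}}
# Backdated to 2009 with whole-second values, while $FN still records the real 2016 creation.
STOMPED = {"name": "payload.exe",
           "si": {"created": ft(2009, 7, 14, 2, 30, 0, 0), "modified": ft(2009, 7, 14, 2, 30, 0, 0)},
           "fn": {"created": ft(2016, 3, 3, 11, 12, 13, 402100), "modified": ft(2016, 3, 3, 11, 12, 13, 402100)}}
```

A $SI timestamp copied from another file (rather than typed in) keeps a non-zero fraction, so the ordering and format-time checks are the ones that still hold; the shadow-copy and journal checks on the slide cover what this function cannot see.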
Tracking NTFS’s history with $UsnJrnl
Creation, deletion, modification, renaming and moving of file and
It is possible to find traces of deleted files.
Program execution and document-opening events can be found by
tracking the history of prefetch files and LNK files
$UsnJrnl record carving from unallocated space
Large numbers of $UsnJrnl records remain in unallocated space
Older file system history (from several months back) can be
recovered by carving $UsnJrnl records
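The carving described above works because each journal entry is a self-describing USN_RECORD_V2 structure. This added example (not code from the talk) scans an arbitrary byte buffer for such records using the fixed 60-byte header, decodes the reason flags, and lists the names with a FILE_DELETE record; the buffer it runs on is constructed filler around two sample records, not a real journal.

```python
import struct
from datetime import datetime, timedelta, timezone

USN_V2 = struct.Struct("<IHHQQQQIIIIHH")   # 60-byte fixed part of USN_RECORD_V2
REASONS = {0x01: "DATA_OVERWRITE", 0x02: "DATA_EXTEND", 0x04: "DATA_TRUNCATION",
           0x100: "FILE_CREATE", 0x200: "FILE_DELETE", 0x1000: "RENAME_OLD_NAME",
           0x2000: "RENAME_NEW_NAME", 0x8000: "BASIC_INFO_CHANGE", 0x80000000: "CLOSE"}

def carve_usn_records(buf):
    """Scan a raw byte buffer (e.g. unallocated clusters) for USN_RECORD_V2 structures.
    A hit needs version 2.0, name offset 60, an 8-byte aligned length that fits the buffer."""
    found, off = [], 0
    while off + USN_V2.size <= len(buf):
        (length, major, minor, frn, parent, usn, ts, reason,
         _src, _sid, _attr, name_len, name_off) = USN_V2.unpack_from(buf, off)
        ok = (major == 2 and minor == 0 and name_off == 60 and name_len % 2 == 0
              and 60 + name_len <= length <= 570 and length % 8 == 0
              and off + length <= len(buf))
        if not ok:
            off += 8            # journal records are 8-byte aligned, so step by 8
            continue
        name = buf[off + 60:off + 60 + name_len].decode("utf-16-le")
        found.append({"offset": off, "usn": usn, "name": name,
                      "mft_entry": frn & 0xFFFFFFFFFFFF,        # low 48 bits of the FRN
                      "parent_entry": parent & 0xFFFFFFFFFFFF,
                      "time": datetime(1601, 1, 1, tzinfo=timezone.utc)
                              + timedelta(microseconds=ts // 10),
                      "reason": [n for bit, n in REASONS.items() if reason & bit]})
        off += length
    return found

def deleted_names(buf):
    """Names of files whose journal records carry FILE_DELETE: traces of deleted files."""
    return sorted({r["name"] for r in carve_usn_records(buf) if "FILE_DELETE" in r["reason"]})

def build_usn_record(usn, frn, parent, ts, reason, name):
    """Construct a USN_RECORD_V2 (sample data, not from a real $UsnJrnl)."""
    enc = name.encode("utf-16-le")
    length = (60 + len(enc) + 7) & ~7
    head = USN_V2.pack(length, 2, 0, frn, parent, usn, ts, reason, 0, 0, 0x20, len(enc), 60)
    return (head + enc).ljust(length, b"\x00")

# Constructed "unallocated space": filler bytes around a create and a delete of secret.docx
FT_2016 = 131_000_000_000_000_000                     # constructed FILETIME, February 2016
FRN, PARENT = (5 << 48) | 1234, (2 << 48) | 5          # sequence number | MFT entry number
SAMPLE = (b"\xAA" * 16
          + build_usn_record(0x1000, FRN, PARENT, FT_2016, 0x100 | 0x80000000, "secret.docx")
          + b"\x00" * 24
          + build_usn_record(0x1060, FRN, PARENT, FT_2016 + 6_000_000_000, 0x200 | 0x80000000, "secret.docx")
          + b"\xFF" * 9)
```

The MFT entry number recovered from the file reference lets each carved record be tied back to a $MFT record (or to its remains in unallocated space) and to the prefetch and LNK history on the timeline.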
NTFS INDX Files (aka: $i30)
Each directory index entry contains at least the following
metadata for the child:
Physical size of file
Logical size of file
Modified timestamp
Accessed timestamp
Changed timestamp
Created timestamp
A transaction journal of changes to the $MFT
Could find file fragments and MFT records
Could find MFT records in unallocated space
Could locate file names that no longer exist on the disk
Finally …
To catch a criminal, you need to think like one!
Without a proper understanding of the underlying
technology, it's just like you're searching for a needle in the
They can run, but they can't hide forever
