Anti-Forensics: Leveraging OS and File System Artifacts

Abstract
• Talk on Anti-Forensics focusing on operating system and file system artifacts that can be used to confirm/refute if anti-forensics was used on a hard drive.
• Talk covers Anti-Forensics from a criminal perspective, not a privacy perspective.
Anti-Forensics:
Leveraging OS and File System Artifacts
"What one man can invent, another can discover."
Sherlock Holmes
19-Feb-2016
Ali Hadi
ali@ashemery.com
Objective
Talk on Anti-Forensics focusing on operating system
and file system artifacts that can be used to
confirm/refute if anti-forensics was used on a hard
drive.
Talk covers Anti-Forensics from a criminal perspective,
not a privacy perspective
Anti-Forensics?
Tools and techniques that frustrate forensic
tools, investigations, and investigators …
- Dr. Simson Garfinkel
Anti Forensics
Locating anti-forensic tools leads to suspicion
Crumbs could be found even if removed!
Simple: clearing caches, offline files, app artifacts, deleting
catalogs and thumbnail files, Jump Lists, Prefetch files, etc.
Complex: Full Disk Encryption, Injected DLLs (meterpreter),
Anti-X
GOALS ?
Avoid detection
Disrupting Information Collection
Increase examination time
Cast doubt on forensic reports or
testimony
Subverting the tool
Categories
Hiding:
Data Hiding
Trail Obfuscation
Destruction:
Artifact Wiping
Attacking Forensic Tools
Q: What are we looking for?
"Data! Data! Data!
I can't make bricks without clay."
- Sherlock Holmes
Before we check where and how data ("evidence") is stored,
we must first understand what type of evidence we are looking
for from a forensic perspective:
Time: a duration in this universe
Keywords: any specific text related to a crime
Action/Operation: open file, run program, shutdown system, etc
Object: disk, partition, file, malware, etc
Operating System Artifacts
"Don't be conned by misleading menu structures!"
Techniques
Shift+del
Hiding files within system directories
Changing the file extension
.doc -> .xls
.pdf -> .doc
Merge Streams (Doc into XLS and vice versa)
Changing one byte in a file
Known to Unknown Hashes Bypass
Split and Scatter (splitting files and then scattering them)
Changing file headers
Transmogrify
Techniques Cont.
Log Injection (misleading events)
Deleted Files and Removed Programs
Restore Points
Registry Entries
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Online Storage: Dropbox, Gdrive, etc
DLL Injection (Meterpreter)
How: Simple Techniques Cont.
CLSID List (Windows Class Identifiers):
https://autohotkey.com/docs/misc/CLSID-List.htm
rename FOLDER "My Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}"
SysInternals: Autoruns
Detection Techniques
Different detection techniques (image path, memory, etc)
Fuzzy Hashes
Content Analysis
Scheduled Tasks
Thumbcache
Log detection
Correlation and Timeline Analysis
Memory dump of erased events or wipers
Centralized Log Management System
Meterpreter
Memory dump
stdapi_sys_process_getpid
Volume Shadow Copies / Restore
Points
Beware of accessing VSCs on Live Systems (why?)
Shadow Explorer VSC Browser
Browse a VSC
Windows Registry
User Registry File
NTUser.Dat file
Personal preferences and computer settings for user
Just looking at the file's metadata (file attributes) reveals
a lot of information:
First time the user logged on -> creation date of the file
Last time the user logged on -> last modified date of the file
Recycle.Bin
[Volume]:\$Recycle.Bin
$Recycle.Bin (hidden by default)
Subfolder per user named with account SID
When a file is moved to the Recycle Bin, it becomes two files $I
and $R.
$I -> original name and path, and deleted date
$R -> original file data stream and other attributes
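The $I/$R pairing described above is easy to check by hand once the $I layout is known. The following is an added example (not code from the talk) that decodes a $I record into its original path, size and deletion time, and flags $I files that have lost their $R partner or vice versa. The record layout it assumes (version 1 for Vista/7/8.1 with a fixed 520-byte path, version 2 for Windows 10 with a length-prefixed path) is an assumption stated in the docstring; the sample records are constructed, not taken from a real system.

```python
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME counts 100 ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a 64-bit FILETIME to an aware UTC datetime (100 ns -> 1 us)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse conversion; only used here to build the constructed sample."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_i_file(data: bytes) -> dict:
    """Decode one $I<random>.<ext> record from $Recycle.Bin\\<SID>\\.

    Layout assumed (Vista/7/8.1 = version 1, Windows 10+ = version 2):
      0x00  u64  version
      0x08  u64  original file size in bytes
      0x10  u64  deletion time as FILETIME
      0x18  v1: fixed 520-byte UTF-16LE path, NUL padded
            v2: u32 path length in UTF-16 code units (incl. NUL), then the path
    """
    if len(data) < 0x18:
        raise ValueError("too short to be a $I record")
    version, size, deleted_ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw_path = data[0x18:0x18 + 520]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 0x18)
        raw_path = data[0x1C:0x1C + nchars * 2]
    else:
        raise ValueError(f"unknown $I version {version}")
    return {
        "version": version,
        "original_size": size,
        "deleted_at": filetime_to_datetime(deleted_ft),
        "original_path": raw_path.decode("utf-16-le").rstrip("\x00"),
    }


def orphaned_entries(names):
    """Pair $I and $R files by their shared random suffix and report orphans.

    An $I with no $R (data wiped, index kept) or an $R with no $I (index
    removed to hide the original path and deletion time) is a crumb worth
    a closer look. Constructed check, not from the slides.
    """
    i_files = {n[2:] for n in names if n.startswith("$I")}
    r_files = {n[2:] for n in names if n.startswith("$R")}
    return sorted(i_files - r_files), sorted(r_files - i_files)


def build_sample_i_file(version: int, path: str, size: int, deleted_at: datetime) -> bytes:
    """Construct a $I record (sample data for the demo, not captured from a system)."""
    header = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted_at))
    encoded = (path + "\x00").encode("utf-16-le")
    if version == 1:
        return header + encoded.ljust(520, b"\x00")
    return header + struct.pack("<I", len(path) + 1) + encoded


# Constructed sample: a document deleted on the date of the talk.
SAMPLE_PATH = r"C:\Users\ali\Documents\plan.docx"
SAMPLE_DELETED_AT = datetime(2016, 2, 19, 14, 30, 15, tzinfo=timezone.utc)
SAMPLE_V1 = build_sample_i_file(1, SAMPLE_PATH, 12345, SAMPLE_DELETED_AT)
SAMPLE_V2 = build_sample_i_file(2, SAMPLE_PATH, 12345, SAMPLE_DELETED_AT)

if __name__ == "__main__":
    for blob in (SAMPLE_V1, SAMPLE_V2):
        print(parse_i_file(blob))
    print(orphaned_entries(["$IABC123.docx", "$RABC123.docx", "$IXYZ789.pdf"]))
```

On a real image, point the parser at every file starting with `$I` under the SID subfolder; the deletion time it returns is what a timeline needs, and an orphan list from the same folder is the quickest way to see whether someone tidied the bin selectively.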
Recycle Bin
Clear "Recent Items"
Windows 7
To clear the "Recent Items" list:
Right click on Recent Items
and select Clear
Jump Lists Cont.
Frequent files used
Recent files used
Jump Lists Cont.
C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent Items
Jump Lists Settings
If unchecked will prevent
application history from
appearing on the start menu
Used to adjust the number of items to
display in the Jump Lists
Libraries
A list of Monitored folders
Used to assist users to
find and organize their
media
Documents
Music
Pictures
Videos
They look like any other folder!!!
View them using a Forensic tool:
XML based files named with the library-ms extension!
Link Explorer (LECmd)
Prefetch Files
Prefetch files indicate the following to the examiner:
Existence: application named was run
Creation date: when the application was first run
Modification date: when the application was last run
User Activity with ShellBags
I still know what you did !!!
Index.DAT
Contains all of the Web sites
Every URL
Every Web page
All email sent or received through Outlook or Outlook Express
All internet temp files
All pictures viewed
Thumbs.DB
Pictures opened in Windows OS
Filmstrip
Thumbnails
Thumbs.DB Viewer
Binary Obfuscation
Packers / Unpackers
Reduce size, Hide actual code, Hide IAT, Anti-X
[Figure: a Simple Packer takes the Original Executable (DOS Header, PE Header, .data, .code) and produces the Packed Executable with the same outward layout (DOS Header, PE Header, .data, .code)]
Binary Obfuscation Cont.
Complex packers might overwrite their own memory space
Unpacking:
Statically (complex and time consuming)
Dynamically (easy, needs native env.)
Hybrid (best of both)
Types:
Common: UPX, FSG, MEW
Complex: Armadillo, Obsidium, Sdprotect, ExeCrypt, VMProtect
[Figure: import table of a packed executable reduced to GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree and ExitProcess; Compressor: 3.1415 MB before, 2.7282 MB after]
File Systems Artifacts
"Don't let jumbled Data Structures fool
you!"
Disks
Without an understanding of the disk layout, you'll never know
what is truly hidden there!
Do you know what’s here?
File Systems
Can reveal useful artifacts like:
Manipulated Timestamps
Metadata : deleted or crumbs
Logs of actions : Journals
Volume Slack
Unused space between the end of the volume and the end of
the partition
Size of the hidden data in volume slack is only limited by the
space on the hard disk available for a partition
Volume Slack
[Figure: Partition #1, Partition #2 and Partition #3 side by side on the disk, each with volume slack between the end of the volume and the end of the partition]
File Slack Space
Slack space could be used to hide data
Single cluster with 8 sectors (4096 bytes): Sector #0 | Sector #1 | Sector #2 | Sector #3 | Sector #4 | Sector #5 | Sector #6 | Sector #7
File Data: 2248 bytes (sectors #0-#3 and part of sector #4)
RAM Slack: 312 bytes (rest of sector #4)
Cluster Slack: 1536 bytes (sectors #5-#7)
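The slide's figure can be reproduced and extended into a small carving check. This added example (not code from the talk) computes the RAM slack and cluster slack for a file of a given logical size, then extracts both regions from the raw bytes of the file's last cluster and reports whether anything non-zero is sitting there. The 512-byte sector, 8 sectors per cluster and the 2248-byte file are the slide's numbers; the hidden note in the sample cluster is constructed.

```python
SECTOR_SIZE = 512
SECTORS_PER_CLUSTER = 8
CLUSTER_SIZE = SECTOR_SIZE * SECTORS_PER_CLUSTER  # 4096 bytes, as in the slide


def slack_layout(logical_size: int, sector=SECTOR_SIZE, cluster=CLUSTER_SIZE) -> dict:
    """Break the last cluster of a file into data, RAM slack and cluster slack.

    RAM slack: unused tail of the last sector that holds file data.
    Cluster slack: the whole sectors after that, up to the cluster boundary.
    """
    used_in_cluster = logical_size % cluster
    if logical_size > 0 and used_in_cluster == 0:
        return {"data": cluster, "ram_slack": 0, "cluster_slack": 0}
    used_in_sector = used_in_cluster % sector
    ram_slack = (sector - used_in_sector) % sector
    cluster_slack = cluster - used_in_cluster - ram_slack
    return {"data": used_in_cluster, "ram_slack": ram_slack, "cluster_slack": cluster_slack}


def _printable_runs(blob: bytes, min_len: int = 8) -> list:
    """Return runs of printable ASCII (strings-style) found in a slack region."""
    runs, cur = [], bytearray()
    for b in blob:
        if 32 <= b < 127:
            cur.append(b)
        else:
            if len(cur) >= min_len:
                runs.append(cur.decode("ascii"))
            cur = bytearray()
    if len(cur) >= min_len:
        runs.append(cur.decode("ascii"))
    return runs


def carve_slack(last_cluster: bytes, logical_size: int) -> dict:
    """Extract both slack regions from the raw bytes of a file's last cluster.

    NTFS zero-fills the tail of the last sector when it writes the file, so
    non-zero bytes in RAM slack are hard to explain innocently. Cluster slack
    may still hold remnants of whatever previously occupied the cluster, so
    its content needs review rather than an automatic verdict.
    """
    if len(last_cluster) != CLUSTER_SIZE:
        raise ValueError("expected exactly one cluster of raw bytes")
    lay = slack_layout(logical_size)
    start = lay["data"]
    ram = last_cluster[start:start + lay["ram_slack"]]
    cl_start = start + lay["ram_slack"]
    cl = last_cluster[cl_start:cl_start + lay["cluster_slack"]]
    return {
        "ram_slack": ram,
        "cluster_slack": cl,
        "ram_slack_has_data": any(ram),
        "cluster_slack_has_data": any(cl),
        "printable_fragments": _printable_runs(ram + cl),
    }


# Constructed sample: a 2248-byte file (the slide's figure) whose cluster slack
# was reused to stash a note, while the RAM slack stayed zero-filled.
FILE_SIZE = 2248
HIDDEN_NOTE = b"hidden note planted in cluster slack"
SAMPLE_CLUSTER = b"A" * FILE_SIZE + b"\x00" * 312 + HIDDEN_NOTE.ljust(1536, b"\x00")

if __name__ == "__main__":
    print(slack_layout(FILE_SIZE))
    result = carve_slack(SAMPLE_CLUSTER, FILE_SIZE)
    print(result["ram_slack_has_data"], result["cluster_slack_has_data"])
    print(result["printable_fragments"])
```

To run it against an image, read the file's last cluster from the data run in its MFT record and pass the logical size from $STANDARD_INFORMATION or the $DATA attribute; the returned fragments are a starting point for keyword search, not proof on their own.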
File Systems (NTFS)
Everything written to the disk is considered a file
Files, directories, metadata, etc
MFT is the heart of NTFS (array of records 1024 bytes each)
Records in the MFT are called metadata
First 16 records in the MFT reserved for metadata files
Entry #1 is $MFT
PowerForensics
File Systems (NTFS) Cont.
Deleted Files
Unallocated space
File System Journals, Index Files, and Log files: $I30, $LogFile, $UsnJrnl
File Wipers
Some crumbs left for investigator!
Hiding within $DATA attribute
Timestamps and timestomp tools
MACE / MACB
$MFT Slack Space
Bad Blocks ($BadClus)
Marked in the metadata file $BadClus (MFT entry 8)
Sparse file with the size set to the size of the entire file system
Bad clusters are allocated to this file
Clusters can be allocated to $BadClus and used to store data
Alternate Data Streams (ADS)
More than one $DATA attribute
Locating streams:
Streams, LADS, etc
DF tools
Manually!
Can also hide binaries!
Images
EXEs
etc
echo I am the hidden text > file.txt:Hidden.txt
Time Manipulation: Timestomp
Also a form of Data Hiding!
Time Manipulation: Detection
Compare timestamps of SIA with FN attributes
FN attributes timestamps must be older than SIA timestamps
Zero milliseconds in timestamps is suspect
Check creation timestamps earlier than file system format
date
Check Shadow Copies (VSCs) and Restore Points
Check Journal files
Creating timelines
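The checklist above maps directly onto code. This added example (not part of the talk) takes the four MACE timestamps of a file's $STANDARD_INFORMATION and $FILE_NAME attributes as raw FILETIME values and applies three of the slide's tests: $STANDARD_INFORMATION older than $FILE_NAME, a zero sub-second component (timestomp-style tools set whole seconds), and a creation time earlier than the volume was formatted. The records and the format time are constructed; using the creation time of $MFT as the format time is an assumption made here.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000  # FILETIME resolution is 100 ns
FIELDS = ("created", "modified", "mft_changed", "accessed")  # the MACE set


def to_dt(ft: int) -> datetime:
    """FILETIME (100 ns ticks since 1601) to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def ft(y, m, d, hh=0, mi=0, ss=0, sub_ticks=0) -> int:
    """Build a FILETIME from a UTC date plus extra 100 ns ticks (sample data helper)."""
    dt = datetime(y, m, d, hh, mi, ss, tzinfo=timezone.utc)
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10 + sub_ticks


def check_timestamps(sia: dict, fn: dict, fs_format_time: int) -> list:
    """Apply the slide's checks to one MFT record's timestamps.

    sia / fn: FILETIME ints for the four MACE fields of $STANDARD_INFORMATION
    and $FILE_NAME. fs_format_time: FILETIME of the volume format (assumed
    here to be the creation time of $MFT). Returns human-readable findings;
    an empty list means nothing stood out.
    """
    findings = []
    for key in FIELDS:
        # $FILE_NAME is set by the kernel at create/rename/move and is not
        # reachable from user-mode time-setting APIs, so it should be the
        # older of the two.
        if sia[key] < fn[key]:
            findings.append(
                f"$STANDARD_INFORMATION {key} {to_dt(sia[key]).isoformat()} is earlier "
                f"than $FILE_NAME {key} {to_dt(fn[key]).isoformat()}"
            )
        # Real writes leave the 100 ns remainder populated.
        if sia[key] % TICKS_PER_SECOND == 0:
            findings.append(f"$STANDARD_INFORMATION {key} has a zero sub-second part")
    if sia["created"] < fs_format_time:
        findings.append(
            f"created {to_dt(sia['created']).isoformat()} before the volume was formatted "
            f"{to_dt(fs_format_time).isoformat()}"
        )
    return findings


# Constructed samples. The volume was formatted mid-2015.
FORMAT_TIME = ft(2015, 7, 1, 9, 0, 0, 2_345_678)

# Untouched document: $FILE_NAME frozen at creation, $STANDARD_INFORMATION
# moved forward by ordinary edits and reads, all with non-zero ticks.
_T0 = ft(2016, 1, 10, 9, 15, 3, 1_234_567)
CLEAN_FN = {"created": _T0, "modified": _T0, "mft_changed": _T0, "accessed": _T0}
CLEAN_SIA = {
    "created": _T0,
    "modified": ft(2016, 2, 1, 8, 0, 0, 4_455_667),
    "mft_changed": ft(2016, 2, 1, 8, 0, 0, 4_455_667),
    "accessed": ft(2016, 2, 18, 17, 42, 9, 9_876_543),
}

# Same file after its $STANDARD_INFORMATION was rewritten to 2009-01-01
# with second precision; $FILE_NAME was left alone, $MFT change time moved.
STOMPED_SIA = {
    "created": ft(2009, 1, 1),
    "modified": ft(2009, 1, 1),
    "accessed": ft(2009, 1, 1),
    "mft_changed": ft(2016, 2, 18, 17, 50, 0, 3_210_987),
}

if __name__ == "__main__":
    print("clean:", check_timestamps(CLEAN_SIA, CLEAN_FN, FORMAT_TIME))
    for line in check_timestamps(STOMPED_SIA, CLEAN_FN, FORMAT_TIME):
        print("stomped:", line)
```

None of these findings is conclusive by itself (a file copied from another volume or restored from backup can trip the first rule), which is why the slide pairs them with shadow copies, journals and a timeline.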
$UsnJrnl
Tracking NTFS’s history with $UsnJrnl
Creation, deletion, modification, renaming and moving of files and
directories
It is possible to find traces of deleted files.
The events of program execution and document opening can be found by
tracking the history of Prefetch files and LNK files
$UsnJrnl record carving from unallocated space
There are many $UsnJrnl records in unallocated space
Tracking old file system history (from several months back) through
$UsnJrnl record carving
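Carving $UsnJrnl records out of unallocated space works because each USN_RECORD_V2 carries a recognisable 60-byte header (version 2.0, an 8-byte-aligned length, the file name at offset 0x3C). This added example (not code from the talk or from PowerForensics) sweeps a byte blob for such records, decodes the reason flags, and lists the names that carry FILE_DELETE, which is the "trace of deleted file" the slide refers to. The records in the sample blob are constructed, including the junk bytes between them; the MFT reference and sequence numbers are made up.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# USN_RECORD_V2 fixed header (60 bytes); the UTF-16LE file name follows at 0x3C.
USN_V2_HEADER = "<IHHQQQQIIIIHH"
USN_V2_HEADER_LEN = struct.calcsize(USN_V2_HEADER)  # 60
USN_REASONS = {
    0x00000001: "DATA_OVERWRITE",
    0x00000002: "DATA_EXTEND",
    0x00000004: "DATA_TRUNCATION",
    0x00000100: "FILE_CREATE",
    0x00000200: "FILE_DELETE",
    0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME",
    0x00008000: "BASIC_INFO_CHANGE",
    0x80000000: "CLOSE",
}
KNOWN_BITS = sum(USN_REASONS)


def decode_reason(reason: int) -> list:
    """Expand the reason bitmask into names; unknown bits are kept as hex."""
    names = [name for bit, name in USN_REASONS.items() if reason & bit]
    leftover = reason & ~KNOWN_BITS & 0xFFFFFFFF
    if leftover:
        names.append(f"0x{leftover:08x}")
    return names


def parse_usn_v2(buf: bytes, off: int):
    """Return a dict for a plausible USN_RECORD_V2 at off, else None."""
    if off + USN_V2_HEADER_LEN > len(buf):
        return None
    (length, major, minor, fref, pref, usn, ts, reason,
     _source, _sec_id, _attrs, name_len, name_off) = struct.unpack_from(USN_V2_HEADER, buf, off)
    if (major, minor) != (2, 0):
        return None
    if length < USN_V2_HEADER_LEN or length % 8 or off + length > len(buf):
        return None
    if name_off != USN_V2_HEADER_LEN or name_len == 0 or name_len % 2 or name_off + name_len > length:
        return None
    name = buf[off + name_off:off + name_off + name_len].decode("utf-16-le", errors="replace")
    return {
        "offset": off,
        "length": length,
        "usn": usn,
        "mft_entry": fref & 0xFFFFFFFFFFFF,      # low 48 bits: entry number
        "parent_entry": pref & 0xFFFFFFFFFFFF,   # high 16 bits are the sequence
        "timestamp": FILETIME_EPOCH + timedelta(microseconds=ts // 10),
        "reasons": decode_reason(reason),
        "name": name,
    }


def carve_usn_records(buf: bytes) -> list:
    """Sweep a blob (e.g. unallocated clusters) in 8-byte steps for V2 records.

    $UsnJrnl:$J records are 8-byte aligned, so a header can only start on
    such a boundary; bytes that do not parse are simply stepped over.
    """
    records, off = [], 0
    while off + USN_V2_HEADER_LEN <= len(buf):
        rec = parse_usn_v2(buf, off)
        if rec:
            records.append(rec)
            off += rec["length"]
        else:
            off += 8
    return records


def deleted_names(records: list) -> list:
    """Names of files whose journal entries include FILE_DELETE."""
    return sorted({r["name"] for r in records if "FILE_DELETE" in r["reasons"]})


def build_usn_v2(name: str, reason: int, usn: int, when: datetime, mft_entry: int, parent=5) -> bytes:
    """Construct a USN_RECORD_V2 (sample data only; sequence numbers are fake)."""
    encoded = name.encode("utf-16-le")
    length = (USN_V2_HEADER_LEN + len(encoded) + 7) & ~7
    ts = ((when - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    header = struct.pack(USN_V2_HEADER, length, 2, 0, mft_entry | (1 << 48), parent | (5 << 48),
                         usn, ts, reason, 0, 0, 0x20, len(encoded), USN_V2_HEADER_LEN)
    return (header + encoded).ljust(length, b"\x00")


# Constructed "unallocated space": leftover junk, a document being created,
# written and deleted, and a rename pair, with zero padding in between.
T = datetime(2016, 2, 19, 10, 5, 0, tzinfo=timezone.utc)
SAMPLE_UNALLOCATED = (
    b"\xff" * 24
    + build_usn_v2("plan.docx", 0x00000100, 0x1000, T, 71)                              # FILE_CREATE
    + build_usn_v2("plan.docx", 0x80000102, 0x1050, T + timedelta(minutes=3), 71)       # EXTEND|CREATE|CLOSE
    + b"\x00" * 40
    + build_usn_v2("plan.docx", 0x80000200, 0x10A0, T + timedelta(hours=2), 71)         # FILE_DELETE|CLOSE
    + build_usn_v2("notes.txt", 0x00001000, 0x10F0, T + timedelta(hours=3), 72)         # RENAME_OLD_NAME
    + build_usn_v2("todo.txt", 0x00002000, 0x1140, T + timedelta(hours=3), 72)          # RENAME_NEW_NAME
)

if __name__ == "__main__":
    for r in carve_usn_records(SAMPLE_UNALLOCATED):
        print(r["timestamp"].isoformat(), r["mft_entry"], r["name"], r["reasons"])
    print("deleted:", deleted_names(carve_usn_records(SAMPLE_UNALLOCATED)))
```

Against a real image the same sweep is run over the unallocated clusters (and over $UsnJrnl:$J itself for the live part of the journal); sorting the hits by USN or timestamp gives the file-system history the slide describes, including names that no longer exist in the MFT.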
NTFS INDX Files (aka: $i30)
Each directory index entry contains at least the following
metadata for the child:
Filename
Physical size of file
Logical size of file
Modified timestamp
Accessed timestamp
Changed timestamp
Created timestamp
$LogFile
A transaction journal of changes to the $MFT
Could find file fragments and MFT records
Could find MFT records in unallocated space
Could locate file names that no longer exist on the disk
Finally …
To catch a criminal, you need to think like one!
Without proper understanding of the underlying
technology, it's just like you're searching for a needle in a
haystack!
They can run, but they can't hide forever
References
http://blogs.technet.com/b/askcore/archive/2013/03/24/alternate-data-streams-in-ntfs.aspx
http://www.autohotkey.com/docs/misc/CLSID-List.htm
https://www.runtime.org/diskexplorer.htm
Anti-Forensics: Techniques, Detection and Countermeasures, Simson Garfinkel
Metasploit Autopsy: Reconstructing the Crime Scene, http://www.blackhat.com/presentations/bh-usa-09/SILBERMAN/BHUSA09-Silberman-MetasploitAutopsy-SLIDES.pdf
A Windows Registry Quick Reference: For the Everyday Examiner, Derrick J. Farmer, Burlington, Vermont
https://en.wikiquote.org/wiki/Sherlock_Holmes
PowerForensics Get-ForensicUsnJrnl, http://www.invoke-ir.com/2016/02/forensic-friday-get-forensicusnjrnl.html
Advanced $UsnJrnl Forensics, FORENSIC INSIGHT
Prefetch Files, http://www.forensicswiki.org/wiki/Prefetch
LECmd, Eric Zimmerman, http://binaryforay.blogspot.com/2016/02/introducing-lecmd.html
http://www.williballenthin.com/forensics/indx/