All content in this area was uploaded by Ali Hadi on Dec 09, 2016
Anti-Forensics:
Leveraging OS and File System Artifacts
"What one man can invent, another can discover."
–Sherlock Holmes
19-Feb-2016
Ali Hadi
ali@ashemery.com
Objective
•Talk on Anti-Forensics focusing on operating system
and file system artifacts that can be used to
confirm or refute whether anti-forensics was used on a hard
drive.
•Talk covers Anti-Forensics from a criminal perspective,
not a privacy perspective
Anti-Forensics?
Tools and techniques that frustrate forensic
tools, investigations, and investigators …
- Dr. Simson Garfinkel
Anti Forensics
•Locating anti-forensic tools leads to suspicion
–Crumbs could be found even if removed!
•Simple: clearing caches, offline files, app artifacts, deleting
catalogs and thumbnail files, Jump Lists, Prefetch files, etc
•Complex: Full Disk Encryption, Injected DLLs (meterpreter),
Anti-X
Goals?
•Avoid detection
•Disrupting Information Collection
•Increase examination time
•Cast doubt on forensic reports or
testimony
•Subverting the tool
Categories
•Hiding:
–Data Hiding
–Trail Obfuscation
•Destruction:
–Artifact Wiping
–Attacking Forensic Tools
Q: What are we looking for?
"Data! Data! Data!
I can't make bricks without clay."
-Sherlock Holmes
•Before we check where and how data ("evidence") is stored,
we must first understand what type of evidence we are
looking for from a forensic perspective:
–Time: a duration in this universe
–Keywords: any specific text related to a crime
–Action/Operation: open file, run program, shutdown system, etc
–Object: disk, partition, file, malware, etc
Operating System Artifacts
"Don't be conned by misleading menu structures!"
Techniques
•Shift+del
•Hiding files within system directories
•Changing the file extension
–.doc -> .xls
–.pdf -> .doc
•Merge Streams (Doc into XLS and vice versa)
•Changing one byte in a file
–Known to Unknown Hashes Bypass
•Split and Scatter (splitting files and then scattering them)
•Changing file headers
–Transmogrify
Techniques – Cont.
•Log Injection (misleading events)
•Deleted Files and Removed Programs
–Restore Points
–Registry Entries
–HKCU\Software\Microsoft\Windows\CurrentVersion\Run
•Online Storage: Dropbox, Gdrive, etc
•DLL Injection (Meterpreter)
How: Simple Techniques – Cont.
•CLSID List (Windows Class Identifiers),
https://autohotkey.com/docs/misc/CLSID-List.htm
rename FOLDER "My Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}"
SysInternals: Autoruns
Detection Techniques
•Different detection techniques (image path, memory, etc)
•Fuzzy Hashes
•Content Analysis
•Scheduled Tasks
•Thumbcache
•Log detection
–Correlation and Timeline Analysis
–Memory dump of erased events or wipers
–Centralized Log Management System
•Meterpreter
–Memory dump
–stdapi_sys_process_getpid
Volume Shadow Copies / Restore Points
•Beware of accessing VSCs on Live Systems (why?)
Shadow Explorer – VSC Browser
•Browse a VSC
Windows Registry
User Registry File
•NTUser.Dat file
–Personal preferences and computer settings for user
–Even just looking at the file metadata (file attributes)
reveals a lot of information:
•First time user logged on
–Creation date of file
•Last time user logged on
–Last modified date of file
Recycle.Bin
•[Volume]:\$Recycle.Bin
•$Recycle.Bin (hidden by default)
•Subfolder per user named with account SID
•When a file is moved to the Recycle Bin, it becomes two files: $I and $R.
–$I -> original name and path, and deleted date
–$R -> original file data stream and other attributes
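As an added example (not code from the original slides), a parser for the $I record described above. The sample $I content is constructed for the demonstration; the version-1 (Vista/7/8) and version-2 (Windows 10 and later) layouts are assumed from the documented $Recycle.Bin format.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ticks):
    """FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def parse_recycle_bin_i(data):
    """Parse an $I<random> file from $Recycle.Bin\\<SID> (its $R twin shares the suffix).
    Layout: version (8), original size (8), deletion FILETIME (8), then the path:
      version 1 (Vista/7/8): fixed 520-byte UTF-16LE buffer, NUL-terminated
      version 2 (Windows 10+): 4-byte character count, then UTF-16LE path"""
    if len(data) < 24:
        raise ValueError("truncated $I file")
    version, size, deleted = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw.decode("utf-16-le", "replace").split("\x00", 1)[0]
    return {"version": version, "original_size": size,
            "deleted_at": filetime_to_datetime(deleted), "original_path": path}

def build_sample_i(path, size, deleted_at, version=2):
    """Constructed $I content for the demo (not taken from a real system)."""
    ticks = (deleted_at - FILETIME_EPOCH) // timedelta(microseconds=1) * 10
    head = struct.pack("<QQQ", version, size, ticks)
    enc = (path + "\x00").encode("utf-16-le")
    if version == 1:
        return head + enc.ljust(520, b"\x00")
    return head + struct.pack("<I", len(path) + 1) + enc  # count includes the NUL

# Constructed sample values used by the demo below.
SAMPLE_PATH = r"C:\Users\alice\Documents\plan.docx"
SAMPLE_DELETED_AT = datetime(2016, 2, 19, 14, 5, 33, tzinfo=timezone.utc)

if __name__ == "__main__":
    for v in (1, 2):
        print(parse_recycle_bin_i(build_sample_i(SAMPLE_PATH, 48213, SAMPLE_DELETED_AT, v)))
```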
Recycle Bin
Clear "Recent Items"
Windows 7
To clear the "Recent Items" list, right-click on Recent Items and select Clear
Jump Lists – Cont.
Frequent files used
Recent files used
Jump Lists – Cont.
C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent Items
Jump Lists – Settings
If unchecked, prevents application history from appearing on the Start menu
Used to adjust the number of items to display in the Jump Lists
Libraries
•A list of Monitored folders
•Used to assist users to
find and organize their
media
–Documents
–Music
–Pictures
–Videos
They look like any other folder!!!
View them using a forensic tool: XML-based files named with the .library-ms extension!
Link Explorer (LECmd)
Prefetch Files
•Prefetch files indicate the following to the examiner:
–Existence: application named was run
–Creation date: when the application was first run
–Modification date: when the application was last run
User Activity with ShellBags
•I still know what you did!!!
Index.DAT
•Contains all of the Web sites
•Every URL
•Every Web page
•All email sent or received through Outlook or Outlook Express
•All internet temp files
•All pictures viewed
Thumbs.DB
•Pictures opened in Windows OS
•Filmstrip
•Thumbnails
•Thumbs.DB Viewer
Binary Obfuscation
•Packers / Unpackers
–Reduce size, Hide actual code, Hide IAT, Anti-X
[Figure: Original Executable (DOS Header, PE Header, .data, .code) -> Simple Packer -> Packed Executable (DOS Header, PE Header, .data, .code)]
Binary Obfuscation – Cont.
•Complex packers might overwrite their own memory space
•Unpacking:
–Statically (complex and time consuming)
–Dynamically (easy, needs native env.)
–Hybrid (best of both)
•Types:
–Common: UPX, FSG, MEW
–Complex: Armadillo, Obsidium, Sdprotect, ExeCrypt, VMProtect
[Figure: import table of a packed sample showing GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess; Compressor: 3.1415 MB / 2.7282 MB]
File Systems Artifacts
"Don't let jumbled Data Structures fool you!"
Disks
•Without an understanding of the disk layout, you'll never know
what is truly hidden there!
Do you know what’s here?
File Systems
•Can reveal useful artifacts like:
–Manipulated Timestamps
–Metadata: deleted entries or crumbs
–Logs of actions: journals
Volume Slack
•Unused space between the end of the volume and the end of
the partition
•Size of the hidden data in volume slack is only limited by the
space on the hard disk available for a partition
[Figure: Volume Slack – Partition #1, Partition #2, Partition #3]
File Slack Space
•Slack space could be used to hide data
[Figure: a single cluster with 8 sectors (4096 bytes), Sector #0 to Sector #7: File Data 2248 bytes, RAM Slack 312 bytes, Cluster Slack 1536 bytes]
File Systems (NTFS)
•Everything written to the disk is considered a file
–Files, directories, metadata, etc
•MFT is the heart of NTFS (array of records 1024 bytes each)
•Records in the MFT are called metadata
•First 16 records in the MFT reserved for metadata files
•Entry #1 is $MFT
PowerForensics
File Systems (NTFS) – Cont.
•Deleted Files
–Unallocated space
–File System Journals, Index Files, and Log files: $I30, $LogFile, $UsnJrnl
•File Wipers
–Some crumbs left for investigator!
•Hiding within $DATA attribute
•Timestamps and timestomp tools
–MACE / MACB
$MFT Slack Space
•MFT Slack Space
Bad Blocks ($BadClus)
•Marked in the metadata file $BadClus (MFT entry 8)
•Sparse file with the size set to the size of the entire file system
•Bad clusters are allocated to this file
•Clusters can be allocated to $BadClus and used to store data
Alternate Data Streams (ADS)
•More than one $DATA attribute
•Locating streams:
–Streams, LADS, etc
–DF tools
–Manually!
•Can also hide binaries!
–Images
–EXEs
–etc
echo I am the hidden text > file.txt:Hidden.txt
Time Manipulation: Timestomp
•Also a form of Data Hiding!
Time Manipulation: Detection
•Compare timestamps of SIA with FN attributes
•FN attributes timestamps must be older than SIA timestamps
•Zero milliseconds in timestamps is suspect
•Check for creation timestamps earlier than the file system format
date
•Check Volume Shadow Copies (VSCs) and Restore Points
•Check Journal files
•Creating timelines
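As an added example (not from the original slides), the first three checks above applied to the raw timestamp fields of $STANDARD_INFORMATION and $FILE_NAME. The attribute bodies, the volume format time and the parent reference are constructed for the demonstration; the attribute layouts are assumed from the documented NTFS on-disk format.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000  # FILETIME counts 100 ns ticks since 1601-01-01 UTC
ORDER = ("created", "modified", "mft_modified", "accessed")  # on-disk order in both attributes

def to_filetime(dt):
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10

def parse_si_times(body):
    """$STANDARD_INFORMATION body: the four FILETIMEs start at offset 0."""
    return dict(zip(ORDER, struct.unpack_from("<4Q", body, 0)))

def parse_fn_times(body):
    """$FILE_NAME body: 8-byte parent directory reference, then the four FILETIMEs."""
    return dict(zip(ORDER, struct.unpack_from("<4Q", body, 8)))

def timestomp_indicators(si, fn, fs_format_ft):
    """Each hit is an indicator, not proof: $FN can legitimately be newer than $SI
    after a rename or move, and whole-second timestamps also come from files
    copied off FAT media or set by installers. Correlate with journals/VSCs."""
    findings = []
    for key in ORDER:
        if si[key] < fn[key]:
            findings.append(f"{key}: $SI older than $FN (only $SI backdated?)")
        if si[key] % TICKS_PER_SECOND == 0:
            findings.append(f"{key}: $SI has a zero sub-second component")
    if si["created"] < fs_format_ft:
        findings.append("created: $SI predates the file system format time")
    return findings

# Constructed attribute bodies: a genuine file, and one whose $SI was rewritten by a
# timestomp-style tool (whole seconds, backdated to before the volume was formatted).
FS_FORMAT = to_filetime(datetime(2014, 3, 1, 9, 0, 0, tzinfo=timezone.utc))
BORN = datetime(2015, 6, 3, 12, 34, 56, 789123, tzinfo=timezone.utc)

def _bodies(si_times, fn_times):  # remaining fields (flags, sizes, name) zeroed
    return (struct.pack("<4Q", *si_times) + b"\x00" * 16,
            struct.pack("<Q", 5) + struct.pack("<4Q", *fn_times) + b"\x00" * 24)

def sample_genuine():
    si = [to_filetime(BORN + timedelta(hours=h)) for h in (0, 1, 1, 2)]
    si_body, fn_body = _bodies(si, [to_filetime(BORN)] * 4)
    return timestomp_indicators(parse_si_times(si_body), parse_fn_times(fn_body), FS_FORMAT)

def sample_stomped():
    si = [to_filetime(datetime(2009, 1, 1, tzinfo=timezone.utc))] * 4
    si_body, fn_body = _bodies(si, [to_filetime(BORN)] * 4)
    return timestomp_indicators(parse_si_times(si_body), parse_fn_times(fn_body), FS_FORMAT)
```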
$UsnJrnl
•Tracking NTFS history with $UsnJrnl
–Creation, deletion, modification, renaming and moving of files and
directories
–Traces of deleted files can be found
–Program execution and document-opening events can be found by
tracking the history of Prefetch and LNK files
•$UsnJrnl record carving from unallocated space
–Large numbers of $UsnJrnl records remain in unallocated space
–Carving these records recovers older file system history (from
several months back)
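As an added example (not the slides' or PowerForensics' code), a minimal carver for USN_RECORD_V2 structures in a raw byte blob, the structure the $UsnJrnl:$J stream holds. The "unallocated space" here is constructed from two made-up records surrounded by junk; the record layout and reason bits are assumed from the documented Windows winioctl.h definitions.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
USN_V2_HEADER = struct.Struct("<IHHQQQQIIIIHH")  # 60-byte fixed part of USN_RECORD_V2
USN_REASONS = {0x1: "DATA_OVERWRITE", 0x2: "DATA_EXTEND", 0x100: "FILE_CREATE",
               0x200: "FILE_DELETE", 0x1000: "RENAME_OLD_NAME",
               0x2000: "RENAME_NEW_NAME", 0x80000000: "CLOSE"}  # subset of the reason bits

def decode_reasons(flags):
    return [name for bit, name in USN_REASONS.items() if flags & bit] or [hex(flags)]

def carve_usn_v2(blob):
    """Scan raw bytes (e.g. unallocated clusters) for plausible USN_RECORD_V2
    structures and return the fields an examiner cares about, in blob order."""
    found, off = [], 0
    while off + USN_V2_HEADER.size <= len(blob):
        (rec_len, major, minor, frn, parent, usn, ts, reason, _src, _sid, _attr,
         name_len, name_off) = USN_V2_HEADER.unpack_from(blob, off)
        # Sanity checks keep junk from being reported: version 2.0, name right after
        # the header, 8-byte aligned record length that fits the name and the blob.
        ok = (major == 2 and minor == 0 and name_off == 60 and rec_len % 8 == 0
              and 60 + name_len <= rec_len <= 60 + 2 * 255 + 8
              and name_len % 2 == 0 and off + rec_len <= len(blob))
        if not ok:
            off += 8  # journal records are 8-byte aligned, so step by 8
            continue
        name = blob[off + name_off:off + name_off + name_len].decode("utf-16-le", "replace")
        found.append({"offset": off, "usn": usn,
                      "mft_entry": frn & 0xFFFFFFFFFFFF,  # low 48 bits = MFT entry number
                      "parent_entry": parent & 0xFFFFFFFFFFFF,
                      "timestamp": FILETIME_EPOCH + timedelta(microseconds=ts // 10),
                      "reasons": decode_reasons(reason), "name": name})
        off += rec_len
    return found

def build_usn_v2(usn, frn, parent, when, reason, name):
    """Construct a USN_RECORD_V2 for the demo (test data, not from a real volume)."""
    enc = name.encode("utf-16-le")
    rec_len = (60 + len(enc) + 7) & ~7
    ticks = (when - FILETIME_EPOCH) // timedelta(microseconds=1) * 10
    hdr = USN_V2_HEADER.pack(rec_len, 2, 0, frn, parent, usn, ticks, reason, 0, 0, 0x20, len(enc), 60)
    return (hdr + enc).ljust(rec_len, b"\x00")

# Constructed "unallocated space": junk, a create+close record, zeros, then the
# delete+close record for the same file (sequence 1, MFT entry 300, parent entry 5).
T0 = datetime(2016, 2, 19, 10, 30, 0, tzinfo=timezone.utc)
SAMPLE_BLOB = (b"\xAA" * 24
               + build_usn_v2(4096, (1 << 48) | 300, (1 << 48) | 5, T0, 0x100 | 0x80000000, "secret.docx")
               + b"\x00" * 40
               + build_usn_v2(4200, (1 << 48) | 300, (1 << 48) | 5, T0 + timedelta(minutes=5), 0x200 | 0x80000000, "secret.docx"))

def carve_sample():
    return carve_usn_v2(SAMPLE_BLOB)
```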
NTFS INDX Files (aka: $I30)
•Each directory index entry contains at least the following
metadata for the child:
–Filename
–Physical size of file
–Logical size of file
–Modified timestamp
–Accessed timestamp
–Changed timestamp
–Created timestamp
$LogFile
•A transaction journal of changes to the $MFT
•Could find file fragments and MFT records
•Could find MFT records in unallocated space
•Could locate file names that no longer exist on the disk
Finally …
•To catch a criminal, you need to think like one!
•Without a proper understanding of the underlying
technology, it's just like you're searching for a needle in the
haystack!
•They can run, but they can't hide forever
References
•http://blogs.technet.com/b/askcore/archive/2013/03/24/alternate-data-streams-in-ntfs.aspx
•http://www.autohotkey.com/docs/misc/CLSID-List.htm
•https://www.runtime.org/diskexplorer.htm
•Anti-Forensics: Techniques, Detection and Countermeasures, Simson Garfinkel
•Metasploit Autopsy – Reconstructing the Crime Scene, http://www.blackhat.com/presentations/bh-usa-09/SILBERMAN/BHUSA09-Silberman-MetasploitAutopsy-SLIDES.pdf
•A Windows Registry Quick Reference: For the Everyday Examiner, Derrick J. Farmer, Burlington, Vermont
•https://en.wikiquote.org/wiki/Sherlock_Holmes
•PowerForensics Get-ForensicUsnJrnl, http://www.invoke-ir.com/2016/02/forensic-friday-get-forensicusnjrnl.html