Anti Forensics Tool
Packages that are used for countering forensic activities, including encryption, steganography, andanything that modifies attributes. This all includes tools to work with anything in generalthat makes changes to a system for the purposes of hiding information.
Anti Forensics Tool
There are an abundance of measures available to the standard digital device users which provide the opportunity to act in an anti-forensic manner and conceal any potential digital evidence denoting a criminal act. Whilst there is a lack of empirical evidence which evaluates the scale of this threat to digital forensic investigations leaving the true extent of engagement with such tools unknown, arguably the field should take proactive steps to examine and record the capabilities of these measures. Whilst forensic science has long accepted the concept of toolmark analysis as part of criminal investigations, 'digital tool marks' (DTMs) are a notion rarely acknowledged and considered in digital investigations. DTMs are the traces left behind by a tool or process on a suspect system which can help to determine what malicious behaviour has occurred on a device. This article discusses and champions the need for DTM research in digital forensics highlighting the benefits of doing so.
The size of the malware corpus is growing exponentially, with the barrier to entry lowering due to openly available toolkits, such as RIG EK and Necurs, allowing for redistribution of variants of similar malware. There are also open source and user-friendly tools that allow for the creation of polymorphic malware to evade static and heuristic analysis. The most popular malware variants for cybercriminals have recently shifted from Ransomware, such as Cerber, NotPetya and Wannacryptor, to cryptomining malware, such as Adylkuzz, JenkinsMiner, Wannamine and banking trojans like Emotet and Gh0st.
The increased prominence of malware, such as banking trojans and cryptojackers, for which a lack of publicity, detection or analysis presents a strategic marketplace advantage, has increased the importance and complexity of measures to evade forensic analysis, through the use of anti-forensic countermeasures.
One of the most common mechanisms that malware uses to evade forensic analysis, is remaining inert or removing itself when it detects that it has been executed from within a virtualised environment. This is to prevent automated analysis, detection and signature submission by antivirus software or malware analysts.
The ability for malware to accomplish this task is accomplished through two main methods. Firstly, malware will attempt to ascertain the validity of the physical characteristics of its surrounding environment, and secondly, malware will attempt to assess the validity of the other programs running and whether they can be determined to be analysis or virtualisation tools.
There are also behavioural indicators of liveness within a system. These are things such as activity within the registry, browser caches, total amount of cookies, and system events. Additionally, malware in the wild will often also look for signatures indicative of installed common analysis tools, such as IDA pro and Python.
As a result of this, malware analysts will use tools in order to spoof the signatures resultant from the execution of malware, so that they are able to bypass anti-forensics countermeasures implemented by malware authors. There are tools, such as Paranoidfish, that show indicators of a virtual machine, so that an analyst can remove these, to better simulate a virtualised environment.
However, for the purpose of malware forensics, the most effective method of bypassing these anti-forensics capabilities is to simply install an operating system on the hardware itself. Antivirus companies frequently have air-gapped bare metal infrastructure provisioned for this reason.
Double-Flux is another innovative malware network traffic obfuscation methodology. The way in which this works is by changing the DNS NS records as well as the DNS A records, which is termed double flux. The most famous example of Double-Flux being used as an anti-forensic methodology is the Avalanche network, where, according to Europol, 5 individuals were arrested, 37 premises were searched, and 39 servers were seized. Victims of this malware infection were identified in over 180 countries.
As can be seen from this blog post, there is a constant arms race between malware authors and malware analysts, in terms of forensics and anti-forensics. This results in a variety of specialised tools and innovative methods being used by both sides in a reactive manner.
Adding to these difficulties, intentional anti-forensic measures are increasingly being employed by both criminals and everyday users that cause additional costs in time and money to be incurred by investigations.
Strictly speaking, digital anti-forensics are any means used to compromise or prevent availability of information on a computer, mobile device, storage medium, etc. The use of anti-forensic measures should not lead to assumptions that they are hiding criminal activity however. After all, everyone is entitled to some degree of personal privacy and measures such as communications encryption are not illegal if the intent is not to hide criminal activity.
However, the use of anti-forensics by those with ill intent certainly makes digital forensics investigations more time-consuming and expensive as most famously exhibited in the 2015 struggle between Apple and the FBI over applying forensics to a locked iPhone that was owned by one of the San Bernardino attackers who killed and injured a total of 36 people.
In all cases, when digital forensics experts attempt to discover and extract data from a suspected system they use only their own trusted programs rather than rely on programs in what could be a compromised, anti-forensics loaded device.
Digital forensics experts must continually stay one step ahead of data hiding, destruction and obfuscation techniques and any other anti-forensic measures currently in vogue. In their investigations, they must also bear in mind that the use of anti-forensics may have legitimate uses in preserving personal privacy, which may limit their forensic activities.Business IT departments are also well-advised to stay abreast of anti-forensic developments and join online communities to share current information that would not compromise their security or intellectual property. Maintaining an ongoing education program with digital forensics engineers is also a wise move.
Anti-forensics methods can include using software to securely delete files, making changes to time stamps on a computer through software or systems built into an operating system, deleting or altering logs, using file, folder, or volume encryption on a drive, and using tools built into bootable flash drives or CDs to alter data.
If an employee uses anti-forensics techniques in an effort to cover up illegal activities before their data is collected in an investigation, the time and cost of the investigation can increase drastically. Bryan and his colleagues have identified a handful of proactive and reactive steps to mitigate anti-forensics efforts and reduce costs stemming from internal investigations.
I have seen the following Windows Prefetch entries in nearly every Windows XP / Vista machine that I have reviewed over the past several years.Their existence always reminds me of the imperfect nature of information gained via individual artifacts.Does this mean that a user ran the Microsoft Defragmenter application on July 16, 2009 at 1:19PM?Or was the defragmenter started automatically by Windows?The defragmenter tool has been used very effectively as an anti-forensic tool since it was first introduced.In cases where data spoliation could be important, it is critical for the examiner to be able to identify any overt actions by a user.Complicating this is that starting with Windows XP, the operating system conducts limited defragmentation approximately every three days. [1] This post seeks to identify forensic artifacts which can help us determine if a user initiated the defrag application.
The GUI defragmenter tool leaves a wealth of artifacts that can distinguish user execution of defrag from system execution.It is commonly accessed from the Start Menu -> Accessories -> System Tools menu.We will query the following artifacts to identify user actions:
When the defragmenter is run using the GUI, only the dfrgntfs.exe entry is updated within the Prefetch directory (with an updated access time stamp and execution count).This immediately reveals that the artifacts shown in Figure 1 were not left by the GUI tool.It may also explain why we often see higher execution counts for dfrgntfs.exe than defrag.exe when parsing the Prefetch entries.As an aside, it is interesting to note that I found differences in how the execution count was updated.When using the GUI, the execution value for dfrgntfs.exe was incremented by one and when using the command line application, the counts were incremented by three.
Unlike the artifacts for the GUI defragmenter, the Prefetch artifacts left by command line execution of defrag.exe are the same as those left by the Windows automated process.Upon command line execution both defrag.exe and dfrgntfs.exe are created in the Prefetch directory.Further, their last access times are updated to the time the application was run.This tells us when the defrag tool was last run, but does not allow us to differentiate between system defrags and user generated activity.Therefore we will need to turn to timeline analysis.
With very limited artifacts, old fashioned timeline analysis will likely be our best bet to identify user defrag activity.This is not a theoretical exercise.We have seen instances of the defrag tool used as an anti-forensics tool in recent intrusion cases.Often this plays out with the intruder installing their payload on the system, deleting it, and then running defrag.exe to prevent the malware from being recovered by incident responders.