Forensic analysis can be a serious problem for hackers.
Advanced tools enable analysts to locate files that have
been well hidden. Some tools are able to detect files
hidden in slack space. Some recover deleted files and
some check for hacking tools. As forensics becomes more
sophisticated, more work is required to protect your data.
I'm not going to debate what the best techniques are, but I thought
I would share some anti-forensic techniques or, as Adrian Crenshaw
refers to it, occult computing.
One thing that can be useful to nosy people sifting through your
stash is time stamps. By looking at creation, modification and
last-accessed dates, a schedule of events can be pieced together
to show when you did what. One tool to get around this problem is
Metasploit's TimeStomp. TimeStomp is a CLI tool that allows you
to modify all of these attributes. By altering the time stamps of
a file you can create your own "pattern of events" to obscure your
trail. You can set it to show that it was last accessed in 1776 if
you want. Maybe Washington needed to check his email...
Another thing to consider: often I see advice saying that you should
rename files and change the extension. Well, yes, but that's only
half of it. Files have other indicators as to what they are and
what they contain. File headers indicate what type the file is.
If you've ever opened a JPEG with a hex editor you will see something
along the lines of:
ÿØÿà..JFIF (if you do it you'll get the idea)
After that there's the rest of the file. Well, that ÿØÿà tells what type
of file it is. Also, the hex value for a JPEG will be:
FF D8 FF E0 (some have E1, D8, or another value in the fourth byte)
Executables start with MZ. Forensic tools will immediately recognize
these types and report that the file extension does not match the header.
This is a simple problem. Use a hex editor like WinHex or XVI32 or whatever
your favorite is and simply change the header to match whatever extension
you decide to use in your renaming. There is one caveat, however.
The file size will not change, so make sure that what you change it to
seems reasonable for that file size. Example: changing a 300 MB video to
a DLL might draw more attention. Combine this with TimeStomp for further
obscuration. One other note: if you're trying to be inconspicuous,
don't set your dates to a time before the file type was invented; no
docx files from the '70s...
Another indicator for files is the signature. Many forensic tools rely
on an MD5 hash to identify known files. This can include anything from
hacking tools and copyrighted music and movies to system files.
A list can be compiled of hashes for every file on your drive, and
many can be eliminated right from there, reducing the pile of possible
evidence. Changing the signature is easy. Open the file with a hex editor
and change a bit somewhere; typically plain text within the file is sufficient.
Or you can just hit it with UPX and repack it if it happens to be an executable.
Again, this isn't the cure-all. TimeStomp, for example, contains several
references to itself in plain text. If an examiner opens it with a hex editor
and searches for 'TimeStomp' it pops up quite a bit. So even if you rename a
file, change its header, and change its signature, you should go in and make sure
there are no references inside the file that will blatantly shout out its name.
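From the examiner's side, as an added example that is not from the original post: the checks this section and the previous one describe (header versus extension, size plausibility for the claimed type, tool names left in plain text) run over constructed in-memory samples. The magic values are well-known file signatures; the size caps and the marker list are assumptions chosen for this illustration.

```python
# Added example (not from the original post): examiner-side file checks
# over constructed samples. Size caps and markers are illustrative assumptions.
import os

MAGIC = [  # leading bytes -> extensions that legitimately start with them
    (b"\xff\xd8\xff", {".jpg", ".jpeg"}),  # JPEG; 4th byte varies (E0 JFIF, E1 Exif, ...)
    (b"MZ", {".exe", ".dll", ".sys"}),     # DOS/PE executables
    (b"%PDF", {".pdf"}),
    (b"PK\x03\x04", {".zip", ".docx", ".xlsx", ".pptx", ".jar"}),
    (b"\x89PNG\r\n\x1a\n", {".png"}),
]
MAX_PLAUSIBLE = {".dll": 50 * 2**20, ".sys": 20 * 2**20}  # assumed caps, bytes
MARKERS = [b"timestomp", b"metasploit"]  # plain-text names worth a second look

def identify(head: bytes):
    """Extensions consistent with the leading bytes, or None if unrecognized."""
    for magic, exts in MAGIC:
        if head.startswith(magic):
            return exts
    return None

def check_file(name: str, data: bytes, size=None):
    """Return a list of findings for one file; an empty list means nothing odd."""
    size = len(data) if size is None else size
    ext = os.path.splitext(name)[1].lower()
    findings = []
    exts = identify(data[:16])
    if exts is not None and ext not in exts:
        findings.append(f"header matches {sorted(exts)} but extension is {ext}")
    if ext in MAX_PLAUSIBLE and size > MAX_PLAUSIBLE[ext]:
        findings.append(f"{size} bytes is implausibly large for {ext}")
    low = data.lower()
    findings += [f"contains {m.decode()!r} in plain text" for m in MARKERS if m in low]
    return findings

# Constructed samples: (name, leading bytes, on-disk size). Not real files.
SAMPLES = [
    ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00", 48_000),
    ("notes.txt", b"\xff\xd8\xff\xe1\x00\x16Exif\x00\x00", 52_000),  # JPEG renamed
    ("tool.dll", b"MZ\x90\x00\x03\x00" + b"\x00" * 32 + b"TimeStomp v1\x00", 9_000),
    ("movie.dll", b"MZ\x90\x00" + b"\x00" * 12, 300 * 2**20),  # header patched to match
]

def scan(samples=SAMPLES):
    return {name: check_file(name, data, size) for name, data, size in samples}
```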
Also, the old standby: encryption. Encrypt your files. I recommend you encrypt
your entire hard drive. Software like TrueCrypt and BitLocker is helpful.
I personally like TC. I like being able to create hidden volumes and to encrypt
the system partition. It's definitely worth looking into.
Finally, consider using virtualization. Software like VMware, Virtual PC and
such allows you to create a file that acts as a computer running on your computer.
(I know, I know... what is the Matrix...)
So, here's my quick start guide:
1. encrypt your hard drive
2. use a virtual pc
3. download and modify timestomp
4. create a hidden volume within an encrypted volume (TrueCrypt)
5. create a virtual machine in the hidden volume
6. encrypt the hard drive of the virtual machine
7. create a hidden volume within an encrypted volume on the virtual pc
8. place your stash in that hidden volume from 7
9. Appropriately alter your files as described above
10. modify timestamps as needed
11. Apply all other techniques for keeping your system locked down
Doing all this, it is probably still possible to get found out, but consider
that if you get the chance to wipe the drive with multipass overwriting, even
an investigator able to read previous states of the bits would see that the
drive is now random and used to be zeros. Assuming they can go back further:
it used to be ones, was encrypted, and so on...
While preventing any possible recovery may be impossible,
the idea is to make it as difficult, time-consuming and costly as possible.
I'm sure that I missed some things and generalized a bit here and there,
but I hope that this sheds some light on the subject for those that are
curious and gets the rest of us thinking. I also hope you enjoyed this article.