ANTI - FORENSICS
ANTI-Forensics – distorting the evidence

Bryan Sartin

Computer Forensics (CF), as we know it, is in a volatile state. Newer and more sophisticated investigative challenges, both existing and on the horizon, are forcing CF to evolve as a practice. As such, the processes, the technologies, and the tools of the trade that characterise the conventional CF approach have changed. Simply put, CF today is not what it used to be, and there are some very simple reasons why.
Data compromise year – 2005

The year 2005 has been referred to as the year of Data Compromise. Early 2005 brought about a marked change in the level of visibility surrounding the concepts of security breach and data compromise. By March, each consecutive week saw another major exposure of consumer and/or identity-related information reach the headlines. These situations were impacting both government and private sector organisations, as well as the general consumer, in an often highly visible fashion. By year end, the statistics surrounding the companies being victimised made it clear that this was not only a US problem; security breaches leading to the compromise of sensitive information had become a very global issue. The attention suddenly thrust the CF arena, as a whole, into the limelight.
Computer Fraud & Security

The mainstream

CF, however, has risen to meet this challenge. By now, it should be no secret to anyone that CF is becoming somewhat mainstream in response to basic demand. The symptoms of this are common within the IT security space. Internationally, the law enforcement community has become very effective in identifying and apprehending the sources of these security breaches, as well as the fraudsters making use of the stolen data. At the same time, CF capabilities and expertise within the private sector have become more abundant of late. Concurrently, more and more security services firms are offering Incident Response (IR) services, while companies have begun to really recognise the business justification for maintaining an effective IR programme in-house. Colleges and leading universities in a number of countries have also started offering CF curricula, better equipping technology graduates with the fundamentals of the practice. IT security conferences without at least some level of CF coverage are rare these days, reflecting the popularity and perceived importance of the practice. All of these points are driving the evolution of the tools we CF examiners use.
The rise of Anti-Forensics

While the good guys are getting better every day, it is apparent that the crooks are onto us. Hackers are after data they can easily convert into cash. The increasing number of reported data compromises internationally underscores the fact that the information black market is bigger than ever, continually fuelling the upward trend in data compromise events. In other words, where there's a will, there's a way when it comes to the opposition. While much of this may not be surprising, it should be pointed out that the now rampant information black market has spawned perhaps the most significant challenge to the CF space: Anti-Forensics. Anti-Forensics (AF) refers to the practice of trying to negatively affect the integrity of the digital evidence comprising the CF crime scene.

The link between Anti-Forensics and digital evidence is important to understand. Digital evidence, for CF purposes, refers to log data, authentication information, date and time stamps, file system contents, and the like. Together they give the CF examiner a thumb on the pulse of what has occurred within a system environment, or on a specific computer system, at a given point in time. The quality and quantity of the digital evidence set available to examiners in a given CF investigation can often make or break a case. Anti-Forensics is any attempt to adversely impact the digital evidence set so as to make the dataset difficult or impossible for the examiner to use. Alternatively, AF may involve efforts intended to cover a hacker's tracks by disguising them, making them difficult to follow, and/or intentionally misleading. Either way, AF purposefully corrupts the crime scene and can effectively prevent a forensics examiner from accurately identifying the source of a security breach, preventing containment and extending exposure.

Like data compromise, AF is a trend in the CF space that is on the rise. Increasingly sophisticated Anti-Forensics tools and techniques are a growing challenge for examiners not only in the law enforcement community, but also in government and the private sector. More often than not, when responding to possible compromises of sensitive information, AF will become a major factor in the ensuing investigation. In fact, we encounter some evidence of the application of AF in as many as two-thirds of all data compromise investigations. As such, it is important to understand the nature of the concept and, especially, where and when AF techniques may have been applied.
Whilst there is no commonly accepted standard in the way of terminology or practice in this area, there are at least three general categories of Anti-Forensics to be concerned with as an examiner: Data Obfuscation, Data Hiding, and Zero-Footprinting.
May 2006
Data Obfuscation

The oldest and most prevalent example of AF is Data Obfuscation. It sounds like a relatively non-technical and somewhat general term because it is. Data Obfuscation refers to any attempt to cover a hacker's tracks by deleting or otherwise destroying digital evidence: for example, deleting backdoor programs and hacking utilities left behind after obtaining and exploiting some form of unauthorised access on a given computer system. Doing so may delay or even prevent detection. In the same example, the hacker or perpetrator may also search the affected system looking for any indication of his or her source address or location and delete that as well. Almost every case will involve some form of data obfuscation. Tools like LogCleaner, for Win32 environments, are quite common and are intended to quickly detect and remove source IPs, MAC addresses, and other details from the digital evidence set contained on a target system.

Data obfuscation may also involve the modification of the file system, or parts thereof, in an effort simply to mislead the examiner. Popular examples of this include modifying the system clock to create erratic variations in the date and time stamps on the target computer. Of course, these types of AF are nothing new and are easy to detect with modern forensics tools. Depending on the free space available on the target computer, deleted data can usually be recovered, and modifications to the system, as well as the purposeful corruption of critical system files, can be easy to detect. Knowing this, more determined hackers will often leave behind intentionally misleading information, like a taunt file containing a message in another language or crediting the compromise to another hacker group. Source address spoofing and the use of intermediate or staging computer systems from which to base intrusion attempts are also common ways to mislead CF examiners. Although the security breach may have been easily detected, these AF techniques may prevent the CF examiner from detecting the real source of the intrusion.

Computer forensic investigators rely on high-quality evidence to win a case. Logs, authentication information, date and time stamps, file contents and other electronic data all need to be proven reliable in court. Anti-forensic techniques are now being used to skew evidence and make it impossible for an examiner to use. According to Bryan Sartin at ISACA, anti-forensics is used in two-thirds of all data compromise investigations carried out by his organisation. Examiners need to be on the lookout for three methods of distorting evidence:

• Data Obfuscation.
• Data Hiding.
• Zero-Footprinting.

Almost every case will use some form of data obfuscation, which involves a hacker erasing his tracks. Data hiding, however, draws on the power of cryptography to mask data rather than delete it. The use of steganography is another data hiding approach. Examiners need to actively search for evidence of the use of anti-forensic techniques.
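As an added example (not from the article), a small Python triage check for two of the Data Obfuscation symptoms described above, a system clock set backwards and log lines removed: it parses a constructed log whose format, sequence numbers and entries are assumptions, and flags backward timestamps, skipped sequence numbers and unusually long silences.

```python
from datetime import datetime, timedelta

# Constructed sample log (not from the article): line 3 skips a sequence number,
# line 4 shows the clock being set back, and line 6 follows a long silence.
SAMPLE_LOG = """\
2006-03-01 10:00:01 seq=100 sshd: accepted login for admin from 10.1.1.5
2006-03-01 10:00:07 seq=101 sshd: session opened for admin
2006-03-01 10:00:09 seq=103 sudo: admin ran /bin/sh
2006-03-01 09:58:00 seq=104 kernel: system clock set
2006-03-01 10:02:30 seq=105 sshd: session closed for admin
2006-03-01 11:30:00 seq=106 sshd: accepted login for admin from 10.1.1.5
"""

def parse_line(line):
    """Split one constructed log line into (timestamp, sequence number, message)."""
    ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
    seq_field, _, message = line[20:].partition(" ")
    return ts, int(seq_field.split("=")[1]), message

def find_anomalies(log_text, max_gap=timedelta(minutes=30)):
    """Return (kind, line_number, detail) findings, in log order.

    'backwards': timestamp earlier than the previous line (clock set back)
    'seq_gap':   sequence number skipped (lines possibly removed by a cleaner)
    'time_gap':  silence longer than max_gap between consecutive lines
    """
    findings = []
    prev_ts = prev_seq = None
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        ts, seq, _ = parse_line(line)
        if prev_ts is not None:
            if ts < prev_ts:
                findings.append(("backwards", lineno, f"{prev_ts} -> {ts}"))
            elif ts - prev_ts > max_gap:
                findings.append(("time_gap", lineno, f"{ts - prev_ts} of silence"))
            if seq != prev_seq + 1:
                findings.append(("seq_gap", lineno, f"{prev_seq} -> {seq}"))
        prev_ts, prev_seq = ts, seq
    return findings

if __name__ == "__main__":
    for kind, lineno, detail in find_anomalies(SAMPLE_LOG):
        print(f"line {lineno}: {kind} ({detail})")
```

A backward jump followed shortly by normal entries is the signature of a clock reset rather than a rotated log, so the findings are best read together with the surrounding lines.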
Data Hiding

Another popular category of AF is Data Hiding. Like data obfuscation, Data Hiding is a broad term. But instead of attempting to destroy any evidence of a security breach, Data Hiding looks to mask it. It is evidently widely known within the hacker community that the good guys have the toolsets and capabilities to shed light on their tracks, even despite efforts to cover them up. As such, many newer and currently popular hacking tools and techniques involve the ability to mask or hide individual files and the data within those files.

Data encryption, for example, often intended to secure sensitive information from exposure or misuse, is frequently employed by hackers to protect their identities and mask evidence of their crimes. Within AF, data encryption is found in two forms: encryption of data at rest and of data in transit. It is common for files and archives containing sensitive data intended for extraction from a target organisation or computer system to be encrypted by the hackers before removal. This makes good sense: if the contents of the archives were easily read, the nature and magnitude of the intrusion would be plain to see. Moreover, if an IT person finds an encrypted file left behind on a system, the fact that it does not contain clear-text sensitive data, like credit card or identity-related information, may prevent that IT person from regarding the file as evidence of a security breach. For this reason, Rar and Zip files left behind in data compromise cases are typically encrypted. In fact, freeware Rar and Zip utilities are commonly found these days with integrated AES encryption capabilities that can be easily invoked from the command line.

Data in transit may also be encrypted to protect the hacker. Lately, we have begun to find more and more examples of hackers using secure sockets to obtain remote access to compromised computer systems or to transfer stolen data. In many cases, Win32 systems have been found with variations of SSH and SFTP installed by the hackers for the purpose of masking their command-line activities and transfers. Even Unix systems that already have valid copies of these programs installed by the systems administrators are being found with encryption keys and configurations generated for unknown secure socket connections. The increasing occurrence of this type of finding suggests that the hackers may be using our own security tools against us and to their advantage.

File-packing is a unique Data Hiding technique. File-packing is common in viruses, malware, and intrusions, and involves combining two separate files to form a single file: for example, packing a backdoor program together with a valid operating system service to mask the existence of the backdoor. Freeware file-packing tools like Morphine are easy to obtain, providing the capability to easily pack multiple files together. Packed binaries and executables can be particularly dangerous, as system administrators may not be capable of detecting signs of the unwanted code. Additionally, this can also be dangerous in a CF investigation, as even well-known hacking utilities that would otherwise be quickly detected remain unidentified on the target system, even while they are still running.

Similar to Morphine, Steganography is another popular file-packing tool. Steganography is designed expressly for the purpose of packing data files into images or pictures: for example, packing a 100K file containing sensitive information into a 600K JPG image. It can be extremely difficult to determine whether or not an image file has been packed using Steganography, or in any way to shed light on the type of data it might contain. Steganography is a particularly detrimental tool, as there are few legitimate uses for it. Many CF experts regard this utility as being for AF purposes only and, as such, any indication of it on a target system should be regarded as highly suspicious. Steganography has been seen in a number of more recent investigations and is something of a flavor of the month in terms of hacking utilities because of its data hiding AF properties.

Another effective way to hide hacking utilities and malware from CF examiners is to place the files in hidden areas of a disk. The use of the different hidden areas of a system hard disk is not reserved for viruses; it is also common amongst backdoors and rootkits. Placing components of a rootkit into hidden directories on a disk may be effective at delaying the initial detection of a security breach; however, the data will likely be picked up on quickly once the forensics commences. Instead, hacking utilities may be placed into sections of the disk designated as ‘bad sectors’, written to parts of the disk that are not reserved for operating system usage, or even written into the Windows System Restore directory. The idea is to prevent the detection of the malware code or hacking utility by placing its subcomponents into an area of the disk that is difficult to search without the proper tools.
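As an added example (not from the article), a Python check for the simplest form of the image-packing described above, an archive appended after the picture data of a JPEG: it walks the JPEG marker segments to find the real end of the image, then reports the size and entropy of any trailer and whether it starts with a RAR or ZIP signature. The sample byte strings are constructed, not real images.

```python
import math

JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"
# Magic numbers of the archive types the article says are typically left behind.
ARCHIVE_MAGIC = {b"Rar!\x1a\x07": "RAR archive", b"PK\x03\x04": "ZIP archive"}

def shannon_entropy(data):
    """Bits per byte of information; encrypted or compressed data approaches 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c)

def jpeg_end(blob):
    """Offset just past the EOI marker, found by walking the marker segments so an
    FF D9 inside an EXIF thumbnail or in appended data is not mistaken for the end."""
    pos = 2  # skip SOI
    while pos + 2 <= len(blob) and blob[pos] == 0xFF:
        marker = blob[pos + 1]
        if marker == 0xD9:
            return pos + 2
        pos += 2 + int.from_bytes(blob[pos + 2:pos + 4], "big")  # skip the segment
        if marker == 0xDA:  # SOS: entropy-coded data runs until the next real marker
            while pos + 1 < len(blob):
                nxt = blob[pos + 1]
                if blob[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break  # FF 00 is byte stuffing and FF D0-D7 are restart markers
                pos += 1
    raise ValueError("malformed JPEG: no EOI marker found")

def inspect_jpeg(blob):
    """Describe any payload that follows the picture data. A non-empty trailer is a
    lead to examine, not proof of hiding on its own."""
    if not blob.startswith(JPEG_SOI):
        raise ValueError("not a JPEG: missing SOI marker")
    trailer = blob[jpeg_end(blob):]
    kind = next((n for m, n in ARCHIVE_MAGIC.items() if trailer.startswith(m)), None)
    return {"trailer_bytes": len(trailer),
            "entropy": round(shannon_entropy(trailer), 2),
            "archive": kind}

# Constructed skeleton: SOI, an APP0 segment, an SOS header, a few bytes of scan
# data (including a stuffed FF 00 pair), then EOI. Not a real photograph.
CLEAN_JPEG = (JPEG_SOI + b"\xff\xe0\x00\x04JF" + b"\xff\xda\x00\x02"
              + b"\x12\x34\xff\x00\x56" + JPEG_EOI)
# The same picture with a (constructed) RAR header and high-entropy bytes appended.
HIDDEN_RAR = CLEAN_JPEG + b"Rar!\x1a\x07\x00" + bytes(range(256)) * 2
```

Run `inspect_jpeg(HIDDEN_RAR)` to see the trailer reported with its archive type and near-8.0 entropy, while `inspect_jpeg(CLEAN_JPEG)` reports an empty trailer.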
Zero-Footprinting

Zero-Footprinting is another area of AF that is gaining in popularity. Zero-Footprinting refers to a program that is used to clean areas of the disk in order to completely destroy the original contents, rendering them undetectable. Zero-Footprinting tools, or disk cleaners, are becoming more and more common every day because of their usefulness for both legitimate and illegitimate purposes. A zero-footprinting tool not only unlinks a file, it specifically overwrites it with garbage data. One example of a freeware zero-footprinting tool is Simple File Shredder. This Windows-based tool enables the user to completely erase a file or directory, making the deleted information undetectable even with leading CF and undelete utilities. Other zero-footprinting tools include BCWipe for Unix/Linux, Eraser for Windows, and PGP/GnuPG. In addition, these tools can also be used to erase system memory to cover tracks remaining from programs that have recently been run.

For AF purposes, another effective way to zero-footprint a program or hacking utility is to install it as memory-resident only. Analysis of systems that have been compromised in the course of a security breach will undoubtedly shed light on hacking utilities, especially types of rootkits, which are never written to disk. The idea is that weak data acquisition procedures or inexperienced CF examiners may overlook memory-resident-only programs and only search the system hard disk looking for signs of a breach. For obvious reasons, these types of utilities are more commonly found on Unix/Linux than on Windows-based systems, which tend to be rebooted more frequently.

No single AF technique or category mentioned here is the be-all and end-all, and none of these on its own will set up the perfect hack. As such, you’ll likely find combinations of two or more on an individual case or computer system being analysed. For example, you may see a packed backdoor program that is memory-resident only. Or you may find several compressed Rar files, containing stolen sensitive information, that have been AES encrypted and then destroyed using Simple File Shredder once they’ve been transferred from the target system. As a CF examiner, it is important to understand that AF is primarily intended to make your job difficult. Don’t expect well-planned AF techniques to be easy to pick up on – it requires a careful approach.

AF is fast becoming a major part of the CF arena. With that said, CF is not what it used to be. The simpler days of finding a system showing some evidence of a security breach, pulling an image, and then looking for signs of unauthorised access are behind us. Today’s CF engagements cannot overlook the distinct possibility that AF tools and techniques may have been employed in an effort to cover the hacker’s tracks. Finding ways that data has been purposely hidden from you is now a necessary part of the equation and not something that often happens by mistake. Being one of the good guys, you must expect that AF has been used against you. Make no mistake about it, AF is here to stay. Being an expert CF examiner means fully understanding the latest and greatest tricks of the trade in terms of AF tools and techniques in order to keep pace with the opposition.
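As an added example (not from the article), a Linux triage script for the memory-resident-only case described in the Zero-Footprinting section: a process whose executable was unlinked after launch keeps running, and the kernel marks its /proc/<pid>/exe link target with a trailing " (deleted)". The script lists such processes, with the classification kept in a separate function so it can be checked on constructed link targets; the sample targets in the comments are assumptions.

```python
import os

def classify_exe_link(target):
    """Classify a /proc/<pid>/exe link target.

    'deleted' : the binary was unlinked from disk after it started running
    'memfd'   : it was executed straight from an anonymous in-memory file
                (the kernel names these "/memfd:<name> (deleted)")
    'on_disk' : the executable is still present at that path
    """
    if target.endswith(" (deleted)"):
        return "memfd" if target.startswith("/memfd:") else "deleted"
    return "on_disk"

def read_cmdline(proc_dir):
    """Return the process command line as one string ('' for kernel threads)."""
    with open(os.path.join(proc_dir, "cmdline"), "rb") as fh:
        return fh.read().replace(b"\0", b" ").decode(errors="replace").strip()

def scan_proc(proc_root="/proc"):
    """Yield (pid, cmdline, verdict) for every process without an on-disk binary.

    Must run as root to see other users' processes; entries that vanish or are
    not readable are skipped rather than treated as findings.
    """
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        proc_dir = os.path.join(proc_root, entry)
        try:
            target = os.readlink(os.path.join(proc_dir, "exe"))
            cmdline = read_cmdline(proc_dir)
        except OSError:  # exited meanwhile, kernel thread, or no privilege
            continue
        verdict = classify_exe_link(target)
        if verdict != "on_disk":
            yield int(entry), cmdline, verdict

if __name__ == "__main__":
    # Constructed example of what a hit looks like: pid 4242, "/tmp/.x/bd (deleted)"
    for pid, cmdline, verdict in scan_proc():
        print(f"pid {pid}: {verdict}: {cmdline or '<no cmdline>'}")
```

Because the check reads the live kernel view rather than the disk image, it belongs in the volatile-data step of acquisition, before the system is powered down.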