Week 4: Anti-Forensics Techniques-P1

Week 4 - Anti-Forensics Techniques

Ali Jaddoa
Ali.Jaddoa@roehampton.ac.uk

25/26
Week 4: Anti-Forensics Techniques-P1

What is Anti-Forensics?




Anti-Forensics

Anything purposefully performed to evade detection and make it difficult for the forensic investigation to take place.

Goals of Anti-Forensics

  • Interrupt and prevent information collection
  • Make the investigator’s task of finding evidence difficult
  • Hide traces of crime or illegal activity
  • Compromise the accuracy of a forensics report or testimony
  • Delete evidence that an anti-forensics tool has been run


Anti-Forensics: Not to Get Caught




Anti-Forensics: Techniques

Attackers use these techniques to defend themselves against the revelation of their actions during criminal activities.




Scenario:

Imagine you're investigating a cybercrime case. You have a hard drive from a suspect’s computer. But how do you prove that the files you examine haven’t been altered?

For example:

  • What if the suspect tries to replace a key document with a forged version? Or what if an insider tampers with evidence before it reaches court?


Hashing to the rescue

This is where cryptographic hash functions become essential.

  • They allow us to verify the integrity and authenticity of digital evidence.




Introduction to Cryptographic Hash Functions

  • Definition: A cryptographic hash function (CHF) is a mathematical algorithm that converts input data into a fixed-size hash value (or digest), unique to that data.




Cryptographic Hash Functions: Core Properties:

  • Integrity verification; Tamper detection; Evidence authentication
  • Password hashing
  • Cryptographic protocols

Attackers might alter timestamps or overwrite data, but if even a single byte changes, the hash value will change, alerting investigators.



Hash Functions: One way



Hash Functions

  • Input (m): Any data (text, images, files, disk volumes)
  • Hashing Algorithms:
    • MD5, SHA-256, SHA-3
    • RIPEMD-320, Blake, Gost
    • Haval, Snefru, Whirlpool
  • Output (h, Fixed-Length):
    • 128-bit (MD5)
    • 256-bit (SHA-256)
    • 512-bit (SHA-512, Whirlpool)


Common Hash Functions: SHA

  1. SHA (Secure Hash Algorithm): Designed by NSA, published by NIST.
  • They are widely used.

    My name is Ali.
    
    93dcd29592078477d5e87c6289a33f7dbc8711eeed28451a2d626fbc10c287dc
    
    My name is Ali
    
    8100189f7b5064b7eac0510cbdaeadb7d84662a146a5c85fab14579e3686fb37
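The slide shows that dropping the final full stop from "My name is Ali." gives a completely different SHA-256 digest. The following added example (not code from the slides) reproduces that check with Python's standard `hashlib`, and also reports the fixed output length for MD5, SHA-256 and SHA-512 and how many hex characters change between the two digests. The two sample strings are the ones on the slide; the helper names are assumptions.

```python
import hashlib

# Constructed sample inputs: the two strings from the slide, differing by a single trailing byte.
SAMPLES = ["My name is Ali.", "My name is Ali"]


def digest_hex(data: str, algorithm: str = "sha256") -> str:
    """Hex digest of `data` (UTF-8 encoded) under the named hashlib algorithm."""
    h = hashlib.new(algorithm)
    h.update(data.encode("utf-8"))
    return h.hexdigest()


def digest_bits(algorithm: str) -> int:
    """Output length in bits; it does not depend on the input size (fixed-length property)."""
    return hashlib.new(algorithm).digest_size * 8


def changed_hex_positions(a: str, b: str) -> int:
    """How many hex characters differ between two digests of the same algorithm (avalanche effect)."""
    if len(a) != len(b):
        raise ValueError("digests must come from the same algorithm")
    return sum(1 for x, y in zip(a, b) if x != y)


def compare_samples(algorithm: str = "sha256") -> dict:
    """Hash both sample strings and report how much the digests differ."""
    d0 = digest_hex(SAMPLES[0], algorithm)
    d1 = digest_hex(SAMPLES[1], algorithm)
    return {
        "bits": digest_bits(algorithm),
        "hex_chars": len(d0),
        "changed": changed_hex_positions(d0, d1),
        "identical": d0 == d1,
    }


if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:18} sha256 = {digest_hex(s)}")
    for alg in ("md5", "sha256", "sha512"):
        print(alg, compare_samples(alg))
```

Roughly half of the output bits flip for a one-byte change, which is what makes a digest useful as a tamper indicator: an investigator does not need to know what changed, only that the recomputed hash no longer matches the one recorded at acquisition time.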
    


Common Hash Functions: things to consider

  • Take an input of any size
  • Create a fixed size string
  • Quick to compute
  • The hash should be unique:
    • Different inputs should never create the same hash
    • If they do, it's a collision


Collision: Two different inputs produce the same hash output


  2. MD5 (Message Digest Algorithm 5):

    • Produces a 128-bit hash.
    • Vulnerable to collisions; use in cryptography is discouraged.


3. RIPEMD (Race Integrity Primitives Evaluation Message Digest):

  • Developed in Europe.
  • RIPEMD-160 is commonly used in digital signatures.
    • Used in various security protocols such as TLS, IPsec, and SSL to provide message integrity and authenticity.

TLS, SSL and IPSec are protocols that encrypt data sent over the internet.






Practical Hashing

1. Verify a Downloaded File:

  • Hashes are often provided on the download page.
  • Compare the hash of the downloaded file with the provided hash value:
    • e47df00b078b5f9daed0871f0e90d33f
      • ubuntu-17.10-beta2-desktop-amd64.iso
    • af906ba5d5f13b4b02b98351a819e3a7
      • ubuntu-17.10-beta2-server-amd64.iso
    • 63177ed9a01f2116671655b£06266e5d
      • ubuntu-17.10-beta2-server-i386.iso
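As an added example of the download check described above (not code from the slides), the script below hashes a file in chunks, infers the algorithm from the length of the published digest (32 hex characters for MD5, 64 for SHA-256, 128 for SHA-512), compares in constant time, and parses a `md5sum`/`sha256sum`-style manifest of the kind download pages publish. The sample files and manifest are constructed in the demo; the function names are assumptions.

```python
import hashlib
import hmac
import os
import tempfile

# Digest length in hex characters -> hashlib algorithm name (the three sizes listed on the slides)
ALGORITHM_BY_HEX_LENGTH = {32: "md5", 64: "sha256", 128: "sha512"}


def algorithm_for(expected_hex: str) -> str:
    """Infer the hash algorithm from the length of the published digest."""
    length = len(expected_hex.strip())
    try:
        return ALGORITHM_BY_HEX_LENGTH[length]
    except KeyError:
        raise ValueError(f"unrecognised digest length: {length} hex chars") from None


def hash_file(path: str, algorithm: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through the hash so a multi-GB ISO never has to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_file(path: str, expected_hex: str) -> bool:
    """True only if the file's digest matches the published value exactly (case-insensitive hex)."""
    expected = expected_hex.strip().lower()
    actual = hash_file(path, algorithm_for(expected))
    # Constant-time comparison: the digest is not secret here, but it is the right habit.
    return hmac.compare_digest(actual, expected)


def parse_sums(manifest: str) -> dict:
    """Parse a md5sum/sha256sum-style manifest ('<hex>  <filename>' per line) into {filename: hex}."""
    sums = {}
    for line in manifest.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts
        sums[name.lstrip("*")] = digest.lower()  # sha256sum marks binary mode with a leading '*'
    return sums


def write_temp(content: bytes) -> str:
    """Demo helper: write constructed bytes to a temporary file and return its path."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(content)
    return path


if __name__ == "__main__":
    # Constructed manifest: SHA-256 of the bytes b"abc" under a made-up filename.
    manifest = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  abc.txt\n"
    expected = parse_sums(manifest)["abc.txt"]
    good, tampered = write_temp(b"abc"), write_temp(b"abd")
    print("good file verifies:    ", verify_file(good, expected))
    print("tampered file verifies:", verify_file(tampered, expected))
    os.remove(good)
    os.remove(tampered)
```

A hash published on the same page as the download only detects corruption or a tampered mirror if the page itself is served over an authenticated channel; many projects therefore also sign the checksum file, which is the digital-signature case covered later.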


2. Password Storage:

  • Instead of storing plaintext passwords, store a hash.
  • During authentication, compare the stored hash with the hash of the entered password.
  • Important: No one ever knows your actual password, only its hash.


2. Password Storage: More

Hashing Alone DOESN'T Fully Mitigate Common Issues

  • Many users choose common, easily guessable passwords (e.g., 123456, password).
  • Attackers leverage rainbow tables (precomputed hash databases) to crack hashes instantly.
  • If two users have the same password, their hashes will be identical, making breaches more severe.


2. Password Storage: More

The Solution : Adding Salt

  • A random, unique value (salt) is added to each password before hashing.
  • This ensures that even if two users have the same password, their stored hashes will be different.



| Password | Salt  | Hash |
|----------|-------|------|
| UoR      |       | a9c43be948c5cabd56ef2bacffb77cdaa5eec49dd5eb0cc4129cf3eda5f0e74c |
| UoR      | gsEVx | 35172b0b7c9c3002bbf02908b3f330dde5f5eda42b0b4d553ae0759eb25686c8 |
| UoR      | LTBkP | b9909221fbbda70bea27644b84443ddb68f78ede2253fa8f6409fd8b7602599a |
| UoR      | HTsBK | cf1c25063093411faefb09198356de6775955b5ff6e0fe9aab665a3e95d11e25 |
| UoR      | MnNEo | 9965&da1af957af6f26790189f0a1957018c0962361580c5bd5fc50d26b71579 |


3. Digital Signatures:

  • Hash functions generate a unique hash for a message, which is encrypted with the sender’s private key to create a digital signature.
  • The recipient decrypts the signature with the sender’s public key and compares the recovered hash with the hash of the received message.
  • Provides:
    • Integrity: Ensure the message hasn't been altered.
    • Non-repudiation: Sender cannot deny sending the message.
    • Authenticity: Verifies the sender’s identity.
    • Informed consent: Confirms the sender’s intent.
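The hash-then-sign flow in the bullets above, as an added example that is not code from the slides: the signer hashes the message with SHA-256 and raises the hash to the private exponent; the verifier raises the signature to the public exponent and compares with a fresh hash. The RSA parameters are deliberately tiny constructed primes so the whole thing runs with the standard library; they are for illustration only and real keys are 2048 bits or more, generated randomly. All names are assumptions.

```python
import hashlib

# Constructed toy RSA parameters for illustration only. Real keys are 2048+ bits and
# randomly generated; two primes near one million are far too small to be secure.
P, Q = 1000003, 999983
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537              # public exponent
D = pow(E, -1, PHI)    # private exponent (modular inverse; Python 3.8+)

PUBLIC_KEY = (E, N)
PRIVATE_KEY = (D, N)


def message_hash(message: bytes) -> int:
    """SHA-256 of the message as an integer, reduced into the toy modulus range."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes, private_key=PRIVATE_KEY) -> int:
    """Signature = hash of the message 'encrypted' with the private key."""
    d, n = private_key
    return pow(message_hash(message), d, n)


def verify(message: bytes, signature: int, public_key=PUBLIC_KEY) -> bool:
    """Recover the hash from the signature with the public key and compare to a fresh hash."""
    e, n = public_key
    if not 0 <= signature < n:
        return False
    return pow(signature, e, n) == message_hash(message)


if __name__ == "__main__":
    msg = b"Transfer 100 GBP to account 42"   # constructed message
    sig = sign(msg)
    print("signature:", sig)
    print("original verifies:", verify(msg, sig))
    print("tampered verifies:", verify(b"Transfer 900 GBP to account 42", sig))
```

Because only the hash is signed, the verifier recomputes the hash over the message it actually received; any alteration of the message (or of the signature) makes the comparison fail, which is the integrity and non-repudiation evidence an investigator relies on.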


3. Digital Signatures: Example




Password attacks




Passive: Man-in-the-Middle (MITM) Attack

An attacker intercepts communication between the user and authentication platform to steal data (e.g., passwords).


  • Unsecured Channels: Data is easily readable if not encrypted.
  • No Brute-Forcing: The attacker captures passwords directly without guessing.
  • Hard to Execute: Requires trust from one or both parties.
  • Mitigation: Invalidating traffic or using encryption can prevent the attack.


Active: Guessing/Brute Force Attack

The attacker tries different passwords until one works, often succeeding with weak passwords.

  • Time-Consuming: Takes longer with strong passwords.
  • High Bandwidth: Requires significant resources.
  • Easily Detected: Multiple failed attempts trigger alerts.
  • Core Problem: Weak passwords.
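The "easily detected" point above is usually implemented as a sliding-window count of failed logins per source. The following added example (not code from the slides) runs that logic over a few constructed sshd-style log lines: an alert is raised when one IP accumulates the threshold of failures inside the window, a source that fails once and then succeeds is ignored, and slow, widely spaced failures never reach the threshold. The log format, sample addresses and function names are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd-style authentication log lines (documentation addresses, not real hosts).
SAMPLE_LOG = """\
2025-10-01T09:00:01 sshd: Failed password for alice from 203.0.113.7
2025-10-01T09:00:03 sshd: Failed password for alice from 203.0.113.7
2025-10-01T09:00:04 sshd: Failed password for root from 203.0.113.7
2025-10-01T09:00:06 sshd: Failed password for admin from 203.0.113.7
2025-10-01T09:00:09 sshd: Failed password for alice from 203.0.113.7
2025-10-01T09:00:12 sshd: Failed password for alice from 203.0.113.7
2025-10-01T09:00:20 sshd: Failed password for bob from 198.51.100.9
2025-10-01T09:00:40 sshd: Accepted password for bob from 198.51.100.9
2025-10-01T09:00:50 sshd: Connection closed by 198.51.100.9
2025-10-01T09:01:00 sshd: Failed password for carol from 192.0.2.5
2025-10-01T09:04:00 sshd: Failed password for carol from 192.0.2.5
2025-10-01T09:07:00 sshd: Failed password for carol from 192.0.2.5
2025-10-01T09:10:00 sshd: Failed password for carol from 192.0.2.5
2025-10-01T09:13:00 sshd: Failed password for carol from 192.0.2.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)$"
)


def parse_events(lines):
    """Yield one dict per line that matches the expected format; other lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield {
                "ts": datetime.fromisoformat(m["ts"]),
                "result": m["result"],
                "user": m["user"],
                "ip": m["ip"],
            }


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Alert when a single source IP accumulates `threshold` failed logins within `window`."""
    recent = defaultdict(deque)   # ip -> deque of (timestamp, username) for recent failures
    alerts = []
    for ev in parse_events(lines):
        if ev["result"] != "Failed":
            continue
        q = recent[ev["ip"]]
        q.append((ev["ts"], ev["user"]))
        while q and ev["ts"] - q[0][0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append({
                "ip": ev["ip"],
                "at": ev["ts"],
                "failures": len(q),
                "users": sorted({u for _, u in q}),
            })
            q.clear()   # one alert per burst, not one per additional failure
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"{alert['at'].isoformat()} {alert['ip']} {alert['failures']} failures, users={alert['users']}")
```

Tuning the threshold and window is the whole game: too tight and a user mistyping a password after a holiday trips it, too loose and a slow attacker like the third source above stays under it. Alerting on distinct usernames per source, as the `users` field allows, catches password-spraying patterns that a per-account lockout would miss.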


Offline Attacks: RAINBOW Table

Rainbow tables use precomputed hashes for dictionary words and compare them to database values.

  • Storage: Requires large storage for the precomputed hashes.
  • Succeeds with Weak Hashing: Effective with weak hashing algorithms and no salt.
  • Defense: Stronger algorithms like bcrypt or scrypt can mitigate the attack.
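The salt slides and the rainbow-table slide make one point between them: a plain hash of a common password is a dictionary key, while a per-user random salt plus a slow, iterated hash is not. The added example below (not code from the slides) builds a precomputed hash-to-password table from a tiny constructed wordlist, shows that an unsalted SHA-256 of a listed password is found by a single lookup, then shows the same password stored with a random salt and PBKDF2-HMAC-SHA256 from the standard library, which the table cannot match and which gives two users with the same password different stored values. PBKDF2 stands in for bcrypt/scrypt mentioned on the slide; the wordlist, iteration count and function names are assumptions.

```python
import hashlib
import hmac
import os

# Constructed tiny wordlist standing in for a precomputed (rainbow) table of common passwords.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "UoR"]

PBKDF2_ITERATIONS = 100_000   # deliberately slow; tune upwards for production use


def unsalted_sha256(password: str) -> str:
    """The weak scheme from the earlier slide: same password -> same hash, for every user."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_precomputed_table(words) -> dict:
    """Hash every word once; any stored unsalted hash of a listed word is then a dict lookup."""
    return {unsalted_sha256(w): w for w in words}


def lookup(table: dict, stored_hash: str):
    """Return the password behind `stored_hash` if the table knows it, else None."""
    return table.get(stored_hash.strip().lower())


def hash_password(password: str, salt: bytes = None) -> str:
    """Salted, iterated hash: 16 random salt bytes + PBKDF2-HMAC-SHA256, stored alongside the salt."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    table = build_precomputed_table(COMMON_PASSWORDS)
    weak = unsalted_sha256("UoR")
    print("unsalted hash  :", weak, "->", lookup(table, weak))
    user_a, user_b = hash_password("UoR"), hash_password("UoR")
    print("salted, user A :", user_a)
    print("salted, user B :", user_b)
    print("same password, same stored value?", user_a == user_b)
    print("table lookup on salted value:", lookup(table, user_a.split("$")[-1]))
    print("verify 'UoR' against A:", verify_password("UoR", user_a))
```

The salt defeats precomputation because the table would have to be rebuilt for every salt value; the iteration count then makes even a per-user guess loop expensive. Neither helps a user whose password is "123456" against an attacker willing to try a handful of guesses online, which is why the brute-force detection earlier and a password policy still matter.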




Scenario: Reverse Hash Lookup

You are working with a user named jack@abcd12345.net. Jack has submitted a password, but the password has been stored as a hashed value for security purposes. Your task is to determine the original plaintext password from the hash.

Given Hash:

  • Hash to Lookup: 5c4bf758b3e4a924c49c4cd683cc638b

Steps:

  1. Visit the What’s My IP Hash Lookup Tool.
  2. Copy and paste the hash into the tool.
  3. Click the "Reverse Hash" button.


Lab:



![width:100% height:300px center](../../figures/hashing.png)

## Activity: In a small group (3), choose one.

1. **IPSec VPN Breach Scenario**
   1. How do digital signatures work in IPSec to ensure data hasn’t been tampered with?
   2. What can digital signatures help prove when verifying the integrity of data sent through the VPN?
   3. If the VPN data was altered, how would the digital signature help investigators figure it out?

2. **Fake SSL/TLS Certificate Scenario**
   1. What do digital signatures do in SSL/TLS certificates to make sure the website is legitimate?
   2. How can digital signatures help prevent attacks like man-in-the-middle attacks where data might be altered?
   3. How could investigators check if the SSL/TLS certificate was fake or tampered with using digital signatures?

---

![bg right 80%](../../figures/rbt.png)