RECAP: What is Anti-Forensics?

Anything purposefully performed to evade detection and make it difficult for the forensic investigation to take place.

Goals of Anti-Forensics

• Interrupt and prevent information collection
• Make the investigator’s task of finding evidence difficult
• Hide traces of crime or illegal activity
• Compromise the accuracy of a forensics report or testimony
• Delete evidence that an anti-forensics tool has been run

Anti-Forensics: Techniques

Attackers use these techniques to defend themselves against the revelation of their actions during criminal activities.

Hashing to the rescure

It's a cryptographic hash function (CHF) is a mathematical algorithm that converts input data into a fixed-size hash value (or digest), unique to that data.

Today's Session : Anti-Forensics Techniques

1. File Carving & Deletion

2. Encryption

3. Data Hiding (Steganography)

4. Lab for some of those techniques

1. File and Partition Deletion & Carving

• What is a DISK?

  Click to reveal answer

  The physical device on which the data is stored in sectors. e.g. Hard Disk Drive (HDD), Solid-State Drive (SSD)

• What is a PARTITION?

  Click to reveal answer

  A sequence of consecutive sectors on a single disk. e.g. C: drive partition (Windows), Linux root partition (/)

1. File and Partition Deletion & Carving

• What is a VOLUME?

  Click to reveal answer

  One or multiple merged partitions that appear as one storage device to an OS. e.g. RAID 1 array, Logical Volume in LVM

• What is a FILE?

  Click to reveal answer

  A collection of data identified by a unique name and path in the file system. e.g. textfile.txt, image.png

Data Deletion

• When a file is deleted from the hard drive, the pointer to the file gets deleted but the contents of file remain on the disk
  
• Deleted files can be recovered from the hard disk until the sectors containing the contents of the file are overwritten with the new data
  

FAT deletion: How? Take 5 mins to research and let's discuss

NTFS deletion: How?

NTFS Master File Table (MFT) – Core Entries

NTFS deletion:

Activity: Recycle Bin Forensics

How do Windows Vista and later versions handle deleted files in the Recycle Bin?

Additional Notes on Recycle Bin Forensics

• The original files associated with $I files are not visible in the GUI.
• $I files cannot be found if:
  • The file is corrupted or damaged.
  • An attacker or insider deletes the $I files from the Recycle Bin.
• However, these files remain hidden and can be found by navigating to the $Recycle.Bin folder.
• Investigators should check for $R files in the Recycle Bin to counter anti-forensic techniques.
• If the $I file is missing, use the $R file to recover the deleted file.
• Use the command:

  copy <$R*(or File name)> <Destination Directory>
  

File Carving

• File carving reconstructs files from fragments without relying on filesystem metadata.
• It identifies files using headers or footers, not extensions or metadata.
  • Example: A .jpg file has the header "JFIF" with the hex signature "4A 46 49 46".
    

Steps Involved in File Carving

1. Scan for Known File Signatures:
   Search the raw data for known headers/footers.

2. Recover File Fragments:
   Extract data blocks that belong to files.

3. Reconstruct the File:
   Reassemble fragments into a usable file (if possible).

4. Handle Errors:
   Corrupted or partial files may need special handling.

File Carving-Challenge

• Fragmentation: Files split across multiple sectors can make reconstruction complex.
• Overwritten Data: Once data is overwritten, it is often unrecoverable.
• Corrupted Data: Incomplete or damaged fragments may result in unusable files.
• False Positives: Carving may recover incomplete or irrelevant data.
• Unknown File Formats: Identifying unfamiliar file types without known signatures.

mmm, What about TRIM Function?

Read more about it

What is Cryptography?

• Cryptography from the Greek works kryptos (hidden) and graphein (writing).

• Even if a 3rd party intercepts the message unless they know how to decrypt the message it has no information to tell them apart from traffic analysis:

  • Who is communicating with whom
  • The frequency and timing of messages
  • The volume of exchanged data

Purpose of Cryptography: CIA

Characteristics of Cryptography

• Combines encryption (plaintext → ciphertext) and decryption (ciphertext → plaintext).
• Should be computationally infeasible to:
  • Derive plaintext from ciphertext without the key.
  • Derive ciphertext from plaintext without the key.
  • Cannot derive the encryption key from plaintext-ciphertext pairs

Now, what is Cryptanalysis, then ?

Types of Encryption

1. Symmetric Encryption

• A single key is used to encrypt and decrypt the message sent between two parties.

• Symmetric encryption is fast, and effective only when a key is kept absolutely secret between two parties.

• Examples include: Data Encryption Standard (DES), Advanced Encryption Standard (AES), Blowfish, Twofish

2. Asymmetric Encryption (Public Key)

• A pair of keys is used to encrypt and decrypt the message. The pair of keys are public and private keys.
• Private keys are kept secret, known only by the owner, and the public key is visible to everyone.
  
• RSA: Common for secure data transfer.
• ECC: More efficient than RSA, smaller keys with same security.

Symmetric Vs Asymmetric Encryption

Where is the data that we want to encrypt?

Question (Take 5 min)

• What is the difference between encryption for data at rest and data in transit, and their techniques?

What is Steganography

• Technique of hiding a secret message within an ordinary message to maintain confidentiality.

• Replaces unused bits in files (e.g., images, sound, text, audio, video) with secret data.

• Cover Media: A graphic image is commonly used as a "cover" to conceal hidden data.

• Steganalysis is the art of discovering and rendering covert messages using steganography

  • identifying the hidden message by comparing the differences found in the bit patterns of files.

What Can Be Hidden?

• Compromised server lists
• Hacking tool source code
• Plans for future attacks

Example

Encryption Vs Steganography

• Both encryption and steganography aim to achieve confidentiality,
  • but via different means and with different intent.

Encryption Vs Steganography

Steganography Components

Embedding Functions

Steg Performance

Secrecy

• Concern: Effectiveness of payload concealment.
• Questions:
  • What is the probability of detection by casual observation?
  • What is the likelihood of detection by Steganalysis?
  • Is the carrier contextually relevant to the channel it’s transmitted over?

Capacity

• Concern: Limitations of storage space within the cover-medium.
• Considerations:
  • What happens if the capacity threshold is exceeded? (e.g., 32-bit image file vs. 8-bit)
  • Greater payload size increases visible distortion in the cover medium.

Robustness

• Concern: Thresholds and vulnerabilities of the carrier-medium.
• Questions:
  • Does the payload survive if the carrier-medium is:
    • Converted
    • Cropped
    • Resized

Digital Techniques

• General Approach: Hiding a file within another, typically images, but can also include text, audio, video, executables, etc.
• LSB (Least Significant Bit): Data is hidden in the least significant bits of a file, causing minimal perceptible changes.
• Photo Steganography: Hides data by adjusting RGB color codes in images, with no noticeable difference.
• Audio Steganography: Similar to photo steganography, but data is hidden by adjusting the frequency (Hz) in audio files.
• X86 Op Codes: Hiding data within X86 instructions (e.g., XOR operations).
• ACL (Access Control Lists): Manipulating NTFS entries to conceal data within file system permissions.

LSB (Least Significant Bit)

Example: Original

Example: Changing MSB

Example: Changing LSB

Another Example

Try It

Click here

Cases of Crime: Malware

• Magento: malware steal credit card information
• Duqu: hides encrypted data in JPEG images bypassing content filtering.

Lab

• Please review you lab from here.

• Additionl resources are avaible on Moodle within this week section.