Anti-Computer Forensic: How to Disrupt a Forensic Examination?

Hendratna Mutaqin



Abstract

Computer forensic tools have become an important part of the investigation process, especially when dealing with digital evidence. Relying on these tools without considering how an opponent can disrupt a forensic examination is a serious problem, and investigators should be aware of the impact of anti-computer forensics on their work. This research analyses how anti-computer forensic techniques affect the investigation process. The methodology is to test software that disrupts evidence and to study in depth how anti-computer forensic tools and techniques are used. Conducting anti-computer forensics is not difficult, but its effect on the result of an investigation is enormous. Altering file metadata, hiding data, wiping artifacts and other techniques are easy to carry out with modest training and hard to detect. An investigator should therefore treat digital evidence with this possibility in mind.

Introduction
Many, probably most, people depend on computers in their daily lives, which become more convenient as routine activities move from manual to computer-based. Almost all companies also use computers and store both their secret and their public data on them; the very existence of a company can depend on how well that data is kept, which forces companies to maintain a high level of computer security to avoid data loss. On the other side, many perpetrators use a computer to commit crime, mostly because it is effective and easy. These phenomena make the information stored on computers, known as digital evidence, significantly important to both investigators and criminals. While investigators collect and validate evidence from digital devices, criminals take counteraction to destroy the evidence or make it invalid, frustrating the forensic investigation. This paper focuses on the implementation of various anti-forensic techniques and analyses their effectiveness in making an investigation harder.
Literature Review

Palmer et al. (2001), cited by Zdzichowski et al. (2015), define digital forensic science as "the use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorised actions shown to be disruptive to planned operations". This definition covers not only collecting and analysing data but also anticipating further incidents. Two major branches of digital forensic investigation described by Zdzichowski et al. (2015) are computer forensics and mobile phone or smartphone forensics. Digital forensics consists of four major steps: seizure, acquisition, analysis and reporting. Its output is the digital evidence related to the case under investigation. Computer forensics, as defined by Nelson (2008), is the process of obtaining and analysing evidence in digital form in criminal, civil or administrative cases.

The integrity of the evidence throughout the investigative process is of chief significance (Meffert et al., 2016). Nelson (2008) identifies four steps in processing digital evidence: identifying digital information, collecting and documenting it, analysing and organising it, and verifying its reliability. Because many tools and techniques are available, both free and paid for, ensuring the integrity and reliability of digital evidence is an important activity that can decide the result of an investigation. Investigators must also be aware of anti-computer forensic techniques. Jain and Chhabra (2014) define anti-computer forensics as action taken to counter computer forensics, frustrating an investigation and evading it in order to prevent evidence of a crime from being found. Data hiding, encryption and artifact wiping are examples of anti-computer forensic techniques. Countering anti-forensic tools after they have been used is difficult, and sometimes impossible, because they may leave no trace on the system (Afonin et al., 2015).

Reviewing the literature leads back to the questions:
  1. What is the effect of anti-computer forensics?
  2. How do these techniques work to disrupt an investigation and make it harder?
Research Result
The research question is how anti-forensic techniques disrupt a forensic investigation. This section explores how anti-forensics works and how to anticipate attacks on the evidence. The main points are the current classification of anti-forensic techniques and, in more detail, each technique, how it works and its effect on the result of an investigation.
General classification of anti-forensic techniques

The number of anti-computer forensic techniques is hard to count, because they are of many kinds and new ones probably appear every day. Anti-computer forensic techniques are divided into three categories of attack: on data, on memory, and on digital forensic tools (Zdzichowski et al., 2015).
1. Data
Attacking the data is the most common anti-computer forensic method, because most of the evidence an investigator uses comes from there. Data here means any information held on persistent storage, from file metadata through to the storage device itself. Zdzichowski et al. (2015) divide data attacks into seven types: storage, hiding, source elimination, fabrication, physical or logical destruction, saturation, and virtualization.
  • Storage. The purpose of this attack is to make acquisition as hard and time-consuming as possible, for example by using custom RAID arrays. Rouse (2015) explains that RAID stores the same data in different places on multiple hard disks; it increases the mean time between failures (MTBF) and fault tolerance, but an examiner must first recover the array layout before the data can be read.
  • Hiding. The conventional method is to store sensitive information in an area unlikely to be examined, such as slack space, or in a different form, such as steganography, so that an investigator is unlikely to find it.
  • Source elimination. One way to remove data without leaving a trace is to boot a live Linux distribution from an external device such as a USB stick or optical disc and delete the contents of the installed hard drive from there.
  • Fabrication. Large numbers of files, some of them altered, are placed on the hard disk so that an investigator spends most of the available time finding and analysing the genuine evidence.
  • Physical or logical destruction. Logical destruction means, for example, overwriting clusters on disk with random bytes or transforming the data; physical destruction harms the device itself so that the evidence is hard to acquire.
  • Saturation. A compression bomb is the example of this method: a small compressed file expands to an enormous size and causes a denial-of-service effect when an investigator tries to extract it.
  • Virtualization. Saving data inside virtual storage makes it harder to collect, because information in the virtual disk leaves no direct trace in the file system of the physical machine; only the container file is visible there.
2. Memory
Information stored in Random Access Memory (RAM) is by nature temporary. Much valuable information is available in RAM because it sits between the CPU, the storage devices and the operating system.
  • Artefact hiding. The best-known technique for breaking memory acquisition is One-Byte Modification, which causes the acquired image to lack a large amount of the information an investigator needs to analyse memory.
  • Pollution. This approach plants additional artifacts in memory to make the memory-analysis phase as unreliable as possible. Fake processes, file-name strings or TCP connection attributes make the analysis very time-consuming and cast doubt on the validity of the evidence.
3. Digital Forensic Tools
These attacks exploit vulnerabilities of digital forensic tools; the standard attacks are denial of service, failure to validate data and fragile heuristics. The methods consist of attacks on detection and exploitation.
  • Detection. Techniques that modify the output of, or block, the acquisition process performed by digital forensic tools.
  • Exploitation. Techniques that look for vulnerabilities or weaknesses in digital forensic tools to make an investigation harder.
How anti-computer forensic work
Computer forensic tools themselves are not the obstacle when dealing with digital evidence, because many free versions with remarkable capabilities are available. Anti-computer forensics, however, has become the biggest challenge in a digital forensic examination. It is one of the questions most often raised in court, which forces a digital forensic expert to handle digital evidence correctly and analyse it in depth to assure the quality of the investigation. As discussed earlier, anti-computer forensics comprises three kinds of attack: on data, on memory and on digital forensic tools. A detailed study of these attacks follows.
1. Tampering Metadata
Metadata is data about data, or information about information (NISO, 2004). File metadata matters greatly in computer forensics because it supports the identity and validity of the evidence. Tampering, in the legal sense, means "illegal or improper alteration of, or interference with, a document or evidence; or meddling or negotiating with a witness to influence his or her testimony" (Business Dictionary, 2016). If a perpetrator tampers with a file's metadata before an investigator handles it, the evidence may become invalid. Anti-forensic programs such as SetFileDate, BulkFile and A-PDF can be used to tamper with file metadata (Doug, n.d.). For this investigation three files of different formats were created and their metadata altered with SetFileDate 2.0, which can change the created, modified and last accessed dates of a file.
Figure 1 Three files are set up with original metadata

Source: File created by author

Figure 2 Process of altering three files by using SetFileDate 2.0

Source: SiteFileDate 2.0 

The metadata of the three files, as shown in a Linux Ubuntu terminal, is displayed in Figure 3.

Figure 3 Directories entry in Linux terminal

Source: Linux Ubuntu Terminal


The terminal shows the directory entries in hexadecimal. The offsets correspond to the FAT directory entry layout: the creation date is stored at bytes 16-17, the last access date at bytes 18-19 and the last modified date at bytes 24-25, each as a little-endian 16-bit value that packs the year (relative to 1980), month and day. SetFileDate 2.0 can rewrite all of them. Tables 1, 2 and 3 below show the conversion from hexadecimal to binary and to a date: every creation, access and modification date has been changed to 1 January 1990.















The metadata of all three files has been changed by the anti-forensic tool. SetFileDate 2.0 can therefore alter file metadata at will, which becomes a serious problem when a perpetrator manipulates the metadata of a file that could have been significant evidence before an investigator handles it. Changed stamps are not self-evidently wrong, so an examiner should look for inconsistencies: a modification date earlier than the creation date, many unrelated files sharing exactly the same stamp, or a conflict with other sources such as file-system journals, application logs or backups. On NTFS volumes the $STANDARD_INFORMATION timestamps, which user-mode tools change, can also be compared with the $FILE_NAME timestamps, which such tools normally leave untouched.
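The following Python script is added here as a worked example; it is not part of the original experiment or of SetFileDate. It decodes the date and time fields of a 32-byte FAT directory entry at the offsets quoted above (bytes 16-17 creation date, 18-19 last access date, 24-25 write date) and applies two checks an examiner can run over a directory listing: a single entry whose three stamps are identical with a zero time of day, or whose write date precedes its creation date, and a group of entries sharing exactly the same creation stamp. The two entries are constructed to mirror the experiment; they are not the author's files.

```python
"""Decode FAT directory-entry timestamps and flag values that look set by hand.

Added example (not from the paper). The two entries below are constructed to
mirror the experiment: one with ordinary timestamps, one after a tool has set
every stamp to 1 January 1990.
"""
import struct
from collections import Counter
from datetime import date, datetime, time

# 32-byte FAT directory entry, little-endian, per the Microsoft FAT specification:
# name(11) attr ntres crt_tenth crt_time crt_date acc_date clus_hi wrt_time wrt_date clus_lo size
FAT_ENTRY = struct.Struct("<11sBBBHHHHHHHI")


def decode_fat_date(v):
    """Bits 15-9: years since 1980, 8-5: month, 4-0: day."""
    return date(1980 + (v >> 9), (v >> 5) & 0x0F, v & 0x1F)


def decode_fat_time(v, tenths=0):
    """Bits 15-11: hour, 10-5: minute, 4-0: seconds/2; `tenths` adds 0-199 x 10 ms."""
    return time(v >> 11, (v >> 5) & 0x3F, (v & 0x1F) * 2 + tenths // 100,
                (tenths % 100) * 10_000)


def encode_fat_date(d):
    return ((d.year - 1980) << 9) | (d.month << 5) | d.day


def encode_fat_time(t):
    return (t.hour << 11) | (t.minute << 5) | (t.second // 2)


def parse_entry(raw):
    """Return the name, size and the three timestamps of one directory entry."""
    (name, _attr, _nt, ctenth, ctime, cdate, adate,
     _hi, wtime, wdate, _lo, size) = FAT_ENTRY.unpack(raw)
    base, ext = name[:8].decode("ascii").rstrip(), name[8:].decode("ascii").rstrip()
    return {
        "name": base + ("." + ext if ext else ""),
        "size": size,
        "created": datetime.combine(decode_fat_date(cdate), decode_fat_time(ctime, ctenth)),
        "accessed": decode_fat_date(adate),          # FAT keeps only a date for last access
        "written": datetime.combine(decode_fat_date(wdate), decode_fat_time(wtime)),
    }


def check_entry(e):
    """Per-entry anomalies; an empty list means nothing stands out."""
    reasons = []
    if e["written"] < e["created"]:
        reasons.append("written before created")
    if e["accessed"] < e["created"].date():
        reasons.append("accessed before created")
    if (e["created"].date() == e["written"].date() == e["accessed"]
            and e["created"].time() == e["written"].time() == time(0)):
        reasons.append("all stamps identical with zero time of day")
    return reasons


def shared_creation_stamps(entries, threshold=3):
    """Creation stamps shared by `threshold` or more entries: a mass-timestomp signature."""
    counts = Counter(e["created"] for e in entries)
    return {stamp: n for stamp, n in counts.items() if n >= threshold}


def build_entry(base, ext, created, accessed, written, size=0):
    """Constructed raw entry (short 8.3 name, archive attribute set)."""
    name = f"{base:<8}{ext:<3}".encode("ascii")
    return FAT_ENTRY.pack(name, 0x20, 0, 0,
                          encode_fat_time(created.time()), encode_fat_date(created.date()),
                          encode_fat_date(accessed), 0,
                          encode_fat_time(written.time()), encode_fat_date(written.date()),
                          0, size)


# Constructed samples: the same file before and after a SetFileDate-style change.
ORIGINAL = build_entry("REPORT", "TXT", datetime(2017, 4, 10, 9, 15, 30),
                       date(2017, 4, 12), datetime(2017, 4, 11, 14, 2, 0), 4096)
EPOCH_1990 = datetime(1990, 1, 1)
TAMPERED = build_entry("REPORT", "TXT", EPOCH_1990, EPOCH_1990.date(), EPOCH_1990, 4096)

if __name__ == "__main__":
    for raw in (ORIGINAL, TAMPERED):
        e = parse_entry(raw)
        print(e["name"], "cdate bytes", raw[16:18].hex(), e["created"], check_entry(e))
    fake = [parse_entry(build_entry(f"F{i}", "DOC", EPOCH_1990, EPOCH_1990.date(), EPOCH_1990))
            for i in range(5)]
    print(shared_creation_stamps(fake))
```

For the tampered entry the creation-date field holds the bytes 21 14, which is 0x1421 little-endian: year offset 10, month 1, day 1. The per-entry check catches only the crude case in which every stamp is set to the same round value; the cross-entry check is what catches a tool run over a whole folder.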

2. Data Hiding
Blunden (2009), cited by Beer et al. (2015), defines data hiding as storing data in a location where it is unlikely to be found, or implementing security through obscurity. There are many techniques for hiding data; four of them are explained in this research:
a. Storing on an undetectable device
Jain and Chhabra (2014) note that a criminal is advised to store the necessary data not in one place but in a location an investigator is unlikely to examine. This frustrates the investigator and costs a lot of time in finding the required data. Followed by wiping the data from the computer, the job is complete; this simple method is the one most opponents use.
b. Steganography
Steganography is a simple and effective technique for hiding data. It is almost impossible to read the hidden information without knowing the passphrase used to embed it. StegHide is an example of a free steganography tool that hides information inside other media (Jain and Chhabra, 2014). This research used two files, media.jpg and secret.txt. StegHide hides the content of secret.txt inside media.jpg with the steghide embed command, after which a passphrase is entered to finalise the process. The steghide extract command, followed by the same passphrase, recovers the secret data from media.jpg and produces a new file named secret.txt; because a file of that name already exists in the same folder, the new file overwrites the old one.
Figure 4 Running steghide in Windows’s Command prompt
Source: Steghide on Command Prompt

Hiding a file inside a cover file is hard to detect by inspection, and without the passphrase the embedded data cannot be extracted. Detection therefore depends on steganalysis, comparing the statistics of the suspect file with those expected of an unmodified one, or on finding the tool and its traces on the system.
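To make the mechanism and the detection idea concrete, the following added example (not the paper's code and not steghide's algorithm) embeds a message into the least significant bits of an 8-bit sample buffer, extracts it again, and then runs the pairs-of-values chi-square test of Westfeld and Pfitzmann over the buffer. The cover is a constructed gradient with a deliberately skewed histogram and the message is deterministic pseudo-random data. Steghide itself uses a graph-theoretic embedding designed to keep first-order statistics intact, so this particular test would not expose it; naive LSB replacement, which many simpler tools use, is exactly what the test catches.

```python
"""LSB steganography in an 8-bit sample buffer, plus the pairs-of-values chi-square test.

Added example (not the paper's or steghide's code). The cover is a constructed
4096-sample gradient with an artificially skewed histogram; the message is
deterministic pseudo-random data so the embedding is reproducible.
"""
import random
import struct


def embed_lsb(cover, message):
    """Write a 4-byte big-endian length and the message into successive LSBs."""
    payload = struct.pack(">I", len(message)) + message
    bits = [(b >> i) & 1 for b in payload for i in range(7, -1, -1)]
    if len(bits) > len(cover):
        raise ValueError("message too long for this cover")
    out = bytearray(cover)
    for pos, bit in enumerate(bits):
        out[pos] = (out[pos] & 0xFE) | bit
    return bytes(out)


def _read_lsb_bytes(stego, start, count):
    vals = []
    for k in range(count):
        v = 0
        for i in range(8):
            v = (v << 1) | (stego[start + k * 8 + i] & 1)
        vals.append(v)
    return bytes(vals)


def extract_lsb(stego):
    (length,) = struct.unpack(">I", _read_lsb_bytes(stego, 0, 4))
    return _read_lsb_bytes(stego, 32, length)


def pov_chi_square(samples):
    """Pairs-of-values statistic (Westfeld and Pfitzmann): embedding random bits in
    the LSB drives the counts of 2k and 2k+1 towards equality, so the value drops."""
    counts = [0] * 256
    for s in samples:
        counts[s] += 1
    chi = 0.0
    for k in range(128):
        n0, n1 = counts[2 * k], counts[2 * k + 1]
        expected = (n0 + n1) / 2
        if expected:
            chi += (n0 - expected) ** 2 / expected + (n1 - expected) ** 2 / expected
    return chi


# Constructed cover: 4096 samples, values 0..254, every value even (skewed histogram).
COVER = bytes((i // 16) & 0xFE for i in range(4096))
# Constructed secret: 500 pseudo-random bytes (plays the role of secret.txt).
MESSAGE = bytes(random.Random(7).getrandbits(8) for _ in range(500))

if __name__ == "__main__":
    stego = embed_lsb(COVER, MESSAGE)
    assert extract_lsb(stego) == MESSAGE
    print("chi-square cover %.0f, stego %.0f" % (pov_chi_square(COVER), pov_chi_square(stego)))
```

On the all-even cover the statistic is 4096 (32 per pair, 128 pairs); after embedding, the pairs whose LSBs were overwritten are nearly balanced and the statistic collapses to a few hundred. On a real cover the examiner compares the value with that of known-clean images from the same camera or encoder rather than with an absolute threshold.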
c. Encryption
Encryption is the process of scrambling data to make it unintelligible or undetectable, protecting it with an algorithm and a key that is needed to decrypt it. Many open-source cryptographic tools are available, such as TrueCrypt (whose development ended in 2014). Specific files, network protocols and traffic, and whole file systems can be encrypted and made unreadable without a key (Thuen, n.d.). A strong cipher such as AES or RSA with an adequate key size will frustrate an investigation team, because a straightforward brute-force approach is practically impossible; DES, with its 56-bit key, no longer qualifies as strong. Figure 5 shows an example of a one-time pad stream cipher.

Figure 5 The example of one-time pad - Stream Cypher
Source: Cryptography Lesson on the University of Portsmouth

The original message, meet me outside, is encrypted with a one-time pad; the output sent to the recipient is nyyyslkybmnja. It cannot be decrypted without knowing the key, and with a truly random key used only once every plaintext of the same length is equally consistent with the ciphertext, so no amount of brute force singles out the real message.
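The following Python block is an added example, not the paper's code or the cited lesson's material. It assumes the lesson's pad is letter-wise addition modulo 26 with spaces dropped, which the page does not state; under that assumption the pad that maps the figure's plaintext to its ciphertext can be recovered by subtraction, and the same subtraction with a different candidate plaintext yields an equally valid pad, which is why brute force tells an investigator nothing.

```python
"""One-time pad over the 26-letter alphabet, reproducing the lesson's figure.

Added example (not from the paper or the cited lesson). Assumption: the lesson's
pad is letter-wise addition modulo 26 with spaces dropped; the page does not state
this. Under that assumption the pad that maps the figure's plaintext to its
ciphertext is recovered by subtraction.
"""
import secrets
import string

ALPHA = string.ascii_lowercase


def _shift(text, key, sign):
    if len(key) < len(text):
        raise ValueError("a one-time pad must be at least as long as the message")
    return "".join(ALPHA[(ALPHA.index(t) + sign * ALPHA.index(k)) % 26]
                   for t, k in zip(text, key))


def otp_encrypt(plaintext, key):
    return _shift(plaintext, key, +1)


def otp_decrypt(ciphertext, key):
    return _shift(ciphertext, key, -1)


def recover_key(plaintext, ciphertext):
    """key = ciphertext - plaintext (mod 26): any guessed plaintext yields a valid pad."""
    return _shift(ciphertext, plaintext, -1)


def generate_key(length):
    """Pad drawn from the OS CSPRNG; it must never be reused."""
    return "".join(secrets.choice(ALPHA) for _ in range(length))


PLAINTEXT = "meetmeoutside"     # "meet me outside" with spaces removed
CIPHERTEXT = "nyyyslkybmnja"    # as shown in the figure
KEY = recover_key(PLAINTEXT, CIPHERTEXT)
DECOY = "wearesafeokay"         # constructed alternative plaintext of equal length

if __name__ == "__main__":
    print("pad:", KEY, "->", otp_encrypt(PLAINTEXT, KEY))
    # Brute force cannot discriminate: a different pad "decrypts" to the decoy.
    print("decoy pad:", recover_key(DECOY, CIPHERTEXT),
          "->", otp_decrypt(CIPHERTEXT, recover_key(DECOY, CIPHERTEXT)))
```

Under the stated assumption the recovered pad is buufghweiufgw. The practical consequence for an examination is that effort is better spent on finding the pad (in files, memory or on paper) than on the ciphertext.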
d. Altering file extension
File extensions are the most common way to identify a file's type; for example, the extension .pdf identifies a PDF document. Changing the extension, for instance from .txt to .exe so that a text file appears to be an executable, can be used to hide a file. Such a file will not open in its usual application until the extension is restored. However, several computer forensic tools have a signature analysis function that identifies files whose extension does not match their content (Jain and Chhabra, 2014). Figure 6 shows the same file with two different extensions.

Figure 6 Two same files with different extension

Source: two file created by author

A file with an improper extension cannot be opened normally, so an investigator must correct the extension before analysing it. Yip (2008) explains that file signature analysis, which compares the leading bytes of a file with the signature expected for its extension, can detect this kind of tampering. Fortunately, some computer forensic tools include signature analysis, so an investigator should run it to detect changed extensions.
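The check itself is simple enough to show in full. The following Python script is an added example, not the paper's code or any forensic suite's implementation: it holds a small table of magic-byte signatures, compares each file's header with what its extension claims, and reports the mismatches, which are the entries worth an analyst's time. The signature table and the sample files are constructed here.

```python
"""Signature (magic-byte) analysis: does a file's extension agree with its header?

Added example, not from the paper or any forensic suite. Signature table and
sample files are constructed here.
"""
import os

SIGNATURES = {
    "pdf":  [b"%PDF-"],
    "png":  [b"\x89PNG\r\n\x1a\n"],
    "jpg":  [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif":  [b"GIF87a", b"GIF89a"],
    "zip":  [b"PK\x03\x04"],
    "docx": [b"PK\x03\x04"],   # OOXML is a ZIP container: the header alone cannot separate them
    "exe":  [b"MZ"],
    "dll":  [b"MZ"],
    "gz":   [b"\x1f\x8b"],
}


def identify(header):
    """Every type whose signature matches the leading bytes (several for containers)."""
    return {ext for ext, sigs in SIGNATURES.items() if any(header.startswith(s) for s in sigs)}


def classify(filename, header):
    """Return (verdict, detected types). 'mismatch' is the case worth an analyst's time."""
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    detected = identify(header)
    if ext in detected:
        return "match", detected
    if detected or ext in SIGNATURES:
        return "mismatch", detected  # known bytes under another name, or a known name over alien bytes
    return "unknown", detected       # e.g. plain text: no signature to check against


def scan(files):
    """files: iterable of (name, leading bytes). Only entries that are not a clean match are returned."""
    return [(name, *classify(name, head)) for name, head in files
            if classify(name, head)[0] != "match"]


# Constructed sample set: (name, first bytes)
SAMPLES = [
    ("report.pdf",  b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),
    ("notes.exe",   b"meeting notes\n"),                   # the .txt -> .exe trick from the text
    ("holiday.txt", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),  # a JPEG hiding as text
    ("readme.txt",  b"plain text here"),
    ("tool.exe",    b"MZ\x90\x00\x03\x00\x00\x00"),
]

if __name__ == "__main__":
    for row in scan(SAMPLES):
        print(row)
```

Two limits matter in practice: text formats have no signature, so a renamed text file is reported as unknown rather than as a mismatch, and container formats (ZIP, DOCX) share a header, so the tool must look inside the container to tell them apart.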

3. Artifact Wiping
Deleting a file does not always remove it from the hard drive: the operating system only marks the file's clusters as unallocated, so the content remains in unallocated or slack space until it is overwritten. Artifact wiping destroys deleted files in unallocated and slack space. Its advantages are that it is quick and efficient, although it has limitations. BCWipe, Eraser and PGP Wipe are examples of tools that perform data sanitisation and wipe slack and unallocated space; they can overwrite data repeatedly, which makes recovery very hard (Jain and Chhabra, 2014). Wiping all free space on a hard drive, including slack space, can be done manually or at scheduled intervals. Tools such as CCleaner by Piriform also delete the artifacts of everyday internet use: browser history, chat logs, peer-to-peer activity, file access records and downloads. Overwriting is only reliable for the locations the tool can reach: copies in backups, volume shadow copies, file-system journals or remapped flash blocks on an SSD may survive, and the wiping tool and its own logs are themselves evidence that wiping took place.

Figure 7 CCleaner function



Source: CCleaner software work on Windows 10

Figure 7 shows how CCleaner removes the selected files from the computer. An attacker can run it to remove significant evidence before an investigator comes to acquire the computer's files, and the investigator may then find nothing because the traces are gone. Moreover, CCleaner can be set to run automatically, which makes an investigation harder still. The presence and configuration of the tool, and the absence of the browser artifacts a normal machine accumulates, are themselves indicators that wiping took place.

4.Attack against computer forensic tools
Computer forensic tools play a significant role in digital forensics, and finding and exploiting their vulnerabilities is one way anti-computer forensics works. There are many kinds of attack against computer forensic tools, such as DoS and hash collisions.
a. Denial of Service (DoS)
A DoS attack is an effort to make a target unavailable by overwhelming it. In computer forensics the target is predominantly the resources an investigator uses, and the attack input is the evidence itself.
A perpetrator uses weaknesses in how forensic tools process evidence to launch the attack. Jain and Chhabra (2014) explain two common types: the compression bomb and Regular Expression Denial of Service (ReDoS).
  • Compression bombs are the most common and widespread form. They are small compressed files that need an enormous amount of disk space, and exhaust any available memory, when decompressed. An investigator's habit of examining compressed files makes this technique effective at making an investigation harder and more time-consuming.
  • ReDoS. Regular expressions are used for pattern matching to validate input, and are useful in intrusion detection systems to catch malicious input. An evil regex is one that can be made to backtrack exponentially; a well-crafted input sent to it makes the system hang (OWASP, 2015).
An investigator can guard against DoS attacks in several ways, for example by determining the type of a file and checking its declared size before processing it, and by choosing the input given to a tool carefully. This saves time and keeps the forensic tools out of trouble.
b. Hash Collision
Hash functions have a major role in computer forensics: they guarantee that evidence has not been changed by producing a fixed-length value from any input. However, researchers in China demonstrated practical collisions for MD5 in 2004-2005, where two different inputs produce the same hash value, and this has a large impact on the credibility of digital evidence verified with that function alone (Pajek and Pimenidis, 2009). A collision attack requires the attacker to craft both inputs; it does not allow an already-hashed image to be altered to match a recorded hash. Even so, an examiner should record the hash of an acquired image with a collision-resistant function such as SHA-256 alongside, or instead of, MD5.

5. Usbkill
Usbkill is written in Python and shuts the computer down when it detects a change on the computer's USB ports. Neven (2015) describes USBkill as an anti-forensic kill-switch that waits for a change on the USB ports and then immediately shuts the computer down, or executes self-destruct commands before shutting down.

It prevents an investigator from performing acquisition through USB media, for example a live acquisition onto an external drive. On the other hand, the tool can also be used legitimately, for instance by an administrator trying to prevent unauthorised physical access to a computer. Summing up, Zdzichowski et al. (2015) give the aims of Usbkill as:
  • preventing anyone from installing software on, or retrieving files from, the computer through storage media on a USB connection;
  • defeating tools, used by police or by thieves, that stop screen savers or sleep mode from activating;
  • complementing full disk encryption to increase the security of the machine.
Detecting Usbkill is possible by analysing the running Python processes or by finding the script in its usual location. The good news is that the script is open source, so an investigator can recognise its source files on the storage media. Because the switch polls the USB bus, any change triggers it: an examiner who must keep such a machine running should not attach or remove USB devices, including write-blocked acquisition drives, until the process has been identified and stopped.
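The decision logic is small, and seeing it explains both why the tool is effective and why it is detectable. The following Python block is an added example, not the usbkill project's code: it parses lsusb-style lines into a device table, compares each poll with the baseline taken at start-up, and fires a callback on any addition or removal, with a whitelist of vendor:product IDs that may appear. The lsusb output is constructed, and nothing here shuts down or wipes anything.

```python
"""The decision logic of a usbkill-style switch: baseline the bus, poll, act on any change.

Added example (not the usbkill project's code). The `lsusb`-style lines are
constructed; the trigger action is a callback, nothing here shuts down or wipes.
"""
import re

LSUSB_LINE = re.compile(r"^Bus (\d{3}) Device (\d{3}): ID ([0-9a-f]{4}:[0-9a-f]{4})")


def parse_lsusb(output):
    """Map (bus, device) -> vendor:product for each enumerated device."""
    devices = {}
    for line in output.splitlines():
        m = LSUSB_LINE.match(line.strip())
        if m:
            devices[(m.group(1), m.group(2))] = m.group(3)
    return devices


class KillSwitch:
    def __init__(self, baseline_output, whitelist=(), on_trigger=None):
        self.baseline = parse_lsusb(baseline_output)
        self.whitelist = set(whitelist)      # vendor:product IDs allowed to appear
        self.on_trigger = on_trigger or (lambda changes: None)

    def changes(self, current_output):
        """Devices added or removed since the baseline, minus whitelisted additions."""
        current = parse_lsusb(current_output)
        added = {k: v for k, v in current.items()
                 if k not in self.baseline and v not in self.whitelist}
        removed = {k: v for k, v in self.baseline.items() if k not in current}
        return {"added": added, "removed": removed}

    def poll(self, current_output):
        """One iteration of the loop a kill-switch runs every few hundred milliseconds."""
        diff = self.changes(current_output)
        if diff["added"] or diff["removed"]:
            self.on_trigger(diff)
            return True
        return False


# Constructed `lsusb` output: root hubs plus a keyboard.
BASELINE = """\
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 002: ID 046d:c31c Logitech, Inc. Keyboard K120
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
"""
# The same bus after an examiner attaches a USB mass-storage device.
WITH_STORAGE = BASELINE + "Bus 001 Device 005: ID 0781:5583 SanDisk Corp. Ultra Fit\n"
# The same bus after the keyboard is unplugged.
KEYBOARD_GONE = BASELINE.replace(
    "Bus 001 Device 002: ID 046d:c31c Logitech, Inc. Keyboard K120\n", "")

if __name__ == "__main__":
    sw = KillSwitch(BASELINE, on_trigger=lambda d: print("TRIGGER", d))
    print("no change:", sw.poll(BASELINE))
    print("storage attached:", sw.poll(WITH_STORAGE))
    print("keyboard removed:", sw.poll(KEYBOARD_GONE))
    print("whitelisted:", KillSwitch(BASELINE, whitelist={"0781:5583"}).poll(WITH_STORAGE))
```

Two properties follow from this loop. Removing a device triggers it just as surely as adding one, so unplugging a keyboard to attach a write-blocker is as fatal as plugging the blocker in directly. And the switch must run continuously with the privilege to shut the system down, so a long-lived privileged Python process that repeatedly spawns lsusb is the thing to look for in a live triage before touching any port.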

6. Live Linux Distributions
A live Linux distribution such as CAINE is a useful tool for an investigator and for a perpetrator alike. An investigator can use it to acquire an image of the hard drive; a perpetrator can do the opposite and destroy the hard drive's contents. Booting a live distribution also allows several anti-forensic actions, for example modifying system files or stealing valuable information, without leaving evidence in the installed operating system. A perpetrator can also dump the Security Account Manager (SAM) hashes without leaving a trace. The SAM hive holds Windows password hashes, but they are encrypted with the system key (SYSKEY) held in the SYSTEM hive, so both hives are needed to decode them. BackTrack or Kali run from RAM can be used to obtain the password information in the same way without leaving evidence (Zdzichowski et al., 2015). Figure 8 shows CAINE as a live Linux distribution with its various boot options.

Figure 8 Caine Live Linux

Source: Linux Caine on Virtual Machine

However, if the computer's firmware is configured not to boot from a USB flash drive or other external device, and that setting is protected by a firmware password so that the boot order cannot simply be changed, a live distribution such as CAINE cannot be started.

7. Memory Anti-forensic
These methods focus on volatile memory and use hiding and advanced alteration of data, which makes memory-based anti-forensic techniques very hard to defeat. Two techniques explained by Zdzichowski et al. (2015) are Attention Deficit Disorder (ADD) and Dementia.
a. ADD
This method places additional artifacts in memory that are unrelated to the investigation, raising the noise-to-signal ratio. Its purpose is to reduce trust in the captured memory and to make analysis more time-consuming. ADD commonly uses three techniques:
  • creating fake file-name strings and placing them in memory;
  • creating fake terminated processes with plausible attributes such as creation date, process ID and parent process ID;
  • creating fake TCP connection artifacts in memory with attributes such as local port, local IP address, destination IP address, destination port and connection state.
b. Dementia
Dementia is an anti-forensic toolkit for Microsoft Windows that hides various artifacts from the memory dump while acquisition is running. Given that the investigator runs the acquisition tool on a machine controlled by the attacker, dumping to an external disk or over the network, the attacker can defeat most live memory acquisition methods.

Conclusion
The phenomenon of anti-computer forensics forces an investigator who analyses digital evidence to work with care, to assure both the quality and the legal standing of the result. Perpetrators are likely to use anti-computer forensics because it is effective and easy to carry out: most anti-forensic tools are free and guidance is available on the internet, so the probability that a perpetrator performs such actions is high. Anti-computer forensics is divided into three main categories of attack: on data, on memory and on digital forensic tools. Attacks on data consist of storage, hiding, source elimination, fabrication, physical or logical destruction, saturation and virtualization. Artifact hiding and pollution are the two attacks on memory. The last category, attacks on digital forensic tools, consists of detection and exploitation.

This research examined the effect of anti-computer forensic tools and techniques by performing several of them. Tampering with file metadata succeeded with SetFileDate 2.0: the metadata of three files of different formats was altered and the change left no obvious trace. This research also explained techniques for hiding data. Storing data on an undetectable device and altering file extensions are the conventional methods, and almost anyone can do them without advanced training. Cryptography is another way; its goal is to scramble data and make it unintelligible or undetectable, with methods ranging from easy to practically impossible to decrypt. Steganography is a further, more sophisticated approach: its primary method is hiding information inside other media, and it is almost impossible to read the information without the passphrase used to embed it. This research also explained artifact wiping, attacks against computer forensic tools, Usbkill, live Linux distributions and memory anti-forensics, each of which can disrupt a forensic examination.

References

Afonin, O., Nikolaev, D., & Gubanov, Y. (2015). Countering anti-forensic efforts - part 1. Belkasoft. Retrieved from: https://www.articles.forensicfocus.com/2015/09/01/countering-anti-forensic-efforts-part-1/. (Accessed on 22/4/2017).

Beer, R., Stander, A., Belle, J. (2015). Anti-forensics: a Practitioner perspective. Rondebosch: University of Cape Town.

Business Dictionary. (2016). Tampering definition. Retrieved from http://www.businessdictionary.com/definition/tampering.html.

Doug, C (n.d.). Forensic Protection: Detect and prevent file tampering in multimedia files. Retrieved from http://www.forensicprotection.com/Education_Authenticate.html.

Jain, A., Chhabra, G. (2014). Anti-forensic techniques: An analytical review.

Meffert, C., Baggili, I., Breitinger, F., (2016). Deleting collected digital evidence by exploiting a widely adopted hardware write blocker. Boston: Cyber Forensic research and education group, University of New Haven.

National Information Standards Organization (NISO). (2004). Understanding Metadata. Bethesda, MD 20814 USA: NISO Press.

Nelson, B., Phillips, A., Enfinger, F., Steuart, C. (2008). Guide to computer forensics and investigation. Massachusetts: Course Technology Thomson Learning, Inc.

Neven, E. (2015). Python-USB kill anti-forensic usb killswitch. Retrieved from: https://7io.net/2015/07/02/python-usbkill-anti-forensic-usb-killswitch/. (Accessed on 17/4/2017).

OWASP. (2015). Regular expression Denial of Service – ReDos. Retrieved from: https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS. (Accessed on 17/4/2017).

Pajek, P., Pimenidis, E., (2009). Computer Anti-forensics Methods and their Impact on Computer Forensic Investigation. United Kingdom: University of East London.

Rouse, M. (2015). RAID (redundant arrays of independent disks). Retrieved from: http://searchstorage.techtarget.com/definition/RAID. (Accessed on 11/4/2017).

Thuen, C., (n.d.). Understanding Counter-Forensics to Ensure a Successful Investigation. University of Idaho.

Yip, M. (2008). Signature analysis and computer forensics. University of Birmingham. Retrieved from: http://www.academia.edu/2728575/Signature_analysis_and_Computer_Forensics. (Accessed on 22/4/2017).

Zdzichowski P., Sadlon, M., Väisänen T., Munoz, A., Filipczak, K. (2015). Anti-forensic Study. NATO Cooperative Cyber Centre of Excellence (NATO CCD COE).









