- Number of slides: 29
Anti-Forensics
Professor Drew Hamilton, Alex Applegate, Auburn University
References used: Paul Henry, http://www.techsec.com/pdf/Tuesday%20Keynote%20-%20Anti-Forensics%20-%20Henry.pdf
Auburn University Digital Forensics www.eng.auburn.edu/users/hamilton/security/ 1
Mac versus PC
Cracking Passwords
• Ready-to-use free software
• Philippe Oechslin – Rainbow Tables
• Easy and cheap to develop advanced capability
• Bootable live CDs/USB key – local OS does not matter
Password Cracking
• Capable of cracking Windows XP passwords of up to 14 characters, including numbers and special characters, in under 2 minutes with no special hardware
• Attacks against both Windows and Unix systems
• Able to generate custom dictionaries via rainbow tables
• GPU calculation acceleration using nVidia GeForce GTX 470 (Fermi)
  – 480 processor cores under current hardware
  – Expandable to 3072 processor cores
• Custom parallel processing code using CUDA and OpenACC
Trend Manipulation
• Whatever became of The Orchids? What if you create 50,000 virtual machines, 50,000 dummy accounts and 50,000 "likes" for the Orchids?
Reasonable Doubt? (Paul Henry)
• EnCase and Sleuth Kit vulnerabilities
  – http://www.isecpartners.com/files/iSEC-Breaking_Forensics_Software.Paper.v1_1.BH2007.pdf
• Evidentiary Implications of Potential Security Weaknesses in Forensic Software
  – "As with other forensic techniques, computer forensic tools are not magic; they are complex software tools that like all software may be subject to certain attacks.
  – Yet because these tools play such a critical role in our legal system, it is important that they be as accurate, reliable, and secure against tampering as possible.
  – Vulnerabilities would not only call into question the admissibility of forensic images, but could also create a risk that if undetected tampering occurs, courts may come to the wrong decisions in cases that affect lives and property."
  – http://www.isecpartners.com/files/Ridder.Evidentiary_Implications_of_Security_Weaknesses_in_Forensic_Software.pdf
Bootable Media
• Create a bootable DVD
  – Lion, Ubuntu, Windows 7 repair disk
• Encrypted environment on the HD
  – No trace on the PC
  – Custom encryption possible
  – TrueCrypt is free
Have You Got Your Mojo (pac)?
• MojoPac makes your USB drive or iPod your PC
• Leaves no trace on the host
• Free download: www.mojopac.com
Windows Encryption & TPM
• BitLocker requires TPM hardware
• Encryption key stored on removable USB drive
  – Not in all versions of Windows 7 / Vista – only Enterprise/Ultimate versions
  – Limited availability of motherboards with TPM chips
• How good are TPMs?
  – Banned in Russia, China, Belarus and Kazakhstan
Encryption (Paul Henry)
• Encryption is a forensic analyst's nightmare
• It is only a matter of time before the bad guys adopt current-technology encryption
• Current offerings provide for multiple levels of "plausible deniability"
  – Create a hidden encrypted volume within an encrypted volume
  – Bad guy gives up the password to the first level only
  – Second level remains hidden and looks like random data within the volume (undetectable)
  – Total downloads 3,487,388; 1-day downloads 5,547
Expanding USB Vulnerabilities
• Remote attack by adding a 3G modem to a keyboard
Signals Intelligence: Onion Routing
The Onion Router (TOR)
• Developed by the US Navy to protect information exchange across open channels
• Not formally designed to be anti-forensic
• Defeats external traffic analysis
• Operates similarly to a VPN, but strips out header data other than the previous node and the next node
The Onion Router (TOR)
Source: The Onion Router Project website, http://www.torproject.org
The Defiler's Toolkit
• First public anti-forensic tool (2002)
• Developed by "The Grugq"
• Targeted specifically to counter The Coroner's Toolkit and only extensively tested on ext2/3 file systems
• Works from the basis of the File Insertion and Subversion Technique (FISTing)
  – "Inserting data into places it doesn't belong"
The Defiler's Toolkit
• Six components
  – Four data hiding systems
    • Kill Your File System (KY FS) – stores data in superblocks / directory structures
    • Waffen FS – stores data in the ext3 journal file (of an ext2 file system)
    • Data Mule FS – stores data in inode reserved space
    • Rune FS – stores data in bad blocks
  – Two data wiping applications
    • Necrofile – finds unallocated inodes and wipes them
    • Klismafile – finds and zeroizes data in slack space
Metasploit Anti-Forensic Investigation Arsenal (MAFIA)
• Developed by Vinnie Liu and distributed with Metasploit 2.2 (2004)
• Windows specific
• Four components
  – TimeStomp: MAC time modification tool
  – Slacker: tool to hide data in slack space
  – SAM Juicer: password file extractor
  – Transmogrify: file signature modifier
• Slacker and Transmogrify were never reliable and were apparently discontinued. Transmogrify was never released
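The slide names TimeStomp as a MAC time modification tool but says nothing about how an examiner notices its use. The following added example (not from the slides or from Metasploit) shows two widely documented triage heuristics for NTFS: timestamps rewritten through the user-mode file API land in $STANDARD_INFORMATION with zero sub-second precision, and they can fall before the $FILE_NAME creation time, which that API does not touch. The records are constructed stand-ins for parsed MFT entries; the file names are invented.

```python
from datetime import datetime, timezone

UTC = timezone.utc

def _t(y, mo, d, h, mi, s, us=0):
    return datetime(y, mo, d, h, mi, s, us, tzinfo=UTC)

# Constructed MFT-style records (not parsed from a real volume): each carries the
# $STANDARD_INFORMATION (si) and $FILE_NAME (fn) timestamp sets of one file.
LEGIT = {
    "name": "report.docx",
    "si": {"created": _t(2012, 3, 4, 10, 15, 22, 481923), "modified": _t(2012, 3, 5, 9, 1, 7, 112004),
           "accessed": _t(2012, 3, 5, 9, 1, 7, 112004), "entry": _t(2012, 3, 5, 9, 1, 7, 112004)},
    "fn": {"created": _t(2012, 3, 4, 10, 15, 22, 481923), "modified": _t(2012, 3, 4, 10, 15, 22, 481923),
           "accessed": _t(2012, 3, 4, 10, 15, 22, 481923), "entry": _t(2012, 3, 4, 10, 15, 22, 481923)},
}
STOMPED = {
    "name": "svchost.dll",  # constructed name; SI times pushed back to 2009 with no fraction
    "si": {k: _t(2009, 7, 14, 1, 14, 0) for k in ("created", "modified", "accessed", "entry")},
    "fn": {k: _t(2012, 3, 6, 14, 2, 31, 903310) for k in ("created", "modified", "accessed", "entry")},
}

def timestomp_indicators(record):
    """Return the heuristic findings for one record (empty list = nothing suspicious)."""
    si, fn = record["si"], record["fn"]
    flags = []
    # Heuristic 1: tools that set times with one-second granularity leave the
    # sub-second part of every $STANDARD_INFORMATION timestamp at zero.
    if all(ts.microsecond == 0 for ts in si.values()):
        flags.append("all $STANDARD_INFORMATION timestamps have zero sub-second precision")
    # Heuristic 2: $FILE_NAME times are written by the kernel on create/rename and not
    # by the user-mode SetFileTime path, so an SI creation time earlier than the FN
    # creation time means the SI times were rewritten backwards.
    if si["created"] < fn["created"]:
        flags.append("$STANDARD_INFORMATION created precedes $FILE_NAME created")
    return flags

def triage(records):
    """Map file name -> findings for every record that has at least one indicator."""
    return {r["name"]: timestomp_indicators(r) for r in records if timestomp_indicators(r)}

if __name__ == "__main__":
    for name, findings in triage([LEGIT, STOMPED]).items():
        print(name, "->", "; ".join(findings))
```

Zero sub-second precision also occurs legitimately (files copied from FAT volumes or written by some archivers), so treat the output as a triage list to be confirmed against other sources such as the USN journal, not as proof.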
Meterpreter
• Central component in the Metasploit Framework
• Serves as a payload injected by any of a number of exploits
• Opens a covert communication channel with shell command capabilities
• Resides exclusively in memory, never touches the disk
Meterpreter (cont'd)
• An artifact left in upper memory by Meterpreter
www.evidenceeliminator.com/register_reasons.d2w
• Just some reasons why you must buy protection for yourself right now.
• "Pelican Bay State Prison (USA)" ...putting a prisoner in a cell with a known assaulter and setting up alleged sex offenders for attack are not uncommon...
• "Cocoran Prison (California USA)" ...Dillard, who weighed 120 pounds, fought back but Robertson was too powerful. He said he pounded on the cell door, banged at it in a way that the guards surely must have heard, but nobody ever came as he was raped...
• "The View From Behind Prison Bars (USA)" ...The guard in the tower decided to blow one of the inmates' heads off... The suicides at San Quentin are amazing. I never knew doing time would subject me to watching guys do swan dives off the fifth tier... we were forced to sleep in shifts to keep the cockroaches from crawling in our mouths...
• Get total protection. Buy your license to Evidence Eliminator™. $149 is less than 149 years. Permanent protection for only $149.95 (US)
Who Pays For Software?
Disk Wiping Products
Signatures
• Examining hashes is a quick way to determine if specific files are or are not on the image that is being examined
• Altering a single byte will alter the hash but still leave a malicious program executable
Some Hash Utilities are Unreliable
Packers & Binders (Paul Henry)
• A packer can change the hash of any executable file and render a search for a known MD5 useless
• The potentially malicious file will not be found with an antivirus scanner
• Binders combine two or more executables into a single executable file
• Allows the bad guy to attach a Trojan, key logger or other malicious program to a common exe file
• The resulting MD5 will not match a known-bad database
• 37 different free binders are downloadable at http://www.trojanfrance.com/index.php?dir=Binders/
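The Signatures slide and this one make the same point from the examiner's side: one changed byte, or a repacked file, defeats a whole-file MD5 lookup. The added example below (written for this page, not taken from the slides or from any forensic tool) contrasts a whole-file hash with piecewise hashing, the approach tools such as md5deep's -p mode use, so that a file with a single altered byte still matches most of its known-bad pieces. The sample binary is a constructed byte string, not a real executable, and the 64-byte piece size is chosen only to keep the demonstration small.

```python
import hashlib

CHUNK = 64  # piece size in bytes; real piecewise hashing uses far larger pieces

def file_md5(data: bytes) -> str:
    """Whole-file MD5 as used for a conventional known-bad lookup."""
    return hashlib.md5(data).hexdigest()

def piecewise_md5(data: bytes, chunk: int = CHUNK) -> list:
    """Hash fixed-size pieces of the file independently (last piece may be short)."""
    return [hashlib.md5(data[i:i + chunk]).hexdigest() for i in range(0, len(data), chunk)]

def piecewise_match(data: bytes, known: list, chunk: int = CHUNK) -> float:
    """Fraction of the known file's pieces that still appear at the same offset."""
    if not known:
        return 0.0
    pieces = piecewise_md5(data, chunk)
    hits = sum(1 for a, b in zip(pieces, known) if a == b)
    return hits / len(known)

# Constructed stand-in for a known-bad binary: four 64-byte pieces of filler.
KNOWN_BAD = b"".join(bytes([b]) * CHUNK for b in (0x4D, 0x5A, 0x90, 0x00))
KNOWN_FULL = file_md5(KNOWN_BAD)
KNOWN_PIECES = piecewise_md5(KNOWN_BAD)

def altered_copy(data: bytes, offset: int) -> bytes:
    """The single-byte alteration the Signatures slide describes, applied at one offset."""
    buf = bytearray(data)
    buf[offset] ^= 0xFF
    return bytes(buf)

def check(sample: bytes) -> dict:
    """Compare one sample against the known-bad record both ways."""
    return {
        "full_hash_match": file_md5(sample) == KNOWN_FULL,
        "piece_match_ratio": piecewise_match(sample, KNOWN_PIECES),
    }

if __name__ == "__main__":
    print("unmodified:", check(KNOWN_BAD))           # full match, ratio 1.0
    print("one byte changed:", check(altered_copy(KNOWN_BAD, 200)))  # no full match, ratio 0.75
```

A packed or re-bound binary shares essentially no pieces with the original, so piecewise hashing answers the single-byte edit on the Signatures slide, not the packer case, which needs unpacking or behavioural detection.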
Magnetic Remanence
Expanding Forensic Outreach
New Targets for Digital Forensics
Conclusion