Tuesday, May 24, 2011

Anti-Forensics Strategies

I always get a thrill when I examine a system where a user tried to cover their tracks.  To paraphrase Craig Ball's point on the matter, "sometimes the gaping hole where data should be is the most incriminating evidence."  That said, a lot of the tools out there that your average computer user uses to "clean house" still leave an awful lot of artifacts behind (I'm looking at you, CCleaner).  Yes, there are anti-forensic techniques that can certainly make push-button examinations more difficult.  But at the end of the day, it's not a program that does an investigation - it's the investigator.  And as Harlan Carvey has observed, "As far as analysis is concerned, the 'best' tool is that grey, goopy gunk between your ears." 

So what does this mean?  Well, I'm switching sides for a moment to give you bad guys out there some ideas to mess with any examiner who may end up digging through your cesspit of a computer.  Yeah, they'll probably still find the dirt that's there, but the least you can do is make it interesting for the poor guy/gal who has to turn over your digital midden heap in the course of their work.  So, without further ado:

Investigation Slowing Strategies

Funny Videos - This is probably the very best way to slow down any investigation.  Have lots and lots of funny videos stored throughout your drive (Tip:  this is especially useful if your nefarious misdeeds are video based).  Now, don't get lazy and just download the most popular funny vids - we've seen them all.  Get creative.  Really look for those out-there, maybe a bit geeky gems that will keep any investigator enthralled, despite the clips' complete lack of relevance to the case.  Extra marks if you create your own.

File and Folder Names - Investigators are well aware that there usually isn't a folder entitled "All My Illegal/Unethical Stuff" on a drive that will hand them the investigation on a platter.  But why not throw out a red herring?  Create folders with sinister names that contain pictures of bunny rabbits and clips of Dane Cook comedy routines.  Something along the line of Tobias' business cards (from Arrested Development) is a perfect example. 

Internet Search Terms - One of my favorite things in any investigation is to see the progression of search terms people use on their computers.  The sequence leading up to generating that perfect term to get the search engine to spit out whatever website they so desperately want to find can be an incredible insight into how the human mind works.  Bearing that in mind, try to create as many asinine and unintelligible search terms as you can, and then run them.  Hey, maybe you'll end up being surprised by what you find.

EDIT:  After seeing some well thought-out responses to this post, I have to come clean.  The intent was pretty much a tongue-in-cheek reference to my own foibles doing exams (i.e. having way too much fun with some of the funny videos... btw, have you seen this one?  Brilliant!...), and a bit of forensic humor inspired by comments found in happyasamonkeys blog.  This is my Screwtape Letters.  I actually feel a bit humbled by the responses.  Maybe I need to go legit and leave all this satire behind!


  1. One thing I've noticed quite often following exams is that a lot of analysts love to speculate! Most that I've met don't have a process that they follow, and technical nerds don't like to document what they do, and DEFINITELY don't like to be asked questions about what they did! As such, there's often very little rigor to what they do.

    So...one thing to do is to put some ebanking malware on a system, particularly if you're stealing data. The number of analysts that I've seen that actually understand things such as malware persistence mechanisms and indicators/evidence that malware has actually been launched is few and far between. As cybercrime seems to be moving to (or perhaps just being detected on) smaller targets, such as those that can't necessarily afford the boutique DFIR firms for response, they get what they pay for. Drop a copy of sdra64.exe into the system32 dir (and don't do anything else...), and sit back and see what happens.

  2. Going along with your example regarding images, one of the things I've run across when discussing these issues is seeded sites.

    Let's say someone's going out and downloading contraband images via the web or P2P. As a "protection mechanism", the proprietor of the site can seed it with network-capable and -aware malware, that also gets downloaded along with the images. These things do not necessarily need to be launched...like I said in my earlier comment, I've seen analysts stop when they find some 'malware' and think that they've struck gold!

  3. @Keydet89 Your responses have much more substance than anything in the original post! I do actually find myself wanting to do some experiments now...

  4. I can say for myself, picking up on supertimeline analysis and reading my 'bedtime novel', WFA, certainly opens up the mind on the wealth of pointers available in any analysis. With that said, dumping everything out and looking at it will not serve the analyst too effectively as compared to getting just what you need, have a focused analysis then move on to the next one. Trying to take in the whole 'wealth' of artifacts in one sitting can be overwhelming.

  5. @Crayfiss very good point. And excellent choice in bedtime novel!

  6. It wouldn't be accurate to use the words "like" or "admire," but I certainly have an affection of sorts for the use of defrag as an antiforensic tactic. Attacker logs into a host non-interactively, executes a malware binary that they brought along for the ride, malware is loaded into process memory, and then the attacker deletes their binary and runs defrag to prevent recovery. It would be possible to use registry and prefetch artifacts to reconstruct some of the attacker activities, and of course it would be useful to acquire the malicious process from memory, but imagine the attacker chose not to employ a persistence mechanism and the machine were rebooted: you'd be left with only limited visibility.

  7. @Devo As it just so happens, I have had a couple of interesting cases lately involving defrags, and what a tangled mess they leave behind for an investigator!

  8. It sounds silly, but one problem I come up against now and again is lack of basic literacy from suspects and victims alike. It can be very difficult to do successful keyword search when they never spell a word the same way twice, often using a mixture of pseudo-phonetic spelling, random multiple repetition of letters, local idiom, dyslexia, laziness and simply illiteracy. It can make grooming and gang jobs very difficult.

    I love the idea of using funny videos as caltrops :-) A couple of months ago I was preparing a test image for some researchers we've been working with and seeded it with a 1GB torrent of lolcats. That should keep 'em busy for a while.

    Keep up the good work! Loving the blog.

  9. @monkey 1GB of lolcats? I'd never finish that exam! The illiteracy problem is pretty widespread. Next to all the porn, it may be the one thing that makes me question the state of the human race.

  10. Just boot from a Live Linux CD such as Puppy Linux or Slax or Knoppix.

    It's a complete bypass around the Hard drive.
    You can navigate to your SDA thumbdrive through the OS on the live CD and store your stuff on it.

    Hear loud bangs at the door?
    Pop the thumbdrive in the microwave and hit popcorn.

    Here is a little tidbit on SSDs (solid state drives) and disk forensics.
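Picking up the keyword-search problem raised in comment 8 above (suspects who never spell a word the same way twice, with repeated letters, phonetic spellings and dropped vowels), the following is an added example and not code from the post or from any of the commenters. It shows one way an examiner can widen an exact keyword search: lowercase and collapse repeated letters, then accept a token if it is identical to the keyword, shares a Soundex key with it, or scores above a difflib similarity threshold. The chat lines, the keyword list and the 0.8 threshold are all constructed for the illustration; Soundex is English-centric and coarse, so treat hits as leads for a human to read, not as findings.

```python
import re
from difflib import SequenceMatcher

# Constructed sample chat lines (not from any real case) showing the
# spelling variation comment 8 describes: phonetic spelling ("skool"),
# repeated letters ("seeeecret"), dropped vowels ("frm").
SAMPLE_LINES = [
    "meet me at the skool gatez after class",
    "dont tell ur mum its our seeeecret ok",
    "whats the weather like wher u are",
    "i can pick u up frm the scool bus stop",
    "hows ur sister",
]

# Hypothetical keyword list an examiner might be searching for.
KEYWORDS = ["school", "secret", "sister"]

_SOUNDEX_CODES = {}
for _letters, _code in (("bfpv", "1"), ("cgjkqsxz", "2"), ("dt", "3"),
                        ("l", "4"), ("mn", "5"), ("r", "6")):
    for _ch in _letters:
        _SOUNDEX_CODES[_ch] = _code


def soundex(word):
    """Classic four-character Soundex key (e.g. 'Robert' -> 'R163').

    Vowels reset the previous code, h and w do not, and letters that share
    a code with the first letter are dropped, so 'school', 'skool' and
    'scool' all key to S400.
    """
    word = re.sub(r"[^a-z]", "", word.lower())
    if not word:
        return ""
    digits = []
    last = _SOUNDEX_CODES.get(word[0], "")
    for ch in word[1:]:
        code = _SOUNDEX_CODES.get(ch, "")
        if code and code != last:
            digits.append(code)
        if ch not in "hw":
            last = code
    return (word[0].upper() + "".join(digits) + "000")[:4]


def collapse_repeats(word):
    """Fold runs of a repeated letter to one: 'seeeecret' -> 'secret'."""
    return re.sub(r"(.)\1+", r"\1", word.lower())


def keyword_hits(lines, keywords, ratio_threshold=0.8):
    """Return (line_no, token, keyword, reason) for approximate matches.

    A token matches a keyword if, after lowercasing and collapsing repeated
    letters, it is identical, shares a Soundex key, or has a difflib
    similarity ratio at or above ratio_threshold.
    """
    hits = []
    normalized = [(kw, collapse_repeats(kw)) for kw in keywords]
    for line_no, line in enumerate(lines, 1):
        for raw in re.findall(r"[A-Za-z']+", line):
            tok = collapse_repeats(re.sub(r"[^a-z]", "", raw.lower()))
            if len(tok) < 3:          # one- and two-letter tokens are noise
                continue
            for kw, kw_norm in normalized:
                if tok == kw_norm:
                    reason = "exact"
                elif soundex(tok) == soundex(kw_norm):
                    reason = "soundex"
                else:
                    ratio = SequenceMatcher(None, tok, kw_norm).ratio()
                    if ratio < ratio_threshold:
                        continue
                    reason = f"ratio={ratio:.2f}"
                hits.append((line_no, raw, kw, reason))
    return hits


if __name__ == "__main__":
    for hit in keyword_hits(SAMPLE_LINES, KEYWORDS):
        print(hit)
```

On the sample lines the run flags "skool" and "scool" for "school" via Soundex and "seeeecret" for "secret" once the repeated letters are collapsed, which is exactly what a plain exact-match search would miss. Lower the threshold or add a second phonetic key if the target population's idiom warrants it, and expect to read more false positives as you do.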