Defeating Anti-forensics Techniques Flashcards
Anti-forensics
also known as counter forensics, is a set of techniques that attackers use in order to sidetrack the forensic investigation process. These techniques are designed to negatively impact the quantity and quality of evidence gathered from a crime scene.
What happens when you delete a file out of a FAT file system
The OS overwrites the first byte of the file's directory entry with the hex value E5h, a tag that marks the entry as deleted; the rest of the entry (starting cluster, file size, timestamps) is left in place
The clusters in that file's FAT chain are marked as unused, but their contents stay on disk until they are overwritten, which is why the file can still be recovered
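The two steps above, worked through on a constructed FAT16-style volume. This is an added example, not part of the flashcards: the `FatVolume` class, the 16-cluster layout and the file contents are all made up here; the 32-byte directory-entry layout and the E5h tag follow the FAT specification. It shows that deletion only changes one byte of the entry and the FAT chain, and that a recovery tool carves the file back from the start cluster and size that survive in the entry.

```python
# Added example (not from the original flashcards): a minimal FAT model
# showing what deletion changes and how the file is recovered afterwards.
import struct

CLUSTER = 512                  # bytes per cluster in this constructed volume
EOC = 0xFFFF                   # FAT16 end-of-chain marker
DELETED = 0xE5                 # first byte of a directory entry once the file is deleted
ENTRY_FMT = "<11sBBBHHHHHHHI"  # name, attr, NTRes, crt-tenth, crt-time, crt-date,
                               # access-date, cluster-hi, wrt-time, wrt-date, cluster-lo, size

def make_entry(name, ext, first_cluster, size):
    """Build a 32-byte 8.3 directory entry (timestamps left at zero)."""
    short = (name.upper().ljust(8)[:8] + ext.upper().ljust(3)[:3]).encode("ascii")
    return struct.pack(ENTRY_FMT, short, 0x20, 0, 0, 0, 0, 0,
                       first_cluster >> 16, 0, 0, first_cluster & 0xFFFF, size)

def parse_entry(raw):
    short, attr, _, _, _, _, _, hi, _, _, lo, size = struct.unpack(ENTRY_FMT, raw)
    name = short[:8].decode("ascii").rstrip()
    ext = short[8:].decode("ascii").rstrip()
    return {"name": name + ("." + ext if ext else ""),
            "first_cluster": (hi << 16) | lo, "size": size, "attr": attr}

class FatVolume:
    """FAT table + data region + one root directory: enough to show deletion."""
    def __init__(self, clusters):
        self.fat = [0] * clusters                 # 0 == free cluster
        self.fat[0], self.fat[1] = 0xFFF8, EOC    # reserved entries, as on a real FAT16
        self.data = bytearray(CLUSTER * clusters)
        self.root = bytearray()

    def write_file(self, name, ext, content):
        needed = max(1, -(-len(content) // CLUSTER))
        free = [c for c in range(2, len(self.fat)) if self.fat[c] == 0][:needed]
        if len(free) < needed:
            raise OSError("volume full")
        for i, c in enumerate(free):
            self.fat[c] = free[i + 1] if i + 1 < needed else EOC   # link the chain
            chunk = content[i * CLUSTER:(i + 1) * CLUSTER]
            self.data[c * CLUSTER:(c + 1) * CLUSTER] = chunk.ljust(CLUSTER, b"\x00")
        self.root += make_entry(name, ext, free[0], len(content))
        return free[0]

    def delete_file(self, index):
        """What the OS does on delete: tag the entry and free the chain. Nothing else."""
        off = index * 32
        entry = parse_entry(bytes(self.root[off:off + 32]))
        self.root[off] = DELETED
        c = entry["first_cluster"]
        while 2 <= c < len(self.fat):
            nxt = self.fat[c]
            self.fat[c] = 0
            c = nxt
        # self.data is deliberately untouched: the file's bytes are still there

    def find_deleted(self):
        """Walk the directory for E5h entries; the first name byte is lost, shown as '?'."""
        found = []
        for off in range(0, len(self.root), 32):
            raw = bytes(self.root[off:off + 32])
            if raw[0] == DELETED:
                found.append(parse_entry(b"?" + raw[1:]))
        return found

    def carve(self, entry):
        """Recover a deleted file from its start cluster and size, assuming it was stored
        contiguously (the chain is gone, so fragmented files need more work than this)."""
        start = entry["first_cluster"] * CLUSTER
        return bytes(self.data[start:start + entry["size"]])

def demo():
    vol = FatVolume(clusters=16)
    original = b"meeting notes: " + bytes(range(256)) * 3     # constructed, 783 bytes -> 2 clusters
    vol.write_file("secret", "txt", original)
    chain_before = (vol.fat[2], vol.fat[3])
    vol.delete_file(0)
    deleted = vol.find_deleted()
    recovered = vol.carve(deleted[0])
    return {"name_seen": deleted[0]["name"], "chain_before": chain_before,
            "chain_after": (vol.fat[2], vol.fat[3]), "recovered_ok": recovered == original}
```

Running `demo()` shows the recovered name as `?ECRET.TXT` (the E5h byte replaced the "S"), the chain 2 -> 3 -> EOC reduced to two free clusters, and the carved bytes identical to the original. Once any other file is written into cluster 2 or 3 the carve would return garbage, which is the "until it is overwritten" caveat on the card.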
What happens when you delete a file out of a NTFS file system
When a user deletes a file, the OS clears the in-use flag on the file's record in the master file table (MFT); the record itself, including the file name and the list of data runs, is left in place until that MFT slot is reused
The clusters allocated to the deleted file are marked as free in $BitMap ($BitMap is the metadata file that records which clusters are in use and which are free)
The OS now treats those clusters as free space and may hand them out to the next file that needs storage
The deleted file can be recovered as long as neither its MFT record nor its clusters have been reused
Deleted files in older FAT file system (Windows 98 and prior) are stored in?
Drive:\RECYCLED
Deleted files for NTFS file system (Windows 2000, XP, NT) these are stored in?
Drive:\RECYCLER folder
Deleted Files for Windows Vista and newer systems?
C:\$Recycle.Bin
What is the Recycle bin limit for Win Vista and later?
No fixed limit
What is the Recycling bin limit for systems prior to Win Vista?
3.99 GB
What do Windows Vista and later rename files stored in the Recycle Bin to?
$R<id>.ext, where <id> is a random string; a companion $I<id>.ext file records the original path, size and deletion time
What do systems prior to Windows Vista rename files stored in the Recycle Bin to?
Dxy.ext
What do x and y represent in the Dxy.ext naming scheme?
In the pre-Vista scheme, "x" is the letter of the drive the file came from, "y" is a sequential index starting at 0, and ".ext" is the original file's extension (.doc, .docx, .pdf, etc.); Vista and later use a random string in place of the drive letter and index
Where does the OS store details about deleted files?
In the hidden INFO (Windows 95) or INFO2 (Windows 98 through XP) file inside the Recycled/Recycler folder; Vista and later record the same details in the $I<id> file stored next to each $R<id> file
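A parser for the $I record that Vista and later keep beside each $R file, as an added example that is not part of the flashcards. The records are constructed in code (file names, path and timestamp are made up); the layout follows the two documented versions: version 1 (Vista through 8.1) stores a fixed 520-byte UTF-16LE path, version 2 (Windows 10 and later) stores a 32-bit character count followed by the path. The deletion time is a Windows FILETIME, which the helper converts to UTC.

```python
# Added example (not from the original flashcards): decode $I<id> records
# from $Recycle.Bin and pair them with their $R<id> content files.
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ticks):
    """FILETIME is a count of 100-nanosecond ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def datetime_to_filetime(dt):
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def parse_dollar_i(blob):
    """Header: version, original size, deletion FILETIME (three little-endian uint64).
    v1: fixed 520-byte UTF-16LE path.  v2: uint32 char count (incl. NUL), then the path."""
    version, size, ticks = struct.unpack_from("<QQQ", blob, 0)
    if version == 1:
        raw_path = blob[24:24 + 520]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", blob, 24)
        raw_path = blob[28:28 + nchars * 2]
    else:
        raise ValueError("unknown $I version %d" % version)
    path = raw_path.decode("utf-16-le").split("\x00", 1)[0]
    return {"version": version, "original_size": size,
            "deleted_utc": filetime_to_datetime(ticks), "original_path": path}

def build_dollar_i(version, size, deleted_utc, path):
    """Inverse of parse_dollar_i; used here only to construct sample records."""
    header = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted_utc))
    encoded = (path + "\x00").encode("utf-16-le")
    if version == 1:
        if len(encoded) > 520:
            raise ValueError("path too long for a v1 record")
        return header + encoded.ljust(520, b"\x00")
    return header + struct.pack("<I", len(path) + 1) + encoded

def r_file_for(i_name):
    """$I and $R files share the random id: $I3K9QZ2.docx <-> $R3K9QZ2.docx."""
    if not i_name.startswith("$I"):
        raise ValueError("not a $I file name")
    return "$R" + i_name[2:]

def demo():
    when = datetime(2023, 5, 17, 9, 30, tzinfo=timezone.utc)     # constructed timestamp
    records = {   # constructed sample records, one of each format version
        "$I3K9QZ2.docx": build_dollar_i(2, 24576, when, r"C:\Users\alice\Documents\plan.docx"),
        "$IA1B2C3.pdf": build_dollar_i(1, 4096, when, r"C:\Users\alice\Desktop\old.pdf"),
    }
    out = {}
    for name, blob in records.items():
        info = parse_dollar_i(blob)
        info["content_file"] = r_file_for(name)
        out[name] = info
    return out
```

On a real system the $I files live under `$Recycle.Bin\<user SID>\`; the parser above is what turns the opaque `$R` names back into "who deleted which path, when". The content itself is still sitting in the matching `$R` file until the bin is emptied.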
What do you do if the Recycle bin stops working?
If the Recycle Bin is not working or is damaged, delete the hidden INFO/INFO2 file from the Recycled folder and restart Windows; Windows re-creates the file, after which the deleted files in the Recycle Bin can be accessed again.
MAC OS X File Recovery
- Files you delete are moved to the user's Trash folder (~/.Trash).
- If the Trash is bypassed (Option+Command+Delete, "Delete Immediately"), the file is unlinked but its blocks remain on disk; it can still be recovered from a Time Machine backup or with recovery tools such as Remo Recover or MacKeeper
Linux File Recovery
- Files deleted with /bin/rm are only unlinked: their data blocks stay on the disk until they are reused, so they are recoverable.
- If a running executable is deleted, its image can still be copied out of /proc while the process lives: the command "cp /proc/$PID/exe /tmp/file" creates a copy of the binary in /tmp
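The /proc/$PID/exe recovery on the card, scripted end to end as an added example (not from the flashcards). It stages a copy of /bin/sh in a temporary directory, starts it, deletes it the way an attacker would, copies the still-mapped image back out of /proc and compares hashes. It assumes Linux with /proc mounted; the staged file name and the sleep command are constructed for the demo.

```python
# Added example (not from the original flashcards): recover an executable
# that was deleted while it was still running, via /proc/<pid>/exe.
import hashlib
import os
import shutil
import subprocess
import tempfile

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def recover_running_exe(pid, out_path):
    """Copy the executable image of a live process out of /proc/<pid>/exe.
    Returns the link target; Linux appends ' (deleted)' once the file is unlinked,
    which is also a cheap indicator worth hunting for across all of /proc."""
    link = "/proc/%d/exe" % pid
    target = os.readlink(link)
    shutil.copyfile(link, out_path)     # reading through the link reaches the live inode
    os.chmod(out_path, 0o700)
    return target

def demo():
    """Stage a binary, run it, rm it, recover it from /proc, compare hashes."""
    tmp = tempfile.mkdtemp()
    try:
        staged = os.path.join(tmp, "sh")    # named 'sh' so a busybox /bin/sh still dispatches correctly
        shutil.copyfile("/bin/sh", staged)
        os.chmod(staged, 0o700)
        before = sha256_of(staged)
        # Two commands after -c: the shell then does not exec() sleep in place,
        # which would make /proc/<pid>/exe point at /bin/sleep instead of our copy.
        proc = subprocess.Popen([staged, "-c", "sleep 30; :"])
        os.unlink(staged)                    # the "rm": directory entry gone, inode kept by the process
        target = recover_running_exe(proc.pid, os.path.join(tmp, "recovered"))
        after = sha256_of(os.path.join(tmp, "recovered"))
        proc.kill()
        proc.wait()
        return {"target": target, "hashes_match": before == after,
                "still_on_disk": os.path.exists(staged)}
    finally:
        shutil.rmtree(tmp, ignore_errors=True)
```

The `target` value ends in ` (deleted)` once the unlink has happened; `ls -l /proc/*/exe 2>/dev/null | grep deleted` is the one-liner triage version of the same check. The copy is only possible while the process is alive: once it exits, the inode's link count and open count are both zero and the blocks go back to the free pool.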
What do you do when a HD partition is deleted?
- When a hard drive partition is deleted, only the parameters that describe the partition (its entry in the partition table: type, start and length) are removed; the data sectors stay intact and are waiting to be recovered
Partition Recovery in Windows
- Recovery console through the install media
- Remove the hard drive from the source machine and attach it as a secondary drive in another machine
- Use third-party recovery software
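What "only the parameters are deleted" means at the byte level, and what the third-party recovery tools on the card actually do, as an added example that is not part of the flashcards. The 64-sector disk image, its single NTFS partition and the "user data" are constructed here; the MBR entry layout (16 bytes at offset 446, 0x55AA signature) and the NTFS boot-sector fields (OEM ID at offset 3, total sectors at 0x28) follow the published formats. The scanner rebuilds the table entry from the orphaned boot sector.

```python
# Added example (not from the original flashcards): delete an MBR partition
# entry, show the data is untouched, and rebuild the entry by scanning for
# an unreferenced filesystem boot sector.
import struct

SECTOR = 512
TABLE_OFF = 446              # start of the four 16-byte partition entries
ENTRY_FMT = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, sector count

def parse_mbr(disk):
    """Return the non-empty entries of a classic MBR partition table."""
    if disk[510:512] != b"\x55\xaa":
        raise ValueError("no MBR signature")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(ENTRY_FMT, disk, TABLE_OFF + 16 * i)
        if ptype:
            parts.append({"slot": i, "type": ptype, "lba_start": lba,
                          "sectors": count, "bootable": status == 0x80})
    return parts

def delete_partition(disk, slot):
    """What 'delete partition' does: zero the 16-byte table entry. No data sector is touched."""
    off = TABLE_OFF + 16 * slot
    disk[off:off + 16] = bytes(16)

def scan_for_volumes(disk):
    """Recovery: look for filesystem boot sectors no longer referenced by the table."""
    hits = []
    for lba in range(1, len(disk) // SECTOR):
        s = disk[lba * SECTOR:(lba + 1) * SECTOR]
        if s[510:512] != b"\x55\xaa":
            continue
        if s[3:11] == b"NTFS    ":
            total = struct.unpack_from("<Q", s, 0x28)[0]
            # NTFS reports one sector less than the partition (backup boot sector at the end)
            hits.append({"lba_start": lba, "fs": "NTFS", "type": 0x07, "sectors": total + 1})
        elif s[82:90] == b"FAT32   ":
            total = struct.unpack_from("<I", s, 32)[0]
            hits.append({"lba_start": lba, "fs": "FAT32", "type": 0x0C, "sectors": total})
    return hits

def restore_partition(disk, slot, hit):
    """Rewrite a table entry from a scan hit (CHS fields left zero; LBA is what matters)."""
    entry = struct.pack(ENTRY_FMT, 0x00, b"\0\0\0", hit["type"], b"\0\0\0",
                        hit["lba_start"], hit["sectors"])
    off = TABLE_OFF + 16 * slot
    disk[off:off + 16] = entry

def build_sample_disk():
    """Constructed 64-sector disk: MBR plus one NTFS partition at LBA 8, 32 sectors long."""
    disk = bytearray(64 * SECTOR)
    disk[510:512] = b"\x55\xaa"
    restore_partition(disk, 0, {"type": 0x07, "lba_start": 8, "sectors": 32})
    boot = bytearray(SECTOR)
    boot[0:11] = b"\xeb\x52\x90NTFS    "
    struct.pack_into("<Q", boot, 0x28, 31)
    boot[510:512] = b"\x55\xaa"
    disk[8 * SECTOR:9 * SECTOR] = boot
    disk[9 * SECTOR:10 * SECTOR] = b"payroll.xlsx contents ...".ljust(SECTOR, b"\x00")  # constructed
    return disk

def demo():
    disk = build_sample_disk()
    user_data = bytes(disk[9 * SECTOR:10 * SECTOR])
    delete_partition(disk, 0)
    after_delete = parse_mbr(disk)
    data_intact = bytes(disk[9 * SECTOR:10 * SECTOR]) == user_data
    hit = scan_for_volumes(disk)[0]
    restore_partition(disk, 0, hit)
    return {"after_delete": after_delete, "data_intact": data_intact, "restored": parse_mbr(disk)}
```

After `delete_partition` the table is empty but the NTFS boot sector and the file data at LBA 9 are byte-for-byte unchanged; the scan finds the boot sector and the entry is rebuilt. On a real disk the scan walks every sector (or every cylinder boundary, for speed) and should be run against a write-blocked image, never the original.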
What are the 3 password types?
- Cleartext
- Obfuscated
- Hashed
Password Attack Categories
- Passive on-line
a. Wire sniffing
b. Man-in-the-Middle (MitM)
c. Replay
- Active on-line
a. Guessing
b. Malware
c. Hash injection
- Offline
a. Pre-computed/rainbow tables - http://projectrainbowcrack.com/table.htm
b. Distributed network (grids)
- Non-electronic
a. Shoulder surfing
b. Dumpster diving
How are Hashed Passwords Stored in the Windows SAM file?
The SAM file is stored at %SystemRoot%\system32\config\SAM on Windows systems and is mounted in the registry under the HKLM\SAM hive. It stores LM and/or NTLM (NT) password hashes; Windows Vista and later store only NT hashes by default, LM hashing being disabled. The file is locked while Windows is running, so an examiner normally copies it from a Volume Shadow Copy or an offline image, together with the SYSTEM hive that holds the boot key needed to decrypt the stored hashes.
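Why the offline, pre-computed attack on the list above works so well against SAM hashes, as an added example that is not part of the flashcards. The NT hash is plain MD4 over the UTF-16LE password with no salt, so every candidate password hashes to the same value on every machine and a table computed once cracks any dump. The MD4 below is written out in full (RFC 1320) because modern OpenSSL builds no longer expose it through hashlib; the wordlist and the "dumped" hashes are constructed, the two reference values are the well-known NT hashes of the empty password and of "password".

```python
# Added example (not from the original flashcards): NT hash computation and
# a pre-computed lookup table, to show why unsalted SAM hashes fall so fast.
import struct

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def md4(data):
    """MD4 per RFC 1320; NTLM is MD4 over the UTF-16LE password, with no salt."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = A, B, C, D
        for i in range(16):                              # round 1
            s = (3, 7, 11, 19)[i % 4]
            a, b, c, d = d, _rotl((a + F(b, c, d) + X[i]) & 0xFFFFFFFF, s), b, c
        for i in range(16):                              # round 2
            k, s = (i % 4) * 4 + i // 4, (3, 5, 9, 13)[i % 4]
            a, b, c, d = d, _rotl((a + G(b, c, d) + X[k] + 0x5A827999) & 0xFFFFFFFF, s), b, c
        for i in range(16):                              # round 3 (bit-reversed word order)
            k, s = int("{:04b}".format(i)[::-1], 2), (3, 9, 11, 15)[i % 4]
            a, b, c, d = d, _rotl((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & 0xFFFFFFFF, s), b, c
        A, B, C, D = ((A + a) & 0xFFFFFFFF, (B + b) & 0xFFFFFFFF,
                      (C + c) & 0xFFFFFFFF, (D + d) & 0xFFFFFFFF)
    return struct.pack("<4I", A, B, C, D)

def nt_hash(password):
    """The value stored in the SAM for a user (after the SYSTEM-key layer is stripped)."""
    return md4(password.encode("utf-16-le")).hex()

def build_lookup(wordlist):
    """Pre-computation: hash every candidate once; cracking is then a dictionary lookup.
    A rainbow table is the same idea with the table compressed into hash chains."""
    return {nt_hash(w): w for w in wordlist}

def crack(lookup, dumped):
    """dumped: {'user': 'nt hash hex'} as pulled from a SAM dump. Returns user -> password or None."""
    return {user: lookup.get(h.lower()) for user, h in dumped.items()}

def demo():
    wordlist = ["123456", "password", "letmein", "Summer2023!", "P@ssw0rd"]     # constructed
    lookup = build_lookup(wordlist)
    dumped = {                                                                   # constructed dump
        "alice": nt_hash("P@ssw0rd"),
        "bob": nt_hash("correct horse battery staple"),
        "svc_backup": "8846F7EAEE8FB117AD06BDD830B7586C",
    }
    return crack(lookup, dumped)
```

`demo()` cracks alice and svc_backup (the latter is the textbook hash of "password") and leaves bob unresolved because his passphrase is not in the table. Two practical consequences of the missing salt: identical passwords on different hosts have identical hashes, so one crack covers all of them, and the hash itself is enough to authenticate (pass-the-hash), so a dump is dangerous even before anything is cracked.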
What is Steganography?
Steganography is a technique of hiding a secret message within an ordinary message and extracting it at the destination to maintain confidentiality of data
Substitution Steganography
substitutes redundant part of the cover object with a secret message
Transform Steganography
embed secret message in a transform space of the signal (e.g. in the frequency domain)
Statistical Steganography
embed messages by altering statistical properties of the cover objects and use hypothesis methods for extraction
Distortion Steganography
Store information by signal distortion and in the extraction step measure the deviation from the original cover
Cover Generation Steganography
Encode information that ensures creation of cover for secret communication
Technical Steganography
use of physical or chemical means to hide information
Linguistic Steganography
use of natural language to hide message in non-obvious ways
Image Steganography
replaces redundant bits of image data with message
Least Significant Bit Insertion Image Steganography
The rightmost bit of each byte in a pixel is the Least Significant Bit (LSB). The binary data of the hidden message is split into bits and written into the LSB of successive pixels in a deterministic order. Changing the LSB alters a sample value by at most 1, which does not produce a visible difference
Masking & Filtering Image Steganography
Mostly used on 24 bit and grayscale images. The masking technique hides data using a method similar to watermarks on actual paper, and it can be done by modifying the luminance of parts of the image. Masking techniques hide information in such a way that the hidden message is inside the visible part of the image.
Algorithms & Transformation Image Steganography
The data is embedded in the cover image by changing the coefficients of a transform of the image. Types of transforms:
1. Fast Fourier
2. Discrete cosine
3. Wavelet
What are the three types of Image Steganography?
Least Significant Bit Insertion
Masking & Filtering
Algorithms & Transformation
Audio Steganography
refers to hiding secret information in audio files. Information can be hidden in an audio file by using LSB or by using frequencies that are inaudible to the human ear (>20,000 Hz)
Echo Data Hiding Audio Steganography
the secret message is embedded into a cover audio signal as an echo. The parameters of the echo, amplitude, decay rate and offset from the original signal, are varied to represent an encoded secret binary message
Spread Spectrum Audio Steganography
encodes data as a binary sequence that sounds like noise but can be recognized by a receiver with the correct key
What are the five approaches used in spread spectrum Audio Steganography?
Direct Sequence Spread Spectrum (DSSS)
Frequency Hopping Spread Spectrum (FHSS)
LSB coding
Tone insertion
Phase coding (listed on the card as "phase decoding")
what are two types of Audio Steganography?
Echo Data Hiding
Spread Spectrum
What Is Direct Sequence Spread Spectrum (DSSS)?
A secret message is spread out by chip rate (constant) and then modulated with a pseudo-random signal that is then interleaved with the cover signal
What is Frequency Hopping Spread Spectrum (FHSS)?
audio file’s frequency spectrum is altered so that it hops rapidly between frequencies
What is LSB Coding?
replaces the LSB of information in each sampling point with a coded binary string
What is Tone Insertion?
depends on the inaudibility of low power tones in the presence of significantly higher spectral components
What is Phase Decoding (phase coding)?
It encodes the secret message bits as phase shifts in the phase spectrum of a digital signal, achieving a soft encoding in terms of signal-to-noise ratio
Video Steganography
hiding secret information or any kind of files with any extension into a carrier video file. Discrete Cosine Transform (DCT) manipulation is used to add secret data.
Issues to consider with Steganography?
- Levels of visibility - the embedding must not distort the cover to the point that the change is noticeable
- File format dependence - image and sound formats are either lossless or lossy.
a. Lossy compression reduces file size by permanently discarding information, especially redundant information the user is unlikely to notice. JPEG is an example of a format using lossy compression. It does not maintain data integrity. Vector quantization is one technique used.
b. Lossless compression keeps every raster value and still reduces file size. LZ77 is an example of a lossless compression algorithm. It maintains data integrity. Huffman coding and Lempel-Ziv coding are the algorithms used.
- Converting a lossless cover to a lossy format (for example, saving a stego BMP as a JPEG) destroys the hidden information in the cover.
What is Steganalysis?
the art of discovering (and, where possible, extracting or defeating) covert messages hidden with steganography
Steganography Attacks
Stego-only
Known-stego
Known-message
Known-cover
Chosen-message
Chosen-stego
What is a Stego-only attack?
You only have access to the stego-medium or stego-object. In this attack, the steganalyst has to try all plausible steganography algorithms and the attacks that apply to each in order to recover the hidden information.
What is a Known-stego Attack?
You know the steganographic algorithm as well as original and stego-object. You can extract the hidden information with the information at hand.
What is a known-message attack?
Presumes that the message and the stego-medium are available. Using this attack, one can detect the technique used to hide the message.
What is a known-cover attack?
Attackers have knowledge of both the stego-object and the original cover-medium. This will enable a comparison between both the mediums in order to detect the changes in the format of the medium and find the hidden message.
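One piece of code that ties together three cards above: the LSB insertion described under Image Steganography, the known-cover attack just described, and the lossy-compression caveat from "Issues to consider". This is an added example, not part of the flashcards. The cover is a constructed 8-bit grayscale gradient held as a byte string (no image library), the message is made up, and the "lossy compression" is stood in for by a coarse quantizer that drops the low bits, which is the effect that matters for the hidden data; zlib is used for the lossless round trip.

```python
# Added example (not from the original flashcards): LSB embed/extract,
# the known-cover diff that exposes it, and the lossy-compression failure mode.
import zlib

def _payload_bits(payload):
    for byte in payload:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1

def lsb_embed(cover, message):
    """Overwrite the LSB of successive samples with a 32-bit length header and the message."""
    payload = len(message).to_bytes(4, "big") + message
    if len(payload) * 8 > len(cover):
        raise ValueError("cover too small: need %d samples" % (len(payload) * 8))
    stego = bytearray(cover)
    for i, bit in enumerate(_payload_bits(payload)):
        stego[i] = (stego[i] & 0xFE) | bit
    return bytes(stego)

def _read_lsb_bytes(samples, start, count):
    out = bytearray()
    for n in range(count):
        value = 0
        for k in range(8):
            value = (value << 1) | (samples[start + n * 8 + k] & 1)
        out.append(value)
    return bytes(out)

def lsb_extract(stego):
    """Read the header, then that many bytes; a header that cannot fit means no intact payload."""
    length = int.from_bytes(_read_lsb_bytes(stego, 0, 4), "big")
    if 32 + length * 8 > len(stego):
        return b""
    return _read_lsb_bytes(stego, 32, length)

def known_cover_attack(cover, stego):
    """With the original cover in hand, a sample-wise diff exposes which samples were
    touched and by how much; for LSB insertion every change is exactly 1 and the
    changes cluster at the start of the image, which fingerprints the technique."""
    changed = [i for i, (c, s) in enumerate(zip(cover, stego)) if c != s]
    max_delta = max((abs(c - s) for c, s in zip(cover, stego)), default=0)
    return changed, max_delta

def lossy_quantize(samples, keep_bits=6):
    """Stand-in for lossy compression: a coarse quantizer throws away the low bits."""
    mask = (0xFF << (8 - keep_bits)) & 0xFF
    return bytes(s & mask for s in samples)

def demo():
    cover = bytes((x * 7 + 13) % 256 for x in range(64 * 64))   # constructed 64x64 grayscale gradient
    message = b"meet at 0200"                                    # constructed payload
    stego = lsb_embed(cover, message)
    changed, max_delta = known_cover_attack(cover, stego)
    return {
        "extracted": lsb_extract(stego),
        "changed_samples": len(changed),
        "last_changed_index": max(changed),
        "max_delta": max_delta,
        "after_lossless": lsb_extract(zlib.decompress(zlib.compress(stego))),
        "after_lossy": lsb_extract(lossy_quantize(stego)),
    }
```

The diff shows at most 128 touched samples (16 payload bytes times 8 bits), all within the first 128 positions and every one off by exactly 1, which is the "levels of visibility" point made concrete: invisible to the eye, obvious to anyone holding the cover. The lossless round trip returns the message unchanged; the quantized copy returns nothing, because the LSB plane the message lived in is gone.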
What is a chosen-message attack?
The steganalyst uses known message to generate a stego-object by using some steganography tool in order to find the steganography algorithm used to hide the information. The goal in this attack is to determine patterns in the stego-object that may point to the use of specific steganography tools or algorithms.
What is a chosen-stego attack?
takes place when the steganalyst knows both the stego- object and steganographic tool or algorithm used to hide the message.
Pixel
A single point in an image
Bit Depth
Number of colors available for each pixel
Resolution
Sharpness and clarity of an image
File Formats
Particular ways to encode information
Image file size
measured in bytes
Compression
the method used to make an image smaller
Vector Images
use geometrical primitives such as points, lines, curves, and polygons, which are all based upon mathematical equations to represent images in the computer
Raster Images
a data file or structure representing a generally rectangular grid of pixels, or points of color, on a computer monitor. A colour raster image typically stores eight bits for each of the red, green and blue components of a pixel (24-bit colour). The quality of a raster image is determined by the total number of pixels and the amount of information stored in each pixel
Standard Image File Formats
- Joint Photographic Experts Group (JPEG) - .jpg
- JPEG 2000 - .jp2
- Graphics Interchange Format (GIF) - .gif
- Tagged Image File Format (TIFF) - .tif
- Windows Bitmap - .bmp
- Portable Network Graphics (PNG) - .png
Rootkit detection techniques:
- signature based
- heuristic / behaviour based
- integrity based
- runtime execution path profiling
- cross-view based - works by assuming that the attacker has subverted the OS in some way. It relies on the fact that API hooking or manipulation of kernel data structures taints the data returned by the high-level OS APIs, while a low-level mechanism that obtains the same information (walking raw kernel structures, probing the kernel directly, or reading disk blocks) is free of the DKOM or hook manipulation; any difference between the two views reveals what is being hidden.
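A cross-view check of the kind described above, as an added example that is not part of the flashcards. It assumes Linux with /proc mounted. The high-level view is what `readdir()` on /proc returns, which is what `ps` and `top` rely on and what a rootkit that filters directory listings hides from. The low-level view asks the kernel about every pid directly with `kill(pid, 0)`. Thread IDs also answer `kill()`, and processes can exit between the two snapshots, so both cases are filtered before anything is reported as hidden; the pid range is a parameter because scanning all of pid_max takes a few seconds.

```python
# Added example (not from the original flashcards): cross-view detection of
# hidden processes by diffing readdir(/proc) against kill(pid, 0) probing.
import os

def procfs_pids():
    """The high-level view: what readdir() on /proc reports (what ps and top use)."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}

def probe_pids(max_pid):
    """The low-level view: ask the kernel about every pid with kill(pid, 0)."""
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass                     # exists, just owned by someone else
        alive.add(pid)
    return alive

def _thread_group_id(pid):
    """Tgid from /proc/<pid>/status; for a thread it differs from the TID."""
    try:
        with open("/proc/%d/status" % pid) as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        return None
    return None

def cross_view_hidden_pids(max_pid=None):
    """Anything kill() knows about but readdir(/proc) does not is suspicious.
    Threads (Tgid != tid) and pids that vanished between the views are dropped."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    low_level = probe_pids(max_pid)
    high_level = procfs_pids()
    hidden = []
    for pid in sorted(low_level - high_level):
        tgid = _thread_group_id(pid)
        if tgid is not None and tgid != pid:
            continue                 # a thread of a visible process, not a hidden process
        try:
            os.kill(pid, 0)          # re-check: still alive and still not listed?
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        if pid not in procfs_pids():
            hidden.append(pid)
    return hidden

def own_pid_visible():
    """Sanity check for the high-level view: the scanner itself must be listed."""
    return os.getpid() in procfs_pids()
```

On a clean system the result is an empty list. A process hidden by hooking `getdents` or by unlinking its task from the list the /proc listing walks still answers `kill()`, and shows up here; a rootkit that also hooks `kill()` defeats this particular pair of views, which is why real tools compare several (procfs, `kill()`, `sched_getaffinity()`, the scheduler's run queues) rather than one.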
Userland Execve Technique
lets programs on the victim computer be loaded and run without the Unix execve() kernel call (the loader work is done in user space instead), so an attacker can bypass kernel-based security controls that would deny or log calls to execve().
Syscall proxying
Rather than uploading the entire exploit program, the attacker can upload a system call proxy to accept the remote procedure calls from the attacker’s machine. The victim’s machine executes the requested system call and sends the result back to the attacker.