Defeating Anti-forensics Techniques

Question 1

Anti-forensics

Answer 1

also known as counter forensics, is a set of techniques that attackers use in order to sidetrack the forensic investigation process. These techniques are designed to negatively impact the quantity and quality of evidence gathered from a crime scene.

Question 2

What happens when you delete a file out of a FAT file system

Answer 2

The OS replaces the first letter of a deleted file name with a hex byte code: E5h (E5h is a special tag that indicates that the file has been deleted)
The corresponding cluster of that file in FAT is marked as unused, although it will continue to contain the information until it is overwritten

Question 3

What happens when you delete a file out of a NTFS file system

Answer 3

When a user deletes a file, the OS marks the file as deleted in the master file table (MFT)
The clusters allocated to the deleted file are marked as free in the $BitMap ($BitMap file is a record of all used and unused clusters)
The computer now notices those empty clusters and avails that space for storing a new file
The deleted file can be recovered if the space is not allocated to any other file

Question 4

Deleted files in older FAT file system (Windows 98 and prior) are stored in?

Answer 4

Drive:\RECYCLED

Question 5

Deleted files for NTFS file system (Windows 2000, XP, NT) these are stored in?

Answer 5

Drive:\RECYCLER folder

Question 6

Deleted Files for Windows Vista and newer systems?

Answer 6

C:$Recycle.Bin

Question 7

What is the Recycle bin limit for Win Vista and later?

Answer 7

No Limit

Question 8

What is the Recycling bin limit for systems prior to Win Vista?

Answer 8

3.99 GB

Question 9

What does Windows Vista and later OS’s rename the files stored in the Recycle Bin?

Answer 9

$Ry.ext

Question 10

What do systems prior to Windows Vista rename the files stored in the Recycle Bin?

Answer 10

Dxy.ext

Question 11

What does the x and y represent for the renaming of files in the recycle bin?

Answer 11

In this naming process, “x” represents the drive name, “y” a sequential number starting from 0, and “.ext” being the original file’s extension such as .doc,
.docx, .pdf, etc.

Question 12

Where does the OS store details about deleted files?

Answer 12

Infor or Info2 hidden folder

Question 13

What do you do if the Recycle bin stops working?

Answer 13

If the Recycle Bin is not working or damaged, then delete the hidden INFO file from the Recycled folder and restart Windows to re-create the INFO file; this will enable you to access the deleted files in the Recycle Bin.

Question 14

MAC OS X File Recovery

Answer 14

1. Files move to trash folder if you delete them.
2. If Shift+delete is used, you bypass trash, but files can still be recovered using local or forensic tools such as TIMEMACHINE or REMO Recover or MacKeeper

Question 15

Linux File Recovery

Answer 15

1. Files deleted using /bin/rm remain on the disk, and are recoverable.
2. If an executable is deleted, its contents can be retrieved from
   /proc memory image; the command “cp /proc/$PID/exe
   /tmp/file”
   This creates a copy of a file in /tmp

Question 16

What do you do when a HD partition is deleted?

Answer 16

1. When a hard drive partition is deleted, what really happens is that the parameters that specify how the partition is setup are deleted, but the data stays intact and is waiting on you to recover it!!

Question 17

Partition Recovery in Windows

Answer 17

1. Recovery console through the install media
2. Remove HD from source machine, mount it as a slave in another machine
3. Use third-party recovery software

Question 18

What are the 3 password types?

Answer 18

1. Cleartext
2. Obfuscated
3. Hashed

Question 19

Password Attack Categories

Answer 19

1. Passive on-line
   a. Wire sniffing
   b. Man-in-the-Middle (MitM)
   c. Replay
2. Active on-line
   a. Guessing
   b. Malware
   c. Hash Injection
3. Offline
   a. Pre-computed/Rainbow Tables - http://projectrainbowcrack.com/table.htm
   b. Distributed Network (grids !!)
4. Non-electronic
   a. Shoulder surfing
   b. Dumpster diving

Question 20

How are Hashed Passwords Stored in the Windows SAM file?

Answer 20

The SAM file is stored at %SystemRoot%/system32/config/SAM in Windows systems, and Windows mounts it in the registry under the HKLM/SAM registry hive. It stores LM or NTLM hashed passwords.

Question 21

What is Steganography?

Answer 21

Steganography is a technique of hiding a secret message within an ordinary message and extracting it at the destination to maintain confidentiality of data

Question 22

Substitution Steganography

Answer 22

substitutes redundant part of the cover object with a secret message

Question 23

Transform Steganography

Answer 23

embed secret message in a transform space of the signal (e.g. in the frequency domain)

Question 24

Statistical Steganography

Answer 24

embed messages by altering statistical properties of the cover objects and use hypothesis methods for extraction

Question 25

Distortion Steganography

Answer 25

Store information by signal distortion and in the extraction step measure the deviation from the original cover

Question 26

Cover Generation Steganography

Answer 26

Encode information that ensures creation of cover for secret communication

Question 27

Technical Steganography

Answer 27

use of physical or chemical means to hide information

Question 28

Linguistic Steganography

Answer 28

use of natural language to hide message in non-obvious ways

Question 29

Image Steganography

Answer 29

replaces redundant bits of image data with message

Question 30

Least Significant Bit Insertion Image Steganography

Answer 30

The right most bit of a pixel is called the Least Significant Bit (LSB). The binary data of the hidden message is broken up and inserted into the LSB of each pixel in the image file in a deterministic sequence. Modifying the LSB does not result in a noticeable difference

Question 31

Masking & Filtering Image Steganography

Answer 31

Mostly used on 24 bit and grayscale images. The masking technique hides data using a method similar to watermarks on actual paper, and it can be done by modifying the luminance of parts of the image. Masking techniques hide information in such a way that the hidden message is inside the visible part of the image.

Question 32

Algorithms & Transformation Image Steganography

Answer 32

The data is embedded in the cover image by changing the coefficients of a transform of an image
Types of techniques:
1. Fast fourier
2. Discrete cosine
3. Wavelet

Question 33

What are the three types of Image Steganography?

Answer 33

Least Significant Bit Insertion
Masking & Filtering
Algorithms & Transformation

Question 34

Audio Steganography

Answer 34

refers to hiding secret information in audio files. Information can be hidden in an audio file by using LSB or by using frequencies that are inaudible to the human ear (>20,000 Hz)

Question 35

Echo Data Hiding Audio Steganography

Answer 35

the secret message is embedded into a cover audio signal as an echo. The parameters of the echo, amplitude, decay rate and offset from the original signal, are varied to represent an encoded secret binary message

Question 36

Spread Spectrum Audio Steganography

Answer 36

encodes data as a binary sequence that sounds like noise but can be recognized by a receiver with the correct key

Question 37

What are the five approaches used in spread spectrum Audio Steganography?

Answer 37

Direct Sequence Spread Spectrum (DSSS) 
Frequency Hopping Spread Spectrum (FHSS) 
LSB Coding
Tone Insertion
Phase Decoding

Question 38

what are two types of Audio Steganography?

Answer 38

Echo Data Hiding

Spread Spectrum

Question 39

What Is Direct Sequence Spread Spectrum (DSSS)?

Answer 39

A secret message is spread out by chip rate (constant) and then modulated with a pseudo-random signal that is then interleaved with the cover signal

Question 40

What is Frequency Hopping Spread Spectrum (FSSS)?

Answer 40

audio file’s frequency spectrum is altered so that it hops rapidly between frequencies

Question 41

What is LSB Coding?

Answer 41

replaces the LSB of information in each sampling point with a coded binary string

Question 42

What is Tone Insertion?

Answer 42

depends on the inaudibility of low power tones in the presence of significantly higher spectral components

Question 43

What is Phase Decoding?

Answer 43

It encodes the secret message bits as phase shifts in the phase spectrum of a digital signal, achieving a soft encoding in terms of signal-to-noise ratio

Question 44

Video Steganography

Answer 44

hiding secret information or any kind of files with any extension into a carrier video file. Discrete Cosine Transform (DCT) manipulation is used to add secret data.

Question 45

Issues to consider with Steganography?

Answer 45

1. Levels of visibility - embedding cannot distort cover image to point that it is noticeable
2. File format dependence - image and sound files are either lossless or lossy.
   a. Lossy compression reduces file size by permanently eliminating certain information, especially redundant information (even though the user may not notice it). JPEG is an example of a format using lossy compression. Does not maintain data integrity. Vector Quantization is used.
   b. Lossless compression retains raster values during compression and file size is also reduced. For example, LZ77 is a lossless compression file type. Maintains data integrity. Huffman Coding algorithm & Lempel-Ziv Coding algorithm are used.
3. The conversion of lossless information to compressed lossy information destroys the hidden information in the cover.

Question 46

What is Stegoanalysis?

Answer 46

the art of discovering and rendering covert messages using steganography

Question 47

Steganography Attacks

Answer 47

Stego-only
Known-Stego
Known-message
Known-cover
Chosen-message
Chosen-Stego

Question 48

What is a Stego-only attack?

Answer 48

You only have access to the stego-medium or stego-object. In this attack, the staganalyst needs to try all possible steganography algorithms and related attacks to recover the hidden information.

Question 49

What is a Known-stego Attack?

Answer 49

You know the steganographic algorithm as well as original and stego-object. You can extract the hidden information with the information at hand.

Question 50

What is a known-message attack?

Answer 50

Presumes that the message and the stego-medium are available. Using this attack, one can detect the technique used to hide the message.

Question 51

What is a known-cover attack?

Answer 51

Attackers have knowledge of both the stego-object and the original cover-medium. This will enable a comparison between both the mediums in order to detect the changes in the format of the medium and find the hidden message.

Question 52

What is a chosen-message attack?

Answer 52

The steganalyst uses known message to generate a stego-object by using some steganography tool in order to find the steganography algorithm used to hide the information. The goal in this attack is to determine patterns in the stego-object that may point to the use of specific steganography tools or algorithms.

Question 53

What is a chosen-stego attack?

Answer 53

takes place when the steganalyst knows both the stego- object and steganographic tool or algorithm used to hide the message.

Question 54

Pixel

Answer 54

A single point in an image

Question 55

Bit Depth

Answer 55

Number of colors available for each pixel

Question 56

Resolution

Answer 56

Sharpness and clarity of an image

Question 57

File Formats

Answer 57

Particular ways to encode information

Question 58

Image file size

Answer 58

measured in bytes

Question 59

Compression

Answer 59

the method used to make an image smaller

Question 60

Vector Images

Answer 60

use geometrical primitives such as points, lines, curves, and polygons, which are all based upon mathematical equations to represent images in the computer

Question 61

Raster Images

Answer 61

a data file or structure representing a generally rectangular grid of pixels, or points of color, on a computer monitor. A colored raster image has pixels with eight bits of information for each of the red, green, and blue components. Quality of a raster image is determined by the total number of pixels and the amount of information in each pixel

Question 62

Standard Image File Formats

Answer 62

1. Joint Photographic Experts Group (JPEG) - .jpg
2. JPEG 2000 - .jp2
3. Graphics Interchange Format (GIF) - .gif
4. Tagged Image File Format (TIFF) - .tif
5. Windows Bitmap - .bmp
6. Portable Network Graphics (PNG) - .png

Question 63

Rootkit detection techniques:

Answer 63

1. signature based
2. heuristic / behaviour based
3. integrity based
4. runtime execution path profiling
5. cross-view based - function by assuming that the attackers have disrupted the OS in some way. This detection technique relies upon the fact that the API hooking or manipulation of kernel data structure taints the data returned by the OS APIs, with the low-level mechanisms used to output the same information free from DKOM or hook manipulation.

Question 64

Userland Execve Technique

Answer 64

lets programs on the victim computer load and run without using the Unix execve() kernel call, thereby letting the attacker overcome kernel-based security systems that might deny access to execve().

Question 65

Syscall proxying

Answer 65

Rather than uploading the entire exploit program, the attacker can upload a system call proxy to accept the remote procedure calls from the attacker’s machine. The victim’s machine executes the requested system call and sends the result back to the attacker.