Anti-forensic techniques

From Forensics Wiki
Revision as of 19:10, 29 December 2008 by Netstat

Anti-forensic techniques try to frustrate forensic investigators and their techniques.

This can include refusing to run when debugging mode is enabled, refusing to run when running inside of a virtual machine, or deliberately overwriting data. Although some anti-forensic tools have legitimate purposes, such as overwriting sensitive data that shouldn't fall into the wrong hands, like any tool they can be abused.

Traditional anti-forensics

Overwriting Data and Metadata

Secure Data Deletion

Securely deleting data, so that it cannot be restored with forensic methods.

Overwriting programs typically operate in one of three modes:

  1. The program can overwrite the entire media.
  2. The program can attempt to overwrite individual files. This task is complicated by journaling file systems: the file itself may be overwritten, but portions may be left in the journal.
  3. The program can attempt to overwrite files that were previously “deleted” but left on the drive. Programs typically do this by creating one or more files on the media and then writing to these files until no free space remains, taking special measures to erase small files — for example, files that exist entirely within the Windows Master File Table of an NTFS partition (Garfinkel and Malan, 2005).

Programs employ a variety of techniques to overwrite data. Apple’s Disk Utility allows data to be overwritten with a single pass of NULL bytes, with 7 passes of random data, or with 35 passes of data. Microsoft’s cipher.exe writes a pass of zeros, a pass of FFs, and a pass of random data, in compliance with DoD standard 5220.22-M (US DoD, 1995). In 1996 Gutmann asserted that it might be possible to recover overwritten data and proposed a 35-pass approach for assured sanitization (Gutmann 1996). However, a single overwriting pass is now viewed as sufficient for sanitizing data from ATA drives with capacities over 15 GB that were manufactured after 2001 (NIST 2006).

Be aware that software 'data destroyers' do not necessarily do what they claim on the product blurb. A common mistake is to overlook how the underlying file system actually stores files: for instance, a 'wipe drive' application that writes a series of random values across the unallocated space of the hard disk may not take into account the slack space at the end of allocated data blocks, which leaves a large portion of old data still recoverable. This is very handy for a forensic analyst, but not so handy for IT managers.
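To make the slack-space caveat concrete, here is an added toy model (not a tool from the page): a block device with a trivial allocator, a 'wipe free space' routine that touches only unallocated blocks, and the extra slack wipe a careful tool would also need. The block size, file names and sample content are constructed.

```python
import os

BLOCK = 512  # bytes per block in this constructed model


class ToyDisk:
    """Fixed-size blocks plus a trivial first-fit allocator (constructed model)."""

    def __init__(self, nblocks):
        self.blocks = [bytearray(BLOCK) for _ in range(nblocks)]
        self.files = {}   # name -> (block numbers, logical size)

    def _free(self):
        used = {b for blks, _ in self.files.values() for b in blks}
        return [i for i in range(len(self.blocks)) if i not in used]

    def write_file(self, name, data):
        """Fill whole blocks; the tail of the last block keeps its old content (the slack)."""
        blks = self._free()[:-(-len(data) // BLOCK)]   # ceil(len/BLOCK) blocks
        for i, b in enumerate(blks):
            chunk = data[i * BLOCK:(i + 1) * BLOCK]
            self.blocks[b][:len(chunk)] = chunk
        self.files[name] = (blks, len(data))

    def wipe_free_space(self):
        """Naive 'data destroyer': random-fill unallocated blocks and nothing else."""
        for b in self._free():
            self.blocks[b][:] = os.urandom(BLOCK)

    def wipe_slack(self):
        """What a careful wiper must also do: zero the slack of every live file."""
        for blks, size in self.files.values():
            self.blocks[blks[-1]][size % BLOCK or BLOCK:] = bytes(-size % BLOCK)

    def slack_space(self, name):
        """Bytes an examiner reads past the logical end of a file's last block."""
        blks, size = self.files[name]
        return bytes(self.blocks[blks[-1]][size % BLOCK or BLOCK:])


def residue_after_wipe(wipe_slack_too=False):
    """Delete a secret, let a 5-byte note reuse its first block, wipe, return the note's slack."""
    disk = ToyDisk(8)
    secret = b"ACCOUNT 4111-1111 PIN 0000 " * 40    # constructed sample content
    disk.write_file("secret.txt", secret)
    del disk.files["secret.txt"]                    # unlink only: blocks keep their content
    disk.write_file("note.txt", b"hello")
    disk.wipe_free_space()
    if wipe_slack_too:
        disk.wipe_slack()
    return disk.slack_space("note.txt")
```

With the naive wipe, bytes 5 to 511 of the old secret are still readable from note.txt's slack; only the slack wipe removes them.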

Overwriting Metadata

If the examiner knows when an attacker had access to a Windows, Mac or Unix system, it is frequently possible to determine which files the attacker accessed by examining the file “access” times of every file on the system. Some computer forensic tools (CFTs) can prepare a “timeline” of the attacker’s actions by sorting all of the computer’s timestamps in chronological order. Although an attacker could wipe the contents of the media, this action itself might attract attention. Instead, the attacker might hide her tracks by overwriting the access times themselves so that the timeline cannot be reliably constructed.

For example, Timestomp will overwrite NTFS “create,” “modify,” “access,” and “change” timestamps (Metasploit 2006). The Defiler’s Toolkit can overwrite inode timestamps and deleted directory entries on many Unix systems; timestamps on allocated files can also be modified using the Unix touch command (The Grugq 2003).
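As an added illustration (not from the original page or any tool it names), the sort-everything timeline described above built from constructed stat-like records, plus two heuristics an examiner can apply to spot timestamps that were set by hand; the records, paths and the nanosecond-resolution Unix file system are assumptions.

```python
from dataclasses import dataclass

NS = 1_000_000_000  # nanoseconds per second


@dataclass
class Rec:
    """One file's timestamps as stat() would report them, in ns since the epoch."""
    path: str
    atime_ns: int
    mtime_ns: int
    ctime_ns: int


# Constructed records: the second looks like "touch -d" output, the third was dated in the future.
SAMPLE = [
    Rec("/home/u/report.doc", 1230577805_123456789, 1230577700_987654321, 1230577700_987654321),
    Rec("/home/u/.hist",      1230577800_000000000, 1230577800_000000000, 1230578000_555000111),
    Rec("/tmp/tool",          1230578100_400000000, 1900000000_000000000, 1230578000_333000000),
]


def timeline(recs):
    """The sort-everything timeline: every timestamp becomes (ns, kind, path), oldest first."""
    events = []
    for r in recs:
        events += [(r.atime_ns, "a", r.path), (r.mtime_ns, "m", r.path), (r.ctime_ns, "c", r.path)]
    return sorted(events)


def suspicious(recs):
    """Heuristic flags for hand-set timestamps (assumes a nanosecond-resolution file system)."""
    flags = []
    for r in recs:
        for kind, ts in (("a", r.atime_ns), ("m", r.mtime_ns)):
            if ts % NS == 0:          # utilities like touch -d write whole seconds only
                flags.append((r.path, f"{kind}time has zero sub-second part"))
        if r.mtime_ns > r.ctime_ns:   # a real content write bumps ctime along with mtime
            flags.append((r.path, "mtime later than ctime"))
    return flags


if __name__ == "__main__":
    for ns, kind, path in timeline(SAMPLE):
        print(f"{ns // NS}.{ns % NS:09d} {kind} {path}")
    for path, why in suspicious(SAMPLE):
        print("SUSPECT", path, why)
```

Both checks are hints, not proof: file systems without sub-second resolution and clock changes produce the same patterns.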

Preventing Data Creation

Prevent the creation of certain data in the first place: data that was never there obviously cannot be recovered with forensic methods.

For example, a partition can be mounted read-only or accessed through the raw device to prevent the file access times from being updated. The Windows registry key HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate can be set to “1” to disable updating of the last-accessed timestamp; this setting is default under Windows Vista (Microsoft 2006).

Cryptography, Steganography, and other Data Hiding Approaches

Encrypted Data

Cryptographic file systems transparently encrypt data when it is written to the disk and decrypt data when it is read back, making the data opaque to any attacker (or CFT) that does not have the key. These file systems are now readily available for Windows, Mac OS, and Linux. The key can be protected with a passphrase or stored on an auxiliary device such as a USB token. If there is no copy of the key, intentionally destroying the key makes the data stored on the media inaccessible (Boneh and Lipton, 1996). Even if the cryptographic system lacks an intentional sanitization command or “self-destruct,” cryptography can still be a potent barrier to forensic analysis if the cryptographic key is unknown to the examiner.

Cryptography can also be used at the application level. For example, Microsoft Word can be configured to encrypt the contents of a document by specifying that the document has a “password to open.” Although older versions of Microsoft Word encrypted documents with a 40-bit key that can be cracked with commercial tools, modern versions can optionally use a 128-bit encryption that is uncrackable if a secure passphrase is used.

Encrypted Network Protocols

Network traffic can likewise be encrypted to protect its content from forensic analysis. Cryptographic encapsulation protocols such as SSL and SSH protect only the content of the traffic, not the fact that two endpoints are communicating. Protecting against traffic analysis requires the use of intermediaries. Onion Routing (Goldschlag, Reed and Syverson, 1999) combines both approaches with multiple layers of encryption, so that no intermediary knows both ends of the communication and the plaintext content.

More information: Tor and VPN.

Program Packers

Packers are commonly used by attackers so that attack tools will not be subject to reverse engineering or detection by scanning. Packers such as PECompact (Bitsum 2006) and Burneye (Vrba 2004) will take a second program, compress and/or encrypt it, and wrap it with a suitable extractor. Packers can also incorporate active protection against debugging or reverse engineering techniques. For example, Shiva will exit if its process is being traced; if it is not being traced, it will create a second process, and the two processes will then trace each other, since each process on a Unix system may only be traced by one other process (Mehta and Clowes, 2003).

Packed programs that require a password in order to be run can be as strong as their encryption and password. However, the programs are vulnerable at runtime. Burndump is a loadable kernel module (LKM) that automatically detects when a Burneye-protected file is run, waits for the program to be decrypted, and then writes the raw, unprotected binary to another location (ByteRage 2002). Packed programs are also vulnerable to static analysis if no password is required (Eagle 2003).

Steganography

Steganography can be used to embed encrypted data in a cover text to avoid detection. Steghide embeds text in JPEG, BMP, MP3, WAV and AU files (Hetzl 2002). Hydan exploits redundancy in the x86 instruction set; it can encode roughly 1 byte of hidden data per 110 bytes of code (El-Khalil 2004). Stegdetect (Provos 2004) can detect some forms of steganography.

StegFS hides encrypted data in the unused blocks of a Linux ext2 file system, making the data “look like a partition in which unused blocks have recently been overwritten with random bytes using some disk wiping tool” (McDonald and Kuhn, 2003).

FreeOTFE and TrueCrypt allow a second encrypted file system to be hidden within another encrypted file system. The goal of this filesystem-within-a-filesystem is to allow the users to have a “decoy” file system with data that is interesting but not overtly sensitive. A person who is arrested or captured with a laptop encrypted using this software could then give up the first file system’s password, with the hope that the decoy would be sufficient to satisfy the person’s interrogators.

Generic Data Hiding

Data can also be hidden in unallocated or otherwise unreachable locations that are ignored by the current generation of forensic tools.

Metasploit’s Slacker will hide data within the slack space of a FAT or NTFS file system. FragFS hides data within the NTFS Master File Table (Thompson and Monroe, 2006). RuneFS (Grugq 2003) stores data in bad blocks. Waffen FS stores data in the ext3 journal file (Eckstein and Jahnke 2005). KY FS stores data in directories (Grugq 2003). Data Mule FS stores data in inode reserved space (Grugq 2003). It is also possible to store information in the unallocated pages of Microsoft Office files.

Information can be stored in the Host Protected Area (HPA) and the Device Configuration Overlay (DCO) areas of modern ATA hard drives. Data in the HPA and DCO is not visible to the BIOS or operating system, although it can be extracted with special tools.

Detecting Forensic Analysis

There are methods to detect whether an investigator is attempting a (live) forensic analysis of the system; a malicious user or program could react to that by destroying evidence, for example.

Other Anti-Forensics

Targeting forensic tool blind spots

Targeting forensic tool vulnerabilities

Targeting generic tool/lib vulnerabilities
