In this article Anti-Forensics Techniques has been explained with its different topic like Trail Obfuscation, Artifact Wiping, Encryption and Program Packers this techniques etc.
1. Anti-Forensics Techniques: Trail Obfuscation
Anti-Forensics Techniques Trail Obfuscation is one of the anti-forensic technique that attackers use to mislead, divert, complicate, disorient, sidetrack, and/or distract the forensic examination process. The process involves different techniques and tools, such as
- Log cleaners
- Spoofing
- Misinformation
- Backbone hopping
- Zombie accounts
- Trojan commands
In this process, the attackers delete or modify metadata of some important files in order to confuse the investigators. They modify header information and file extensions using various tools. Timestomp, which is part of the Metasploit Framework, is one of the trail obfuscation tool that attackers use to modify, edit, and delete the date and time of a metadata and make it useless for the investigators. Transmogrify is another tool used to perform trail obfuscation.
Related Product : Computer Hacking Forensic Investigator | CHFI
Anti-Forensics Techniques: Trail Obfuscation (Cont’d)
Using the Timestomp application, one can change the modified date and time stamp completely, thereby invalidating the validity of the document and misleading the investigation process.
This slide depicts step-by-step process of how the Timestomp application helps users to change the date and time of a file.
2. Anti-Forensics Techniques: Artifact Wiping
Artifact Wiping refers to the process of deleting or destroying the evidence files permanently using various tools and techniques, such as disk-cleaning utilities file-wiping utilities and disk degaussing/destruction techniques. The attacker permanently eliminates particular files or the file systems.
Disk-cleaning utilities
The attackers use the tools that can overwrite the data on disks through various methods. However, these tools are not completely effective as they leave footprints. Some of the commonly used disk-cleaning utilities include Piriform, CCleaner, BCWipe Total WipeOut, Active@ KillDisk, CyberScrub’s cyberCide, DriveScrubber, Shredlt, Secure Erase, etc.
File-wiping utilities
These utilities delete the individual files from an OS in a short span and leave a much smaller signature when compared with the disk-cleaning utilities. However, some experts believe that many of these tools are not effective, as they do not accurately or completely wipe out the data and also require user involvement. The commonly used file-wiping utilities are BCWipe, R-Wipe & Clean, Eraser, CyberScrubs Privacy Suite, etc.
Anti-Forensics Techniques: Artifact Wiping (Cont’d)
1. Disk degaussing and destruction techniques
Degaussing process is a technique in which attackers apply a magnetic field to a digital media device to entirely clean the previously stored data. It is an expensive technique and needs specialized equipment. Most attackers commonly depend on physical destruction of the device to destroy the evidence. Methods include disintegration, incineration, pulverizing, shredding, and melting.
3. Anti-Forensics Techniques: Encryption
Encryption is the process of translating the data into a secret code so that only the authorized personnel can access it. It is an effective way to secure the data. To read the encrypted file, users require a secret key or a password that can decrypt the file. Therefore, most attackers use encryption technique as one of the best anti-forensic technique.
Data encryption is one of the commonly used techniques to defeat forensic investigation process and also involves encryption of codes, files, folders, and sometimes complete hard disks. Intruders use strong encryption algorithms to encrypt data of investigative value, which renders it virtually unreadable without the designated key. Some algorithms are capable of averting the investigation processes by performing additional functions including use of a key file, full-volume encryption, and plausible deniability.
Following are the built-in encryption utilities provided by Microsoft for Windows I and later:
- BitLocker—encrypts an entire volume
- Encrypting File System (EFS)—encrypts individual files and directories
The encryption is easily available with various software applications and offers ease in usage, which adds to the difficulty in investigating the encryption process. VeraCrypt is one of the most widely used tools for anti-forensic encryption.
Also Read : Detecting Steganography
Encrypting File System (EFS): Recovery Certificate (Cont’d)
EFS on Microsoft Windows is a component of the NTFS file system of Windows 2000 and later versions. EFS provides file system-level encryption that enables transparent encryption and decryption of the files by using advanced, standard cryptographic algorithms, through which the manual access to any data on the computer is restricted to an outsider.
Another important feature of the EFS is the recovery certificate. This feature is very useful in cases where an organization needs to recover data of damaged or lost encryption key or when an employee is no more or dismissed from services, or moves to a different company without notice. Using the recovery certificate, forensic investigators can still recover the EFS-encrypted files.
Note: You must log in as an administrator to perform the steps given below. In addition, the given steps are not applicable to Windows 7 (Starter, Home basic, and Home Premium).
Following are the steps involved to create, install, and update a recovery certificate: Create the recovery certificate
- Open a Command Prompt window
- Insert a removable media such as a disc or USB drive to store the certificate
- Navigate to the directory on the removable media drive where you want to store the recovery certificate by typing in removable media drive letter:, and then press Enter
- Type cipher /r: file name> (file name is the name to be given for the recovery certificate), and then press Enter
Note: If prompted for an administrator password or confirmation, type the password or provide confirmation
Install the recovery certificate
- Insert the removable media that contains the recovery certificate
- In the Search box, type secpol.msc, and then press Enter
Note: If prompted for an administrator password or confirmation, type the password or provide confirmation
- In the left pane, double-click Public Key Policies, right-click Encrypting File System, and then click Add Data Recovery Agent.
- In the Add Recovery Agent Wizard, click Next, and then navigate to the recovery certificate.
- Click the certificate and then click
- When asked if you want to install the certificate, click Yes, click Next, and then click
- Nov open a Command Prompt window, type gpupdate, and then press Enter.
Update previously encrypted files with the new recovery certificate
- Log on to the account used when the files were first encrypted.
- Open a Command Prompt window, type cipher/u, and then press Enter.
Note: If you do not choose to update encrypted files with the new recovery certificate right at that time, the files will automatically update the next time you open them.
Advanced EFS Data Recovery Tool
Advanced EFS Data Recovery tool decrypts the protected files and works on all versions of Windows 2000, XP, 2003, Vista, Windows 7, 8, 8.1, and Windows Server 2008 and 2012. Recovery of the data is still possible even when the system is damaged, is not bootable, or when some encryption keys have been tampered with.
Advanced EFS Data Recovery tool recovers EFS-encrypted data that becomes inaccessible because of the system administration errors such as removing users and user profiles, misconfiguring data recovery authorities, transferring users between domains, or moving hard disks to a different PC.
This tool also helps to recover EFS-encrypted files under the following circumstances:
- EN-protected disk inserted into a different PC
- Deleted users or user profiles
- User transferred into a different domain without EFS consideration
- Account password reset performed by system administrator without EFS consideration
- Damaged disk, corrupted file system, unbootable OS
- Reinstalled Windows or computer upgrades
- Formatted system partitions with encrypted files left on another disk
4. Anti-Forensics Techniques: Encrypted Network Protocols
Attackers use the encrypted network protocols to protect the identification of the network traffic as well as its content from forensic examination. Few cryptographic encapsulation protocols such as SSL and SSH can only protect the content of the traffic. However, to protect against the traffic analysis, attackers should also anonymize themselves whenever possible.
Attackers use virtual routers such as, the Onion routing approach, which provides multiple layers of protection. Onion routing is the technique used for secret communication over a computer network. This network encapsulates messages in layers of encryption, similar to the layers of an onion and employs a worldwide volunteer network of routers that serve to anonymize the source and destination of communications. Therefore, tracing this type of communication and attributing it to a particular source is very difficult for investigators.
5. Anti-Forensics Techniques: Program Packers
Program packers are one of the anti-forensic techniques attackers use to hide their data. The technique is similar to cryptography. The packers compress the files using various methods called algorithms. There are many different algorithms and unless the investigators know the one used to pack and have a tool to unpack it, they will not be able to access the file.
Using this technique the attacker can hide the evidence files into containers making the files hard to detect. Therefore, during forensic investigations, the investigator’s first approach should be to mount compound files.
Packers can also include active protection against debugging or reverse engineering techniques. The packed programs those need a password in order to run are equally strong as encryption. Packed programs are also susceptible to static analysis if no password is required.
Intruders use packers to hide attack tools from detection by reverse-engineering or scanning, Packers can carry executable files, malware, and other attack elements. In case of executable files, these programs carry the unpackers built into them as well, which unpack the file when user tries to run it and installs the executable on the host system. Some of the widely used packers are UPC, PECompact, BurnEye, Exe Stealth Packer, Smart Packer Pro, etc. The investigators can dynamically analyze these types of packed executables by running them in a controlled environment and observing their behavior.
Packed programs that require a password to run are strong, whereas, the one’s that do not require a password are vulnerable to static analysis.
Questions related to this topic
- What are the best file encryption tools?
- What are the encryption techniques?
- What is the easiest way to encrypt a file?
- Which tool relies on the logged on user’s certificate details to encrypt or decrypt files and folders?
- What is Anti-Forensics Techniques Trail Obfuscation?
This Blog Article is posted by
Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092
Contact us – www.info-savvy.com