
Understand Anti-Forensics Techniques

Anti-forensics techniques are the actions and methods that hinder the forensic investigation process in order to protect attackers and perpetrators from prosecution in a court of law. These techniques act against the phases of the investigation, such as the detection, collection, and analysis of evidence files, and sidetrack the forensic investigators. They reduce the quality and quantity of the evidence at a crime scene, thereby making analysis and investigation difficult.

Anti-forensic techniques, which include deletion and overwriting processes, also help to ensure the confidentiality of data by reducing the ability to read it. Attackers use these techniques in order to defend themselves against revelation of their actions during criminal activities. Deceitful employees may use anti-forensic tools for the destruction of data that may cause huge losses to the organization.


Anti-Forensics Techniques:

1. Data/File Deletion

Intruders are concerned with covering the tracks of their illegal activities across a network or system and try to delete the data on the hard disk as part of their effort to avert detection. They also try to delete the footprints of files using specialized tools. The process includes eliminating source files, logs, and traces of data from the hard drive, as well as entries on the hard disk drive (HDD) such as attributes, orphan files, and dynamic-link library (DLL) files. Intruders can also securely delete data or overwrite it to mask the original data.

However, investigators can often recover deleted files using various data recovery tools, depending on the operating system (OS) the computer is running.

What Happens when a File is Deleted in Windows?

When a user deletes a file, the OS does not actually delete the file, but marks the file name in the Master File Table (MFT) with a special character. This character represents that the space once occupied by the file is ready for use.

In the FAT file system, the OS replaces the first letter of a deleted file name with the hex byte E5h, a special tag that indicates a deleted file. The FAT file system marks the corresponding clusters of that file as unused, though they are not empty. The Windows New Technology File System (NTFS) uses a different approach and marks the index field in the MFT with a special code. The computer now treats the clusters occupied by that file as empty, so the space is available to store a new file. Users can recover the deleted file if the system has not overwritten the space.
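To make the E5h marker concrete, here is an added example (not from the original article) that decodes a 32-byte FAT short-name directory entry, flags the deleted tag, and attempts the kind of best-effort recovery an investigator performs when the data clusters have not been reused. The directory entry and data area are constructed inline; the recovery assumes the file was stored contiguously, because FAT releases the cluster chain of a deleted file and only the starting cluster survives in the entry.

```python
import struct

DELETED_MARKER = 0xE5   # FAT writes this over the first byte of a deleted entry's name


def parse_fat_dir_entry(entry):
    """Decode one 32-byte FAT short-name directory entry into a dict."""
    if len(entry) != 32:
        raise ValueError("a FAT directory entry is exactly 32 bytes")
    raw_name = entry[0:11]                       # 8-byte base + 3-byte extension, space padded
    attr = entry[11]
    (hi,) = struct.unpack_from("<H", entry, 20)  # high 16 bits of first cluster (FAT32)
    lo, size = struct.unpack_from("<HI", entry, 26)
    deleted = raw_name[0] == DELETED_MARKER
    base = raw_name[0:8].decode("latin-1")
    if deleted:
        base = "?" + base[1:]                    # the first character is overwritten by E5h
    ext = raw_name[8:11].decode("latin-1").rstrip()
    name = base.rstrip() + ("." + ext if ext else "")
    return {"name": name, "deleted": deleted, "is_dir": bool(attr & 0x10),
            "first_cluster": (hi << 16) | lo, "size": size}


def recover_contiguous(parsed, data_area, cluster_size, first_data_cluster=2):
    """Best-effort recovery: the FAT chain of a deleted file is released, so only the
    starting cluster is known; assume the file was contiguous and not yet overwritten."""
    start = (parsed["first_cluster"] - first_data_cluster) * cluster_size
    return data_area[start:start + parsed["size"]]


def build_entry(base, ext, first_cluster, size, deleted=False):
    """Constructed test input: assemble a directory entry the way FAT lays it out."""
    raw = bytearray(base.ljust(8)[:8].encode("latin-1") + ext.ljust(3)[:3].encode("latin-1"))
    if deleted:
        raw[0] = DELETED_MARKER
    entry = bytearray(32)
    entry[0:11] = raw
    entry[11] = 0x20                             # archive attribute, a regular file
    struct.pack_into("<H", entry, 20, first_cluster >> 16)
    struct.pack_into("<HI", entry, 26, first_cluster & 0xFFFF, size)
    return bytes(entry)


# Constructed sample: BOOKS.TXT deleted, 11 bytes long, data still sitting in cluster 5
CLUSTER_SIZE = 512
SAMPLE_DATA_AREA = b"\x00" * (3 * CLUSTER_SIZE) + b"hello world".ljust(CLUSTER_SIZE, b"\x00")
SAMPLE_DELETED = build_entry("BOOKS", "TXT", 5, 11, deleted=True)
```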

2. Recycle Bin in Windows

The Recycle Bin is a location on the Windows desktop that temporarily stores deleted files. When a user deletes an item from the hard disk, Windows sends that deleted item to the Recycle Bin, and the icon changes to full from empty. The Recycle Bin does not store items deleted from removable media, such as a floppy disk or network drive.

The items present in the Recycle Bin still consume the space in the hard disk and are easy to restore. Users can restore the deleted files to their original position with the help of the Restore option of the Recycle Bin. Even after the users delete these files from the Recycle Bin, these items still take up space in the hard disk until the OS overwrites that location.

When the Recycle Bin becomes full, Windows automatically deletes the older items. The Windows OS assigns one specific space on each hard disk partition for the Recycle Bin. The system does not store larger items in the Recycle Bin but deletes them permanently.

Following are the steps to change the storage capacity of the Recycle Bin:

  1. On the desktop, right-click over the Recycle Bin and select
  2. Click the location of the Recycle Bin you want to change under the Recycle Bin location (likely C drive).
  3. Click Custom size and then enter a maximum storage size (in MB) for the Recycle Bin in the Maximum size (MB) box.
  4. Click OK.

Following are the steps to delete or restore files in the Recycle Bin:

Open Recycle Bin to perform the deletion or restoration operations.

  1. To restore a file, right-click on the file icon and select Restore.
  2. To restore all files, select All, go to Manage and click Restore the selected items.
  3. To delete a file, right-click on the file icon and select Delete.
  4. To delete all files, there are two methods:
    Select All, right-click and select Delete option.
    Go to manage option in the tool bar and click Empty the Recycle
    Both methods have a pop-up window to confirm whether to permanently delete the items. 


3. Storage Locations of Recycle Bin in FAT and NTFS Systems

Each drive contains a folder to store deleted files; deleted items are stored in Drive:\$Recycle.Bin folder in Windows Vista and later versions of Windows.

The older FAT file system, used in Windows 98 and earlier versions, stored the deleted files in the Drive:\RECYCLED folder, whereas Windows 2000, XP, and NT, which use the NTFS file system, store these files in the Drive:\RECYCLER folder.

A Windows OS using a FAT file system dumps all recycled files into a single C:\RECYCLED directory, whereas an NTFS-based system categorizes them into directories named C:\RECYCLER\S-…. in Windows prior to Vista and C:\$RECYCLE.Bin\S-…. in later versions, based on the user’s Windows security identifier (SID).

There is no size limit for the Recycle Bin in Vista and later versions of Windows, whereas the older versions had a maximum limit of 3.99 GB. The Recycle Bin cannot store items larger than its storage capacity.

4. How the Recycle Bin Works

Windows Vista and later versions rename the files stored in the Recycle Bin as $Ry.ext, whereas in older versions of Windows it used to be Dxy.ext. In this naming process, “x” represents the drive name, “y” a sequential number starting from 0, and “.ext” the original file’s extension, such as .doc, .docx, or .pdf.

When a user deletes a file or folder, the OS stores all the details of the file such as its complete path, including the original file name, in a special hidden file called “Info” or “Info2” in the Recycle Bin folder. The OS uses this information to restore the deleted file to its original location. The Recycled hidden folder contains files deleted from My Computer, Windows Explorer, and some Windows applications.


In the earlier versions of Windows, the system renamed the deleted file using the syntax: D<original drive letter of file><#>.<original extension>

For example, in the case of the Dxy.ext file in the Recycled folder, “x” denotes the drive letter, such as “C” or “D”; “y” denotes the sequential number starting from one; and .ext is the extension of the original file.

Consider the following example:

New file name: Dc1.txt = (C drive, second file deleted, a .txt file)

INFO file path: C:\Windows\Desktop\Books.txt

New file name: De7.doc = (E drive, eighth file deleted, a .doc file)

INFO file path: E:\Winword\Letter to Rosemary.doc

Windows Vista and later versions rename the deleted file using the syntax: $R<#>.<original extension>

Example:

New file name: $R7.doc = (eighth file deleted, a .doc file)

INFO file path ($I<#>.<original extension>): $I7.doc

In Windows versions newer than Vista and XP, the OS stores the complete path and file or folder name in a hidden file called INFO2. This file remains inside the Recycled or Recycler folder and stores information about the deleted file. It is a master database file and is very crucial for the recovery of data. INFO2 contains various details of deleted files such as the original file name, original file size, the date and time of deletion, a unique identifying number, and the drive number that the file came from.
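The INFO2 fields listed above, and the Dxy.ext renaming described earlier, can be tied together with a parser. The following is an added example (not code from the original article) that decodes a Windows 2000/XP INFO2 file using the widely documented 800-byte record layout (ASCII path, record index, drive number, FILETIME deletion stamp, size, Unicode path), rebuilds the D<drive><#>.<ext> name each record maps to, and converts the deletion time. The INFO2 bytes are constructed inline for the page’s Books.txt example; the header version value 5 and the timestamp are assumed sample values.

```python
import struct
from datetime import datetime, timedelta, timezone

HEADER_LEN = 20     # version (4), unknown (8), record size (4), unknown (4)
RECORD_LEN = 800    # 0x320; the record size Windows 2000/XP write
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME is a count of 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def recycled_name(drive, index, original_path):
    """Rebuild the D<drive><#>.<ext> name the pre-Vista Recycle Bin gave the file."""
    letter = chr(ord("a") + drive)               # drive number 0 = A:, 2 = C:, 4 = E:
    ext = original_path.rsplit(".", 1)[1] if "." in original_path.rsplit("\\", 1)[-1] else ""
    return f"D{letter}{index}" + (f".{ext}" if ext else "")

def parse_info2(data):
    """Return one dict per record: original path, recycled name, size, deletion time."""
    version, rec_size = struct.unpack_from("<I8xI4x", data, 0)
    records = []
    for off in range(HEADER_LEN, len(data) - rec_size + 1, rec_size):
        rec = data[off:off + rec_size]
        ascii_path = rec[:260].split(b"\x00", 1)[0].decode("latin-1")
        index, drive, ft, size = struct.unpack_from("<IIQI", rec, 260)
        upath = rec[280:800].decode("utf-16-le").split("\x00", 1)[0]
        path = upath or ascii_path               # Unicode copy is authoritative when present
        records.append({"original_path": path, "recycled_name": recycled_name(drive, index, path),
                        "index": index, "drive": drive, "size": size,
                        "deleted": filetime_to_datetime(ft)})
    return records

def build_record(path, index, drive, filetime, size):
    """Constructed test input laid out like an INFO2 record (not a real capture)."""
    rec = bytearray(RECORD_LEN)
    rec[0:260] = path.encode("latin-1").ljust(260, b"\x00")
    struct.pack_into("<IIQI", rec, 260, index, drive, filetime, size)
    u = path.encode("utf-16-le")
    rec[280:280 + len(u)] = u
    return bytes(rec)


# Constructed INFO2: header plus one record for the page's Books.txt example,
# deleted 2005-01-01 00:00:00 UTC (FILETIME 127490112000000000, an assumed sample value)
SAMPLE_INFO2 = struct.pack("<I8xI4x", 5, RECORD_LEN) + build_record(
    "C:\\Windows\\Desktop\\Books.txt", 1, 2, 127490112000000000, 4096)
```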

5. Damaged or Deleted INFO2 File

When a user damages, corrupts, or removes the INFO2 file, the Recycle Bin loses the data. In such a case, investigators can recover or restore the lost data using data recovery software.

The damage or deletion of the file removes it completely from the Recycle Bin, but the deleted and renamed files will still be present in the Recycled folder. As these files were renamed in the Recycled folder, users can search for them and restore them manually. To restore such a file, manually search for that particular file and rename it. Click Start -> Find -> Files or Folders to find the file, and then rename it.

If the Recycle Bin is not working or damaged, then delete the hidden INFO file from the Recycled folder and restart Windows to re-create the INFO file; this will enable you to access the deleted files in the Recycle Bin.

Following are the steps to delete the INFO file:

  • Open a command prompt window.
  • Type cd C:\RECYCLER\S-<user SID> (change directory to the Recycle Bin folder).
  • Type attrib -h info2 (remove the hidden attribute).
  • Type del info2.

6. Damaged Files in Recycle Bin Folder

Damaged files in the Recycle Bin folder (C:\RECYCLER, C:\RECYCLER\S- or C:\$Recycle.Bin\S-) do not appear in the Recycle Bin.

In such cases, follow the steps below to restore or recover the deleted files:

  • Create a copy of the Desktop.ini file in the Recycle Bin folder and save it in another folder, and then delete the entire contents of the Recycle Bin folder.
  • Delete all files in the Recycle Bin.
  • Restore the Desktop.ini file to the Recycled folder.
  • If there is no Desktop.ini file or if it is damaged, re-create it by adding the following information to a blank Desktop.ini:

    [.ShellClassInfo]
    CLSID={645FF040-5081-101B-9F08-00AA002F954E}

  Create the blank Desktop.ini file by following the procedure below:

  • Right-click any empty space on the Windows desktop.
  • Select New -> Text Document.
  • Name it Desktop.ini (if you get a change-of-file-extension warning, simply ignore it).
  • Copy all the information given above into the newly created file.
  • Save it and move it to the Recycled folder.

7. Damaged Recycle Bin Folder

At times, the attacker could have tampered with or damaged the Recycle Bin folder. In this case, users can still delete files and send them to the Recycled folder, and the Recycle Bin icon on the desktop appears full. However, they will not be able to view the contents of the Recycle Bin or empty it, as the damage disables the Empty Recycle Bin command.

To overcome this, delete the Recycled folder and restart Windows; it will regenerate the folder and restore its functionality. Even if the user tries to reset or repair the Recycle Bin folder, Windows will delete the complete folder and create a new one.

In the current Windows 10 OS, follow the steps below to repair a damaged or corrupted recycle bin folder:

  • Open a command prompt with administrative privileges.
  • Run the command rd /s /q C:\$Recycle.bin
  • Restart the computer.

Use this command to repair the $Recycle.bin folder on the C drive. Perform the same operation separately for the Recycle Bin of every partition on the hard disk, replacing C with the respective drive letter. Users and investigators should be very cautious while using the command, as any discrepancy can delete the wrong files or directory.


This Blog Article is posted by

Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092
