Lovtaler: Digital Antiforensics - May 5 2024
- Scott Sumner
- May 5, 2024
- 4 min read
If you do data recovery or digital forensics, after a while, you are likely to see artifacts which can be characterized as "antiforensics".
This means that the malefactor uses methods to hide, alter, or destroy digital evidence in order to impede analysis.
Anti-forensics poses a serious challenge to examiners, who are not only obligated to stay current with the latest tools and methods, but also to keep abreast of the latest techniques designed to defeat the examiner.
These techniques can be generally characterized:
Encryption - Encryption is the most common anti-forensics method. Full disk encryption built into modern laptops is very difficult to crack if a strong password is used.
The bad guys can also use third-party encryption tools like VeraCrypt, AxCrypt and BitLocker on specific folders, files or disk partitions.
VeraCrypt has some amazing functionality, including the use of one password to open one repository, but another password to open a completely separate storage location hidden inside it.
Examiners can try to deal with encryption by:
• Brute-force password guessing using dictionaries and known password patterns
• Extracting keys from laptop RAM before shutting down
• Locating unencrypted copies of files in OS caches, temp folders, etc.
• Finding written down passwords during physical searches
• Compelling suspects to turn over passwords with court orders or plea deals
Secure Deletion - Simple deletion of digital files does not actually remove the underlying data. It merely marks the space as available for reuse, leaving data remnants that forensic tools can recover. Secure deletion goes further by overwriting files with random data so they cannot be reconstructed.
Anti-forensic tools for secure deletion of laptop files include:
• Built-in OS options like Cipher.exe (Windows) and srm (Linux)
• File shredder tools like Eraser, CCleaner and Freeraser
• Drive wiping programs like DBAN and CBL Data Shredder
• File system-specific delete tools like SDelete (Windows NTFS)
This has been complicated (from both perspectives) by solid state drives, which behave fundamentally differently when it comes to recovering deleted data.
Forensic examiners try to overcome secure deletion by:
• Searching OS journals and logs for traces of the deleted files
• Looking for temporary copies or cached versions of deleted data
• Analyzing file metadata for evidence of secure deletion tools used
• Carving out partially overwritten files based on file header signatures
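The last bullet, carving by header signature, is easy to show in code. The following is an added example, not code from the original post: a minimal header/footer carver that scans a raw image for JPEG and PNG magic bytes (real signatures), and, when the footer is missing because the tail of the file was overwritten, still recovers what is left and flags it as partial. The image it scans is constructed inline for the demonstration.

```python
"""Minimal header/footer file carver for raw disk images (added example)."""

# Real magic bytes for two common formats. max_len bounds how far we read when
# no footer is found (e.g. the tail was wiped by a shredder or reused by the OS).
SIGNATURES = {
    "jpg": {"header": b"\xff\xd8\xff", "footer": b"\xff\xd9", "max_len": 1 << 20},
    "png": {"header": b"\x89PNG\r\n\x1a\n", "footer": b"IEND\xaeB`\x82", "max_len": 1 << 20},
}


def carve(image: bytes):
    """Scan a raw image for known headers and return carved objects.

    Each result has the offset, detected type, the carved bytes and a
    'partial' flag. If no footer exists before the next header or before
    max_len, the data is still carved but marked partial=True.
    """
    results = []
    for kind, sig in SIGNATURES.items():
        start = 0
        while True:
            pos = image.find(sig["header"], start)
            if pos == -1:
                break
            body_start = pos + len(sig["header"])
            window_end = min(len(image), pos + sig["max_len"])
            footer_pos = image.find(sig["footer"], body_start, window_end)
            if footer_pos != -1:
                end, partial = footer_pos + len(sig["footer"]), False
            else:
                # No footer: stop at the next header of any known type, else max_len.
                end, partial = window_end, True
                for other in SIGNATURES.values():
                    nxt = image.find(other["header"], body_start, window_end)
                    if nxt != -1:
                        end = min(end, nxt)
            results.append({"offset": pos, "type": kind,
                            "data": image[pos:end], "partial": partial})
            start = body_start
    results.sort(key=lambda r: r["offset"])
    return results


def build_sample_image() -> bytes:
    """Constructed image: slack, an intact JPEG, an intact PNG, then a JPEG whose
    tail was overwritten with zeros (simulating a partial secure deletion)."""
    jpeg_ok = b"\xff\xd8\xff\xe0" + b"J" * 40 + b"\xff\xd9"
    png_ok = b"\x89PNG\r\n\x1a\n" + b"P" * 30 + b"IEND\xaeB`\x82"
    jpeg_cut = b"\xff\xd8\xff\xe1" + b"K" * 25  # footer gone
    return (b"\x00" * 16 + jpeg_ok + b"\x00" * 8 + png_ok
            + b"\x00" * 8 + jpeg_cut + b"\x00" * 64)


if __name__ == "__main__":
    for r in carve(build_sample_image()):
        state = "PARTIAL" if r["partial"] else "complete"
        print(f"{r['type']} at offset {r['offset']}: {len(r['data'])} bytes ({state})")
```

Two caveats a practitioner should keep in mind: a JPEG footer can appear inside an embedded thumbnail, so a real carver validates the structure rather than stopping at the first `FF D9`; and a partial carve includes whatever slack follows the surviving bytes, which is why the flag matters when reporting.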
Data Hiding - Laptop users can hide files from cursory examination using anti-forensic techniques like:
• Changing file extensions to disguise file types (e.g. renaming .doc to .dll)
• Setting file/folder attributes to hidden or system
• Placing data in hard-to-find OS areas like Volume Shadow Copies
• Hiding data in "slackspace" between files or at the end of disk
• Embedding data in other file formats like images (steganography)
• Creating custom file systems that don't get mounted automatically
Examiners combat data hiding by:
• Using forensic tools that search all possible data locations automatically (more an efficiency thing)
• Filtering files by header signatures rather than extensions
• Hashing all files and comparing to known file hash databases
• Analyzing free space and file slack for unusual data remnants
• Scanning for steganographic signatures in media files
• Examining the drive hex and testing different file system hypotheses
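The second and third countermeasures above (typing files by header rather than extension, and hashing them against a known-file set) can be combined into one triage pass. The code below is an added example, not from the original post: it walks a directory, reads the first bytes of each file, compares the detected type with what the extension claims, and checks each SHA-256 against a set of known hashes. The magic bytes are real; the directory tree and the "known" hash set are constructed inline, standing in for a database such as the NSRL.

```python
"""Extension-vs-magic mismatch and known-hash triage (added example)."""
import hashlib
import os
import tempfile

# Real leading bytes for a few common formats.
MAGIC = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"MZ": "exe",          # PE / DOS executables, which includes .dll
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",  # also docx/xlsx, which are zip containers
}
# Extensions that legitimately map onto one of the detected kinds.
EXT_ALIASES = {"jpeg": "jpg", "dll": "exe", "docx": "zip", "xlsx": "zip"}


def identify(head: bytes):
    """Return the detected kind from the first bytes, or None if unknown."""
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return None


def sha256_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def triage(root, known_hashes):
    """Return one finding per file: claimed extension, detected type,
    whether they disagree, and whether the hash is in the known set."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                head = f.read(16)
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            ext = EXT_ALIASES.get(ext, ext)
            detected = identify(head)
            digest = sha256_file(path)
            findings.append({
                "path": os.path.relpath(path, root),
                "ext": ext,
                "detected": detected,
                "mismatch": detected is not None and ext != detected,
                "known": digest in known_hashes,
                "sha256": digest,
            })
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree():
    """Constructed fixture: a temp directory of tiny files plus a 'known' hash set."""
    root = tempfile.mkdtemp(prefix="triage_")
    files = {
        "notes.docx": b"PK\x03\x04" + b"\x00" * 20,
        "vacation.jpg": b"\xff\xd8\xff\xe0" + b"J" * 20,
        "disguised.dll": b"\xff\xd8\xff\xe0" + b"X" * 20,  # a JPEG renamed to .dll
        "report.pdf": b"%PDF-1.7\n" + b"p" * 10,
        "blob.bin": b"\x00" * 32,
    }
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    known = {hashlib.sha256(files["notes.docx"]).hexdigest(),
             hashlib.sha256(files["report.pdf"]).hexdigest()}
    return root, known


if __name__ == "__main__":
    root, known = build_sample_tree()
    for f in triage(root, known):
        tag = "MISMATCH" if f["mismatch"] else ("known" if f["known"] else "unknown")
        print(f"{f['path']:15} ext={f['ext']:4} detected={str(f['detected']):5} {tag}")
```

Files that hash to a known-good value can be set aside; the interesting ones are the mismatches (a JPEG called .dll, as in the example above) and the unknown-type, unknown-hash blobs that deserve a look in hex.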
Trail Obfuscation - Digital devices automatically create all kinds of artifacts and traces of user activity, like:
• OS log files recording system events
• Registry entries noting installed programs and connected devices
• Web browsing history, cache, and cookies
• Recently used file lists and jump lists
• Saved data in application temp folders
To make reconstruction of their activities harder, anti-forensic users try to obscure these trails by:
• Disabling OS logging or setting logs to overwrite more quickly (a HUGE red flag that shenanigans are afoot)
• Using portable apps that don't write to the registry
• Surfing the web in private/incognito mode
• Clearing browser data after each session
• Deleting laptop temp files using batch scripts
• Altering timestamps on key files and logs
Examiners try to find remnants of user activity missed by obfuscation methods through:
• Correlation of traces from multiple artifact locations
• Analysis of activity timelines to spot inconsistencies
• Recovery of deleted log entries and registry keys
• Search for known anti-forensic tool signatures
• Parsing of obscure OS files like pagefile.sys and hiberfil.sys
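Timestamp alteration and timeline inconsistencies, mentioned on both sides above, are a good place for a worked check. The following is an added example, not code from the original post. It assumes NTFS, where each file carries timestamps in two attributes: $STANDARD_INFORMATION ($SI), which user-mode APIs can set, and $FILE_NAME ($FN), which the kernel sets on creation, rename or move and which ordinary tools do not change. The records it examines are constructed inline; the three heuristics (whole-second $SI values while $FN keeps sub-second precision, $SI created earlier than $FN created, and modified earlier than created) are standard examiner checks, with the last one deliberately rated low confidence because copied files produce it legitimately.

```python
"""Timestomp / timeline-inconsistency checks over NTFS-style records (added example)."""
from datetime import datetime, timezone


def ts(s: str) -> datetime:
    """Parse a constructed ISO-8601 string as a UTC timestamp."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample: each record carries $SI and $FN created/modified times.
SAMPLE_RECORDS = [
    {"path": "C:/Users/alice/Documents/budget.xlsx",   # ordinary file
     "si": {"created": ts("2024-03-02T09:15:22.103456"), "modified": ts("2024-03-05T17:40:01.500012")},
     "fn": {"created": ts("2024-03-02T09:15:22.103456"), "modified": ts("2024-03-02T09:15:22.103456")}},
    {"path": "C:/Users/alice/Documents/invoice.pdf",   # $SI backdated to a round 2019 value
     "si": {"created": ts("2019-01-10T08:00:00"), "modified": ts("2019-01-10T08:00:00")},
     "fn": {"created": ts("2024-04-28T22:13:45.221901"), "modified": ts("2024-04-28T22:13:45.221901")}},
    {"path": "C:/Users/alice/Downloads/old_photo.jpg", # copied file: modified < created, sub-seconds intact
     "si": {"created": ts("2024-04-30T11:02:10.998877"), "modified": ts("2022-07-14T15:30:00.123456")},
     "fn": {"created": ts("2024-04-30T11:02:10.998877"), "modified": ts("2024-04-30T11:02:10.998877")}},
]


def analyze(records):
    """Return findings for records whose timestamps look inconsistent.

    Each finding lists the heuristics that fired and an overall confidence.
    """
    findings = []
    for r in records:
        si, fn = r["si"], r["fn"]
        flags = []
        # 1. Many timestomping tools write whole-second $SI values; the kernel-set
        #    $FN keeps its 100ns-resolution fraction, so the contrast is telling.
        if (si["created"].microsecond == 0 and si["modified"].microsecond == 0
                and fn["created"].microsecond != 0):
            flags.append("si_subsecond_zero")
        # 2. $SI created before $FN created: the file claims to predate its own
        #    creation on this volume, which only backdating explains.
        if si["created"] < fn["created"]:
            flags.append("si_predates_fn")
        # 3. Modified before created: also produced by copying a file (new created,
        #    old modified), so on its own this is only a prompt to look further.
        if si["modified"] < si["created"]:
            flags.append("modified_before_created")
        if flags:
            strong = {"si_subsecond_zero", "si_predates_fn"}
            findings.append({"path": r["path"], "flags": flags,
                             "confidence": "high" if strong & set(flags) else "low"})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_RECORDS):
        print(f"{f['confidence']:4} {f['path']}: {', '.join(f['flags'])}")
```

The point of reading both attributes is that a user-mode tool can make $SI say anything, but the $FN values and the $MFT sequence tell the examiner when the record really appeared. In practice the checks should be run over the whole timeline, since a single backdated document usually sits among files that were touched at the same real moment.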
Attacks on Forensic Tools - Some sophisticated anti-forensic users attempt to directly interfere with laptop forensic software through:
• Malicious code that detects and disables certain forensic tools
• Booby-trapped files designed to crash forensic programs during analysis
• Fake bad sectors on drive that give inconsistent images
• Timestamp manipulation that causes incorrect forensic timelines
• Encryption that only activates when forensic boot CDs are detected
• Subtle file system corruption that invalidates forensic tool output
Some software can actually detect virtualization, which adds complexity.
To guard against such attacks, forensic tools are carefully tested and hardened. Some best practices include:
• Running forensic tools on clean, isolated systems
• Watching for unexpected tool crashes or error messages
• Validating drive images by comparing hash values from multiple tools
• Manually reviewing hex and testing results after automated parsing
• Writing custom scripts to get data instead of depending on GUI tools
• Staying up to date on all forensic tool patches and security notices
Anti-forensics is constantly evolving as people dream up new ways to conceal their activity. For every anti-forensic measure, investigators try to develop a countermeasure - and the cycle continues.
By understanding the core principles behind anti-forensics, laptop examiners can recognize the telltale signs and adapt their techniques to find the truth that someone tried to hide.
While anti-forensics is a daunting challenge, it is not an insurmountable one. With a combination of cutting edge tools, creative analysis methods, and sheer tenacity, skilled examiners can still find compelling evidence - even from laptops where the user has gone to extreme lengths to cover their tracks. The battle between forensics and anti-forensics is likely to rage on as long as laptops remain central to our digital lives.