Ceic 2012 anti-anti-forensics

Transcript

  • 1. Anti-Anti Forensics David Cowen, CISSP G-C Partners, LLC
  • 2. Anti-Anti Forensics Introduction. Who am I? Things I’ve written that you might have seen: Hacking Exposed: Computer Forensics; Anti Hacker Toolkit, Third Edition; Computer Forensics: A Beginner’s Guide; the Hacking Exposed Computer Forensics blog; this presentation. Page 2
  • 3. What does Anti-Anti Forensics mean? 1. It’s a joke from the movie ‘The Big Hit’. 2. It means defeating anti-forensics tools from two perspectives: 1. Determining what was destroyed, for use in a spoliation motion. 2. Determining what tool destroyed it and when it was done. 3. Defeating the tool by recovering what was destroyed. Page 3
  • 4. Outline. Session objectives: our goal is to help you 1. Determine if wiping has occurred 2. Determine the number of files wiped 3. Determine if a system cleaner has run 4. Determine what the system cleaner has removed 5. Determine the time the system cleaner ran 6. Determine what the capabilities of the tool are 7. Possibly recover what was destroyed. Page 4
  • 5. Two types of anti-forensic tools discussed: • Wipers, which do not include system cleaners • System cleaners, which may include wipers. Page 5
  • 6. Identifying wiping: • Wiping a whole disk • Wiping a partition • Wiping individual files. Page 6
  • 7. Determine the number of files wiped. • Most wipers do three things to obfuscate what they have wiped: • Rename the file to a random file name • Fill the file to overwrite the prior contents • Reset the dates back to a fictitious time. • Find the block of file names that match these criteria, all accessed within seconds of each other, and you’ve found the wiped files. • Count the number of these files and you’ve identified how many have been wiped. Page 7
  • 8. Lab: Determine the number of files wiped. Page 8
  • 9. Determine if a system cleaner has run. • The one thing system cleaners don’t clean is their own install. • While they may wipe out system settings, registry files, histories, etc., they don’t wipe out their own programs and configuration files. • Look for files created around the time of the clean; how to determine that time is covered on the following slides. • Most have obvious names: • CCleaner • Evidence Eliminator • System Soap. Page 9
  • 10. Determine what the system cleaner has removed. • Check for the presence of the following areas, which should have data by default. • Check the creation date of the user’s profile directory to determine the time range of data missing. • User Assist • TypedUrls • Recent Lnks • Internet History • Recycle Bin • Jump Lists • MRUs • Restore Points • Event Logs. Page 10
  • 11. When did the cleaner run? The first entry in the list of forensic sources from the prior slide marks the first entry after the cleaner was run. By default the cleaner will destroy all records from the time the user first logged in until the time it was run. Page 11
  • 12. Lab: Documenting the destruction. Page 12
  • 13. Determine what the capabilities of the cleaner are. • Once you’ve identified the cleaner in the prior slides, do some web research on its capabilities and whether it creates any logging. • Download the program and test it in a VM to see what artifacts it leaves behind. • Make screenshots of the website, its capabilities, and whether it costs money to buy. • If it costs money to buy, you might find a fragment of data left showing the purchase, or request that they produce one. Page 13
  • 14. Recover what was destroyed: • Restore Points • Volume Shadow Copies • Online backups • NTFS $LogFile. Page 14
  • 15. NTFS $LogFile • Keeps track of all file system changes • Keeps track of all files created and their complete MFT records • Keeps a record of renames, including old and new file names • Contains time stamps for some records • Holds up to 32,000 records. Page 15
  • 16. Lab: Parsing the $LogFile. Page 16
  • 17. Conclusions • We can determine how much data was wiped • We may be able to determine exactly which files were wiped • We rarely can recover the contents of the files that were wiped • We can document and show what was destroyed, for use either in a corporate HR disciplinary meeting or in litigation • Being able to show what was destroyed and when can be as damaging as what was contained within it. Page 17
  • 18. Questions? Read my blog here: Hackingexposedcomputerforensicsblog.blogspot.com Follow me on Twitter: @hecfblog Be my buddy on Facebook: Hacking Exposed Computer Forensics fan page Email me your questions: dcowen@g-cpartners.com Page 18
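As an added example (not part of the presentation), the wiped-file indicators from slide 7 applied to a constructed MFT-style listing: random-looking names, creation and modification dates reset to before the earliest plausible date on the system (the user-profile creation date from slide 10, assumed here), and wipe-time access stamps clustered within seconds of each other. All file names, timestamps and thresholds are constructed; the entropy cut-off and the 5-second window are assumptions to tune against real evidence.

```python
# Added example: cluster wiper-obfuscated files from a file-system listing.
import math
import re
from collections import Counter
from datetime import datetime, timedelta

# Assumption: earliest plausible date for genuine files on this system,
# e.g. the creation date of the user's profile directory (slide 10).
EARLIEST_PLAUSIBLE = datetime(2011, 6, 1)
RESET = datetime(1980, 1, 1)  # fictitious date the sample wiper writes back
RANDOM_NAME = re.compile(r"^[A-Za-z0-9]{8,}$")  # no extension, no separators
ENTROPY_THRESHOLD = 3.0  # bits per character; assumption tuned for this sample

def entry(name, created, modified, accessed):
    return {"name": name, "created": created, "modified": modified, "accessed": accessed}

SAMPLE_LISTING = [  # constructed MFT-style listing: four wiped files, two genuine
    entry("Q3_budget.xlsx", datetime(2012, 2, 1), datetime(2012, 3, 5), datetime(2012, 3, 5)),
    entry("xK9qZ2mT7wLp4vB", RESET, RESET, datetime(2012, 4, 12, 23, 41, 3)),
    entry("Hq7Lm2Vb9Tz4Rc1", RESET, RESET, datetime(2012, 4, 12, 23, 41, 5)),
    entry("Pw3Zk8Nd5Yx2Gj6", RESET, RESET, datetime(2012, 4, 12, 23, 41, 6)),
    entry("a3f9c2e18b7d4e2f", datetime(2012, 1, 20), datetime(2012, 1, 20), datetime(2012, 1, 20)),  # hash-named cache file, sane dates: not flagged
    entry("Tz5Qm1Wn8Ve3Kx0", RESET, RESET, datetime(2012, 4, 13, 8, 10)),  # a second, later wipe run
]

def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def looks_random(name):
    """Wiper-style name: long alphanumeric blob with high character entropy."""
    return bool(RANDOM_NAME.match(name)) and shannon_entropy(name) >= ENTROPY_THRESHOLD

def dates_reset(rec, earliest=EARLIEST_PLAUSIBLE):
    """Created and modified both predate anything plausible on this system."""
    return rec["created"] < earliest and rec["modified"] < earliest

def find_wiped_clusters(listing, earliest=EARLIEST_PLAUSIBLE, window=timedelta(seconds=5)):
    """Return wipe runs as lists of names; suspects whose access times lie within
    `window` of the previous suspect are grouped, so len(run) is the wiped count."""
    suspects = sorted((r for r in listing if looks_random(r["name"]) and dates_reset(r, earliest)),
                      key=lambda r: r["accessed"])
    clusters = []
    for rec in suspects:
        if clusters and rec["accessed"] - clusters[-1][-1]["accessed"] <= window:
            clusters[-1].append(rec)
        else:
            clusters.append([rec])
    return [[r["name"] for r in c] for c in clusters]
```

The compound test matters: the hash-named cache file passes the name heuristic alone but keeps its genuine dates, so it is not counted, while the three files sharing a 3-second access window form one wipe run and the next-day file a second.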
