Anti forensics-techniques-for-browsing-artifacts

1. Anti-Forensics Techniques for browsing artifacts By: Gaurang Patel www.cyberworldhere.com

2. Page  2 Outline  Introduction to cybercrime  What is Cyber Forensics  Branches of Digital Forensics  Why Browser Forensics ?  Test and Analysis  Proposed Research Flow  Forensics Vs. Anti-Forensics  Why Anti-Forensics ?  Anti-Forensics Test and Analysis Flow  Anti-Forensics Techniques  Analysis of Results  Conclusion  References Copyright © http://www.cyberworldhere.com Copyright © http://www.cyberworldhere.com

3. Page  3 Introduction to cybercrime  Digital crime (also called cybercrime, e-crime, hi-tech crime and electronic crime) generally refers to criminal activity here computer or network is the source, tool, target, or place of a crime. Cybercrime is a term for any illegal activity that uses a computer as its primary means of commission Copyright © http://www.cyberworldhere.com Copyright © http://www.cyberworldhere.com

4. Page  4 What is Cyber Forensics  Computer forensics is the application of investigation and analysis techniques to gather and preserve evidence from a particular computing device in a way that is suitable for presentation in a court of law. The goal of computer forensics is to perform a structured investigation while maintaining a documented chain of evidence to find out exactly what happened on a computing device and who was responsible for it Copyright © http://www.cyberworldhere.com Copyright © http://www.cyberworldhere.com

5. Page  5 Branches of Digital Forensics 1. Disk Forensics 2. Printer Forensics 3. Network Forensics 4. Mobile Device Forensics 5. Database Forensics 6. Digital Music Device Forensics 7. Scanner Forensics 8. Browser Forensics 9. Social networking Forensics 10. PDA Forensics Copyright © http://www.cyberworldhere.com Copyright © http://www.cyberworldhere.com

6. Page  6 Why Browser Forensics ?  People uses Web Browsers to search for information, shop online, banking and investing, communicate through emails or instant messaging, and join online blogs or social networks, and many other functions.  Crimes Through browsers  Losses due to crimes  Important to collect trails as an evidence  Forensics Investigation to get browsing related data from computer Copyright © http://www.cyberworldhere.com Copyright © http://www.cyberworldhere.com

7. Page  7 Test and Analysis  Test Conduction in two modes 1) Normal Browsing Mode 2) Private Browsing Mode  Tools Used: * AccessData® FTK® Imager 3.1.3.2 * Autopsy 3.0.6 * Web browser Forensic Analyzer, version 1.2 * Cache, History and Cookie viewers by Nirsoft * Fsutil * Eraser Secure Deletion tool * Any Linux Distribution Live Diskette  Browsers Used: * Mozilla Firefox version 25.0.1 * Google Chrome version 17.0.963.12 * Internet Explorer version 9.0.8112.16421  System Used: Dell Xps 15 machine with 6 GB RAM, Windows 7 Professional and 750 GB hard-disk formatted with NTFS. Copyright © http://www.cyberworldhere.com Copyright © http://www.cyberworldhere.com

9. Page  9 Normal Browsing Test:  Unique URLs and the Keywords used during the test URLs Keyword used in Search and opened link Google.com Cyber securityopened first Wikipedia page on cyber security standards Yahoo.com Virusattackopened home.mcafee.com/VirusInfo msn.com Threatopened first Wikipedia page Youtube.com Hacking Copyright © http://www.cyberworldhere.com Copyright © http://www.cyberworldhere.com

13. Page  13 Evidence collected using WEFA (Web browser Forensic Analyzer)  All the History, Cache and cookies based artifacts found by WEFA.  Also gives some interesting evidences like – Local File accessed by the user on the computer – Search outline of all the browsers with URL hit status (Direct or Indirect) Copyright © http://www.cyberworldhere.com Copyright © http://www.cyberworldhere.com

14. Page  14 Forensically sound tool- WEFA  Shows URL behavior like search, blog, news, video etc.  Shows URL hit status (Direct or Indirect)  WEFA recovers the deleted web browser log files  WEFA collects the artifacts from all the browsers at single time.  Carving index.dat files Copyright © http://www.cyberworldhere.com Copyright © http://www.cyberworldhere.com

16. Page  16 Carved File Analysis by Autopsy  How can we say that it is the Result of Carving of index.dat files.  To cross check we opened the carved files of WEFA in Autopsy.  It shows the same URL as shown in history. Copyright © http://www.cyberworldhere.com Copyright © http://www.cyberworldhere.com

19. Page  19 Private Browsing Test: Unique URLs and the Keywords used during the test  Firefox (Private):  Chrome (Incognito):  Internet Explorer (In-Private): URLs Keyword Used in search Forbes.com Security Food.com Salad Timesofindia.indiatimes.com Exploit Djmaza.com Singh saab the great URLs Keyword Used in search Youtube.com Forensics Bing.com Social networking Play.google.com Angry birds URLs Keyword Used in search Hotmail.com - Filehippo.com Chat Torrentz.com Mickey virus Copyright © http://www.cyberworldhere.com Copyright © http://www.cyberworldhere.com

20. Page  20 Searching For Artifacts  Search Was Performed  Terminating the Private Browsing Session by closing browser  Common places of history, caches, cookies doesn’t leaves any trails  Used several tools but not found any trails of Private Browsing.  Captured the RAM (Volatile Memory) and swapping File Copyright © http://www.cyberworldhere.com Copyright © http://www.cyberworldhere.com

22. Page  22 Entries in RAM Browser URLs entries in RAM Keyword entries in RAM Mozilla Firefox- Private Forbes.com – 38 entries Security - 7 entries Food.com - 51 entries Salad - 47 entries Timesofindia.indiatimes.com – 17 Exploit - 8 entries Djmaza.com – 15 entries Singh saab the great - 9 Google Chrome- Incognito Youtube.com - 13 entries Forensics - 7 entries Bing.com - 150 entries Social networking - 14 Play.google.com – 200 entries Angry birds - 39 entries Internet Explorer-In-Private Hotmail.com – 20 entries - Filehippo.com - 38 entries Chat - 10 entries Torrentz.com - 30 entries Mickey virus - 25 entries Copyright © http://www.cyberworldhere.com Copyright © http://www.cyberworldhere.com

23. Page  23 Capture and Analysis of RAM and Paging File in Different Phases  Evidence found on the running machine acquired image  Quick Restart the System and acquired image again  Evidence still found in RAM after quick restart  Powered off machine for few (4-5) minutes and powered on again  Acquired image of RAM and Paging File again  No evidences found from the RAM dump. But some evidences found from the Paging file (Pagefile.sys). Copyright © http://www.cyberworldhere.com Copyright © http://www.cyberworldhere.com

26. Page  26 Forensics Vs. Anti-Forensics  Essentially, anti-forensics refers to any technique, gadget or software designed to hamper a computer investigation.  Achieve Security using Anti Forensics.  Anti-forensics Includes: Encryption, stenography, disk cleaning, file wiping Copyright © http://www.cyberworldhere.com Copyright © http://www.cyberworldhere.com

27. Page  27 Why Anti-Forensics ?  Anti-Forensics mainly for the security purpose.  For confidentiality of Information or Securing the Web-Transaction.  Smart Criminals are using it to Harden the forensic Investigation. Copyright © http://www.cyberworldhere.com Copyright © http://www.cyberworldhere.com

30. Page  30 Anti-Forensics Techniques  Disable Page File It affects our computer performance and slow down the computing for less RAM Copyright © http://www.cyberworldhere.com Copyright © http://www.cyberworldhere.com

31. Page  31  Encrypt Page File We encrypted the content of pagefile and acquired the image again to analyse using the Forensics tools Copyright © http://www.cyberworldhere.com Copyright © http://www.cyberworldhere.com

34. Page  34  Clear the windows page file You can tell your computer to erase the pagefile on every shut down. Open the Registry by typing the regedit inside run and move to the HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSessionMa nagerMemory Management Inside that Change the DWORD value of ‘ClearPageFileAtShutdown’ from 0 to 1 Copyright © http://www.cyberworldhere.com Copyright © http://www.cyberworldhere.com

36. Page  36  Using the Linux Live CD or USB to browse the Web securely * We booted the existing machine with the Linux but not mounted the cd with Read/Write. Only we booted up and directly performed the browsing activities. * All the Linux file system get stored inside RAM and we restarted the machine there is no artifacts found from the machine. * So it is one of the best way to use Linux distribution to perform private browsing without leaving the artifacts behind. Copyright © http://www.cyberworldhere.com Copyright © http://www.cyberworldhere.com

37. Page  37  Secure Wiping the browsing activities Normally deletion - not originally deleted, only the file reference is deleted from the system table and data remains in hard disk until it’s been overwritten by other data and can be recovered by several tools But if we securely wiping the data of browsing activities using multiple passes then it cannot be recovered back. So it is the best Anti-Forensics Technique. Forget to turn on the Private browsing mode ?-Don’t Worry.. Artifacts can be found from several history, cookies locations on the computer. we have used the tool named Eraser which securely wipe the contents from the hard disk which cannot be recoverable by any of the forensics tools. Copyright © http://www.cyberworldhere.com Copyright © http://www.cyberworldhere.com

38. Page  38 Analysis of Results Disabling Paging File Encrypt Paging File Clear Page File Using Linux Distribution Secure Wiping (Using Several Passes) Performance Hit? Yes- We found serious degradation on performance after disabling the paging file because this swap storage is used for the faster indexing of the data. So it is not the effective Anti-forensics Technique if you want quick response. Yes-Performance hit due to the nature of encryption (EFS). EFS uses public key encryption in conjunction with symmetric key encryption. It slow down the Computing and takes more time to power on-off machine. Little- We have cleared the windows paging file and use the computer again and we found the little performance affection because page file stores the computing data as swap storage and when we access the same data again it gives the quick response if it resides in swap. No- To secure our browsing we used the Linux live disk and perform the web activity and then removed the cd from windows machine and here we doesn’t require to clear/wipe/encrypt the paging file. So computer performance remains as it is. No- Here we are wiping the browsing content (history, cookies, cache, Index.dat etc.) after normal browsing and not dealing with page file. So there is no performance affection. Copyright © http://www.cyberworldhere.com Copyright © http://www.cyberworldhere.com

39. Page  39 Analysis of Results… Continued Disabling Paging File Encrypt Paging File Clear Page File Using Linux Distribution Secure Wiping (Using Several Passes) Evidence Remnant? No- No evidences because we disabled the page file creation. (Fig-16) No (Restart Required)- Evidence Content stored in Encrypted form so nobody can read it (Fig-19) No (Restart Required)- After clearing the Paging file, no evidences found from the Page file. Just found ‘0’s. (Fig-20) No- No browsing evidences found from the windows machine because we used the Linux distribution to perform the web activities. No- Secure wiping the evidence removes the traces from the computer by removing the entries using several passes (we used 35 passes). Removes the file from hard disk and not recovered by any of the recovery tool. (Fig-21) Copyright © http://www.cyberworldhere.com Copyright © http://www.cyberworldhere.com

40. Page  40 Analysis of Results… Continued Disabling Paging File Encrypt Paging File Clear Page File Using Linux Distribution Secure Wiping (Using Several Passes) Evidence Remains in RAM after Restart? Yes- RAM contains the evidences after restart. (Fig- 12) Yes- RAM contains the evidences after restart. (RAM store as in unencrypted form) (Fig- 12) Yes- RAM contains the evidences after restart. (We cleared page file not the RAM.) (Fig- 12) No- RAM contains no evidences after restart because we ran the Linux over the windows to browse the web. Yes- RAM contains the evidences after restart. Evidence Remains in RAM After Power off & On (After 4-5 Min.)? No- Power off & on (after few minutes) completely wipe the evidences. No- No unencrypted evidence found. No- No evidence found from RAM after Power Off- On No- There are no traces found in windows machine RAM. No- Evidence removed from RAM but it is required to handle the Page file to remove traces. Copyright © http://www.cyberworldhere.com Copyright © http://www.cyberworldhere.com

41. Page  41 Analysis of Results… Continued Disabling Paging File Encrypt Paging File Clear Page File Using Linux Distribution Secure Wiping (Using Several Passes) Evidence Recovered (After Private Browsing)? No No No No No Best For Private Browsing? Yes (Recommended) Average Average Yes (Recommended) No Best For Normal Browsing? Yes (Not Enough- Required More Action to Remove Other Traces ) Yes (Not Enough- Required More Action to Remove Other Traces ) Yes (Not Enough- Required More Action to Remove Other Traces ) Yes Yes Copyright © http://www.cyberworldhere.com Copyright © http://www.cyberworldhere.com

42. Page  42 Recommended from Above Comparison  Here we recommend to use Technique “Disable page file and Use Private Browsing” because after private browsing we need to handle only Swap storage and only one time Disable does not create the paging storage file (size=As RAM Size) and we does not require additional restarts as we need in Page file encryption and Page file Clear. (Power Off machine for few minutes after Private browsing is required to remove evidences completely from RAM)  Another Recommendation from above comparison is to use “Linux live distribution in any of the browsing mode (Private/Normal)” and which does not leaves any traces behind. Copyright © http://www.cyberworldhere.com Copyright © http://www.cyberworldhere.com

43. Page  43 CONCLUSION  Before moving directly to the Anti-Forensics it is important to understand the Forensics methodology first. This research used proper test methods and examined the normal and private browsing activities on three popular web browsers to collect evidences like browsing history, caches, and cookies forensically and then we used the several Anti-Forensics techniques to mitigate or remove the trails after browsing activities. So if you want to achieve the end-level security then don’t forget to use the Anti-Forensics. We have concluded the Latest Firefox (Private) is the secured one than the other browsers. We have also proposed the proper method to achieve the more security by the use of Anti-Forensics and tested every technique using that method to check for the effectiveness and finally concluded the best Anti-forensic technique. Further research can be done in Anonymity browsers like TOR to analyse which level of privacy they give to us. Copyright © http://www.cyberworldhere.com Copyright © http://www.cyberworldhere.com

44. Page  44 References [1] Muhammad Kamran Ahmed, Mukhtar Hussain, Asad Raza,“ An Automated User Transparent Approach to log Web URLs for Forensic Analysis”, 2009 Fifth International Conference on IT Security Incident Management and IT Forensics. [2] Huwida Said, Noora Al Mutawa, Ibtesam Al Awadhi and Mario Guimaraes,“ Forensic Analysis of Private Browsing Artifacts”, 2011 International Conference on Innovations in Information Technology [3] Andrew Marrington, Ibrahim Baggili, Talal Al Ismail, Ali Al Kaf, “Portable Web Browser Forensics: A forensic examination of the privacy benefits of portable web browsers”, Computer Systems and Industrial Informatics (ICCSII), 2012 International Conference. [4] Aljaedi, A. Lindskog, D. ; Zavarsky, P. ; Ruhl, R. ; Almari, F., “Comparative Analysis of Volatile Memory Forensics: Live Response vs. Memory Imaging ”, Privacy, security, risk and trust (passat), 2011 ieee third international conference on and 2011 ieee third international conference on social computing (socialcom). [5] Harry Parsonage January 2010, “Web Browser Session Restore Forensics”, Retrieved fromhttp://computerforensics.parsonage.co.uk/downloads/WebBrowserSessionRestoreForensics.pdf (1 December 2013). [6] SeungBong Lee Jewan Bang ; KyungSoo Lim ; Jongsung Kim ; Sangjin Lee ,“A Stepwise Methodology for Tracing Computer Usage”, INC, IMS and IDC, 2009. NCM '09. Fifth International Joint Conference. Copyright © http://www.cyberworldhere.com Copyright © http://www.cyberworldhere.com

45. Page  45 References [7] Hong Guo Bo Jin ; Wei Qian, “Analysis of Email Header for Forensics Purpose ”, Communication Systems and Network Technologies (CSNT), 2013 International Conference. [8] Selamat, S.R. Yusof, R. ; Sahib, S. ; Hassan, N.H. ; Abdollah, M.F. ; Abidin, Z.Z., “Traceability in digital forensic investigation process”, Open Systems (ICOS), 2011 IEEE Conference. [9] Van Staden, F.R. Venter, H.S., “Adding digital forensic readiness to the email trace header”, Information Security for South Africa (ISSA), 2010. [10] Kaushik, A.K. Pilli, E.S. ; Joshi, R.C., “Network forensic system for port scanning attack”, Advance Computing Conference (IACC), 2010 IEEE 2nd International. [11] Zhong Xiu-yu, “A model of online attack detection for computer forensics ”, Computer Application and System Modeling (ICCASM), 2010 International Conference. [12] Keith J. Jones, “Forensic Analysis of Microsoft Internet Explorer Cookie Files”, Retrieved from http://www.index- of.es/Forensic/Forensic%20Analysis%20of%20Microsoft%20Internet%20Explorer%20Cookie%20Files.pdf (16 November 2013). [13] Noora Al Mutawa, Ibtesam Al Awadhi, Ibrahim Baggili, and Andrew Marrington , “Forensic artifacts of Facebook‟s instant messaging service”, 6th International Conference on Internet Technology and Secured Transactions, 11-14 December 2011, Abu Dhabi, United Arab Emirates. [14] Stamm, M.C. Tjoa, S.K. ; Lin, W.S. ; Liu, K.J.R., “Anti-forensics of JPEG compression ”, Acoustics Speech and Signal Processing (ICASSP), 2010 IEEE International Conference. [15] Belani, R., Jones, K., (2005, March, 29). “Web browser forensics”, Retrieved from http://www.symantec.com/connect/articles/web-browser-forensics-part-1 (1 December, 2013). [16] Belani, R., Jones, K., (10 May 2005). “Web Browser Forensics”, Retrieved from http://www.symantec.com/connect/articles/web-browser-forensics-part-2 (1 December, 2013). Copyright © http://www.cyberworldhere.com Copyright © http://www.cyberworldhere.com

46. Page  46 References [17] Brookman, J. (2010, December). “Browser privacy features: a work in progress. Center for Democracy & Technology”, Retrieved from http://cdt.org/files/pdfs/20101209_browser_rpt.pdf (3 December 2013). [18] Aggarwal, G., Boneh, D., Bursztein, E., & Jackson, C. (2010). “An analysis of private browsing modes in modern browsers”. Stanford University”, Retrieved from http://www.usenix.org/events/sec10/tech/ ( 4 December 2013). [19] Bas Kloet, Hoffmann Investigations September 2010, “Advanced file carving”, Retrieved from http://computerforensics.sans.org/summit-archives/2010/eu-digital-forensics-incident-response-summit-bas-kloet-advanced-file-carving.pdf (4 December 2013). [20] Rich Murphey, “Automated Windows event log forensics”, Retrieved from http://www.dfrws.org/2007/proceedings/p92- murphey.pdf (5 December 2013) [21] “Anti-forensic_techniques”, Retrieved from http://www.forensicswiki.org, (25 January 2014) [22] “Anti-forensic-project-listing”, Retrieved from https://www.anti-forensics.com/anti-forensic-project-listing/ (2 February 2014) [23] “How Computer Forensics Works”, Retrieved from http://computer.howstuffworks.com/computer-forensic3.htm (16 February 2014) [24] “How EFS Works”, Retrieved from http://technet.microsoft.com/en-us/library/cc962103.aspx (26 February 2014) [25] “Anti-forensics”, Retrieved http://resources.infosecinstitute.com (18 March 2014) [26] “Anti-forensics Encryption”, Retrieved from http://www.reddit.com/r/antiforensics/comments/yhfw2/encrypt_your_swap_space/ (2 April 2014) [27] “Swap Space Handling”, Retrieved From http://support.microsoft.com/kb/314834 (15 April 2014) [28] “Anti-Forensics using Linux Distribution”, https://www.anti-forensics.com/leave-no-artifacts-behind-linux-live-cds/ (2 May 2014) [29] “Anti-Forensics Techniques”, https://www.anti-forensics.com/anti-forensic-project-listing/ (5 May 2014) Copyright © http://www.cyberworldhere.com Copyright © http://www.cyberworldhere.com

Anti forensics-techniques-for-browsing-artifacts

gaurang17

Anti forensics-techniques-for-browsing-artifacts