2. Anti-Anti Forensics
Introduction
Who am I?
Things I’ve written you might have seen
Hacking Exposed: Computer Forensics
Anti Hacker Toolkit, Third edition
Computer Forensics, A beginners guide
Hacking Exposed Computer Forensics Blog
This presentation
3. What does Anti-Anti Forensics mean?
1. It’s a joke from the movie ‘The Big Hit’
2. It means defeating Anti Forensics tools from two perspectives
  1. Determining what was destroyed for use in a spoliation motion
  2. Determining what tool was used and when it was run
  3. Defeating the tool by recovering what was destroyed
4. Outline
Session Objectives:
Our goal is to help you
1. Determine if wiping has occurred
2. Determine the number of files wiped
3. Determine if a system cleaner has run
4. Determine what the system cleaner has removed
5. Determine the time the system cleaner ran
6. Determine what the capabilities of the tool are
7. Possibly recover what was destroyed
5. Two types of Anti Forensic tools discussed
• Wipers, which do not include system cleaners
• System cleaners, which may include wipers
6. Identifying wiping
• Wiping a whole disk
• Wiping a partition
• Wiping individual files
7. Determine the number of files wiped
• Most wipers do three things to obfuscate what they have wiped:
  • Rename the file to a random file name
  • Fill the file to overwrite the prior contents
  • Reset the dates back to a fictitious time
• Find the block of file names that match these criteria, all accessed within seconds of each other, and you’ve found the wiped files.
• Count the number of these files and you’ve identified how many have been wiped.
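As an added illustration (not part of the original deck), a Python script that applies the three criteria above to constructed file records: it keeps files with random-looking names whose creation date was reset to a fictitious time, groups them by last-accessed time within a few seconds of each other, and counts the result. The cut-off date, the name pattern and the five-second window are assumptions to tune to the wiper in question.

```python
import math
import re
from datetime import datetime

# Constructed sample records (name, size, created, last accessed), in the
# shape of an MFT listing exported by a forensic tool. Three entries imitate
# a wiper's output: random name, fictitious creation date, accessed seconds apart.
RECORDS = [
    ("report_q3.docx", 48211, "2013-05-02T09:14:00", "2013-06-11T10:03:02"),
    ("ZQKWPFHTNL.DAT", 48211, "1899-12-30T00:00:00", "2013-06-11T14:22:07"),
    ("XMBJQLSTVK.XYZ", 1024, "1899-12-30T00:00:00", "2013-06-11T14:22:08"),
    ("GRWNPDCVAZ.ABC", 8, "1899-12-30T00:00:00", "2013-06-11T14:22:09"),
    ("ntuser.dat", 262144, "2012-01-15T08:00:00", "2013-06-11T14:30:00"),
    ("holiday.jpg", 90000, "2013-03-03T12:00:00", "2013-06-10T18:00:00"),
]

RESET_CUTOFF = datetime(2000, 1, 1)        # assumption: earlier dates are fictitious
RANDOM_STEM = re.compile(r"^[A-Z0-9]{8,}$")  # assumption: wiper's naming pattern

def entropy(s):
    """Shannon entropy in bits per character of the string s."""
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)

def looks_random(name):
    """True when the file stem matches the pattern and has no repeated structure."""
    stem = name.rsplit(".", 1)[0]
    return bool(RANDOM_STEM.match(stem)) and entropy(stem) >= 3.0

def is_wipe_candidate(rec):
    name, _size, created, _accessed = rec
    return looks_random(name) and datetime.fromisoformat(created) < RESET_CUTOFF

def find_wipe_clusters(records, window_seconds=5):
    """Group candidate files whose last-accessed times are within the window."""
    cands = sorted((r for r in records if is_wipe_candidate(r)), key=lambda r: r[3])
    clusters = []
    for rec in cands:
        accessed = datetime.fromisoformat(rec[3])
        if clusters and (accessed - clusters[-1][-1][1]).total_seconds() <= window_seconds:
            clusters[-1].append((rec[0], accessed))
        else:
            clusters.append([(rec[0], accessed)])
    return [[name for name, _ in c] for c in clusters]

def count_wiped(records, window_seconds=5):
    """Number of files in all wipe clusters, i.e. how many files were wiped."""
    return sum(len(c) for c in find_wipe_clusters(records, window_seconds))

if __name__ == "__main__":
    print(find_wipe_clusters(RECORDS), count_wiped(RECORDS))
```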
8. Lab: Determine the number of files wiped
9. Determine if a system cleaner has run
• The one thing system cleaners don’t clean is their own install
• While they may wipe out system settings, registry files, histories, etc., they don’t wipe out their own programs and configuration files
• Look for files created around the time of the clean (how to determine that time is covered on the next slide)
• Most have obvious names:
  • CCleaner
  • Evidence Eliminator
  • System Soap
10. Determine what the system cleaner has removed
• Check for the presence of the following areas, which should have data by default
• Check the creation date of the user’s profile directory to determine the time range of data missing
  • UserAssist
  • TypedURLs
  • Recent LNKs
  • Internet History
  • Recycle Bin
  • Jump Lists
  • MRUs
  • Restore Points
  • Event Logs
11. When did the cleaner run?
The first entry in each of the forensic sources listed on the prior slide marks the first record written after the cleaner was run.
By default the cleaner will destroy all records from the time the user first logged in until the time it was run.
12. Lab: Documenting the destruction
13. Determine what the capabilities of the cleaner are
• Once you’ve identified the cleaner in the prior slides, do some web research on its capabilities and whether it creates any logging.
• Download the program and test it in a VM to see what artifacts it leaves behind.
• Take screenshots of the website, its capabilities, and whether it costs money to buy.
• If it costs money to buy, you might find a fragment of data left showing the purchase, or request that they produce one.
14. Recover what was destroyed
• Restore Points
• Volume Shadow Copies
• Online backups
• NTFS $LogFile
15. NTFS $LogFile
• Keeps track of all file system changes
• Keeps track of all files created and their complete MFT records
• Keeps a record of renames, including old and new file names
• Contains time stamps for some records
• Holds up to 32,000 records
17. Conclusions
• We can determine how much data was wiped
• We may be able to determine exactly which files were wiped
• We can rarely recover the contents of the files that were wiped
• We can document and show what was destroyed for use either in a corporate HR disciplinary meeting or in litigation
• Being able to show what was destroyed and when can be as damaging as what was contained within it
18. Questions?
Read my blog here:
Hackingexposedcomputerforensicsblog.blogspot.com
Follow me on Twitter
@hecfblog
Be my buddy on Facebook
Hacking Exposed Computer Forensics fan page
Email me your questions
dcowen@g-cpartners.com