Anti-Anti Forensics
      David Cowen, CISSP
       G-C Partners, LLC

  Introduction
  Who am I?
  Things I’ve written you might have seen
     Hacking Exposed: Computer Forensics
     Anti Hacker Toolkit, Third edition
     Computer Forensics: A Beginner’s Guide
     Hacking Exposed Computer Forensics Blog
     This presentation

                                                Page 2
  What does Anti-Anti Forensics mean?
  1. It’s a joke from the movie ‘The Big Hit’
  2. It means defeating Anti Forensics tools from two perspectives
       1. Determining what was destroyed, for use in a spoliation motion
       2. Determining what tool was used and when it was done
       3. Defeating the tool by recovering what was destroyed

  Outline
  Session Objectives:
  Our goal is to help you
  1. Determine if wiping has occurred
  2. Determine the number of files wiped
  3. Determine if a system cleaner has run
  4. Determine what the system cleaner has removed
  5. Determine the time the system cleaner ran
  6. Determine what the capabilities of the tool are
  7. Possibly recover what was destroyed

  Two types of Anti forensic tools discussed
  •   Wipers, which do not include system cleaners
  •   System cleaners, that may include wipers

  Identifying wiping
  •   Wiping a whole disk
  •   Wiping a partition
  •   Wiping individual files

  Determine the number of files wiped
  •   Most wipers do three things to obfuscate what they have wiped
       •   Rename the file to a random file name
       •   Fill the file to overwrite the prior contents
       •   Reset the dates back to a fictitious time
  •   Find the block of file names that match these criteria, all accessed within seconds of
      each other, and you’ve found the wiped files.
  •   Count the number of these files and you’ve identified how many have been wiped
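As an added example (not part of the deck), the script below applies the three tells above to MFT-style records, clusters the matches by time and counts the block. The record fields, the name/fill/date heuristics, the 5-second window and the sample records are assumptions constructed for the example, not the author's tooling.

```python
"""Cluster the tell-tale records a file wiper leaves behind and count them."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List


@dataclass
class FileRecord:
    name: str
    body_sample: bytes      # first bytes of the file body as read from the image
    si_created: datetime    # $STANDARD_INFORMATION stamps: the ones a wiper resets
    si_modified: datetime
    si_accessed: datetime
    fn_time: datetime       # $FILE_NAME stamp, assumed here to be set when the wiper renamed the file


ALNUM_STEM = re.compile(r"^[A-Za-z0-9]{8,}$")


def looks_random(name: str) -> bool:
    """Tell 1, 'renamed to a random file name' (heuristic): an alphanumeric stem of
    8+ characters with no word-like run, i.e. no 4+ letter run containing a vowel.
    Catches both random strings and repeated-character names such as ZZZZZZZZ.ZZZ."""
    stem = name.rsplit(".", 1)[0]
    if not ALNUM_STEM.match(stem):
        return False
    runs = re.findall(r"[a-z]+", stem.lower())
    return not any(len(run) >= 4 and set(run) & set("aeiou") for run in runs)


def body_is_filled(sample: bytes) -> bool:
    """Tell 2, 'filled to overwrite the prior contents': the sampled bytes are one
    repeated value (0x00, 0xFF, ...). A random-pattern fill needs an entropy test instead."""
    return len(sample) > 0 and len(set(sample)) == 1


def dates_reset(r: FileRecord, min_gap: timedelta = timedelta(days=365)) -> bool:
    """Tell 3, 'dates reset to a fictitious time': all three $SI stamps identical and
    far older than the $FN stamp the rename left behind (min_gap is an assumed threshold)."""
    return (r.si_created == r.si_modified == r.si_accessed
            and r.fn_time - r.si_created >= min_gap)


def is_wiped_candidate(r: FileRecord) -> bool:
    return looks_random(r.name) and body_is_filled(r.body_sample) and dates_reset(r)


def find_wiped_blocks(records: List[FileRecord],
                      window: timedelta = timedelta(seconds=5)) -> List[List[FileRecord]]:
    """Group candidates whose $FN stamps fall within `window` of the previous one:
    each group is one block of files the wiper processed in a single run."""
    blocks: List[List[FileRecord]] = []
    for r in sorted((x for x in records if is_wiped_candidate(x)), key=lambda x: x.fn_time):
        if blocks and r.fn_time - blocks[-1][-1].fn_time <= window:
            blocks[-1].append(r)
        else:
            blocks.append([r])
    return blocks


def count_wiped(records: List[FileRecord]) -> int:
    return sum(len(block) for block in find_wiped_blocks(records))


# Constructed sample records (not real case data): four files wiped in one run,
# one wiped an hour later, a normal document and a hash-named cache file.
_EPOCH = datetime(1980, 1, 1)
_RUN = datetime(2012, 3, 10, 14, 22, 0)


def _wiped(name: str, secs: int) -> FileRecord:
    return FileRecord(name, b"\x00" * 64, _EPOCH, _EPOCH, _EPOCH, _RUN + timedelta(seconds=secs))


SAMPLE = [
    _wiped("ZXKQPWMTRV.tmp", 1), _wiped("hFg7Kq2Lp9.dat", 2),
    _wiped("ZZZZZZZZ.ZZZ", 3), _wiped("QWRTYPSDFG", 5),
    _wiped("MVPLKJHGFD.tmp", 3600),
    FileRecord("report2013.docx", b"PK\x03\x04\x14\x00", datetime(2012, 1, 4, 9, 0),
               datetime(2012, 3, 10, 14, 22, 2), datetime(2012, 3, 10, 14, 22, 2),
               datetime(2012, 1, 4, 9, 0)),
    FileRecord("a3f9c2e1b7d4", b"\x89PNG\r\n", datetime(2012, 3, 1, 8, 0),
               datetime(2012, 3, 1, 8, 0), datetime(2012, 3, 1, 8, 0), datetime(2012, 3, 1, 8, 0)),
]

if __name__ == "__main__":
    for block in find_wiped_blocks(SAMPLE):
        print(f"{len(block)} file(s) wiped starting {block[0].fn_time}: "
              + ", ".join(r.name for r in block))
    print("total wiped:", count_wiped(SAMPLE))
```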

  Lab: Determine the number of files wiped

  Determine if a system cleaner has run
  •   The one thing system cleaners don’t clean is their own install
  •   While they may wipe out system settings, registry files, histories, etc., they don’t
      wipe out their own programs and configuration files
  •   Look for files created around the time of the clean (determining that time is
      covered on the following slides)
  •   Most have obvious names:
       •   CCleaner
       •   Evidence Eliminator
       •   System Soap

  Determine what the system cleaner has removed
  •   Check for the presence of the following areas, which should have data by default
  •   Check the creation date of the user’s profile directory to determine the time range of
      data missing
       •   User Assist
       •   TypedUrls
       •   Recent Lnks
       •   Internet History
       •   Recycle Bin
       •   Jump Lists
       •   MRUs
       •   Restore Points
       •   Event Logs

  When did the cleaner run?
  The first entry in the list of forensic sources from the prior slide marks the first entry after
  the cleaner was run.
  By default the cleaner will destroy all records from the time the user first logged in until
  the time it was run.
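The two slides above (which sources should hold data, and the earliest surviving entry marking the clean) as an added worked example, not the author's tooling: given the profile creation time and the timestamps that survive in each source, it lists the emptied sources and bounds the window the cleaner destroyed. The source names, the 7-day rule of thumb and the sample timestamps are assumptions constructed for the example.

```python
"""Bound the window a system cleaner destroyed and list the sources it emptied."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Artifact sources that should hold data by default on a profile that has been used.
EXPECTED_SOURCES = ["UserAssist", "TypedURLs", "Recent LNKs", "Internet History",
                    "Recycle Bin", "Jump Lists", "MRUs", "Restore Points", "Event Logs"]


@dataclass
class CleanerWindow:
    window_start: datetime                 # profile creation: earliest data there should be
    window_end: Optional[datetime]         # earliest surviving record = first entry after the clean
    first_source: Optional[str]            # which source holds that earliest record
    empty_sources: List[str]               # expected sources with nothing left at all
    earliest_per_source: Dict[str, datetime]

    @property
    def gap(self) -> Optional[timedelta]:
        return None if self.window_end is None else self.window_end - self.window_start

    def likely_cleaned(self, min_gap: timedelta = timedelta(days=7)) -> bool:
        """Assumed rule of thumb: a used profile whose every surviving record starts
        more than min_gap after the profile was created has had its history removed."""
        return self.gap is not None and self.gap >= min_gap


def destruction_window(profile_created: datetime,
                       records: Dict[str, List[datetime]],
                       expected: List[str] = EXPECTED_SOURCES) -> CleanerWindow:
    """records maps a source name to the timestamps of the entries still present in it."""
    earliest = {src: min(ts) for src, ts in records.items() if ts}
    empty = [src for src in expected if src not in earliest]
    if not earliest:
        return CleanerWindow(profile_created, None, None, empty, {})
    first_source = min(earliest, key=earliest.get)
    return CleanerWindow(profile_created, earliest[first_source], first_source, empty, earliest)


# Constructed sample (not real case data): a profile created in June 2011 whose
# surviving records all start on 10 March 2012, with three sources emptied outright.
PROFILE_CREATED = datetime(2011, 6, 2, 9, 15)
SAMPLE_RECORDS: Dict[str, List[datetime]] = {
    "UserAssist":       [datetime(2012, 3, 10, 14, 40), datetime(2012, 3, 12, 8, 2)],
    "TypedURLs":        [],
    "Recent LNKs":      [datetime(2012, 3, 10, 14, 35)],
    "Internet History": [datetime(2012, 3, 10, 15, 1), datetime(2012, 3, 11, 10, 30)],
    "Recycle Bin":      [],
    "Jump Lists":       [],
    "MRUs":             [datetime(2012, 3, 10, 14, 36)],
    "Restore Points":   [datetime(2012, 3, 11, 3, 0)],
    "Event Logs":       [datetime(2012, 3, 10, 14, 31), datetime(2012, 3, 10, 14, 33)],
}

if __name__ == "__main__":
    w = destruction_window(PROFILE_CREATED, SAMPLE_RECORDS)
    print("emptied sources:", ", ".join(w.empty_sources) or "none")
    print(f"first surviving entry: {w.window_end} in {w.first_source}")
    print(f"records destroyed between {w.window_start} and {w.window_end} "
          f"({w.gap.days} days); likely cleaned: {w.likely_cleaned()}")
```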

  Lab: Documenting the destruction

  Determine what the capabilities of the cleaner are
  •   Once you’ve identified the cleaner in the prior slides, do some web research on its
      capabilities and whether it creates any logging.
  •   Download the program and test it in a VM to see what artifacts it leaves behind
  •   Take screenshots of the website, its capabilities, and whether it costs money to buy.
  •   If it costs money to buy you might find a fragment of data left showing the
      purchase, or request they produce one

  Recover what was destroyed
  •   Restore Points
  •   Volume Shadow Copies
  •   Online backups
  •   NTFS $LogFile

  NTFS $LogFile
  •   Keeps track of all file system changes
  •   Keeps track of all files created and their complete MFT records
  •   Keeps a record of renames, including old and new file names
  •   Contains time stamps for some records
  •   Holds up to 32,000 records
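As an added example for the $LogFile lab (not the author's parser), the script below does the first step of parsing the file: it walks the 4 KiB RCRD record pages, undoes the update-sequence fixups that protect every sector, and reports each page's LSN range. The page layout follows the RECORD_PAGE_HEADER in ntfs-3g's logfile.h; the sample pages are constructed inline.

```python
"""Walk the RCRD pages of an NTFS $LogFile, undo the fixups, report each page's LSNs."""
import struct
from dataclasses import dataclass
from typing import List

PAGE = 4096      # $LogFile record page size
SECTOR = 512     # fixup granularity: the last word of every sector is protected


@dataclass
class RecordPage:
    offset: int              # byte offset of the page in $LogFile
    last_lsn: int            # LSN of the last record that starts in this page
    flags: int
    page_count: int          # pages a multi-page record spans
    page_position: int       # 1-based position within that multi-page record
    next_record_offset: int  # where the next record would be written in this page
    last_end_lsn: int        # LSN of the last record that ends in this page
    data: bytes              # page contents with fixups applied


def apply_fixups(page: bytearray) -> bytearray:
    """Reverse the update-sequence protection: the driver stamps the update sequence
    number (USN) over the last word of every sector and keeps the original words in
    the update sequence array (USA). A mismatch means a torn write or not a page."""
    usa_ofs, usa_count = struct.unpack_from("<HH", page, 4)
    usn = bytes(page[usa_ofs:usa_ofs + 2])
    for i in range(1, usa_count):
        end = i * SECTOR
        if bytes(page[end - 2:end]) != usn:
            raise ValueError(f"fixup mismatch in sector {i - 1}")
        page[end - 2:end] = page[usa_ofs + 2 * i:usa_ofs + 2 * i + 2]
    return page


def parse_record_page(buf: bytes, offset: int) -> RecordPage:
    """Layout per RECORD_PAGE_HEADER in ntfs-3g's logfile.h: magic/USA pointer at 0,
    last_lsn at 8, flags at 16, page_count/position at 20/22, next_record_offset
    at 24, last_end_lsn at 32, USA (9 words for a 4 KiB page) at 40."""
    page = apply_fixups(bytearray(buf[offset:offset + PAGE]))
    last_lsn, flags, page_count, page_position, next_rec = struct.unpack_from("<QIHHH", page, 8)
    (last_end_lsn,) = struct.unpack_from("<Q", page, 32)
    return RecordPage(offset, last_lsn, flags, page_count, page_position,
                      next_rec, last_end_lsn, bytes(page))


def scan_logfile(buf: bytes) -> List[RecordPage]:
    """Collect every page that carries the RCRD magic, in file order."""
    return [parse_record_page(buf, off)
            for off in range(0, len(buf) - PAGE + 1, PAGE)
            if buf[off:off + 4] == b"RCRD"]


def build_record_page(last_lsn: int, last_end_lsn: int, usn: int = 0x0007) -> bytes:
    """Constructed RCRD page written the way the driver would: each sector's last
    word is 0x1000+i, saved in the USA and overwritten on disk by the USN."""
    page = bytearray(PAGE)
    struct.pack_into("<4sHH", page, 0, b"RCRD", 40, 9)
    struct.pack_into("<QIHHH", page, 8, last_lsn, 0, 1, 1, 0x58)
    struct.pack_into("<Q", page, 32, last_end_lsn)
    struct.pack_into("<H", page, 40, usn)
    for i in range(1, 9):
        struct.pack_into("<H", page, 40 + 2 * i, 0x1000 + i)   # original word, kept in the USA
        struct.pack_into("<H", page, i * SECTOR - 2, usn)      # USN stamped over the sector end
    return bytes(page)


# Constructed sample: zeros stand in for the restart area that begins a real $LogFile,
# followed by two record pages.
SAMPLE_LOGFILE = (bytes(2 * PAGE)
                  + build_record_page(0x10000, 0x10200)
                  + build_record_page(0x10400, 0x10600))

if __name__ == "__main__":
    for p in scan_logfile(SAMPLE_LOGFILE):
        print(f"page @ {p.offset:#x}: last_lsn={p.last_lsn:#x} "
              f"last_end_lsn={p.last_end_lsn:#x} pos={p.page_position}/{p.page_count}")
```

The log records inside each page (redo/undo operation codes, the MFT records and old/new names they carry) are the lab's next step and are not parsed here; a page that fails the fixup check should be treated as torn rather than carved blindly.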

  Lab: Parsing the $Logfile

  Conclusions
  •   We can determine how much data was wiped
  •   We may be able to determine exactly which files were wiped
  •   We can rarely recover the contents of the files that were wiped
  •   We can document and show what was destroyed for use either in a corporate HR
      disciplinary meeting or litigation
  •   Being able to show what was destroyed and when can be as damaging as what was
      contained within it

  Questions?
  Read my blog here:
     Hackingexposedcomputerforensicsblog.blogspot.com
  Follow me on Twitter
     @hecfblog
  Be my buddy on Facebook
     Hacking Exposed Computer Forensics fan page
  Email me your questions
     dcowen@g-cpartners.com

