This document discusses counterforensics techniques used by insiders to evade detection. It describes how counterforensics is derived from counterintelligence and aims to prevent or thwart investigations. Common tactics discussed include hiding and concealing activities and data through steganography, encryption, and destroying evidence by deleting files and overwriting data. The document also recommends tools for user behavior monitoring and activity replay to help reveal hidden insider tracks.

1. Confidential
Patrick Knight
Sr. Dir. Cyber Strategy and
Product Management

2. Confidential
Counterforensics
How Insiders Evade Forensics &
How to Reveal Their Hidden
Tracks

3. What is Counterforensics?
 aka - Anti-Forensics
 Derived from Counterintelligence:
“activities designed to prevent or thwart spying, intelligence
gathering, and sabotage by an enemy or other foreign entity.”
 Counterforensics
“activities designed to prevent or thwart forensics
investigations through data destruction, data and activity
concealment, deception or sabotage.”

4. Confidential
• Hiding/concealing
activities
• Deception
• Destroying evidence
• Sabotage
Counterforensics
Tactics

5. Hiding/Concealing
Activities and Data
 Steganography
 Utilize common file
formats/channels – hide in
plain sight
 File concatenation
 File/data encryption
 Encrypted comms channels
This Photo by Unknown Author is licensed under CC BY

6. Confidential
 Video and image files typically are large enough to carry
additional data (e.g. messages, files)
 Casual viewer will never know message/data is present
 Can transport encrypted messages/data
 Intended recipient can be difficult to identify
 Anti-virus and endpoint security typically do not scan for
hidden messages
Why Steganography?

7. Confidential
# ping -p feedfacedeadbeef Dest-B
# tcpdump -i eth0 host Dest-B -x
21:03:32.601102 IP Source-A > Dest-B: icmp 64: echo request seq 56
0x0000: 4500 0054 0038 4000 4001 6e1c 4655 1fe9 E..T.8@.@.n.FU..
0x0010: 4655 1fc2 0800 8120 5006 0038 e414 9942 FU......P..8...B
0x0020: 142a 0900 feed face dead beef feed face .*..............
0x0030: dead beef feed face dead beef feed face ................
0x0040: dead beef feed face dead beef feed face ................
0x0050: dead ..
 IPV4 Max Size 65535 bytes - headers = 65507 bytes for messages via ICMP
Concealed message in ICMP

8. Hiding Activities in Plain Sight
 Google Chrome extension -
Netflix Hangouts
 Watch Netflix at work,
while appearing to be on a
conference call

9. Hiding/Concealing
Activities and Data:
Encryption
 Use of non-sanctioned encryption tools
to encrypt files and data
 Use encryption tools to obscure
communications
 Tor Browser or Tor proxy
 Command line tools: OpenSSL, cryptcat

10. Destroying Evidence
• Deleting files
• Deleting records
• Overwrite/wipe files
• Overwrite/wipe selective records/data
• Overwrite/wipe entire disks/external
media

11. Deceptive Tactics
 Alter timestamps/timelines
 Alter logs or other data
 Obfuscation of data, URLs, commands, etc.
 C:>cmd.exe /c c^^a^^l^^c^^.^^e^^x^^e
 Stolen credential use

12. Destroying Evidence
 Deleting data
 Deleting browser history - incognito
mode
 Disk and data wiping

13. Deleting Alone May Not Destroy the
Data
 Filesystems usually free the location of a deleted file, but do not overwrite/destro
 Email servers typically free the location of a deleted email, but do not
overwrite/destroy
 Secure deletion can include:
 Overwriting/wiping one or more times
 Defragmenting
 Overwriting/wiping all free and slack space
 Webmail and SaaS products are typically under the control of the service provider

14. Data Wiping Tools
 Sdelete
 KillDisk
 BCWipe
 Darik’s Boot and Nuke (DBAN)
 Format.exe (Windows tool)
 Secure Eraser
 100’s more…

15. Sabotage
 Denial Of Service (DOS)
 Intentional malware/ransomware infection
 Logic/time bombs

16. What can you do?
 Visibility into activities when they happen
 Full crime scene playback
 Alert on suspicious activities
 malicious application use
 suspect website access
 Tor Browser activity

17. What can you do?
 Block access to unwanted sites and network
applications
 Inventory sanctioned tools - know what is
allowed and by whom
 disk encryption
 data deletion policies
 cloud file storage
 Employee Monitoring & User Behavior
Analytics tools

18. User & Entity Behavioral Analytics (UEBA)
&
User Activity Monitoring (UAM)

19. Seeing
Exactly What Happened (UAM)
• Time-Capsule DVR video review
• See all onscreen actions
• Play it back like your DVR
• Export as BMP, JPG or AVI
Video Playback

20. Confidential
The Global Leader
Technology Financial Health
8
out of 10
7
out of 10
6
out of 10
in 110+ countries
In 3,000+ enterprises & thousands of SMBs
DeployedThe Biggest & Best
use Veriato

21. Confidential
Thank You!
pknight@Veriato.com