Research: Categorization of digital anti-forensic tools used by cybercriminals
Even though information technologies have greatly enhanced our living standards, they have also offered criminals innovative means to commit their crimes. Cybercrimes represent a diverse group of illegal activities that include identity theft, hacking, online piracy, drug trafficking, money laundering, and others. To counteract cybercrimes, novel tools and techniques are frequently being utilized by digital forensics’ professionals. On the other hand, cybercriminals attempt to evade or manipulate digital forensic analysis of criminal activities via counter-techniques, known as anti-forensics.
A recently published paper analyzes some of the current popular anti-forensic tools, namely artifact wiping, data hiding, and trail obfuscation. Throughout this article, we will take a look at the different categories of anti-forensic techniques presented via this research paper.
What are anti-forensics?
Anti-forensics represent a group of tools that aim at disrupting or manipulating digital forensic tools. Anti-forensic tools have four main goals:
1- Avoiding detection of various malicious actions
2- Disrupting and manipulating the information obtained during digital forensic investigations
3- Increasing the time required to conduct digital forensic investigations
4- Reducing the validity of digital forensic reports
5- Uncovering the presence of active digital forensic tools
6- Attacking forensic investigators
7- Clearing any evidence or traces of the presence of anti-forensic tools
Understanding the nature of anti-forensic tools and techniques requires understanding the dynamics of the digital forensic investigation process. As shown in figure (1), the digital forensics investigation process is composed of three main stages: acquisition and preservation, analysis, and presentation. In addition to these main stages, pre-processing and post-processing stages help the investigator to maximize the integrity of the obtained evidence and results.
Figure (1): Stages of digital forensics investigation process
The digital forensic investigator obtains valuable evidence through the analysis stage from the data extracted throughout the acquisition stage. As such, anti-forensic tools and techniques target mainly this stage. Some anti-forensic tools target the pre-processing and post-processing stages as well.
New anti-forensic tools have emerged lately. The popular “Metasploit” bundle now includes some anti-forensic tools including Timestomp, Slacker, Transmogrify, and Sam Juicer in the MAFIA (Metasploit Anti Forensic Investigation Arsenal).
Categories of anti-forensic tools and techniques:
Most researchers categorize anti-forensic tools into four main categories: data hiding, trail obfuscation, artifact wiping, and attacks against digital forensic techniques and tools.
1- Data hiding:
Data hiding tools and techniques utilize the file system, memory, or network capabilities of the machine’s operating system in order to hide digital data. Hiding tools, encryption, and steganography are closely related. Nevertheless, data hiding represents a broader concept, while steganography, rootkits, and encryption are special forms of hiding techniques. Some previous studies have proposed subcategories of data hiding techniques including data contraception, hard disk manipulation, file system manipulation, network based hiding, and memory hiding.
a. File system data hiding tools:
The Microsoft Windows NTFS file system is a representative file system. NTFS organizes a “volume” of a disk into a boot sector, a master file table, file system data, and a master file table copy. The master file table represents the most essential part of an NTFS volume for digital forensic purposes. When data of a file is less than a cluster size, unused space will be present, while if a file’s data is larger than a cluster size, it will be fragmented. A cybercriminal can hide data via storing it onto unused spaces which would be present when file system data does not fill records or when it is fragmented.
The Linux operating systems use blocks for organizing data of the file system, and unused or slack space will be present at the data block portion of the EXT4 file system. Slack space serves as a place for hiding data in both the Microsoft and Linux file system structures. Hiding data into unused or slack space is more effective in Windows operating systems. Previous studies have shown that a successful data hiding should:
– hide data from the standard utilities of the operating system
– have low potential of being overwritten
– hide from the user interface
– store a reasonable amount of data
Slack space data hiding techniques achieve these goals. MAFIA (Metasploit Anti Forensic Investigation Arsenal) includes a tool for slack space hiding, Slacker, within the Metasploit framework. Slacker was first introduced in the Metasploit bundle in 2006.
b. Memory data hiding, or live hiding, tools:
“Live hiding” tools conceal data in the system’s main memory. Even though the main memory is highly volatile, retrieval of the hidden data is possible as long as there is electricity to maintain memory data on the memory cells. Retrieval techniques depend on hardware and software, and they are rather easy to deploy because anti-forensic tools operating on the main memory do not attempt to hide themselves very much.
c. Network based hiding tools:
Network based data hiding tools hide data inside one of the layers of the Internet Protocol Stack model. Techniques include protocol bending, covert channeling, and packet crafting.
Wrapping tools represent a good example of network based anti-forensic tools. They are popular and are relatively easy to deploy. The UNIX Stunnel tool is a popular SSL network level wrapper tool. It wraps unencrypted data packets into an SSL tunnel. This tool was initially developed to provide a secure communication route for insecure TCP/IP protocols. Nonetheless, attackers can use it to hide data.
Terminal emulators are other forms of network based anti-forensic tools. Nevertheless, terminal emulators need root or administrator privileges to be installed on a client machine. Popular network emulators that can hide data include Indigo Terminal Emulator, AbsoluteTelnet, and SecureCRT.
d. Steganography techniques:
Steganography techniques represent techniques to hide information in image, audio, video or text files in a manner that renders the information undetectable by the naked eye. Distortion and spread-spectrum techniques are forms of audio steganography, and substitution techniques are techniques of image steganography. In all steganography techniques, encryption can be used on top to provide added protection against steganalysis. Even though encryption alters the content of the message to an undecipherable form, steganography only hides the message without altering its content.
Rootkits are unique code snippets that hide within the operating-system kernel. Rootkits are special forms of malicious code that run at the inner levels of an operating system. Cybercriminals use rootkits not only to hide data, but also to log the victim’s network activity, record keystrokes, and control registry entries.
2- Artifact wiping
Artifact wiping represents an effective means for the destruction of digital evidence. Methods of artifact wiping include:
– Disk wiping deletes data from a disk securely. There are multiple publicly available disk wiping tools which include Blancoo 5, WipeDisk, and DBAN. Recent research has proven that these tools are easy to use, and subsequent retrieval of data is quite difficult.
– Disk degaussing tools act to overwrite data magnetically with zeros or random values. It is hard to accomplish today, yet on older magnetic hard disks, the Gutmann patterns enable investigators to recover data via means of magnetic force microscopy.
– Physical destruction techniques such as shredding, melting, and incarnating.
– File wiping is relatively similar to disk wiping, yet it is focused on deleting files. Sdelete is the most popular tool.
– Generic data wiping tools are different from file wiping tools in that they focus on deleting artifacts such as temporary data, cookies, and internet browsing history. A popular generic data-wiping tool is CCleaner.
– Metadata wiping tools: Metadata refers to data that describes files’ data. Metadata of a given file stores timestamps, ownership, format, size, etc. An example tool for metadata wiping is Timestomp, which is a part of the Metasploit bundle. Metadata wiping requires experience, extensive knowledge, and the ability to find an exploit at the victim’s target system.
– The Windows registry is a special database that records the settings of the Windows’ operating system and its specific applications. Registry wiping tools erase unused, wrong, or broken registry entries.
3- Trail obfuscation:
This method is also referred to as “counterfeiting”. Trail obfuscation misdirects digital evidence. Misdirection includes file defragmentation, timestamp modification, and manipulation of log files. Any inconsistencies associated with these would denote a trail obfuscation activity.
4- Attacks against digital forensic processes and tools:
Analysis represents the most important stage of digital forensic investigation, and file integrity is pivotal for a proper forensic analysis. An attacker, by detecting either image creation or analysis of the logical partitions (of files or directories), can disrupt the integrity of the evidence. Denial of service attacks (DDoS) is another effective attack type against digital forensic tools. By depleting resources such the RAM and CPU processor required by the tools, an attacker can disrupt forensic analysis. Anti-reverse engineering represents another effective method against digital forensic tools. One method is compression bombs. Current forensic tools often open compressed files like “zip” files during the process of analysis of the file system. Compression bombs are compressed files that when extracted get extremely bigger than the tool can handle, which results in failure of the forensic analysis tool.