Anti Forensic Techniques

"Absence of evidence is not evidence of absence."

Digital devices such as mobile phones, computers, laptops and PDAs have been used to such an extent that our lives depend on these gadgets, and we cannot imagine a single day without them. Because we rely so heavily on them, criminals have also shifted from traditional crime to cybercrime. Cybercrime is criminal activity that uses a computer, a computer network or a networked device either as a weapon or as a target to carry out fraudulent activities.

As cybercrime evolved, digital forensics came into use to investigate criminal activity and identify the perpetrator. However, criminals are also becoming wiser: they know the investigation strategies and the digital forensics methodology, so they have devised anti-forensic activities to avoid detection and conceal their malicious intentions. Anti-forensics is defined as using a combination of tools and techniques to hide, delete or tamper with data and metadata in order to avoid detection, creating a nightmare for forensic professionals who must extract the data and trace the evidence.

The standard anti-forensic techniques are data hiding, artefact wiping, encryption and trail obfuscation. Each of these has many sub-techniques.

Data Hiding-

This is one of the essential anti-forensic techniques, as it hides the data and therefore the very presence of evidence. Data can be hidden using the following techniques:

1. Steganography- 

Steganography is the technique of embedding a secret message inside an innocuous cover message so that the presence of the evidence is hidden, and then extracting it at the destination, which preserves its confidentiality. A common implementation replaces the least significant bits of the cover data with the bits of the confidential data to be hidden; because existing bits are overwritten rather than appended, the file size stays constant.

How does steganography work?

The following steps describe the steganography process:

Steganography Process

Step 1: Alice embeds the secret message into the cover message (the original message).
Step 2: The stego message (the cover message carrying the secret message) is sent to Bob (the receiver) over a covert channel.
Step 3: Bob recovers the secret message from the stego message using the key.
Step 4: Willie (a third party), who observes the communication between Alice and Bob, believes that the message sent is just the original message.
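The LSB replacement described above, as an added example that is not part of the original article: the cover is a constructed buffer of 8-bit samples standing in for pixel values, and the last function shows why an examiner cannot spot the embedding from file size or a casual look, since no sample moves by more than one.

```python
# Added example (not from the article): LSB embedding/extraction over a
# constructed buffer of 8-bit samples standing in for image pixel values.

def _bits(data: bytes):
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1

def embed(cover: bytes, secret: bytes) -> bytes:
    """Overwrite the LSB of successive cover samples with the secret's bits.
    A 16-bit length prefix tells the receiver how many bytes to read back."""
    payload = len(secret).to_bytes(2, "big") + secret
    if len(payload) * 8 > len(cover):
        raise ValueError("cover too small for the secret")
    stego = bytearray(cover)            # same size as the cover: nothing is appended
    for idx, bit in enumerate(_bits(payload)):
        stego[idx] = (stego[idx] & 0xFE) | bit
    return bytes(stego)

def extract(stego: bytes) -> bytes:
    """Rebuild bytes from the LSBs, honouring the length prefix."""
    def byte_at(i: int) -> int:
        return sum((stego[i * 8 + k] & 1) << (7 - k) for k in range(8))
    length = (byte_at(0) << 8) | byte_at(1)
    return bytes(byte_at(2 + j) for j in range(length))

def max_sample_delta(cover: bytes, stego: bytes) -> int:
    """Largest per-sample change. LSB replacement never alters a sample by
    more than 1, which is why the stego file looks identical to the cover."""
    return max(abs(a - b) for a, b in zip(cover, stego))

# Constructed cover: 512 pseudo-pixel samples (a real cover would be image data).
COVER = bytes((i * 37 + 11) % 256 for i in range(512))
SECRET = b"meet at dawn"

if __name__ == "__main__":
    s = embed(COVER, SECRET)
    print(len(s) == len(COVER), max_sample_delta(COVER, s), extract(s))
```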

2. Alternate Data Stream- 

As the name suggests, an "Alternate Data Stream" is an additional stream that stores metadata related to a file, including security information, the original author of the file and other metadata, in a file or folder without altering its actual function or content. It was designed for interoperability with the Macintosh Hierarchical File System (HFS). HFS uses two forks to store data in files: the data fork keeps the file data, and the resource fork keeps file metadata such as icons, menus or dialogue boxes. To ensure compatibility with HFS, the NTFS file system allows a file entry to have more than one $DATA attribute in the file's MFT entry.

3. Hidden Partition- 

A hidden partition is a portion of the hard disk that is not displayed by the operating system, cannot be used normally and generally cannot be accessed. In Windows, a hidden partition is created using the Disk Management feature: the data is stored on the partition, and the partition is then deleted. If the evidence is hidden using proper technical tools and techniques, it is challenging for the forensic professional to extract the data even with appropriate forensic investigation strategies.
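Deleting a partition removes only its table entry, so the first thing an examiner looks for is disk space that no partition accounts for. The following added example (not code from the article) parses a classic MBR partition table and reports such gaps; the disk geometry and partition layout are constructed.

```python
# Added example (not from the article): parse a classic MBR partition table and
# report sector ranges that no partition covers, where a deleted "hidden"
# partition's data may still reside. The sample MBR is constructed below.
import struct

SECTOR = 512

def parse_mbr(mbr: bytes) -> list:
    """Return (type, start_lba, sector_count) for each populated entry, by start."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xAA":
        raise ValueError("not a valid MBR sector")
    entries = []
    for i in range(4):
        off = 446 + 16 * i                     # four 16-byte entries at 0x1BE
        ptype = mbr[off + 4]
        start, count = struct.unpack_from("<II", mbr, off + 8)
        if ptype != 0 and count != 0:
            entries.append((ptype, start, count))
    return sorted(entries, key=lambda e: e[1])

def unallocated_gaps(entries: list, disk_sectors: int, min_sectors: int = 2048) -> list:
    """Inclusive sector ranges covered by no partition. Gaps smaller than
    min_sectors (the usual 1 MiB alignment slack) are ignored."""
    gaps, cursor = [], 1                        # sector 0 is the MBR itself
    for _, start, count in entries:
        if start - cursor >= min_sectors:
            gaps.append((cursor, start - 1))
        cursor = max(cursor, start + count)
    if disk_sectors - cursor >= min_sectors:
        gaps.append((cursor, disk_sectors - 1))
    return gaps

def build_mbr(parts: list) -> bytes:
    """Construct a sample MBR from (type, start, count) tuples."""
    mbr = bytearray(SECTOR)
    for i, (ptype, start, count) in enumerate(parts):
        off = 446 + 16 * i
        mbr[off + 4] = ptype
        struct.pack_into("<II", mbr, off + 8, start, count)
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr)

DISK_SECTORS = 20_971_520                      # constructed 10 GiB disk
# Two NTFS (0x07) partitions with a 2 GiB hole between them where a third was deleted.
SAMPLE_MBR = build_mbr([(0x07, 2048, 4_194_304), (0x07, 8_390_656, 12_580_864)])

if __name__ == "__main__":
    print(unallocated_gaps(parse_mbr(SAMPLE_MBR), DISK_SECTORS))
```

A gap is only a lead: the examiner still images that sector range and looks for a file system boundary or residual data inside it.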

4. Slack space- 

Slack space is the space left between the end of the active file and the end of the cluster. It is divided into two parts: RAM slack and file slack. RAM slack is the space between the end of the file's data and the end of the last sector it occupies, whereas file slack is the space between that sector and the end of the allocated cluster. Cluster sizes are determined by the operating system and differ between file systems. For example, the NTFS file system allocates files in clusters of 4096 bytes; since one sector comprises 512 bytes, four sectors are allocated to each cluster, and because most files do not consume the entire cluster, space is usually left at the end of the file. That space is the slack space. Information from RAM, such as login IDs or passwords, is placed in slack space.




• Artefact Wiping- 

Artefact wiping refers to wiping or erasing data or evidence, removing the trails that would lead to detection. The word "artefact" means any fact or evidence created by the user, and "wiping" means cleaning or erasing all the data; together, the term means cleanly erasing all the data on the disk. Deleting a file does not remove its content from the disk: deletion only deallocates the MFT entry or inode, so a deleted file can be recovered quickly. Wiping makes sure that the data cannot be retrieved by any tool or technique. During wiping, the drive is overwritten several times so that the data present on it becomes unreadable.


The Department of Defense has laid out a protocol for disk wiping which dictates that the disk should undergo a three- or seven-pass overwrite.

In a three-pass overwrite, the data is overwritten with 0s, then with 1s, and finally with a random character to make the data illegible.

In a seven-pass overwrite, the first three passes are the same as in a three-pass overwrite; in the 4th pass, the data is overwritten with a second random character; in the 5th and 6th passes, the data is overwritten with 0s and 1s; and finally, in the 7th pass, the data is overwritten with a random character, after which a verification pass confirms that the information has been overwritten.


• Encryption – 

Encryption is the art and science of converting plain text, i.e. readable text, into unreadable (nonsense) text to enhance the security of the data. It does so using various algorithms and keys; decryption converts the ciphertext back into plain, readable text using the corresponding algorithms and keys. Cryptographic techniques are divided into symmetric and asymmetric. In the symmetric approach, the same key is used for encryption and decryption, whereas in an asymmetric scheme there is a pair of keys: one key is used for encryption and the other for decryption. The most commonly used encryption tools are VeraCrypt and CipherShed, which allow virtual disk encryption.
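Both the wiping passes described in the previous section and an encrypted container leave a characteristic footprint on disk, and this added example (not code from the article) serves both passages: it classifies 4 KiB blocks of a disk image as the uniform fills a 0/1 pass leaves, as high-entropy data (a random pass, an encrypted volume or compressed data all look alike here) or as ordinary structured content. The image is constructed.

```python
# Added example (not from the article): classify 4 KiB blocks of a disk image as
# zero-fill, one-fill, other single-byte fill, high-entropy or structured data.
# Uniform fills are what a 0/1 wiping pass leaves; a random pass, an encrypted
# container (VeraCrypt/CipherShed volumes carry no plaintext signature) and
# compressed data all look high-entropy, so that verdict needs corroboration.
import math
import random
from collections import Counter

def shannon_entropy(block: bytes) -> float:
    """Bits per byte: 0.0 for a constant block, close to 8.0 for random bytes."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def classify_block(block: bytes, high: float = 7.8) -> str:
    if not block:
        return "empty"
    if len(set(block)) == 1:
        return {0x00: "zero-fill", 0xFF: "one-fill"}.get(block[0], "single-byte-fill")
    return "high-entropy" if shannon_entropy(block) >= high else "structured"

def scan_image(image: bytes, block_size: int = 4096) -> list:
    """(offset, verdict) per block; long runs of fills suggest artefact wiping."""
    return [(off, classify_block(image[off:off + block_size]))
            for off in range(0, len(image), block_size)]

def summarize(image: bytes, block_size: int = 4096) -> dict:
    """Block count per verdict, the figure an examiner reports for a region."""
    return dict(Counter(v for _, v in scan_image(image, block_size)))

# Constructed 20 KiB image: three wiping-pass patterns, one random-looking block
# (which could equally be an encrypted volume) and one block of ordinary text.
_rng = random.Random(7)
SAMPLE_IMAGE = (bytes(4096) + b"\xFF" * 4096 + b"\x5A" * 4096
                + bytes(_rng.getrandbits(8) for _ in range(4096))
                + (b"quarterly report draft, do not distribute. " * 100)[:4096])

if __name__ == "__main__":
    for off, verdict in scan_image(SAMPLE_IMAGE):
        print(f"{off:#08x} {verdict}")
    print(summarize(SAMPLE_IMAGE))
```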




• Trail Obfuscation- 

Trail obfuscation means obfuscating or manipulating the trail or traces left behind, in order to confuse, mislead, divert, complicate, sidetrack and distract the forensic examination process. It involves different techniques and tools such as the following:

Timestamp Alteration- 

The timestamps of files and folders are essential to any forensic investigation. They provide the Creation, Modification, Last Access and Entry Modified times (the MACE times), which are used to link multiple pieces of evidence together. Altering a timestamp breaks that link and misleads the investigation by introducing a fake timestamp.

Timestomp- This tool is used to manipulate the MACE times, i.e. Modified, Accessed, Created and Entry Modified, of a file.

Timestomping is an anti-forensic technique. There are two sets of timestamps tracked in the MFT.

These two sets are:

  • $Standard_Information
  • $File_Name

Both of them track:

  • Modified
  • Access
  • Created
  • Entry modified

The $Standard_Information timestamps are the ones usually displayed by Windows Explorer as well as by forensic tools.

Most timestomping tools change only the $Standard_Information set and not the $File_Name set.

Using tools that display both the $Standard_Information and $File_Name attributes, we can compare the two sets to determine whether a file may have been timestomped.
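The comparison just described, as an added example that is not part of the original article: given the $Standard_Information and $File_Name timestamp sets of one MFT record (constructed here; a real tool would parse them from the MFT), it returns the indicators an examiner would report. The zero sub-second check assumes the tool wrote second-granularity values, which is a heuristic, not proof.

```python
# Added example (not from the article): compare the $Standard_Information (SI)
# and $File_Name (FN) timestamp sets of an MFT record for signs of timestomping.
# The records below are constructed; a real tool would parse them from the MFT.
from datetime import datetime, timezone

FIELDS = ("created", "modified", "accessed", "entry_modified")

def timestomp_indicators(si: dict, fn: dict) -> list:
    """Return human-readable indicators; an empty list means nothing stood out."""
    findings = []
    # FN is written when the file is created or moved and is rarely rewritten;
    # SI is what tools change. SI created earlier than FN created is rarely natural.
    if si["created"] < fn["created"]:
        findings.append("SI created precedes FN created")
    # NTFS keeps 100 ns resolution; tools fed "YYYY-MM-DD HH:MM:SS" leave every
    # SI value with an exact zero sub-second part (heuristic: some archive
    # restores do the same, so corroborate before concluding).
    if all(si[f].microsecond == 0 for f in FIELDS):
        findings.append("all SI timestamps have zero sub-second part")
    # Any other SI time older than the FN creation time is suspicious too.
    for f in ("modified", "accessed", "entry_modified"):
        if si[f] < fn["created"]:
            findings.append(f"SI {f} precedes FN created")
    return findings

def _ts(s: str) -> datetime:
    """Constructed UTC timestamp with microsecond precision."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

FN_REAL = {f: _ts("2023-05-14T10:22:31.123456") for f in FIELDS}
SI_STOMPED = {f: _ts("2019-01-01T00:00:00") for f in FIELDS}     # backdated by a tool
SI_CLEAN = {"created": _ts("2023-05-14T10:22:31.123456"),
            "modified": _ts("2023-06-02T08:15:07.551200"),
            "accessed": _ts("2023-06-02T08:15:07.551200"),
            "entry_modified": _ts("2023-06-02T08:15:07.551200")}

if __name__ == "__main__":
    print(timestomp_indicators(SI_STOMPED, FN_REAL))
    print(timestomp_indicators(SI_CLEAN, FN_REAL))
```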

File Header Alteration

The most useful feature for identifying a file is its file header, so most digital forensic tools perform data carving by identifying file headers. These tools locate the header and footer of a file and then recreate the file.
Anti-forensic techniques exploit this behaviour of digital forensic tools by changing the file header to that of another file type; the Transmogrify tool, for example, changes a file's header to another file type.
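Because a header-altered file keeps its original body and footer, the inconsistency is what gives it away. This added example (not code from the article or from any forensic tool) checks header, footer and extension against each other on constructed sample files, using the standard public signatures.

```python
# Added example (not from the article): flag files whose header (magic bytes),
# footer and extension disagree, the inconsistency a header-altered file leaves.
# Signatures below are the standard public ones; sample files are constructed.
HEADERS = {
    "jpg": b"\xFF\xD8\xFF",
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF-",
    "zip": b"PK\x03\x04",      # also docx/xlsx/pptx containers
    "exe": b"MZ",              # also dll
}
FOOTERS = {
    "jpg": b"\xFF\xD9",
    "png": b"IEND\xAE\x42\x60\x82",
    "pdf": b"%%EOF",
}
ALIASES = {"jpeg": "jpg", "docx": "zip", "xlsx": "zip", "pptx": "zip", "dll": "exe"}

def header_type(data: bytes):
    return next((t for t, magic in HEADERS.items() if data.startswith(magic)), None)

def footer_type(data: bytes):
    tail = data.rstrip(b"\r\n\x00")             # tolerate trailing padding
    return next((t for t, magic in FOOTERS.items() if tail.endswith(magic)), None)

def check_file(name: str, data: bytes) -> tuple:
    """(verdict, header_type). A carver trusts the header, so a body whose
    footer or extension contradicts it deserves a second look."""
    ht = header_type(data)
    if ht is None:
        return ("unknown-header", None)
    ft = footer_type(data)
    if ft is not None and ft != ht:
        return ("header-footer-mismatch", ht)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ALIASES.get(ext, ext) != ht:
        return ("extension-mismatch", ht)
    return ("consistent", ht)

def scan(samples: dict) -> dict:
    return {n: check_file(n, d)[0] for n, d in samples.items()}

# Constructed samples: a JPEG-like body, then the same body relabelled two ways.
JPEG_BODY = b"\xFF\xD8\xFF\xE0\x00JFIF" + b"\x10" * 64 + b"\xFF\xD9"
SAMPLES = {
    "holiday.jpg": JPEG_BODY,                          # everything agrees
    "holiday.txt": JPEG_BODY,                          # extension renamed
    "holiday.png": HEADERS["png"] + JPEG_BODY[4:],     # header rewritten, body kept
}

if __name__ == "__main__":
    print(scan(SAMPLES))
```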