Anti-Forensics Overview

On January 27, 2012, in Antiforensic posts, Computer forensics posts, by Michal Kedziora


Anti-forensic techniques are actions whose goal is to prevent a proper forensic investigation or to make it much harder. They are aimed at reducing the quantity and quality of digital evidence. They are deliberate actions of computer users, but also of developers who write programs hardened against computer forensic methods. Anti-forensic techniques include activities such as the intentional deletion of data by overwriting it with new data, or tools that protect against forensic analysis.

Anti-forensic techniques can be used to increase security, for example by erasing and overwriting data so that it cannot be read by unauthorized persons. However, these techniques can be misused by perpetrators of computer crimes to protect themselves from disclosure of their actions. Users of anti-forensic tools also include people who want to remove evidence of their criminal activities, such as hackers, terrorists, pedophiles and counterfeiters. Anti-forensic tools can be used by dishonest employees to destroy any data indicating that they stole valuable company data, gained unauthorized access to a computer system, or captured secure information and passwords.

We can define anti-forensics following Wikipedia: one of the more widely known and accepted definitions comes from Dr. Marc Rogers of Purdue University. Dr. Rogers uses a more traditional “crime scene” approach when defining anti-forensics: “Attempts to negatively affect the existence, amount and/or quality of evidence from a crime scene, or make the analysis and examination of evidence difficult or impossible to conduct.”


Anti-Forensics Goals

Liu and Brown identify four primary goals for anti-forensics:

  • Avoiding detection that a compromising event has taken place.
  • Disrupting and preventing the collection of information.
  • Increasing the time that an examiner needs to spend on a case.
  • Casting doubt on a forensic report or testimony (Liu and Brown, 2006).

(Image caption: Encryption – one of the anti-forensic methods.)

Other goals might include:

  • Subverting the forensic tool (e.g., using the forensic tool itself to attack the organization in which it is running).
  • Leaving no evidence that an anti-forensic tool has been run.


Sample techniques:

Data Destruction

  • Wiping – securely deleting data so that it cannot be restored even with forensic software. It can be done with special software like “Eraser” or a built-in operating system function (e.g. secure erase in Mac OS X).
  • Changing MAC attributes – changing or deleting file attributes to avoid timeline analysis; freely available software to do this is called timestomp.


Data Contraception

In short, Data Contraception means using software that creates hardly any evidence:

Syscall Proxying – a technique where a local program transparently proxies a process’s system calls to a remote server. The method was invented by Maximiliano Caceres.

Memory-resident compilers/assemblers – used when an attacker wants to send code fragments from a remote device to a compiler/assembler residing in the memory of the local (compromised) device. This technique allows tools to be compiled for the compromised platform and, more importantly, to be compiled on the fly in memory (inside a hijacked process) so as not to leave a trace on the local disk.


Defense Cyber Crime Center


On December 15 the Department of Defense Cyber Crime Center (DC3) announced a new edition of the Digital Forensics Challenge.
I believe it is a great opportunity to practice, research and learn about computer forensics.

From DC3 website: The objectives of the Annual Digital Forensics Challenge are to establish relationships; resolve technological issues; and develop new tools, techniques, and methodologies for the digital forensic community.

More information: DC3 Challenge 2012


Hacking Web Applications Mind Map

While I was preparing some new lectures at the university, I created a mind map for my students on “Hacking Web Applications” based on CEH (Certified Ethical Hacker) study materials. It is an interesting and broad topic, so it can help if you are lost… Please feel free to use it:

PDF: Hacking Web Applications Mind Map CEH

SSD Forensic

On July 13, 2011, in Antiforensic posts, Computer forensics posts, by Michal Kedziora

What is the impact of SSDs on computer forensics?



Well, it turns out that the quite different mechanisms used to write and store information on SSD disks have a number of implications for computer forensics. There is an increasing amount of information on this issue in the press and in publications; unfortunately, a large proportion of it is based on wrong information and outdated test results. Let’s try to present an analysis of the characteristics of Solid State Drives and then analyze their impact on efficient erasing and recovery of data.

Characteristics of solid state media:

I will describe three main characteristics of SSD media which affect digital forensics.

Writing and storing data on SSD.

One group of issues is connected with a characteristic of semiconductor memory cells: they can change their bits only a specified number of times, after which exhaustion leads to cell damage and loss of reliability of the data stored in them. Older generations of SSD not rarely had an endurance of only 10,000 cycles. This was an often raised argument criticizing SSD drives. In later generations this value was improved to approximately 100,000 cycles; however, was


USB Write Protect Defeating

On January 23, 2011, in Antiforensic posts, security, tutorial, by Michal Kedziora


There is a trend to block USB ports on corporate computers. For sure there are some security arguments for doing so… What is interesting is that there is a simple method to bypass this protection, e.g. with VMware tools. Virtualization is becoming more popular and necessary in our work, and virtualization software is often installed. Even if the machine has its USB ports set to read-only, when you mount an external drive from a VMware virtual machine you can use the USB port in full read and write mode.

In forensics, two example applications can be:

  1. Knowing to always analyze virtual machines and applications; hopefully this is becoming standard.
  2. In live forensics it can be a fast method to copy captured data from the evidence machine when all other possibilities are blocked.

Office Open XML Hacking

On January 11, 2011, in Computer forensics posts, tutorial, by Michal Kedziora


Well, maybe not exactly hacking, but I have just found a bug/feature which makes it possible to recover EXIF/metadata information from images inserted into MS Word 2007/2010 documents.

There was a revolutionary change made by Microsoft to use the Office Open XML format instead of the old doc/xls/ppt. The Office Open XML file formats are actually ZIP-compatible packages containing XML text documents and other files and resources.

What is the computer forensic application?

If there are images placed in an office document, we would like to check their EXIF and meta information to find interesting details and potential traces. This wasn’t possible in the old formats, but now, to export EXIF/meta information about images and other files placed inside docx documents, you just have to:

  1. Rename the docx extension to zip
  2. Open the zip file and find the images in the folder /word/media/
  3. Use any proper tool to view and export the EXIF information

As Office Open XML is becoming the standard for electronic documents, I am sure this simple knowledge will often be used by forensic investigators.
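The three steps above can be done without renaming anything, because a docx is already a ZIP package. The following is an added example (not code from the post): it opens the package with Python’s zipfile module, walks every file under word/media/, and pulls the ASCII tags (Make, Model, DateTime) out of the EXIF APP1 segment of each JPEG by hand, so no image library is needed. Because a real Word document with a camera photo cannot be embedded here, the script also constructs its own minimal docx containing a tiny JPEG with a fabricated EXIF block; the camera name and date in SAMPLE_EXIF are invented sample values.

```python
import io
import struct
import zipfile

# Small subset of TIFF/EXIF IFD0 tags we care about (tag id -> name).
TAGS = {0x010F: "Make", 0x0110: "Model", 0x0131: "Software", 0x0132: "DateTime"}


def build_exif_jpeg(fields):
    """Construct a minimal JPEG whose APP1 segment carries an EXIF block with ASCII tags.

    Used only to fabricate sample input; real images are much larger, but the
    marker/IFD layout walked by exif_from_jpeg() is the same.
    """
    entries, payload = [], b""
    ifd_size = 2 + 12 * len(fields) + 4          # count + entries + next-IFD pointer
    data_offset = 8 + ifd_size                   # strings are placed right after the IFD
    for tag, text in sorted(fields.items()):     # TIFF requires ascending tag order
        value = text.encode("ascii") + b"\x00"
        entries.append(struct.pack("<HHII", tag, 2, len(value), data_offset + len(payload)))
        payload += value
    tiff = (b"II*\x00" + struct.pack("<I", 8)    # little-endian TIFF header, IFD0 at offset 8
            + struct.pack("<H", len(entries)) + b"".join(entries) + b"\x00" * 4 + payload)
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def parse_tiff(tiff):
    """Read the ASCII tags of IFD0 from an EXIF/TIFF block (either byte order)."""
    endian = "<" if tiff[:2] == b"II" else ">"
    ifd = struct.unpack(endian + "I", tiff[4:8])[0]
    count = struct.unpack(endian + "H", tiff[ifd:ifd + 2])[0]
    found = {}
    for i in range(count):
        entry = ifd + 2 + 12 * i
        tag, typ, n, value = struct.unpack(endian + "HHII", tiff[entry:entry + 12])
        if typ != 2:                              # only ASCII values are decoded here
            continue
        # Values of 4 bytes or less are stored inline in the entry, longer ones at an offset.
        raw = tiff[value:value + n] if n > 4 else tiff[entry + 8:entry + 8 + n]
        found[TAGS.get(tag, f"0x{tag:04X}")] = raw.rstrip(b"\x00").decode("latin-1")
    return found


def exif_from_jpeg(blob):
    """Walk the JPEG marker segments until the EXIF APP1 segment (or the scan data) is reached."""
    if blob[:2] != b"\xff\xd8":
        return {}
    pos = 2
    while pos + 4 <= len(blob):
        marker, length = struct.unpack(">HH", blob[pos:pos + 4])
        if marker == 0xFFE1 and blob[pos + 4:pos + 10] == b"Exif\x00\x00":
            return parse_tiff(blob[pos + 10:pos + 2 + length])
        if marker == 0xFFDA:                      # start of scan: no more header segments
            break
        pos += 2 + length
    return {}


def docx_media_exif(docx_bytes):
    """Open a .docx as the ZIP package it is and return EXIF data for each file under word/media/."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as package:
        for name in package.namelist():
            if name.startswith("word/media/"):
                results[name] = exif_from_jpeg(package.read(name))
    return results


def build_sample_docx(jpeg):
    """Constructed stand-in for a Word 2007/2010 package with one embedded picture."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as package:
        package.writestr("[Content_Types].xml", "<Types/>")
        package.writestr("word/document.xml", "<document/>")
        package.writestr("word/media/image1.jpeg", jpeg)
    return buf.getvalue()


# Invented sample metadata for the embedded picture.
SAMPLE_EXIF = {0x010F: "ExampleCam", 0x0110: "Model-X", 0x0132: "2010:10:05 10:04:20"}


def demo():
    docx = build_sample_docx(build_exif_jpeg(SAMPLE_EXIF))
    return docx_media_exif(docx)


if __name__ == "__main__":
    for path, tags in demo().items():
        print(path, tags)
```

To run it against a real document, read the file into bytes and pass them to docx_media_exif(); the same loop works for xlsx and pptx packages if the prefix is changed to xl/media/ or ppt/media/. Only JPEG EXIF is parsed here; PNG and other formats under word/media/ come back as an empty dictionary.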

User Assist in Digital Investigation

There are several methods to detect time manipulation, e.g. log analysis or examining the MAC dates of the restore point records in the System Volume Information directory… There is another simple method which I think can be useful.

The goal is to examine the registry UserAssist keys: if the Control Panel Date & Time application was run, there will be information about it.

UserAssist is a function which helps Explorer to put the most often used applications in the Start Menu. For this to work, every run of an application in Windows is recorded in the registry. Besides the name and path of the application, we also have information about the number of previous runs and the date of the last run. UserAssist is located in the key:


I have placed an example screenshot. After launching the Time and Date Control Panel application (timedate.cpl) we will see something like this.
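The check described above, as an added example that is not part of the post: given the values of a UserAssist Count key (value name mapped to raw bytes, as one would export them from the registry or a hive file), it decodes the ROT13-obfuscated value names, keeps the entry for timedate.cpl, and reads the run count and last-run FILETIME from the record. The record layouts are assumptions, not taken from the post: a 72-byte Windows 7 record with the run count at offset 4 and the last-run FILETIME at offset 60, and a 16-byte Windows XP record with session id, run count and FILETIME back to back. The sample values are constructed.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime):
    """FILETIME counts 100 ns intervals since 1601-01-01 UTC."""
    return WINDOWS_EPOCH + timedelta(microseconds=filetime // 10)


def decode_value_name(raw_name):
    """UserAssist value names are stored ROT13-encoded; digits, GUIDs and backslashes pass through."""
    return codecs.decode(raw_name, "rot13")


def parse_count_value(data):
    """Return (run_count, last_run) from one UserAssist Count value.

    Assumed layouts: 72-byte Windows 7 record (count at offset 4, FILETIME at 60)
    and 16-byte Windows XP record (session id, count, FILETIME).
    """
    if len(data) == 72:
        run_count = struct.unpack_from("<I", data, 4)[0]
        filetime = struct.unpack_from("<Q", data, 60)[0]
    elif len(data) == 16:
        run_count = struct.unpack_from("<I", data, 4)[0]
        filetime = struct.unpack_from("<Q", data, 8)[0]
    else:
        raise ValueError(f"unexpected UserAssist record length {len(data)}")
    return run_count, (filetime_to_datetime(filetime) if filetime else None)


def find_timedate_runs(count_values):
    """Given {raw value name: raw bytes} from a Count key, report launches of timedate.cpl."""
    hits = []
    for raw_name, data in count_values.items():
        name = decode_value_name(raw_name)
        if name.lower().endswith("timedate.cpl"):
            run_count, last_run = parse_count_value(data)
            hits.append((name, run_count, last_run))
    return hits


def build_sample_record(run_count, last_run):
    """Construct a Windows 7 style 72-byte record for the sample data below."""
    filetime = (int(last_run.timestamp()) + 11644473600) * 10_000_000
    record = bytearray(72)
    struct.pack_into("<I", record, 4, run_count)
    struct.pack_into("<Q", record, 60, filetime)
    return bytes(record)


# Constructed sample of what one would read from a Count key: a ROT13 name for the
# Date and Time applet plus an unrelated entry that the filter must ignore.
SAMPLE_LAST_RUN = datetime(2010, 10, 5, 10, 4, 20, tzinfo=timezone.utc)
SAMPLE_COUNT_VALUES = {
    codecs.encode(r"C:\Windows\System32\timedate.cpl", "rot13"): build_sample_record(3, SAMPLE_LAST_RUN),
    codecs.encode(r"C:\Windows\System32\notepad.exe", "rot13"): build_sample_record(7, SAMPLE_LAST_RUN),
}


def demo():
    return find_timedate_runs(SAMPLE_COUNT_VALUES)


if __name__ == "__main__":
    for name, runs, last in demo():
        print(f"{name}: run {runs} times, last at {last}")
```

The last-run time comes back as UTC; compare it with the event log and restore point timestamps mentioned above to spot a clock that was moved after the applet was opened.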


DoD Cyber Crime Center

Great news and great opportunity to practice, research and learn

This week the Department of Defense Cyber Crime Center (DC3) announced the Digital Forensics Challenge 2011.

From DC3 website: The objectives of the Annual Digital Forensics Challenge are to establish relationships; resolve technological issues; and develop new tools, techniques, and methodologies for the digital forensic community.

It is good to know that there are bonus points for early submission.

More information: DC3 Challenge 2011

FTK Imager 3.0 (new version)

On November 14, 2010, in Computer forensics posts, by Michal Kedziora

On October 8, 2010 a new version of FTK Imager by AccessData was published. FTK Imager has always been good and useful free forensic software. Its main application was live forensics (live RAM and hard drive acquisition). A second application was as a free tool to mount E01 images to perform simple triage without using more advanced (and high-priced) tools such as EnCase, FTK or X-Ways.


Since now FTK Imager can be used in a new, useful way during forensic investigations. It can mount a forensic image (AFF/DD/RAW/001/E01/S01) as a physical device or logically as a drive letter. Once mounted, we can freely use third-party applications like antivirus software (all standard computer forensic investigations should include a virus/trojan search on acquired data), or carving and data recovery tools (I strongly recommend R-Studio; it is the best and has many times helped me to recover files that no other data recovery program could).

FTK Imager can also be used as a snapshot/RAM acquisition utility. In version 3.0, RAM acquisition is really easy: you only have to click the Capture Memory icon. Unfortunately only an install version is available, but after installing it on any computer you can copy the program folder to a pen drive, and then you have a tool for live forensics. You can download FTK Imager 3.0 from AccessData.

Encoded Time Stamps Search

On October 24, 2010, in Computer forensics posts, tutorial, by Michal Kedziora

Another computer forensic case and another success… so why am I writing about it? Well, during the analysis process I used a kind of new evidence searching technique (it’s a bit much to say new, but I hadn’t heard about it earlier and I think in some situations it can be useful).


The task was to find any trace of a known file on an NTFS system.

The standard solution is to do a hash comparison analysis, then keyword search, MFT, recycle bin and timeline analysis; all of this gave no success in this case.

I decided to search unallocated space for encoded date and time values…. Bingo! Several hits were found, and some of them were identified as part of the evidence I was looking for…. Now, how it worked:
Operating systems save timestamps in different formats. The Unix time format is the number of seconds since 00:00 1 Jan 1970.

Example date and time: 2010-10-05 10:04:20
Unix: 32 bit hex value (Little Endian) : 24 F8 AA 4C
Unix epoch: 1286273060

In Microsoft Windows there are several time formats. The FILETIME format is the number of 100-nanosecond intervals since 00:00 1 Jan 1601 (UTC/GMT).

Windows 64 bit Hex value (Little Endian): 00 AA 7F AD 76 64 CB 01
Filetime Text: 2910824960:30106740

On FAT file systems we can also find different time formats:
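The encoding step is the part worth automating: turn the date and time being searched for into each on-disk byte pattern and then grep the unallocated space for all of them at once. The script below is an added example, not code from the post. It encodes the post’s example date (2010-10-05 10:04:20) as a little-endian 32-bit Unix time and as a little-endian Windows FILETIME, and goes one step beyond the post by also producing the 16-bit FAT directory-entry time and date words. The Unix bytes reproduce the post’s 24 F8 AA 4C, and the FILETIME low:high dword split reproduces the post’s 2910824960:30106740; those dwords serialize with 74 as the fifth byte, whereas the hex line above shows 76. The “unallocated space” searched is a constructed buffer with the patterns planted at known offsets; the optional window parameter widens the search to neighbouring seconds, which is how a FAT timestamp’s 2-second resolution shows up as a double hit.

```python
import struct
from datetime import datetime, timezone

EPOCH_DELTA = 11644473600          # seconds from 1601-01-01 to 1970-01-01


def unix_le(dt):
    """32-bit Unix time, little-endian, as found in many on-disk structures."""
    return struct.pack("<I", int(dt.timestamp()))


def filetime(dt):
    return (int(dt.timestamp()) + EPOCH_DELTA) * 10_000_000


def filetime_le(dt):
    """64-bit Windows FILETIME (100 ns intervals since 1601), little-endian."""
    return struct.pack("<Q", filetime(dt))


def filetime_dwords(dt):
    """(low, high) dword pair, the 'Filetime Text' split used in the post."""
    value = filetime(dt)
    return value & 0xFFFFFFFF, value >> 32


def fat_le(dt):
    """FAT directory-entry time then date: two 16-bit LE words, 2-second resolution, local time."""
    dos_time = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    dos_date = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    return struct.pack("<HH", dos_time, dos_date)


def hexdump(data):
    return " ".join(f"{b:02X}" for b in data)


def timestamp_patterns(dt, window_seconds=0):
    """Byte patterns to search for: every encoding of dt and of each second within +-window."""
    patterns = {}
    for offset in range(-window_seconds, window_seconds + 1):
        t = datetime.fromtimestamp(dt.timestamp() + offset, tz=timezone.utc)
        stamp = t.strftime("%Y-%m-%d %H:%M:%S")
        patterns[f"unix {stamp}"] = unix_le(t)
        patterns[f"filetime {stamp}"] = filetime_le(t)
        patterns[f"fat {stamp}"] = fat_le(t)
    return patterns


def search(blob, patterns):
    """Return sorted (offset, label) hits of every pattern anywhere in blob (unaligned, overlapping)."""
    hits = []
    for label, pattern in patterns.items():
        start = blob.find(pattern)
        while start >= 0:
            hits.append((start, label))
            start = blob.find(pattern, start + 1)
    return sorted(hits)


TARGET = datetime(2010, 10, 5, 10, 4, 20, tzinfo=timezone.utc)

# Constructed stand-in for a chunk of unallocated space: filler with the three encodings
# planted at 0x40, 0x100 and 0x180, plus a near-miss Unix value one second later at 0x1A4.
SAMPLE_UNALLOCATED = (
    b"\x00" * 0x40 + unix_le(TARGET)
    + b"\xff" * (0x100 - 0x44) + filetime_le(TARGET)
    + b"\x00" * (0x180 - 0x108) + fat_le(TARGET)
    + b"\x00" * 0x20 + unix_le(datetime(2010, 10, 5, 10, 4, 21, tzinfo=timezone.utc))
    + b"\x00" * 0x40
)


def demo(window_seconds=0):
    return search(SAMPLE_UNALLOCATED, timestamp_patterns(TARGET, window_seconds))


if __name__ == "__main__":
    print("unix    ", hexdump(unix_le(TARGET)))
    print("filetime", hexdump(filetime_le(TARGET)), filetime_dwords(TARGET))
    print("fat     ", hexdump(fat_le(TARGET)))
    for offset, label in demo(window_seconds=1):
        print(f"hit at 0x{offset:04X}: {label}")
```

On a real image, read the unallocated clusters (or the whole image) in large chunks and call search() on each, remembering to overlap chunks by at least 8 bytes so a FILETIME straddling a boundary is not missed. A 4-byte Unix pattern will produce some chance hits in random data; the 8-byte FILETIME is far more selective, which is why hits of that kind are the ones worth examining first.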
