SlideShare ist ein Scribd-Unternehmen logo

DEFCON20 Anti-Forensics Techniques and Countermeasures

Michael Smith
Michael Smith

These slides discuss anti-forensic techniques and how to mitigate them. The document outlines 10 techniques such as data saturation, non-standard RAIDs, file signature masking, rendering the National Software Reference Library useless, scrambled MAC times, restricted filenames, circular references using Lotus Notes, hash collisions, dummy hard drives, and questions for discussion. It then provides recommendations for mitigating each technique, such as parallelizing acquisition, ignoring dates, searching instead of filtering, and checking for USB drives.

Technologie
1 von 44
Downloaden Sie, um offline zu lesen
Preliminary Slides These are rough rough drafts of my final slides The most up-to-date version that was used at DEFCON20 will be posted online 1
Anti-Forensics and Anti-Anti-Forensics by Michael Perklin (But not Anti-Anti-Anti-Forensics) ...or Uncle-Forensics... 2
Anti-Forensic Techniques and Countermeasures by Michael Perklin DEFCON 20 - Friday July 27 3
Outline Techniques that can complicate digital-forensic examinations Methodologies to mitigate these techniques Open discussion on digital complications 4
Michael Perklin Digital Forensic Examiner Corporate Investigator Computer Programmer eDiscovery Consultant Basically - A computer geek + legal support hybrid 5
Typical Methodologies: Copy First, Ask Questions Later; or Assess relevance first, copy if necessary; or Remote analysis of live system, copy targeted evidence only 6
The approach of Private Firms Copy everything; leave originals with the client (unless repossession is part of the job) Have to respect the property of custodians 7
The approach of Public Agencies “Gung Ho” Seize everything that may be relevant Copy everything when safely in their lab on their own time Less pressure to return items Typically longer turnaround times 8
Typical Workflow 9 Create Working Copy ! - Image the HDD ! - Copy files remotely for analysis Process Data ! - Hash files ! - Analyze Signatures Separate Wheat ! - De-NIST or De-NSRL ! - Known File Filter (KFF) ! - Keyword Searches Analyze For Relevance ! - Good hits or false positives? ! - Look at photos, read documents, analyze spreadsheets ! - Export files for native analysis ! - Bookmark, Flag, or otherwise list useful things Prepare Report ! - Include thumbnails, snapshots, or snippets ! - Write-up procedures (Copy/Paste from similar case to speed up workload) ! - Attach appendices, lists, etc Archive Data ! - Store images on central NAS ! - Shelve HDDs for future use
#1. Create a Working Copy Confounding the first stage of the process 10
AF Technique #1 Data Saturation Let’s start simple Own a LOT of media Stop throwing out devices Use each device/container for a small piece of your crimes Investigators will need to go through everything 11
Mitigating Data Saturation Parallelize the acquisition process Multiple Acquisition machines (limit is your budget) Write-Blocking Linux Boot Disks can use their hardware to your advantage. (limit is # of suspect devices, which could equal the #targets) 12
AF Technique #2 Non-Standard RAID Common RAIDs share stripe patterns, block sizes, and other parameters This hack is simple: Use uncommon settings! Use uncommon hardware RAID controllers (HP Smart Array P420) Use firmware with poor Linux support. Don’t flash that BIOS! 13 Non-standard RAID controllers sometimes allow you to choose arbitrary blocksizes (not 128 or 256, but how about 287?) This can force an examiner to take a logical copy using seized hardware Less damaging for Public sector, can be very expensive for Private sector
[Diagram/screenshot of improperly- reassembled stripes] Odd or Even? 1, 2, 3, 4? 2, 4, 1, 3? Little Endian or Big Endian? 14
Mitigating Non-Standard RAIDs De-RAID volumes on their own system Use boot discs Their hardware reassembles it for you! If it doesn’t support Linux, use Windows! Windows-Live CD! Image the volume, not the HDDs 15
#2. Process Data for Analysis Confounding the processing stage 16
AF Technique #3 File Signature Masking File Signatures are identified by file headers/footers “Hollow Out” a file and store your crime inside Encode data and paste in middle of a binary file 17 MZ for EXEs PDF for PDFs PK for Zips
JPG File Internals 18
Mitigating File Signature Masking Use “Fuzzy Hashing” to identify potentially interesting files FTK supports this out-of-the-box Analyze all “Recent” lists of common apps for curious entries 19
#3. Separate Wheat from Chaff Confounding the sifting process 20 Talk about NRSL, date filtering, deduplication and other sifting/culling techniques
Background: NSRL National Software Reference Library Huge databases of hash values They strive for complete coverage of all commercially available software Every dll, exe, hlp, pdf, dat file installed by every commercial installer Used by investigators to filter “typical” stuff 21
AF Technique #4 Rendering NSRL Useless Modify all system and program files Modify a string in the file Recalculate and update the embedded CRCs Turn off Data Execution Prevention (DEP) NSRL will no longer match anything 22 National Software Reference Library
Data Execution Prevention Validates system files Stops unsafe code Protects integrity 23
Mitigating Rendering NSRL Useless Search, don’t filter Identify useful files rather than eliminating useless files (i.e. Whitelist approach vs Blacklist) 24
AF Technique #5 Scrambled MAC Times All files store multiple timestamps Modified - the last write Accessed - the last read Created - the file’s birthday Randomize every timestamp (ie Timestomp) Disable time updates in registry Randomize BIOS time regularly 25
Mitigating Scrambled MAC Times Ignore dates on all metadata Look for dates within files themselves Identify sets of similar times Infer mini timelines for each set Use deduction to order sets chronologically 26
[Histogram] 27
#4. Analyze Data Confounding file analysis 28 Sometimes files can’t be analyzed completely inside FTK/Encase/tool Files are commonly exported to a temporary folder for external analysis with other tools Badguy files exist on the analysis machine natively instead of isolated within an image This can cause problems, and not just the obvious problems with viruses...
AF Technique #6 Restricted Filenames Even Windows 7 still has holdovers from DOS days: Restricted filenames CON PRN AUX NUL COM# LPT# Use these filenames liberally 29
Mitigating Restricted Filenames Never export files with native filenames Always specify a different name FTK does this by default (1.jpg) Export by FileID or autogen’d name 30
AF Technique #7 Circular References Folders in folders have typical limit of 255 characters on NTFS “Symbolic Links” or “Junctions” can point to a parent C:ParentChildParentChild.... Store criminal data in multiple nested files/folders 31
Circular References Many tools that recursively scan folders are affected by this attack Some tools don’t bat an eye (FTK4) 32
Mitigating Circular References Do not export folders for analysis Only export files themselves “Flatten” the export of all nested files into one common folder 33
AF Technique #8 Use Lotus Notes NSF files and their .id files always give problems There are many tools to deal with NSFs Every one of them has its own problems 34
Lotus Notes [Diagram comparing notes dll use] Most apps that support .NSF files use the same IBM Lotus Notes dll If anyone knows how to use their API, it’s IBM themselves 35
Mitigating Lotus Notes Train yourself on Lotus Notes itself Do not rely on NSF conversion tools Lotus Notes is the best NSF parser but has its quirks Once you know the quirks you can navigate around them 36
#5. Report Your Findings Confounding the reporting process 37
AF Technique #9 HASH Collisions MD5 and SHA1 hashes are used to identify files in reports Add dummy data to your criminal files so its MD5 hash matches known good files Searches for files by hash will yield unexpected results 38 rundll.dll
Hash Collisions Of course, this would only be useful in a select few cases: i.e. you stole company data and stored on a volume they could seize/search 39
Mitigating HASH Collisions Use a hash function with fewer collisions (SHA1, SHA256, Whirlpool) Doublecheck your findings by opening each matched file to verify the search was REALLY a success boy would your face be red! 40
AF Technique #10 Dummy HDD Have a PC with an HDD that isn’t used USB-boot and ignore the HDD for everyday use Store work on cloud/remote machine Manually connect to address each day Automate dummy writes to local HDD to simulate regular usage 41
Mitigating Dummy HDDs Always check for USB drives They can be SMALL these days... Pagefile on USB drive may point to network locations (if the OS was paging at all...) If possible, monitor network traffic before seizure to detect remote drive location 42
Questions Have you encountered frustration in your examinations? How did you deal with it? I’d love to hear about it in the speaker room! 43
Thanks! Thanks DEFCON for letting me speak Thanks: Forensic Friends (Josh, Joel, Nick) Dad, Brother, Sister Coworkers You! 44

Empfohlen

Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)Andrew Case
 
Anti-Forensic Rootkits
Anti-Forensic RootkitsAnti-Forensic Rootkits
Anti-Forensic Rootkitsamiable_indian
 
Initial Response and Forensic Duplication
Initial Response and Forensic Duplication Initial Response and Forensic Duplication
Initial Response and Forensic Duplication Jyothishmathi Institute of Technology and Science Karimnagar
 
Linux forensics
Linux forensicsLinux forensics
Linux forensicsSantosh Khadsare
 
Forensics of a Windows System
Forensics of a Windows SystemForensics of a Windows System
Forensics of a Windows SystemConferencias FIST
 
CarolinaCon 2008 Rootkits Then and Now
CarolinaCon 2008 Rootkits Then and NowCarolinaCon 2008 Rootkits Then and Now
CarolinaCon 2008 Rootkits Then and NowTyler Shields
 
Pay attention to that man behind the curtain: Current state of Hacking Back
Pay attention to that man behind the curtain: Current state of Hacking BackPay attention to that man behind the curtain: Current state of Hacking Back
Pay attention to that man behind the curtain: Current state of Hacking Backx0rz x0rz
 
Android Mind Reading: Android Live Memory Analysis with LiME and Volatility
Android Mind Reading: Android Live Memory Analysis with LiME and VolatilityAndroid Mind Reading: Android Live Memory Analysis with LiME and Volatility
Android Mind Reading: Android Live Memory Analysis with LiME and VolatilityJoe Sylve
 

Empfohlen

Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)Andrew Case
 
Anti-Forensic Rootkits
Anti-Forensic RootkitsAnti-Forensic Rootkits
Anti-Forensic Rootkitsamiable_indian
 
Initial Response and Forensic Duplication
Initial Response and Forensic Duplication Initial Response and Forensic Duplication
Initial Response and Forensic Duplication Jyothishmathi Institute of Technology and Science Karimnagar
 
Linux forensics
Linux forensicsLinux forensics
Linux forensicsSantosh Khadsare
 
Forensics of a Windows System
Forensics of a Windows SystemForensics of a Windows System
Forensics of a Windows SystemConferencias FIST
 
CarolinaCon 2008 Rootkits Then and Now
CarolinaCon 2008 Rootkits Then and NowCarolinaCon 2008 Rootkits Then and Now
CarolinaCon 2008 Rootkits Then and NowTyler Shields
 
Pay attention to that man behind the curtain: Current state of Hacking Back
Pay attention to that man behind the curtain: Current state of Hacking BackPay attention to that man behind the curtain: Current state of Hacking Back
Pay attention to that man behind the curtain: Current state of Hacking Backx0rz x0rz
 
Android Mind Reading: Android Live Memory Analysis with LiME and Volatility
Android Mind Reading: Android Live Memory Analysis with LiME and VolatilityAndroid Mind Reading: Android Live Memory Analysis with LiME and Volatility
Android Mind Reading: Android Live Memory Analysis with LiME and VolatilityJoe Sylve
 
Reverse engineering-microsoft-exfat-file-system 33274
Reverse engineering-microsoft-exfat-file-system 33274Reverse engineering-microsoft-exfat-file-system 33274
Reverse engineering-microsoft-exfat-file-system 33274Erol Dizdar
 
Debian Linux as a Forensic Workstation
Debian Linux as a Forensic Workstation Debian Linux as a Forensic Workstation
Debian Linux as a Forensic Workstation Vipin George
 
Windows 8 Forensics & Anti Forensics
Windows 8 Forensics & Anti ForensicsWindows 8 Forensics & Anti Forensics
Windows 8 Forensics & Anti ForensicsMike Spaulding
 
Oleksyk applied-anti-forensics
Oleksyk applied-anti-forensicsOleksyk applied-anti-forensics
Oleksyk applied-anti-forensicsDefconRussia
 
Forensic imaging tools
Forensic imaging tools Forensic imaging tools
Forensic imaging tools Dr. Richard Adams
 
LO-PHI: Low-Observable Physical Host Instrumentation for Malware Analysis
LO-PHI: Low-Observable Physical Host Instrumentation for Malware AnalysisLO-PHI: Low-Observable Physical Host Instrumentation for Malware Analysis
LO-PHI: Low-Observable Physical Host Instrumentation for Malware AnalysisPietro De Nicolao
 
Data hiding and finding on Linux
Data hiding and finding on LinuxData hiding and finding on Linux
Data hiding and finding on LinuxAnton Chuvakin
 
Workshop 2 revised
Workshop 2 revisedWorkshop 2 revised
Workshop 2 revisedpeterchanws
 
computer forensic tools-Hardware & Software tools
computer forensic tools-Hardware & Software toolscomputer forensic tools-Hardware & Software tools
computer forensic tools-Hardware & Software toolsN.Jagadish Kumar
 
44CON London 2015: Old Dog, New Tricks: Forensics with PowerShell
44CON London 2015: Old Dog, New Tricks: Forensics with PowerShell44CON London 2015: Old Dog, New Tricks: Forensics with PowerShell
44CON London 2015: Old Dog, New Tricks: Forensics with PowerShellJared Atkinson
 
2010 2013 sandro suffert memory forensics introdutory work shop - public
2010 2013 sandro suffert memory forensics introdutory work shop - public2010 2013 sandro suffert memory forensics introdutory work shop - public
2010 2013 sandro suffert memory forensics introdutory work shop - publicSandro Suffert
 
Seguridad en laptops
Seguridad en laptopsSeguridad en laptops
Seguridad en laptopsDionisio Nieto
 
Ntino Cloud BioLinux Barcelona Spain 2012
Ntino Cloud BioLinux Barcelona Spain 2012Ntino Cloud BioLinux Barcelona Spain 2012
Ntino Cloud BioLinux Barcelona Spain 2012Ntino Krampis
 
SANS Windows Artifact Analysis 2012
SANS Windows Artifact Analysis 2012SANS Windows Artifact Analysis 2012
SANS Windows Artifact Analysis 2012Rian Yulian
 
SANS Forensics 2009 - Memory Forensics and Registry Analysis
SANS Forensics 2009 - Memory Forensics and Registry AnalysisSANS Forensics 2009 - Memory Forensics and Registry Analysis
SANS Forensics 2009 - Memory Forensics and Registry Analysismooyix
 
Anti-Forensics: Real world identification, analysis and prevention
Anti-Forensics: Real world identification, analysis and preventionAnti-Forensics: Real world identification, analysis and prevention
Anti-Forensics: Real world identification, analysis and preventionSeccuris Inc.
 
Digital Forensics
Digital ForensicsDigital Forensics
Digital ForensicsNicholas Davis
 
Computer forensics
Computer forensicsComputer forensics
Computer forensicsSarwar Hossain Rafsan
 
Computer forensics
Computer forensicsComputer forensics
Computer forensicsLalit Garg
 
Digital forensics
Digital forensicsDigital forensics
Digital forensicsRoberto Ellis
 
Computer +forensics
Computer +forensicsComputer +forensics
Computer +forensicsRahul Baghla
 
Computer forensics powerpoint presentation
Computer forensics powerpoint presentationComputer forensics powerpoint presentation
Computer forensics powerpoint presentationSomya Johri
 

Weitere ähnliche Inhalte

Was ist angesagt?

Reverse engineering-microsoft-exfat-file-system 33274
Reverse engineering-microsoft-exfat-file-system 33274Reverse engineering-microsoft-exfat-file-system 33274
Reverse engineering-microsoft-exfat-file-system 33274Erol Dizdar
 
Debian Linux as a Forensic Workstation
Debian Linux as a Forensic Workstation Debian Linux as a Forensic Workstation
Debian Linux as a Forensic Workstation Vipin George
 
Windows 8 Forensics & Anti Forensics
Windows 8 Forensics & Anti ForensicsWindows 8 Forensics & Anti Forensics
Windows 8 Forensics & Anti ForensicsMike Spaulding
 
Oleksyk applied-anti-forensics
Oleksyk applied-anti-forensicsOleksyk applied-anti-forensics
Oleksyk applied-anti-forensicsDefconRussia
 
LO-PHI: Low-Observable Physical Host Instrumentation for Malware Analysis
LO-PHI: Low-Observable Physical Host Instrumentation for Malware AnalysisLO-PHI: Low-Observable Physical Host Instrumentation for Malware Analysis
LO-PHI: Low-Observable Physical Host Instrumentation for Malware AnalysisPietro De Nicolao
 
Data hiding and finding on Linux
Data hiding and finding on LinuxData hiding and finding on Linux
Data hiding and finding on LinuxAnton Chuvakin
 
Workshop 2 revised
Workshop 2 revisedWorkshop 2 revised
Workshop 2 revisedpeterchanws
 
computer forensic tools-Hardware & Software tools
computer forensic tools-Hardware & Software toolscomputer forensic tools-Hardware & Software tools
computer forensic tools-Hardware & Software toolsN.Jagadish Kumar
 
44CON London 2015: Old Dog, New Tricks: Forensics with PowerShell
44CON London 2015: Old Dog, New Tricks: Forensics with PowerShell44CON London 2015: Old Dog, New Tricks: Forensics with PowerShell
44CON London 2015: Old Dog, New Tricks: Forensics with PowerShellJared Atkinson
 
2010 2013 sandro suffert memory forensics introdutory work shop - public
2010 2013 sandro suffert memory forensics introdutory work shop - public2010 2013 sandro suffert memory forensics introdutory work shop - public
2010 2013 sandro suffert memory forensics introdutory work shop - publicSandro Suffert
 
Ntino Cloud BioLinux Barcelona Spain 2012
Ntino Cloud BioLinux Barcelona Spain 2012Ntino Cloud BioLinux Barcelona Spain 2012
Ntino Cloud BioLinux Barcelona Spain 2012Ntino Krampis
 
SANS Windows Artifact Analysis 2012
SANS Windows Artifact Analysis 2012SANS Windows Artifact Analysis 2012
SANS Windows Artifact Analysis 2012Rian Yulian
 
SANS Forensics 2009 - Memory Forensics and Registry Analysis
SANS Forensics 2009 - Memory Forensics and Registry AnalysisSANS Forensics 2009 - Memory Forensics and Registry Analysis
SANS Forensics 2009 - Memory Forensics and Registry Analysismooyix
 

Was ist angesagt? (15)

Reverse engineering-microsoft-exfat-file-system 33274
Reverse engineering-microsoft-exfat-file-system 33274Reverse engineering-microsoft-exfat-file-system 33274
Reverse engineering-microsoft-exfat-file-system 33274
 
Debian Linux as a Forensic Workstation
Debian Linux as a Forensic Workstation Debian Linux as a Forensic Workstation
Debian Linux as a Forensic Workstation
 
Windows 8 Forensics & Anti Forensics
Windows 8 Forensics & Anti ForensicsWindows 8 Forensics & Anti Forensics
Windows 8 Forensics & Anti Forensics
 
Oleksyk applied-anti-forensics
Oleksyk applied-anti-forensicsOleksyk applied-anti-forensics
Oleksyk applied-anti-forensics
 
Forensic imaging tools
Forensic imaging tools Forensic imaging tools
Forensic imaging tools
 
LO-PHI: Low-Observable Physical Host Instrumentation for Malware Analysis
LO-PHI: Low-Observable Physical Host Instrumentation for Malware AnalysisLO-PHI: Low-Observable Physical Host Instrumentation for Malware Analysis
LO-PHI: Low-Observable Physical Host Instrumentation for Malware Analysis
 
Data hiding and finding on Linux
Data hiding and finding on LinuxData hiding and finding on Linux
Data hiding and finding on Linux
 
Workshop 2 revised
Workshop 2 revisedWorkshop 2 revised
Workshop 2 revised
 
computer forensic tools-Hardware & Software tools
computer forensic tools-Hardware & Software toolscomputer forensic tools-Hardware & Software tools
computer forensic tools-Hardware & Software tools
 
44CON London 2015: Old Dog, New Tricks: Forensics with PowerShell
44CON London 2015: Old Dog, New Tricks: Forensics with PowerShell44CON London 2015: Old Dog, New Tricks: Forensics with PowerShell
44CON London 2015: Old Dog, New Tricks: Forensics with PowerShell
 
2010 2013 sandro suffert memory forensics introdutory work shop - public
2010 2013 sandro suffert memory forensics introdutory work shop - public2010 2013 sandro suffert memory forensics introdutory work shop - public
2010 2013 sandro suffert memory forensics introdutory work shop - public
 
Seguridad en laptops
Seguridad en laptopsSeguridad en laptops
Seguridad en laptops
 
Ntino Cloud BioLinux Barcelona Spain 2012
Ntino Cloud BioLinux Barcelona Spain 2012Ntino Cloud BioLinux Barcelona Spain 2012
Ntino Cloud BioLinux Barcelona Spain 2012
 
SANS Windows Artifact Analysis 2012
SANS Windows Artifact Analysis 2012SANS Windows Artifact Analysis 2012
SANS Windows Artifact Analysis 2012
 
SANS Forensics 2009 - Memory Forensics and Registry Analysis
SANS Forensics 2009 - Memory Forensics and Registry AnalysisSANS Forensics 2009 - Memory Forensics and Registry Analysis
SANS Forensics 2009 - Memory Forensics and Registry Analysis
 

Andere mochten auch

Anti-Forensics: Real world identification, analysis and prevention
Anti-Forensics: Real world identification, analysis and preventionAnti-Forensics: Real world identification, analysis and prevention
Anti-Forensics: Real world identification, analysis and preventionSeccuris Inc.
 
Computer forensics
Computer forensicsComputer forensics
Computer forensicsLalit Garg
 
Computer +forensics
Computer +forensicsComputer +forensics
Computer +forensicsRahul Baghla
 
Computer forensics powerpoint presentation
Computer forensics powerpoint presentationComputer forensics powerpoint presentation
Computer forensics powerpoint presentationSomya Johri
 

Andere mochten auch (8)

Anti-Forensics: Real world identification, analysis and prevention
Anti-Forensics: Real world identification, analysis and preventionAnti-Forensics: Real world identification, analysis and prevention
Anti-Forensics: Real world identification, analysis and prevention
 
Digital Forensics
Digital ForensicsDigital Forensics
Digital Forensics
 
Computer forensics
Computer forensicsComputer forensics
Computer forensics
 
Computer forensics
Computer forensicsComputer forensics
Computer forensics
 
Digital forensics
Digital forensicsDigital forensics
Digital forensics
 
Computer +forensics
Computer +forensicsComputer +forensics
Computer +forensics
 
Computer forensics powerpoint presentation
Computer forensics powerpoint presentationComputer forensics powerpoint presentation
Computer forensics powerpoint presentation
 
Computer forensics ppt
Computer forensics pptComputer forensics ppt
Computer forensics ppt
 

Ähnlich wie DEFCON20 Anti-Forensics Techniques and Countermeasures

Accessing Forensic Images
Accessing Forensic ImagesAccessing Forensic Images
Accessing Forensic ImagesCTIN
 
VistA GT.M & Linux Security 062506
VistA GT.M & Linux Security 062506VistA GT.M & Linux Security 062506
VistA GT.M & Linux Security 062506ckuyehar
 
Security Walls in Linux Environment: Practice, Experience, and Results
Security Walls in Linux Environment: Practice, Experience, and ResultsSecurity Walls in Linux Environment: Practice, Experience, and Results
Security Walls in Linux Environment: Practice, Experience, and ResultsIgor Beliaiev
 
Group project linux helix
Group project linux helixGroup project linux helix
Group project linux helixJeff Carroll
 
EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22MichaelM85042
 
Msra 2011 windows7 forensics-troyla
Msra 2011 windows7 forensics-troylaMsra 2011 windows7 forensics-troyla
Msra 2011 windows7 forensics-troylaCTIN
 
Role of a Forensic Investigator
Role of a Forensic InvestigatorRole of a Forensic Investigator
Role of a Forensic InvestigatorAgape Inc
 
02 Types of Computer Forensics Technology - Notes
02 Types of Computer Forensics Technology - Notes02 Types of Computer Forensics Technology - Notes
02 Types of Computer Forensics Technology - NotesKranthi
 
Chapter 8 Common Forensic ToolsOverviewIn this chapter, youl.docx
Chapter 8 Common Forensic ToolsOverviewIn this chapter, youl.docxChapter 8 Common Forensic ToolsOverviewIn this chapter, youl.docx
Chapter 8 Common Forensic ToolsOverviewIn this chapter, youl.docxchristinemaritza
 
Disk forensics for the lazy and the smart
Disk forensics for the lazy and the smartDisk forensics for the lazy and the smart
Disk forensics for the lazy and the smartJeff Beley
 
17 Linux Basics #burningkeyboards
17 Linux Basics #burningkeyboards17 Linux Basics #burningkeyboards
17 Linux Basics #burningkeyboardsDenis Ristic
 
Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?Chris Sistrunk
 
Implementing Active Security with Sysdig Falco - Barcelona Software Crafters
Implementing Active Security with Sysdig Falco - Barcelona Software CraftersImplementing Active Security with Sysdig Falco - Barcelona Software Crafters
Implementing Active Security with Sysdig Falco - Barcelona Software CraftersNéstor Salceda
 
Key-value databases in practice Redis @ DotNetToscana
Key-value databases in practice Redis @ DotNetToscanaKey-value databases in practice Redis @ DotNetToscana
Key-value databases in practice Redis @ DotNetToscanaMatteo Baglini
 
Fast and Scalable Python
Fast and Scalable PythonFast and Scalable Python
Fast and Scalable PythonTravis Oliphant
 
Bsides Tampa Blue Team’s tool dump.
Bsides Tampa Blue Team’s tool dump.Bsides Tampa Blue Team’s tool dump.
Bsides Tampa Blue Team’s tool dump.Alexander Kot
 
Eliminating Silent Data Corruption with Oracle Linux
Eliminating Silent Data Corruption with Oracle Linux Eliminating Silent Data Corruption with Oracle Linux
Eliminating Silent Data Corruption with Oracle Linux Terry Wang
 

Ähnlich wie DEFCON20 Anti-Forensics Techniques and Countermeasures (20)

Accessing Forensic Images
Accessing Forensic ImagesAccessing Forensic Images
Accessing Forensic Images
 
VistA GT.M & Linux Security 062506
VistA GT.M & Linux Security 062506VistA GT.M & Linux Security 062506
VistA GT.M & Linux Security 062506
 
Security Walls in Linux Environment: Practice, Experience, and Results
Security Walls in Linux Environment: Practice, Experience, and ResultsSecurity Walls in Linux Environment: Practice, Experience, and Results
Security Walls in Linux Environment: Practice, Experience, and Results
 
Group project linux helix
Group project linux helixGroup project linux helix
Group project linux helix
 
You suck at Memory Analysis
You suck at Memory AnalysisYou suck at Memory Analysis
You suck at Memory Analysis
 
Deft
DeftDeft
Deft
 
EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22
 
Msra 2011 windows7 forensics-troyla
Msra 2011 windows7 forensics-troylaMsra 2011 windows7 forensics-troyla
Msra 2011 windows7 forensics-troyla
 
Role of a Forensic Investigator
Role of a Forensic InvestigatorRole of a Forensic Investigator
Role of a Forensic Investigator
 
02 Types of Computer Forensics Technology - Notes
02 Types of Computer Forensics Technology - Notes02 Types of Computer Forensics Technology - Notes
02 Types of Computer Forensics Technology - Notes
 
Chapter 8 Common Forensic ToolsOverviewIn this chapter, youl.docx
Chapter 8 Common Forensic ToolsOverviewIn this chapter, youl.docxChapter 8 Common Forensic ToolsOverviewIn this chapter, youl.docx
Chapter 8 Common Forensic ToolsOverviewIn this chapter, youl.docx
 
Walking around linux kernel
Walking around linux kernelWalking around linux kernel
Walking around linux kernel
 
Disk forensics for the lazy and the smart
Disk forensics for the lazy and the smartDisk forensics for the lazy and the smart
Disk forensics for the lazy and the smart
 
17 Linux Basics #burningkeyboards
17 Linux Basics #burningkeyboards17 Linux Basics #burningkeyboards
17 Linux Basics #burningkeyboards
 
Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?
 
Implementing Active Security with Sysdig Falco - Barcelona Software Crafters
Implementing Active Security with Sysdig Falco - Barcelona Software CraftersImplementing Active Security with Sysdig Falco - Barcelona Software Crafters
Implementing Active Security with Sysdig Falco - Barcelona Software Crafters
 
Key-value databases in practice Redis @ DotNetToscana
Key-value databases in practice Redis @ DotNetToscanaKey-value databases in practice Redis @ DotNetToscana
Key-value databases in practice Redis @ DotNetToscana
 
Fast and Scalable Python
Fast and Scalable PythonFast and Scalable Python
Fast and Scalable Python
 
Bsides Tampa Blue Team’s tool dump.
Bsides Tampa Blue Team’s tool dump.Bsides Tampa Blue Team’s tool dump.
Bsides Tampa Blue Team’s tool dump.
 
Eliminating Silent Data Corruption with Oracle Linux
Eliminating Silent Data Corruption with Oracle Linux Eliminating Silent Data Corruption with Oracle Linux
Eliminating Silent Data Corruption with Oracle Linux
 

Mehr von Michael Smith

DHS - Recommendations for Securing Zigbee Networks in Process Control Systems
DHS - Recommendations for Securing Zigbee Networks in Process Control SystemsDHS - Recommendations for Securing Zigbee Networks in Process Control Systems
DHS - Recommendations for Securing Zigbee Networks in Process Control SystemsMichael Smith
 
BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (white paper)
BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (white paper)BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (white paper)
BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (white paper)Michael Smith
 
BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (slides)
BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (slides)BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (slides)
BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (slides)Michael Smith
 
BlackHat 2010 - Electricity for Free - The Dirty Underbelly of SCADA and Smar...
BlackHat 2010 - Electricity for Free - The Dirty Underbelly of SCADA and Smar...BlackHat 2010 - Electricity for Free - The Dirty Underbelly of SCADA and Smar...
BlackHat 2010 - Electricity for Free - The Dirty Underbelly of SCADA and Smar...Michael Smith
 
BlackHat 2009 - Hacking Zigbee Chips (slides)
BlackHat 2009 - Hacking Zigbee Chips (slides)BlackHat 2009 - Hacking Zigbee Chips (slides)
BlackHat 2009 - Hacking Zigbee Chips (slides)Michael Smith
 
DefCon 2012 - Sub-1 GHz Radio Frequency Security
DefCon 2012 - Sub-1 GHz Radio Frequency SecurityDefCon 2012 - Sub-1 GHz Radio Frequency Security
DefCon 2012 - Sub-1 GHz Radio Frequency SecurityMichael Smith
 
DefCon 2012 - Near-Field Communication / RFID Hacking - Miller
DefCon 2012 - Near-Field Communication / RFID Hacking - MillerDefCon 2012 - Near-Field Communication / RFID Hacking - Miller
DefCon 2012 - Near-Field Communication / RFID Hacking - MillerMichael Smith
 
DefCon 2012 - Near-Field Communication / RFID Hacking - Lee
DefCon 2012 - Near-Field Communication / RFID Hacking - LeeDefCon 2012 - Near-Field Communication / RFID Hacking - Lee
DefCon 2012 - Near-Field Communication / RFID Hacking - LeeMichael Smith
 
DefCon 2012 - Hardware Backdooring (White Paper)
DefCon 2012 - Hardware Backdooring (White Paper)DefCon 2012 - Hardware Backdooring (White Paper)
DefCon 2012 - Hardware Backdooring (White Paper)Michael Smith
 
DefCon 2012 - Hardware Backdooring (Slides)
DefCon 2012 - Hardware Backdooring (Slides)DefCon 2012 - Hardware Backdooring (Slides)
DefCon 2012 - Hardware Backdooring (Slides)Michael Smith
 
DefCon 2012 - Firmware Vulnerability Hunting with FRAK
DefCon 2012 - Firmware Vulnerability Hunting with FRAKDefCon 2012 - Firmware Vulnerability Hunting with FRAK
DefCon 2012 - Firmware Vulnerability Hunting with FRAKMichael Smith
 
DefCon 2011 - Vulnerabilities in Wireless Water Meters
DefCon 2011 - Vulnerabilities in Wireless Water MetersDefCon 2011 - Vulnerabilities in Wireless Water Meters
DefCon 2011 - Vulnerabilities in Wireless Water MetersMichael Smith
 
Defcon 2011 - Penetration Testing Over Powerlines
Defcon 2011 - Penetration Testing Over PowerlinesDefcon 2011 - Penetration Testing Over Powerlines
Defcon 2011 - Penetration Testing Over PowerlinesMichael Smith
 
DefCon 2012 - Subterfuge - Automated MITM Attacks
DefCon 2012 - Subterfuge - Automated MITM AttacksDefCon 2012 - Subterfuge - Automated MITM Attacks
DefCon 2012 - Subterfuge - Automated MITM AttacksMichael Smith
 
DefCon 2012 - Bluetooth Monitoring With SCAPY
DefCon 2012 - Bluetooth Monitoring With SCAPYDefCon 2012 - Bluetooth Monitoring With SCAPY
DefCon 2012 - Bluetooth Monitoring With SCAPYMichael Smith
 
DefCon 2012 - Owned In 60 Seconds - Windows Hacking
DefCon 2012 - Owned In 60 Seconds - Windows HackingDefCon 2012 - Owned In 60 Seconds - Windows Hacking
DefCon 2012 - Owned In 60 Seconds - Windows HackingMichael Smith
 
DefCon 2012 - Rooting SOHO Routers
DefCon 2012 - Rooting SOHO RoutersDefCon 2012 - Rooting SOHO Routers
DefCon 2012 - Rooting SOHO RoutersMichael Smith
 
DefCon 2012 - Finding Firmware Vulnerabilities
DefCon 2012 - Finding Firmware VulnerabilitiesDefCon 2012 - Finding Firmware Vulnerabilities
DefCon 2012 - Finding Firmware VulnerabilitiesMichael Smith
 
DefCon 2012 - Gaining Access to User Android Data
DefCon 2012 - Gaining Access to User Android DataDefCon 2012 - Gaining Access to User Android Data
DefCon 2012 - Gaining Access to User Android DataMichael Smith
 
DefCon 2012 - Power Smart Meter Hacking
DefCon 2012 - Power Smart Meter HackingDefCon 2012 - Power Smart Meter Hacking
DefCon 2012 - Power Smart Meter HackingMichael Smith
 

Mehr von Michael Smith (20)

DHS - Recommendations for Securing Zigbee Networks in Process Control Systems
DHS - Recommendations for Securing Zigbee Networks in Process Control SystemsDHS - Recommendations for Securing Zigbee Networks in Process Control Systems
DHS - Recommendations for Securing Zigbee Networks in Process Control Systems
 
BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (white paper)
BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (white paper)BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (white paper)
BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (white paper)
 
BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (slides)
BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (slides)BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (slides)
BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (slides)
 
BlackHat 2010 - Electricity for Free - The Dirty Underbelly of SCADA and Smar...
BlackHat 2010 - Electricity for Free - The Dirty Underbelly of SCADA and Smar...BlackHat 2010 - Electricity for Free - The Dirty Underbelly of SCADA and Smar...
BlackHat 2010 - Electricity for Free - The Dirty Underbelly of SCADA and Smar...
 
BlackHat 2009 - Hacking Zigbee Chips (slides)
BlackHat 2009 - Hacking Zigbee Chips (slides)BlackHat 2009 - Hacking Zigbee Chips (slides)
BlackHat 2009 - Hacking Zigbee Chips (slides)
 
DefCon 2012 - Sub-1 GHz Radio Frequency Security
DefCon 2012 - Sub-1 GHz Radio Frequency SecurityDefCon 2012 - Sub-1 GHz Radio Frequency Security
DefCon 2012 - Sub-1 GHz Radio Frequency Security
 
DefCon 2012 - Near-Field Communication / RFID Hacking - Miller
DefCon 2012 - Near-Field Communication / RFID Hacking - MillerDefCon 2012 - Near-Field Communication / RFID Hacking - Miller
DefCon 2012 - Near-Field Communication / RFID Hacking - Miller
 
DefCon 2012 - Near-Field Communication / RFID Hacking - Lee
DefCon 2012 - Near-Field Communication / RFID Hacking - LeeDefCon 2012 - Near-Field Communication / RFID Hacking - Lee
DefCon 2012 - Near-Field Communication / RFID Hacking - Lee
 
DefCon 2012 - Hardware Backdooring (White Paper)
DefCon 2012 - Hardware Backdooring (White Paper)DefCon 2012 - Hardware Backdooring (White Paper)
DefCon 2012 - Hardware Backdooring (White Paper)
 
DefCon 2012 - Hardware Backdooring (Slides)
DefCon 2012 - Hardware Backdooring (Slides)DefCon 2012 - Hardware Backdooring (Slides)
DefCon 2012 - Hardware Backdooring (Slides)
 
DefCon 2012 - Firmware Vulnerability Hunting with FRAK
DefCon 2012 - Firmware Vulnerability Hunting with FRAKDefCon 2012 - Firmware Vulnerability Hunting with FRAK
DefCon 2012 - Firmware Vulnerability Hunting with FRAK
 
DefCon 2011 - Vulnerabilities in Wireless Water Meters
DefCon 2011 - Vulnerabilities in Wireless Water MetersDefCon 2011 - Vulnerabilities in Wireless Water Meters
DefCon 2011 - Vulnerabilities in Wireless Water Meters
 
Defcon 2011 - Penetration Testing Over Powerlines
Defcon 2011 - Penetration Testing Over PowerlinesDefcon 2011 - Penetration Testing Over Powerlines
Defcon 2011 - Penetration Testing Over Powerlines
 
DefCon 2012 - Subterfuge - Automated MITM Attacks
DefCon 2012 - Subterfuge - Automated MITM AttacksDefCon 2012 - Subterfuge - Automated MITM Attacks
DefCon 2012 - Subterfuge - Automated MITM Attacks
 
DefCon 2012 - Bluetooth Monitoring With SCAPY
DefCon 2012 - Bluetooth Monitoring With SCAPYDefCon 2012 - Bluetooth Monitoring With SCAPY
DefCon 2012 - Bluetooth Monitoring With SCAPY
 
DefCon 2012 - Owned In 60 Seconds - Windows Hacking
DefCon 2012 - Owned In 60 Seconds - Windows HackingDefCon 2012 - Owned In 60 Seconds - Windows Hacking
DefCon 2012 - Owned In 60 Seconds - Windows Hacking
 
DefCon 2012 - Rooting SOHO Routers
DefCon 2012 - Rooting SOHO RoutersDefCon 2012 - Rooting SOHO Routers
DefCon 2012 - Rooting SOHO Routers
 
DefCon 2012 - Finding Firmware Vulnerabilities
DefCon 2012 - Finding Firmware VulnerabilitiesDefCon 2012 - Finding Firmware Vulnerabilities
DefCon 2012 - Finding Firmware Vulnerabilities
 
DefCon 2012 - Gaining Access to User Android Data
DefCon 2012 - Gaining Access to User Android DataDefCon 2012 - Gaining Access to User Android Data
DefCon 2012 - Gaining Access to User Android Data
 
DefCon 2012 - Power Smart Meter Hacking
DefCon 2012 - Power Smart Meter HackingDefCon 2012 - Power Smart Meter Hacking
DefCon 2012 - Power Smart Meter Hacking
 

Kürzlich hochgeladen

How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 

Kürzlich hochgeladen (20)

How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 

DEFCON20 Anti-Forensics Techniques and Countermeasures

  • 1. Preliminary Slides These are rough rough drafts of my final slides The most up-to-date version that was used at DEFCON20 will be posted online 1
  • 2. Anti-Forensics and Anti-Anti-Forensics by Michael Perklin (But not Anti-Anti-Anti-Forensics) ...or Uncle-Forensics... 2
  • 3. Anti-Forensic Techniques and Countermeasures by Michael Perklin DEFCON 20 - Friday July 27 3
  • 4. Outline Techniques that can complicate digital-forensic examinations Methodologies to mitigate these techniques Open discussion on digital complications 4
  • 5. Michael Perklin Digital Forensic Examiner Corporate Investigator Computer Programmer eDiscovery Consultant Basically - A computer geek + legal support hybrid 5
  • 6. Typical Methodologies: Copy First, Ask Questions Later; or Assess relevance first, copy if necessary; or Remote analysis of live system, copy targeted evidence only 6
  • 7. The approach of Private Firms Copy everything; leave originals with the client (unless repossession is part of the job) Have to respect the property of custodians 7
  • 8. The approach of Public Agencies “Gung Ho” Seize everything that may be relevant Copy everything when safely in their lab on their own time Less pressure to return items Typically longer turnaround times 8
  • 9. Typical Workflow 9 Create Working Copy ! - Image the HDD ! - Copy files remotely for analysis Process Data ! - Hash files ! - Analyze Signatures Separate Wheat ! - De-NIST or De-NSRL ! - Known File Filter (KFF) ! - Keyword Searches Analyze For Relevance ! - Good hits or false positives? ! - Look at photos, read documents, analyze spreadsheets ! - Export files for native analysis ! - Bookmark, Flag, or otherwise list useful things Prepare Report ! - Include thumbnails, snapshots, or snippets ! - Write-up procedures (Copy/Paste from similar case to speed up workload) ! - Attach appendices, lists, etc Archive Data ! - Store images on central NAS ! - Shelve HDDs for future use
  • 10. #1. Create a Working Copy Confounding the first stage of the process 10
  • 11. AF Technique #1 Data Saturation Let’s start simple Own a LOT of media Stop throwing out devices Use each device/container for a small piece of your crimes Investigators will need to go through everything 11
  • 12. Mitigating Data Saturation Parallelize the acquisition process Multiple Acquisition machines (limit is your budget) Write-Blocking Linux Boot Disks can use their hardware to your advantage. (limit is # of suspect devices, which could equal the #targets) 12
  • 13. AF Technique #2 Non-Standard RAID Common RAIDs share stripe patterns, block sizes, and other parameters This hack is simple: Use uncommon settings! Use uncommon hardware RAID controllers (HP Smart Array P420) Use firmware with poor Linux support. Don’t flash that BIOS! 13 Non-standard RAID controllers sometimes allow you to choose arbitrary blocksizes (not 128 or 256, but how about 287?) This can force an examiner to take a logical copy using seized hardware Less damaging for Public sector, can be very expensive for Private sector
  • 14. [Diagram/screenshot of improperly- reassembled stripes] Odd or Even? 1, 2, 3, 4? 2, 4, 1, 3? Little Endian or Big Endian? 14
  • 15. Mitigating Non-Standard RAIDs De-RAID volumes on their own system Use boot discs Their hardware reassembles it for you! If it doesn’t support Linux, use Windows! Windows-Live CD! Image the volume, not the HDDs 15
  • 16. #2. Process Data for Analysis Confounding the processing stage 16
  • 17. AF Technique #3 File Signature Masking File Signatures are identified by file headers/footers “Hollow Out” a file and store your crime inside Encode data and paste in middle of a binary file 17 MZ for EXEs PDF for PDFs PK for Zips
  • 19. Mitigating File Signature Masking Use “Fuzzy Hashing” to identify potentially interesting files FTK supports this out-of-the-box Analyze all “Recent” lists of common apps for curious entries 19
  • 20. #3. Separate Wheat from Chaff Confounding the sifting process 20 Talk about NRSL, date filtering, deduplication and other sifting/culling techniques
  • 21. Background: NSRL National Software Reference Library Huge databases of hash values They strive for complete coverage of all commercially available software Every dll, exe, hlp, pdf, dat file installed by every commercial installer Used by investigators to filter “typical” stuff 21
  • 22. AF Technique #4 Rendering NSRL Useless Modify all system and program files Modify a string in the file Recalculate and update the embedded CRCs Turn off Data Execution Prevention (DEP) NSRL will no longer match anything 22 National Software Reference Library
  • 23. Data Execution Prevention Validates system files Stops unsafe code Protects integrity 23
  • 24. Mitigating Rendering NSRL Useless Search, don’t filter Identify useful files rather than eliminating useless files (i.e. Whitelist approach vs Blacklist) 24
  • 25. AF Technique #5 Scrambled MAC Times All files store multiple timestamps Modified - the last write Accessed - the last read Created - the file’s birthday Randomize every timestamp (ie Timestomp) Disable time updates in registry Randomize BIOS time regularly 25
  • 26. Mitigating Scrambled MAC Times Ignore dates on all metadata Look for dates within files themselves Identify sets of similar times Infer mini timelines for each set Use deduction to order sets chronologically 26
  • 28. #4. Analyze Data Confounding file analysis 28 Sometimes files can’t be analyzed completely inside FTK/Encase/tool Files are commonly exported to a temporary folder for external analysis with other tools Badguy files exist on the analysis machine natively instead of isolated within an image This can cause problems, and not just the obvious problems with viruses...
  • 29. AF Technique #6 Restricted Filenames Even Windows 7 still has holdovers from DOS days: Restricted filenames CON PRN AUX NUL COM# LPT# Use these filenames liberally 29
  • 30. Mitigating Restricted Filenames Never export files with native filenames Always specify a different name FTK does this by default (1.jpg) Export by FileID or autogen’d name 30
  • 31. AF Technique #7 Circular References Folders in folders have typical limit of 255 characters on NTFS “Symbolic Links” or “Junctions” can point to a parent C:ParentChildParentChild.... Store criminal data in multiple nested files/folders 31
  • 32. Circular References Many tools that recursively scan folders are affected by this attack Some tools don’t bat an eye (FTK4) 32
  • 33. Mitigating Circular References Do not export folders for analysis Only export files themselves “Flatten” the export of all nested files into one common folder 33
  • 34. AF Technique #8 Use Lotus Notes NSF files and their .id files always give problems There are many tools to deal with NSFs Every one of them has its own problems 34
  • 35. Lotus Notes [Diagram comparing notes dll use] Most apps that support .NSF files use the same IBM Lotus Notes dll If anyone knows how to use their API, it’s IBM themselves 35
  • 36. Mitigating Lotus Notes Train yourself on Lotus Notes itself Do not rely on NSF conversion tools Lotus Notes is the best NSF parser but has its quirks Once you know the quirks you can navigate around them 36
  • 37. #5. Report Your Findings Confounding the reporting process 37
  • 38. AF Technique #9 HASH Collisions MD5 and SHA1 hashes are used to identify files in reports Add dummy data to your criminal files so its MD5 hash matches known good files Searches for files by hash will yield unexpected results 38 rundll.dll
  • 39. Hash Collisions Of course, this would only be useful in a select few cases: i.e. you stole company data and stored on a volume they could seize/search 39
  • 40. Mitigating HASH Collisions Use a hash function with fewer collisions (SHA1, SHA256, Whirlpool) Doublecheck your findings by opening each matched file to verify the search was REALLY a success boy would your face be red! 40
  • 41. AF Technique #10 Dummy HDD Have a PC with an HDD that isn’t used USB-boot and ignore the HDD for everyday use Store work on cloud/remote machine Manually connect to address each day Automate dummy writes to local HDD to simulate regular usage 41
  • 42. Mitigating Dummy HDDs Always check for USB drives They can be SMALL these days... Pagefile on USB drive may point to network locations (if the OS was paging at all...) If possible, monitor network traffic before seizure to detect remote drive location 42
  • 43. Questions Have you encountered frustration in your examinations? How did you deal with it? I’d love to hear about it in the speaker room! 43
  • 44. Thanks! Thanks DEFCON for letting me speak Thanks: Forensic Friends (Josh, Joel, Nick) Dad, Brother, Sister Coworkers You! 44