
Art of Anti-Forensics


Table of Contents

  • Introduction
    1. Trail Obfuscation Techniques
    2. Data Destruction Techniques
    3. Encryption Techniques
    4. Steganography Techniques

Introduction

Anti-forensics techniques are methods used by attackers to obscure digital traces and hinder investigation efforts. This post covers trail obfuscation, data destruction, encryption, and steganography, with detection and prevention strategies for each.


1. Trail Obfuscation Techniques

What Is Trail Obfuscation?

Trail obfuscation involves modifying or masking digital traces to confuse forensic analysis. This can include altering file metadata, modifying log files, or changing network footprints. Attackers use these techniques to erase their digital footprints, making it harder for investigators to reconstruct activities.

Common Techniques

1. Timestomping

Description: Timestomping alters the timestamps (modification, access, and creation times) of files to mislead investigators about when files were created or accessed.

How-To: Modify timestamps using touch:

   touch -t 201708150101 file.txt

Or use Metasploit’s timestomp tool:

   timestomp file.txt -m "01/01/2017 12:00:00"

When to Use: Useful when attackers want to make their activities appear as though they occurred at a different time or align with legitimate activities.

Detection and Prevention:

  • Detect: Use auditd to track timestamp changes:
   auditctl -w /path/to/important_file -p wa -k timestomp_alert
  • Prevent: Make important files append-only using chattr:
   chattr +a file.txt
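The auditd rule above only fires while the watch is in place. For files that were stomped before monitoring started, an investigator falls back on what the inode still shows: the added Python example below (not part of the original post) checks three well-known indicators: a whole-second mtime or atime (touch -t and most stomping tools only accept second resolution, while normal writes on ext4, xfs and tmpfs record nanoseconds), an mtime later than ctime (ctime cannot be set from user space and is bumped by every change), and timestamps in the future. The demo creates a constructed temporary file and replays the two kinds of stomp; the one-minute and one-second slack values are assumptions.

```python
import os
import time
import tempfile

NS = 1_000_000_000  # nanoseconds per second


def timestomp_indicators(path, now_ns=None):
    """Return heuristic findings suggesting the timestamps of `path` were set by hand.

    Each heuristic is a hint, not proof:
      - a whole-second mtime or atime: `touch -t` and similar tools only accept
        second resolution, whereas normal writes record nanoseconds;
      - mtime later than ctime: ctime cannot be set from user space and is bumped by
        every change, so an mtime ahead of it was written after the fact;
      - mtime or atime in the future relative to the current clock.
    """
    st = os.stat(path)
    now_ns = time.time_ns() if now_ns is None else now_ns
    findings = []
    for name, value in (("mtime", st.st_mtime_ns), ("atime", st.st_atime_ns)):
        if value % NS == 0:
            findings.append(f"{name} has a zero sub-second part")
        if value > now_ns + 60 * NS:          # one minute of clock slack (assumption)
            findings.append(f"{name} lies in the future")
    if st.st_mtime_ns > st.st_ctime_ns + NS:  # one second of slack for coarse filesystems
        findings.append("mtime is later than ctime")
    return findings


def demo():
    """Create a constructed sample file and inspect it before and after two stomps."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "file.txt")
        with open(path, "w") as f:
            f.write("constructed sample\n")
        fresh = timestomp_indicators(path)

        # Equivalent of `touch -t 201708150101 file.txt`: whole seconds, in the past.
        past = int(time.mktime((2017, 8, 15, 1, 1, 0, 0, 0, -1))) * NS
        os.utime(path, ns=(past, past))
        backdated = timestomp_indicators(path)

        # A timestamp pushed a year ahead: in the future and ahead of ctime.
        future = time.time_ns() + 365 * 86400 * NS
        os.utime(path, ns=(future, future))
        postdated = timestomp_indicators(path)
    return fresh, backdated, postdated


if __name__ == "__main__":
    for label, result in zip(("fresh", "backdated", "postdated"), demo()):
        print(f"{label}: {result or 'no indicators'}")
```

A backdated file is only caught by the sub-second heuristic, so a freshly written file that happens to land on an exact second is a false positive; treat each finding as a reason to pull the filesystem journal or crtime (stat on ext4 via statx) rather than as a verdict.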

2. Shell History Manipulation

Description: Attackers often modify or delete shell history to hide executed commands, preventing investigators from understanding their actions.

How-To:

  • Delete specific commands from history: history -d <command_number>
  • Clear entire shell history: history -c

When to Use: Typically used before closing a session to hide tracks or after executing sensitive commands.

Detection and Prevention:

  • Prevent: Make the history file append-only: chattr +a ~/.bash_history (this stops truncation and rewriting, not a user suppressing history for a session, so corroborate with auditd or process accounting).
  • Detect: Check for sudden gaps in ~/.bash_history, for example login sessions reported by last with no matching commands.
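"Sudden gaps" are easiest to find when bash writes timestamps: with HISTTIMEFORMAT set, each command in ~/.bash_history is preceded by a "#<epoch seconds>" line. The added Python example below (not from the original post) parses such a file and flags commands without a timestamp line, timestamps that run backwards, and login sessions that left no commands at all. The history lines and the session list (as one would read them from last or wtmp) are constructed samples.

```python
import re

# Constructed sample of ~/.bash_history written with HISTTIMEFORMAT set.
SAMPLE_HISTORY = """\
#1700000000
ls -la /var/log
#1700000031
sudo tail /var/log/auth.log
#1700003700
vim /etc/ssh/sshd_config
#1700003640
systemctl restart ssh
cat /etc/passwd
""".splitlines()

# Constructed login sessions (user, login epoch, logout epoch) as obtained from `last`.
SAMPLE_SESSIONS = [
    ("alice", 1699999900, 1700004000),
    ("alice", 1700090000, 1700093600),   # a session during which nothing was recorded
]

TS_LINE = re.compile(r"^#(\d{9,10})$")


def parse_history(lines):
    """Yield (epoch or None, command) pairs from a bash history file."""
    pending = None
    for line in lines:
        m = TS_LINE.match(line.strip())
        if m:
            pending = int(m.group(1))
            continue
        if line.strip():
            yield pending, line
            pending = None


def history_anomalies(lines, sessions, min_commands=1):
    """Flag signs that the history file was edited, truncated or never written."""
    entries = list(parse_history(lines))
    timestamped = [e for e in entries if e[0] is not None]
    findings = []
    if entries and not timestamped:
        findings.append("no timestamps at all: HISTTIMEFORMAT unset or file rewritten")
    prev = None
    for n, (ts, cmd) in enumerate(entries, 1):
        if ts is None:
            findings.append(f"entry {n} ({cmd!r}) has no timestamp line")
            continue
        if prev is not None and ts < prev:
            findings.append(f"entry {n} ({cmd!r}) goes backwards in time: lines removed or reordered")
        prev = ts
    for user, login, logout in sessions:
        count = sum(1 for ts, _ in timestamped if login <= ts <= logout)
        if count < min_commands:
            findings.append(f"session of {user} from {login} to {logout} left no commands in history")
    return findings


if __name__ == "__main__":
    for finding in history_anomalies(SAMPLE_HISTORY, SAMPLE_SESSIONS):
        print(finding)
```

Concurrent shells with histappend set interleave their timestamps legitimately, so a backwards jump is a prompt to compare against wtmp and auditd rather than proof of tampering on its own.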

3. Log File Manipulation

Description: Attackers often modify, delete, or inject entries into logs to confuse investigators.

How-To: Use sed to remove specific entries:

   sed -i '/pattern_to_delete/d' /var/log/auth.log

When to Use: To hide unauthorized login attempts, file modifications, or privilege escalations.

Detection and Prevention:

  • Detect: Use hash-based monitoring: sha256sum /var/log/auth.log > /var/log/auth.log.sha256 (a live log changes with every appended entry, so a static digest is only meaningful for rotated or archived logs; store the digest off-host).
  • Prevent: Enable remote logging with rsyslog: *.* @@remote-log-server:514
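A static hash of a live log is stale within seconds. A check that does work on a growing file is to hash only the bytes that existed at baseline time: a legitimate log only ever gains bytes at the end, so a changed inode, a smaller size or a changed prefix digest all point at sed -i, truncation or a restore. The added Python example below (not from the original post) implements that snapshot-and-compare and replays an append followed by a sed -i style rewrite on a constructed auth.log.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 16


def _sha256_prefix(path, length):
    """SHA-256 of the first `length` bytes of `path`."""
    h = hashlib.sha256()
    remaining = length
    with open(path, "rb") as f:
        while remaining > 0:
            block = f.read(min(CHUNK, remaining))
            if not block:
                break
            h.update(block)
            remaining -= len(block)
    return h.hexdigest()


def snapshot(path):
    """Record inode, size and digest of the current content; keep the result off-host."""
    st = os.stat(path)
    return {"inode": st.st_ino, "size": st.st_size, "sha256": _sha256_prefix(path, st.st_size)}


def check_log(path, baseline):
    """Compare a live, append-only log against an earlier snapshot."""
    st = os.stat(path)
    findings = []
    if st.st_ino != baseline["inode"]:
        findings.append("inode changed: file was replaced (sed -i, a restore, or logrotate)")
    if st.st_size < baseline["size"]:
        findings.append("file shrank: entries were deleted or the log was truncated")
    elif _sha256_prefix(path, baseline["size"]) != baseline["sha256"]:
        findings.append("previously recorded bytes changed: entries were edited in place")
    return findings


def demo():
    """Constructed auth.log: baseline, then a legitimate append, then a sed -i style rewrite."""
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "auth.log")
        with open(log, "w") as f:
            f.write("Nov 14 12:00:01 host sshd[101]: Accepted publickey for alice from 10.0.0.5\n"
                    "Nov 14 12:03:44 host sshd[102]: Failed password for root from 198.51.100.7\n")
        base = snapshot(log)

        with open(log, "a") as f:        # normal growth: a new entry is appended
            f.write("Nov 14 12:05:00 host sudo: alice : TTY=pts/0 ; COMMAND=/bin/ls\n")
        after_append = check_log(log, base)

        # `sed -i '/Failed password/d'` writes a new file and renames it over the old one.
        with open(log) as f:
            lines = f.read().splitlines(keepends=True)
        tmp = log + ".sed"
        with open(tmp, "w") as f:
            f.writelines(line for line in lines if "Failed password" not in line)
        os.replace(tmp, log)
        after_sed = check_log(log, base)
    return after_append, after_sed


if __name__ == "__main__":
    after_append, after_sed = demo()
    print("after append:", after_append or "clean")
    print("after sed -i :", after_sed)
```

Refresh the baseline right after each legitimate logrotate, and run the check from a host the attacker does not control; otherwise the comparison inherits the same weakness as the local digest file.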

4. MAC Address Spoofing

Description: Attackers change the MAC address of a network interface to mask their identity and avoid detection by network security systems.

How-To:

  1. Using ifconfig: ifconfig eth0 hw ether 00:11:22:33:44:55
  2. Using macchanger: macchanger -r eth0 (use -r for random MAC address)

When to Use: Useful for bypassing MAC-based access control lists or hiding in a network with known devices.

Detection and Prevention:

  • Detect: Use arpwatch or ip monitor link to track changes in MAC addresses: ip monitor link
  • Prevent: Restrict macchanger and make the interface configuration immutable so a spoofed address cannot be persisted: chattr +i /etc/network/interfaces. This does not block a runtime change, so enforce on the switch side as well (port security, 802.1X).

5. Process Hiding Using LD_PRELOAD

Description: Attackers use the LD_PRELOAD environment variable to load malicious shared libraries that can intercept and modify system calls, making certain processes invisible.

How-To: Use a custom shared object to hide processes: LD_PRELOAD=/path/to/malicious.so <command>. The shared library modifies outputs like ps, top, or ls.

When to Use: Useful when attackers want to run malicious processes in the background without being detected by system administrators.

Detection and Prevention:

  • Detect: Compare ps output with direct /proc directory inspection:
   ls /proc | grep -E '^[0-9]+$' | while read -r pid; do ps -p "$pid" > /dev/null 2>&1 || echo "Hidden process: $pid"; done
  • Prevent: Restrict environment variable usage in /etc/environment, sanitize user shell environments so LD_PRELOAD is not inherited, and audit /etc/ld.so.preload, which applies a preload to every dynamically linked program on the host.
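The one-liner above compares two views that both go through readdir(), which is exactly the function a preload library hooks, so ls and ps can lie in the same way. A more robust comparison probes /proc/<n> directly for every candidate PID, which bypasses a filtered directory listing. The added Python example below (not from the original post) does that, and also reports the two places a preload is configured: /etc/ld.so.preload and an LD_PRELOAD entry in a process environment. The 65536 demo cap on the PID sweep and the sample preload contents are assumptions; the real bound is /proc/sys/kernel/pid_max.

```python
import os


def pids_via_readdir(proc="/proc"):
    """PIDs as a directory listing returns them: what ps and ls see, and what a preload
    rootkit filters by hooking readdir()/readdir64()."""
    return {int(n) for n in os.listdir(proc) if n.isdigit()}


def pids_via_probe(proc="/proc", pid_max=65536):
    """PIDs found by stat()ing /proc/<n> for every candidate n, which does not rely on
    readdir().  pid_max=65536 is a demo cap (assumption); read /proc/sys/kernel/pid_max
    for a full sweep."""
    return {pid for pid in range(1, pid_max + 1) if os.path.isdir(os.path.join(proc, str(pid)))}


def hidden_pids(visible, probed):
    """PIDs that exist but were filtered out of the listing."""
    return probed - visible


def preload_indicators(preload_text, environ):
    """Report /etc/ld.so.preload entries and an LD_PRELOAD variable in a process environment
    (pass the decoded /proc/<pid>/environ of the process being examined)."""
    findings = []
    for line in preload_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            findings.append(f"/etc/ld.so.preload loads {line}")
    if environ.get("LD_PRELOAD"):
        findings.append(f"LD_PRELOAD={environ['LD_PRELOAD']}")
    return findings


def read_environ(pid):
    """Decode /proc/<pid>/environ (NUL-separated KEY=VALUE) into a dict."""
    with open(f"/proc/{pid}/environ", "rb") as f:
        raw = f.read()
    env = {}
    for item in raw.split(b"\0"):
        if b"=" in item:
            key, value = item.split(b"=", 1)
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


if __name__ == "__main__":
    if os.path.isdir("/proc"):
        listed = pids_via_readdir()
        probed = pids_via_probe()
        print("hidden PIDs:", sorted(hidden_pids(listed, probed)) or "none")
    # Constructed sample preload file and environment; the library names are placeholders.
    sample_preload = "# constructed sample\n/usr/local/lib/libplaceholder.so\n"
    print(preload_indicators(sample_preload, {"LD_PRELOAD": "/tmp/placeholder.so"}))
```

A library that also hooks stat() or kill() can blind this probe as well; the dependable route is a statically linked checker or an inspection from rescue media, which is why tools such as unhide ship static builds.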

2. Data Destruction Techniques

What Is Data Destruction?

Data destruction refers to securely deleting data to prevent its recovery, either through overwriting files or using special utilities that make data unrecoverable. This is used to eliminate sensitive data that attackers don’t want to fall into the hands of investigators.

Common Techniques

1. Shredding Files with Multiple Passes

Description: Overwrites the contents of a file multiple times to make it irrecoverable.

How-To:

   shred -n 35 -z -u sensitive_file.txt
  • -n 35: Overwrites file 35 times
  • -z: Overwrite with zeroes at the end
  • -u: Delete after shredding

When to Use: Before disconnecting or when a file contains incriminating evidence.

Detection and Prevention:

  • Detect: Monitor shred command usage: auditctl -w /usr/bin/shred -p x -k shred_usage
  • Prevent: Restrict access to shred and other data wiping tools: chmod 700 /usr/bin/shred

2. Secure Erase for SSDs

Description: Perform a secure erase of an SSD to reset all data.

How-To: hdparm --security-erase NULL /dev/sdX

When to Use: When fast and complete destruction of data on SSDs is necessary.

Detection and Prevention:

  • Prevent: Implement hardware policies that lock down secure erase features.
  • Detect: Monitor ATA commands on SSDs using smartctl.

3. dd Disk Wiping

Description: The dd command is used to perform low-level copying and overwriting of data on a disk or partition. Attackers use it to zero-fill or randomize entire disks, making recovery extremely difficult.

How-To:

  1. Zero Fill Entire Disk: dd if=/dev/zero of=/dev/sdX bs=1M status=progress
  2. Random Data Overwrite: dd if=/dev/urandom of=/dev/sdX bs=1M status=progress
    • bs: Block size (1MB blocks for faster performance)
    • of: Output device (the target disk)
    • if: Input file (zero or random data)

When to Use: When attackers want to ensure complete destruction of data before disconnecting from a system or decommissioning a device.

Detection and Prevention:

  • Detect: Monitor dd usage with auditd: auditctl -w /usr/bin/dd -p x -k dd_usage
  • Prevent: Limit access to dd and implement hardware write-protection mechanisms.

4. srm for Secure Deletion

Description: The srm (Secure Remove) command is part of the secure-delete suite that overwrites files with random data multiple times, making recovery nearly impossible.

How-To: Securely remove files: srm -rv /path/to/directory (use -v for verbose output, -r to recursively delete directories).

When to Use: Recommended for securely deleting sensitive files without leaving recoverable traces.

Detection and Prevention:

  • Detect: Monitor usage with auditd: auditctl -w /usr/bin/srm -p x -k srm_usage
  • Prevent: Restrict access to srm and monitor system logs for signs of its use.
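The shred, dd and srm sections all rely on the same auditctl watch (-p x with a key). What that rule produces in /var/log/audit.log is a group of records sharing one serial: a SYSCALL record carrying the key, uid and auid, an EXECVE record with the argument vector, and a CWD record. The added Python example below (not from the original post) correlates those records and emits one alert per execution of a watched tool, with the full command line. The audit excerpt is a constructed sample in the standard auditd format; the set of keys matches the rules given in this post.

```python
import re
from collections import defaultdict

# Constructed audit.log excerpt: the records the -k shred_usage rule emits for
# `shred -n 35 -z -u sensitive_file.txt`, plus an unrelated execve that must not alert.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1700000100.512:9001): arch=c000003e syscall=59 success=yes exit=0 a0=55d1c0 a1=55d2e0 a2=55d400 a3=0 items=2 ppid=2310 pid=2355 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=4 comm="shred" exe="/usr/bin/shred" subj=unconfined key="shred_usage"
type=EXECVE msg=audit(1700000100.512:9001): argc=6 a0="shred" a1="-n" a2="35" a3="-z" a4="-u" a5="sensitive_file.txt"
type=CWD msg=audit(1700000100.512:9001): cwd="/home/alice/docs"
type=SYSCALL msg=audit(1700000160.004:9002): arch=c000003e syscall=59 success=yes exit=0 a0=0 a1=0 a2=0 a3=0 items=2 ppid=2310 pid=2360 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=4 comm="ls" exe="/usr/bin/ls" subj=unconfined key=(null)
type=EXECVE msg=audit(1700000160.004:9002): argc=2 a0="ls" a1="-la"
type=CWD msg=audit(1700000160.004:9002): cwd="/home/alice/docs"
""".splitlines()

WIPE_KEYS = {"shred_usage", "dd_usage", "srm_usage"}   # keys from the auditctl rules above

HEADER = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fields(body):
    """Turn `k=v k2="quoted v"` into a dict, dropping the quotes."""
    out = {}
    for key, value in FIELD.findall(body):
        out[key] = value[1:-1] if value.startswith('"') else value
    return out


def group_events(lines):
    """Group records by serial number: one execve yields SYSCALL, EXECVE, CWD and PATH records."""
    events = defaultdict(dict)
    for line in lines:
        m = HEADER.match(line.strip())
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        event = events[int(serial)]
        event["time"] = float(ts)
        event.setdefault(rtype, {}).update(parse_fields(body))
    return events


def wipe_alerts(lines, keys=WIPE_KEYS):
    """One alert per execution of a watched data-destruction tool, with its command line."""
    alerts = []
    for serial, event in sorted(group_events(lines).items()):
        syscall = event.get("SYSCALL", {})
        if syscall.get("key") not in keys:
            continue
        execve = event.get("EXECVE", {})
        argv = [execve.get(f"a{i}", "") for i in range(int(execve.get("argc", 0)))]
        alerts.append({
            "serial": serial,
            "time": event["time"],
            "auid": syscall.get("auid"),   # login uid: survives sudo/su and names the person
            "uid": syscall.get("uid"),
            "exe": syscall.get("exe"),
            "cwd": event.get("CWD", {}).get("cwd"),
            "cmdline": " ".join(argv),
            "key": syscall["key"],
        })
    return alerts


if __name__ == "__main__":
    for alert in wipe_alerts(SAMPLE_AUDIT):
        print(alert)
```

auditd hex-encodes an EXECVE argument that contains spaces or control characters and then writes it without quotes; ausearch -i decodes those, so run the parser over ausearch output or add the decoding step before matching on arguments.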

5. sfill for Free Space Wiping

Description: sfill is used to overwrite all free space on a disk, ensuring that deleted files cannot be recovered by scanning for residual data.

How-To: Wipe free space: sfill -z -v /home/ (-v: verbose mode, -z: zero out free space at the end).

When to Use: Often used after file deletion to ensure no residual data remains.

Detection and Prevention:

  • Prevent: Implement write-protection and monitor for excessive disk activity.
  • Detect: Monitor disk I/O during idle periods with iostat (iftop reports network rather than disk throughput).


3. Encryption Techniques

What Is Encryption?

Encryption is the process of encoding data to prevent unauthorized access. Attackers often use encryption to render sensitive files inaccessible to investigators or to protect communication channels.

Common Techniques

1. File Encryption with gpg

Description: Encrypt individual files using AES-256.

How-To: gpg --cipher-algo AES256 -c sensitive.txt

When to Use: To protect sensitive files before transferring or storing them.

Detection and Prevention:

  • Detect: Search for encrypted file headers using binwalk: binwalk sensitive.txt
  • Prevent: Monitor for encryption commands with auditctl: auditctl -w /usr/bin/gpg -p x -k encryption_alert

2. Disk Encryption with cryptsetup

Description: Encrypt full partitions using LUKS.

How-To:

   cryptsetup luksFormat /dev/sdX
   cryptsetup luksOpen /dev/sdX secure_partition

When to Use: Encrypt entire partitions to protect large data sets.

Detection and Prevention:

  • Prevent: Implement encryption monitoring and restrict cryptsetup use.
  • Detect: Identify encrypted partitions using lsblk -f (LUKS volumes show the FSTYPE crypto_LUKS).

3. Encrypt Files with openssl

Description: OpenSSL can encrypt a file with a recipient's RSA public key so that only the holder of the private key can read it. Note that rsautl is deprecated in OpenSSL 3.x in favour of pkeyutl, and raw RSA can only encrypt a payload shorter than the key modulus (well under 256 bytes for a 2048-bit key), so in practice it wraps a symmetric key rather than whole files.

How-To: Encrypt a file using RSA:

   openssl rsautl -encrypt -inkey public.pem -pubin -in file.txt -out file.enc
  • -out: Output encrypted file
  • -in: Input file
  • -pubin: Specify it’s a public key
  • -inkey: Input public key file
  • -encrypt: Perform encryption

When to Use: To protect individual files before transferring over insecure channels.

Detection and Prevention:

  • Detect: Look for encrypted headers using the file command: file file.enc (raw RSA ciphertext carries no header, so file reports only "data"; an entropy check is the fallback).
  • Prevent: Restrict access to OpenSSL commands or perform network-level monitoring for suspicious encryption activity.
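The three detection hints in this section (binwalk on a gpg file, lsblk -f for LUKS, file on OpenSSL output) come down to one question: does the blob start with a known header, and if not, is it incompressible? The added Python example below (not from the original post) answers it with the documented magic values (the LUKS "LUKS\xba\xbe" signature, the "Salted__" prefix of openssl enc, the OpenPGP armor banner and the OpenPGP symmetric session-key packet tags that gpg -c emits) and falls back to Shannon entropy plus a zlib compressibility test, which stays reliable for inputs as short as a 256-byte raw RSA block where the entropy estimate alone is biased low. The sample blobs are constructed; the 7.5 bits/byte and 0.95 ratio thresholds are assumptions.

```python
import math
import os
import zlib

# Magic prefixes from the respective format specifications.  The one-byte OpenPGP tags are
# weak on their own; confirm a hit with `gpg --list-packets`.
MAGIC = [
    (b"LUKS\xba\xbe", "LUKS header (cryptsetup)"),
    (b"Salted__", "OpenSSL enc output with salt"),
    (b"-----BEGIN PGP MESSAGE-----", "ASCII-armored OpenPGP message"),
    (b"\x8c", "OpenPGP symmetric-key session packet (gpg -c, old packet format)"),
    (b"\xc3", "OpenPGP symmetric-key session packet (gpg -c, new packet format)"),
]


def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant stream, 8.0 for perfectly uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def is_incompressible(data, ratio=0.95):
    """zlib cannot shrink ciphertext or already-compressed data, and unlike the entropy
    estimate this holds for short inputs too."""
    return bool(data) and len(zlib.compress(data, 9)) >= ratio * len(data)


def classify_blob(data, high=7.5):
    """Label by magic prefix first, then by entropy/compressibility.  Ciphertext and
    compressed archives both score high, so the result is a triage hint, not proof."""
    for prefix, label in MAGIC:
        if data.startswith(prefix):
            return label
    sample = data[:1 << 20]
    ent = shannon_entropy(sample)
    if ent >= high or is_incompressible(sample):
        return f"headerless high-entropy data ({ent:.2f} bits/byte): ciphertext, compressed or random"
    return f"low-entropy data ({ent:.2f} bits/byte): plaintext or structured"


def classify_file(path):
    with open(path, "rb") as f:
        return classify_blob(f.read(1 << 20))


def demo():
    """Constructed samples: a LUKS-like header, an openssl enc style file, 256 headerless
    random bytes (the shape of a raw RSA-2048 ciphertext) and plain text."""
    samples = {
        "luks": b"LUKS\xba\xbe\x00\x02" + b"\x00" * 500,
        "openssl": b"Salted__" + os.urandom(8) + os.urandom(256),
        "raw_rsa_like": os.urandom(256),
        "text": b"The quick brown fox jumps over the lazy dog. " * 50,
    }
    return {name: classify_blob(blob) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, label in demo().items():
        print(f"{name:13s} {label}")
```

Run classify_file over a directory tree and review the headerless high-entropy hits by hand: most will be archives, images and media, and the few that are neither are the ones worth a closer look.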

4. Using bulk_extractor

Description: bulk_extractor is an investigator's tool rather than an attacker technique: it scans disk images for hidden data, encryption headers, and evidence of steganography.

How-To: Analyze disk image: bulk_extractor -o output_dir /path/to/disk_image.img

When to Use: When performing forensic analysis on a disk image to identify hidden data or encryption.

Detection and Prevention:

  • Prevent: Implement disk image protection using write-blockers and ensure secure access control on digital forensic workstations.


4. Steganography Techniques

What Is Steganography?

Steganography is the practice of hiding data within other files, such as images, audio, or video, making it invisible to casual observers.

Common Techniques

1. Hide Data in Images Using steghide

Description: Embed a secret file into an image.

How-To: steghide embed -cf image.jpg -ef secret.txt -p "passphrase"

When to Use: Hide sensitive text or files within harmless-looking images.

Detection and Prevention:

  • Detect: Use stegdetect to find hidden data: stegdetect -s 10 image.jpg (-s raises the detection sensitivity; -t selects which embedding tests to run)
  • Prevent: Disallow image uploads or perform regular integrity checks.

2. Binary Data Hiding Using outguess

Description: Hide data in the redundant bits of a JPEG's DCT coefficients.

How-To: outguess -d secret.txt -k "passphrase" input.jpg output.jpg (-d names the file whose contents are embedded)

When to Use: Conceal large datasets within images.

Detection and Prevention:

  • Prevent: Use metadata analysis tools like exiftool to identify anomalies.
  • Detect: Check JPEG files for unusual markers.
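Marker and metadata checks catch sloppy embedding; the statistical test that tools such as stegdetect apply is the chi-square attack of Westfeld and Pfitzmann on pairs of values. Replacing least-significant bits with random-looking message bits only moves samples between the two members of each pair (2k, 2k+1), so after full-capacity embedding the two counts in every pair converge, which a natural histogram does not do. The added Python example below (not from the original post) implements the test on a sample vector and demonstrates it on constructed data standing in for one colour channel: a cover with uneven LSBs and the same cover after sequential LSB embedding. The 0.9 decision threshold and the Wilson-Hilferty approximation for the chi-square tail are assumptions; steghide and outguess embed in JPEG DCT coefficients rather than pixel LSBs, and outguess 0.2 preserves first-order statistics by design, which is why stegdetect combines this test with others.

```python
import math
import random


def chi_square_sf(chi2, dof):
    """Upper-tail probability P(X > chi2) for X ~ chi-square(dof) via the Wilson-Hilferty
    normal approximation, adequate for the dof a full 256-value histogram yields."""
    c = 2.0 / (9.0 * dof)
    z = ((chi2 / dof) ** (1.0 / 3.0) - (1.0 - c)) / math.sqrt(c)
    return 0.5 * math.erfc(z / math.sqrt(2.0))


def pov_chi_square(values):
    """Pairs-of-values statistic.  Returns (chi2, dof, p): p close to 1 means the two counts
    of each pair are as equal as LSB embedding would make them."""
    counts = [0] * 256
    for v in values:
        counts[v] += 1
    chi2, pairs = 0.0, 0
    for k in range(128):
        even, odd = counts[2 * k], counts[2 * k + 1]
        expected = (even + odd) / 2.0
        if expected == 0:
            continue                      # an empty pair carries no information
        chi2 += (even - expected) ** 2 / expected
        pairs += 1
    dof = max(pairs - 1, 1)
    return chi2, dof, chi_square_sf(chi2, dof)


def looks_embedded(values, threshold=0.9):
    """Decision rule: flag when the pair frequencies are too even to be natural (assumption)."""
    return pov_chi_square(values)[2] > threshold


def make_samples(n=20000, seed=1):
    """Constructed data: the 'clean' channel has an uneven LSB distribution, as quantised
    sensor data does; 'stego' is the same cover after random message bits replaced every LSB."""
    rng = random.Random(seed)
    clean = [2 * rng.randrange(128) + (1 if rng.random() < 0.3 else 0) for _ in range(n)]
    stego = [(v & ~1) | rng.getrandbits(1) for v in clean]
    return clean, stego


if __name__ == "__main__":
    clean, stego = make_samples()
    for label, data in (("clean", clean), ("stego", stego)):
        chi2, dof, p = pov_chi_square(data)
        print(f"{label}: chi2={chi2:.1f} dof={dof} p={p:.4f} embedded={looks_embedded(data)}")
```

Against a real image, run the test on successive prefixes of the sample stream (the first 10 %, 20 %, ...): sequential embedding fills the file from the start, so p stays near 1 up to the end of the message and then drops, which also estimates the hidden payload's size.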

Implementing these detection and prevention strategies is crucial for maintaining digital evidence integrity and countering advanced anti-forensics techniques effectively.