New Anti-Forensics Tools Thwart Police
rabblerouzer writes "Antiforensic tools have slid down the technical food chain, from Unix to Windows, from something only elite users could master to something nontechnical users can operate. 'Five years ago, you could count on one hand the number of people who could do a lot of these things,' says one investigator. 'Now it's hobby level.' Take, for example, TimeStomp. Forensic investigators poring over compromised systems where Timestomp was used often find files that were created 10 years from now, accessed two years ago and never modified."
http://www.cio.com/article/print/114550 - Print version so you don't have to go through ten pages to read it all.
:)
Anonymous coward so no Karma whoring today.
Data can still be recovered. It may only be bits and pieces of files, but it can still be recovered. Clean room data recovery can do some pretty amazing things now.
The only "sure" way is to melt down the platters and make pretty jewelry with them.
The date a track was written could possibly be analyzed by looking at how it was written at the microscopic level, but this would probably destroy the disk itself. It would be very expensive. As far as I know, this is only theory and has not actually been done. If somebody has a technique, I would hope that it would require a lot of peer reviewed research to verify its validity. Anyway, the date a track was written may have nothing to do with the age of the data (file), as the OS may move files around for efficiency. This will not affect the timestamps of a file. The fact is that these timestamps are simply data written on the disk and can easily be changed.
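As an added illustration (not from the comment's author) of treating these stamps as data to be checked rather than trusted: a small checker over constructed file records that flags the inconsistencies the summary describes, such as a creation date in the future or access before creation, plus the whole-second heuristic explained in the comments. The paths, dates and "current time" are all constructed for the example.

```python
import datetime as dt

# Assumed "current" time for the check (constructed, not a real case).
NOW = dt.datetime(2007, 6, 1)

# Constructed file records: (path, created, modified, accessed).
SAMPLE_RECORDS = [
    ("C:/Documents/report.doc",
     dt.datetime(2006, 3, 4, 10, 15, 22, 473000),
     dt.datetime(2006, 3, 5, 9, 0, 1, 120000),
     dt.datetime(2007, 5, 30, 8, 2, 7, 900000)),
    ("C:/Windows/System32/suspect.dll",
     dt.datetime(2017, 1, 1),   # created "10 years from now"
     dt.datetime(2005, 1, 1),   # modified before it was created
     dt.datetime(2005, 6, 1)),  # accessed before it was created
]

def timestamp_anomalies(created, modified, accessed, now=NOW):
    """Return the list of inconsistencies found in one file's MAC times."""
    findings = []
    for name, stamp in (("created", created), ("modified", modified),
                        ("accessed", accessed)):
        if stamp > now:
            findings.append(f"{name} timestamp is in the future")
    if modified < created:
        findings.append("modified before created")
    if accessed < created:
        findings.append("accessed before created")
    # Tools that rewrite stamps tend to write whole-second values, while real
    # filesystem activity leaves a fractional part (NTFS keeps 100ns units).
    # Only meaningful on filesystems with sub-second stamps: FAT rounds
    # modification times to 2 seconds, so every FAT file would trip this.
    if all(s.microsecond == 0 for s in (created, modified, accessed)):
        findings.append("all timestamps fall on whole-second boundaries")
    return findings

def scan(records, now=NOW):
    """Map each path with at least one anomaly to its list of findings."""
    report = {}
    for path, created, modified, accessed in records:
        findings = timestamp_anomalies(created, modified, accessed, now)
        if findings:
            report[path] = findings
    return report

if __name__ == "__main__":
    for path, findings in scan(SAMPLE_RECORDS).items():
        print(path, "->", "; ".join(findings))
```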
Don't underestimate the tools - many forensic experts couldn't find their way at all outside the tool, but the tools are rather good at three things:
1) Point them to "interesting" catalogs on most operating systems
2) Read pretty much any filesystem, including the odd Linux/BSD variants
3) Scan for files (keywords, against a hash db etc.) without booting your OS
Encryption is the only thing that'll stand any serious investigation. Though I suppose it'll get you past the "should we bother to check his computer just in case" checks, there is plenty of support for non-"IE/Windows" machines.
Examples:
Operating system Support: Windows 95/98/NT/2000/XP/2003 Server, Linux Kernel 2.4 and above, Solaris 8/9 both 32 & 64 bit, AIX, OSX.
File systems supported by EnCase software: FAT12/16/32, NTFS, EXT2/3 (Linux), Reiser (Linux), UFS (Sun Solaris), AIX Journaling File System (JFS and jfs) LVM8, FFS (OpenBSD, NetBSD and FreeBSD), Palm, HFS, HFS+ (Macintosh), CDFS, ISO 9660, UDF, DVD, and TiVo® 1 and TiVo 2 file systems.
EnCase software uniquely supports the imaging and analysis of RAID arrays, including hardware and software RAIDs. Forensic analysis of RAID sets is nearly impossible outside of the EnCase environment.
Dynamic Disk Support for Windows 2000/XP/2003 Server.
Ability to preview and acquire select Palm devices.
Ability to interpret and analyze VMware, Microsoft Virtual PC, DD and SafeBack v2 image formats.
Compound Document and File Analysis: Many files such as Microsoft Office documents, Outlook PSTs, TAR, GZ, thumbs.db and ZIP files store internal files and metadata that contain valuable information once exposed. EnCase automatically displays these internal files, file structures, data and metadata. Once these files have been virtually mounted within EnCase, they can be searched, documented and extracted in a number of different ways.
File Finder: This feature automatically searches through the page file, unallocated clusters, selected files or an entire case, looking for predefined or custom file types. This feature differs from the standard search, because it looks through the defined areas for the file header information and sometimes the footer.
Analysis: EnCase software has the ability to find, parse, analyze, display and document various types of email formats, including Outlook PSTs/OSTs ('97-'03), Outlook® Express DBXs, Lotus Notes NFS, webmail such as Hotmail, Netscape and Yahoo; UNIX mbox files like those used by Mac OS X; Netscape; Firefox; UNIX email applications; and AOL 6, 7, 8, 9. In some cases, EnCase can recover deleted files and, depending on the email format, the status of the machine.
Browser History Analysis: EnCase has powerful and selective search capabilities for Internet artifacts that can be done by device, browser type or user. EnCase can automatically parse, analyze and display various types of Internet and Windows history artifacts logged when websites or file directories are accessed through supported browsers, including Internet Explorer, Mozilla, Opera and Safari.
Live today, because you never know what tomorrow brings
I'm not an NSA funded security researcher, but I'm also slightly less of an arrogant prick than "rjh". So to answer your question about layering encryption without getting into all the you're-not-even-worthy-to-be-asking-this-question crap, here's a brief layperson's answer:
Essentially your idea is not a bad one, it's just a bit naive -- there are non-obvious subtleties which must be considered in order to make the idea work as well as you hope.
One issue is that some encryption algorithms (called "groups") have the characteristic that when applied two consecutive times with different keys, the result is the same as if the algorithm was applied only once with some other third key. If this is the case for your favorite algorithm, then your plan adds no extra security compared to just encrypting once. And apparently it's not always easy to know whether this is the case for a complex algorithm, so you should assume the worst.
Another issue is that if your adversary can guess some plaintext (e.g. by assuming it contains .doc or .jpg headers) they can use a technique that trades off storage for computation and break your multiple encryption much faster than you would have thought.
One way to overcome these weaknesses is by applying your encryption in "EDE" (encrypt-decrypt-encrypt) mode, where you encrypt with one password, then "decrypt" with a second password (which is obviously not really decrypting but just making the scrambling that much more horrendous), and then encrypting again with a third password. Even this is not as secure as you might expect, but it's still pretty good.
The well-known security and crypto expert Bruce Schneier has a great book called "Applied Cryptography" (Wiley, 2nd edition 1996, ISBN 0-471-11709-9) which is accessible to average smart, interested, non-NSA-funded Slashdot readers without advanced math degrees. It even has a brief chapter (15) on this exact topic. (Schneier has other great books too.)
Despite his attitude, "rjh" is right in implying that our common sense is not trustworthy in the area of cryptography -- some of the world's smartest people devote their lives to this stuff and have come up with astonishing and often counterintuitive results. Smarter people than us have already studied this idea, which is basically a good one even though it has pitfalls. Don't let anyone make you feel stupid for having an idea or asking a good question.
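The storage-for-computation trade-off the comment mentions, shown as an added example (not from the comment's author or from Schneier's book) on a constructed 16-bit toy cipher: with a few plaintext blocks guessed from the OLE2 .doc header (D0 CF 11 E0 A1 B1 ...), a meet-in-the-middle search recovers both keys of a double encryption with about 2^17 cipher calls and a 2^16-entry table, where naive guessing of the key pair would need up to 2^32 trials. The cipher, the keys K1/K2 and the plaintext/ciphertext pairs are all constructed for illustration.

```python
# Constructed 16-bit toy block cipher with a 16-bit key. MUL is odd, so
# multiplication mod 2^16 is invertible. Not a real cipher.
MASK = 0xFFFF
MUL = 0x9E37
INV = pow(MUL, -1, 1 << 16)  # multiplicative inverse of MUL mod 2^16

def rotl(x, n):
    return ((x << n) | (x >> (16 - n))) & MASK

def rotr(x, n):
    return ((x >> n) | (x << (16 - n))) & MASK

def encrypt(key, block):
    y = (block ^ key) * MUL & MASK
    return rotl(y, 5) ^ key

def decrypt(key, block):
    y = rotr(block ^ key, 5) * INV & MASK
    return y ^ key

def double_encrypt(k1, k2, block):
    return encrypt(k2, encrypt(k1, block))

def meet_in_the_middle(pairs):
    """Return (k1, k2) candidates consistent with all known pairs.

    Cost: 2^16 encryptions stored in a table plus 2^16 decryptions, instead of
    trying all 2^32 key pairs. The first pair builds the table; the remaining
    pairs weed out the ~2^16 chance matches a single 16-bit block allows.
    """
    pt0, ct0 = pairs[0]
    table = {}
    for k1 in range(1 << 16):
        table.setdefault(encrypt(k1, pt0), []).append(k1)
    candidates = []
    for k2 in range(1 << 16):
        for k1 in table.get(decrypt(k2, ct0), ()):
            if all(double_encrypt(k1, k2, p) == c for p, c in pairs[1:]):
                candidates.append((k1, k2))
    return candidates

# Assumed secret keys and known plaintext blocks (OLE2 compound document magic).
K1, K2 = 0x3A7F, 0xC2D1
KNOWN_PT = [0xD0CF, 0x11E0, 0xA1B1]
PAIRS = [(p, double_encrypt(K1, K2, p)) for p in KNOWN_PT]

if __name__ == "__main__":
    print("recovered key pairs:", [(hex(a), hex(b)) for a, b in meet_in_the_middle(PAIRS)])
```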