Slashdot Mirror


New Anti-Forensics Tools Thwart Police

rabblerouzer writes "Antiforensic tools have slid down the technical food chain, from Unix to Windows, from something only elite users could master to something nontechnical users can operate. 'Five years ago, you could count on one hand the number of people who could do a lot of these things,' says one investigator. 'Now it's hobby level.' Take, for example, Timestomp. Forensic investigators poring over compromised systems where Timestomp was used often find files that were created 10 years from now, accessed two years ago and never modified."

14 of 528 comments

  1. Never trust the computer! by Trifthen · Score: 4, Insightful

    Timestomp? Now I've heard everything.

    Any hacker/script-kiddie with a working knowledge of touch and a 'find' command could wreak equal havoc. Combined with a quick filter and another perl script to generate random timestamps, all launched regularly from cron? Forget it. Forensics folks would be better off scouring logs for a non-tainted timestamp and counting directory inode entries for approximate age.

    Of course, this says nothing of rootkits, which can be downright subversive, embedding themselves into kernel space where not even the OS knows they exist, where they can wreak untold havoc with historical system data or encryption. I bet there's even a script-kiddie version of anti-forensics tools out there, where it just cron-obfuscates anything trackable. Logs, timestamps, frequent automated sweeps of shred over unallocated disk blocks, inode reordering, and so on.

    Now that I think about it, that might be a good idea. I got some work to do. ;)

    --
    Read: Rabbit Rue - Free serial nove
    1. Re:Never trust the computer! by _Sprocket_ · Score: 4, Insightful

      Any hacker/script-kiddie with a working knowledge of touch and a 'find' command could wreak equal havoc. Combined with a quick filter and another perl script to generate random timestamps, all launched regularly from cron? Forget it. Forensics folks would be better off scouring logs for a non-tainted timestamp and counting directory inode entries for approximate age.


      And that seems to be the point - how many of these types actually know how to use touch or find... much less put together a perl script? By "hobbyist" they're not talking about our level of knowledge... they're talking average punk who thinks double-clicking a rootkit is advanced hacking. Criminals aren't always the sharpest crayons in the box.

      I met one of the FBI agents involved in the investigation of Zimmermann over PGP. After that case, she moved on to child pornography cases. I asked her how many times they ran into PGP being used by people trading in kiddie porn. Not a single one. She noted that the folks they were busting just weren't smart enough to understand that kind of thing.

      That basic precautions are showing up enough to give investigators a problem says something both about the attackers and the investigations.
    2. Re:Never trust the computer! by Kjella · Score: 4, Insightful

      I met one of the FBI agents involved in the investigation of Zimmermann over PGP. After that case, she moved on to child pornography cases. I asked her how many times they ran into PGP being used by people trading in kiddie porn. Not a single one. She noted that the folks they were busting just weren't smart enough to understand that kind of thing.

      <advocate client="Devil">
      So that means one of two things:
      1. Smart people aren't trading in child pornography or
      2. Smart people weren't caught to begin with, and still aren't

      And it probably shows just how stillborn general encryption of mail is. If average people don't learn that under threats of years in prison, what could possibly make regular people do it?
      </advocate>

      --
      Live today, because you never know what tomorrow brings
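Comment 1 above describes how a stomped timestamp looks and where an investigator can still find a foothold (a timestamp the attacker could not set, or an external record to compare against). The following added example is not from any commenter or from the Timestomp tool; it stomps a file's atime/mtime with `os.utime` the way `touch -d` does, then runs the checks a first-pass triage script might apply. It relies on the fact that Linux and most Unix filesystems do not let user space set the inode change time (ctime): `utime()` itself bumps ctime to "now", so a file whose mtime is later than its ctime, or later than the wall clock, is inconsistent. The file names, sample content and the ten-year offset are constructed for the demo; `not_before` stands in for a lower bound established from an untainted log, as the comment suggests.

```python
"""Stomp a file's timestamps and flag the inconsistencies it leaves behind.

Added example; not code from the page or from any anti-forensics tool.
"""
import os
import tempfile
import time
from typing import Optional

FUTURE_SLACK = 60  # seconds of clock skew tolerated before something is "in the future"


def stomp(path: str, when: float) -> None:
    """Set atime and mtime to `when` (epoch seconds), as `touch -d` would.

    ctime cannot be set this way: the kernel updates it to the current time as a
    side effect of this very call. That asymmetry is what check_file() exploits.
    (An attacker with raw disk access or control of the system clock can defeat
    this, so treat the checks as triage heuristics, not proof.)
    """
    os.utime(path, (when, when))


def check_file(path: str, now: Optional[float] = None,
               not_before: Optional[float] = None) -> list[str]:
    """Return a list of human-readable findings for one file (empty = nothing odd)."""
    now = time.time() if now is None else now
    st = os.stat(path)
    findings = []
    if st.st_mtime > now + FUTURE_SLACK:
        findings.append("mtime in the future")
    # Any legitimate content write updates mtime and ctime together, so mtime
    # should never run ahead of ctime by more than clock slack.
    if st.st_mtime > st.st_ctime + FUTURE_SLACK:
        findings.append("mtime later than ctime")
    # Tools that take a human-readable date usually write whole seconds; on a
    # filesystem that otherwise records nanoseconds that stands out.
    if st.st_mtime_ns % 1_000_000_000 == 0 and st.st_ctime_ns % 1_000_000_000 != 0:
        findings.append("mtime has a zeroed sub-second field while ctime does not")
    # External evidence (install log, backup catalogue, mail headers) can bound
    # when the file could have existed; a stomped past date violates the bound.
    if not_before is not None and st.st_mtime < not_before:
        findings.append("mtime predates external evidence of the file's existence")
    return findings


def demo() -> dict[str, list[str]]:
    """Create two constructed files, stomp one ten years into the future, report."""
    now = time.time()
    with tempfile.TemporaryDirectory() as d:
        clean = os.path.join(d, "clean.txt")
        stomped = os.path.join(d, "stomped.txt")
        for p in (clean, stomped):
            with open(p, "w") as f:
                f.write("constructed sample content\n")
        stomp(stomped, now + 10 * 365 * 86400)  # "created ten years from now"
        return {
            "clean": check_file(clean, now),
            "stomped": check_file(stomped, now),
        }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name}: {findings or 'no findings'}")
```

Stomping into the past instead of the future defeats the first two checks, which is why the sub-second and external-evidence checks are there; on filesystems with one-second granularity (FAT, some network mounts) the sub-second check is silent by design rather than noisy.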
  2. So... by X0563511 · Score: 4, Insightful

    The obvious message to law enforcement is that people don't like others going through their things.

    Personally, I'm all for it! The timestomp tool they mentioned seems more for oh-shit scramble-the-evidence rather than general usage... that kind of timestamp manipulation can really frig up a system.

    Personally I'm a fan of disk encryption using algorithms and key-lengths that make it extremely impractical to get in once the system is powered down. If up however... you have three strikes at getting in and all future packets from your IP are silently dropped for several days. Local access isn't a problem either... open the case and power goes out... and after 10 minutes of idle-time the system locks (only way in is password or reboot... obviously reboot isn't helpful)

    Call me paranoid. I am. I also like my privacy. Yes, I DO have something to hide: MY LIFE! I don't want you in my stuff at all!!! It doesn't matter that there is nothing illegitimate or illegal on the damn things, I still don't care.

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  3. Persuasion by gillbates · Score: 4, Insightful

    In 'Merica, we call it gitmo. Encrypshun don't fool us nohow, nosir.

    'fter all, if yah ain't guilty, watcha hidin' stuff fer? Dontcha know there's a war goin' on?

    --
    The society for a thought-free internet welcomes you.
    1. Re:Persuasion by Mr2001 · Score: 4, Insightful

      That's what packages like TrueCrypt with hidden volume support are good for. The Man tortures you, you give up a key, and he finds some fake secret files, while your real secret files are still safely hidden.

      --
      Visual IRC: Fast. Powerful. Free.
  4. Re:Macs... by Anonymous Coward · Score: 4, Insightful

    Mind you, criminals are not usually noted for their cunning and intelligence....

    Well, you only hear about the ones that get caught.

  5. Re:Here's a real good one by Anonymous Coward · Score: 5, Insightful

    You'd have to be careful about the choice of encryption algorithms when you do this. There are good reasons (which I can't cite off the top of my head; I'm no cryptographer) why triple DES, for example, has an encrypt-decrypt-encrypt pattern, rather than encrypt-encrypt-encrypt. Even then, all you achieve is a doubling of the effective key length, not a tripling (and remember that the actual key is three times as long - each step uses a different key).

    Cryptography is hard. I know enough to know that I know nothing about it, and that I'd screw the pooch on any crypto system I might implement. If you haven't a very solid maths background, and a lot of experience breaking cyphers (and I'm talking about more than just the simple Julius shift here), odds are extremely high that there's a flaw you've overlooked in your system.

  6. Re:Here's a real good one by Fulcrum of Evil · Score: 4, Insightful

    Sure it does - 2DES ~= DES in terms of security, while 3DES is better. Naturally, this means that the 3 level encryption scheme is dependent on the actual algorithm and serves mainly as a method for frustrating forensics. Probably AES - block shuffle - AES (different key) would make for some fun, but that assumes that they just want to convict you of something. If they think you can get at the data and want it bad enough, they'll just work you for it.

    --
    "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
  7. Re:Pfft. by plover · Score: 5, Insightful

    At work the standard we gave our service vendor for destroying failed drives involved a drill press and epoxy. We're concerned about data thieves, not Three Letter Agencies.

    For my personal drives at home, I just use a three pound hammer. A scraped, smashed and warped platter hitting the trash bin is effectively unreadable, and all I'm really concerned about is a bad guy finding bank account information. If someone official really wanted a working drive of mine, pajama-clad ninjas would probably come for it in the middle of the day while I was at work anyway.

    --
    John
  8. Epically bad. by rjh · Score: 5, Insightful

    I am an NSF-funded researcher in computer security, focusing on electronic voting. Data privacy and confidentiality is very important to us, as you can imagine.

    Your idea is quite terrible.

    First, what do you mean by a file "without signature"? Take a zip archive as an example--even if you strip off the zip header, any forensicist worth his or her salt can figure out it's a zip archive, just because of the way the data is structured. Encrypted filesystems have structure, too. A data forensicist can recognize an encrypted container on the basis of its structure. (Some people have recommended to you TrueCrypt in hidden volume mode. This is bogus. I'll explain that if you want.)

    Second, you appear to not understand how crypto works. Two layers are better than one, right? So double ROT13 encryption is stronger than single ROT13, right? You're running smack into a major, well-known area of crypto. A lot of ciphers do not composite themselves well. You are almost always better off just picking one algorithm with a strong keysize than a composition of multiple algorithms.

    Third, how do you plan on managing all of your keys? Key management is a thorny enough problem in the best of times. By relying on multiple keys you're multiplying the problem immensely.

    You really need to do some basic research in crypto.

    1. Re:Epically bad. by rjh · Score: 4, Insightful

      What I love about Slashdot armchair lawyers is their naive faith in the criminal justice system.

      So you go to trial. So you're acquitted. But by the time you get acquitted, you're front page news in all the local newspapers. You're getting death threats. Your family is shunned. You get let go from your job because you're bringing too much controversy. Your life, not to put too fine a point on it, is fucked.

      You may want to look into Wen Ho Lee, Steven Hatfill, Richard Jewell and John DeLorean, all of whom had this exact thing happen to them.

      Hatfill has never been charged. Jewell was totally exonerated, as was DeLorean. Wen Ho Lee pleaded guilty to a minor count just to make the madness stop, and received a profuse apology from the bench for how he was mistreated.

      Also, have you been following what happened in Durham, North Carolina recently with respect to prosecutorial misconduct in a rape case?

      You really, really need to acquaint your beliefs on how the law works with the reality of how the law works.

    2. Re:Epically bad. by asninn · Score: 4, Insightful

      But the law and the legal system *did* work in these cases; it was society, the media etc. that didn't. Not that it helps the victims, of course, but you need to recognise that this is a failure of society, not one of the criminal justice system, if you want to fix it.

      --
      butter the donkey
  9. It's nonsense by Paul Crowley · Score: 4, Insightful

    Encrypt once using a good algorithm. Multiple encryption is Hollywood-style security.
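Comments 5, 8 and 9 all make the same point from different angles: stacking a cipher on itself buys far less than the key lengths suggest, which is why triple DES with three 56-bit keys is credited with roughly 112 bits of strength rather than 168. The reason comment 5 could not cite is the meet-in-the-middle attack, and the following added example (not from any commenter) shows it against double encryption with a deliberately small toy block cipher so that it finishes in a moment. With a 12-bit key, brute-forcing both keys of a double encryption costs 2^24 trial encryptions; meet-in-the-middle encrypts one known plaintext under every first key, decrypts the matching ciphertext under every second key, and looks for a collision, at a cost of 2 * 2^12 operations plus a little memory. The toy cipher, the key-expansion constant and the secret keys are constructed for the demo and have no relation to DES; the attack itself is the standard one.

```python
"""Meet-in-the-middle against double encryption with a constructed toy cipher.

Added example, not code from the page. The cipher below is a throwaway
16-bit-block, 12-bit-key construction chosen so the attack runs instantly;
it has no security value and is not meant to resemble DES.
"""
from collections import defaultdict

KEY_BITS = 12
MASK16 = 0xFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (16 - n))) & MASK16


def _rotr(x: int, n: int) -> int:
    return ((x >> n) | (x << (16 - n))) & MASK16


def _round_keys(k: int) -> list[int]:
    """Expand the 12-bit key into four 16-bit round keys (arbitrary constant)."""
    k16 = (k * 0x9E37) & MASK16
    return [_rotl(k16, 3 * r) for r in range(4)]


def toy_enc(k: int, x: int) -> int:
    """Four rounds of add-rotate-xor; invertible because every step is."""
    for rk in _round_keys(k):
        x = (x + rk) & MASK16
        x = _rotl(x, 5)
        x ^= rk
    return x


def toy_dec(k: int, x: int) -> int:
    for rk in reversed(_round_keys(k)):
        x ^= rk
        x = _rotr(x, 5)
        x = (x - rk) & MASK16
    return x


def double_enc(k1: int, k2: int, x: int) -> int:
    """E_k2(E_k1(x)): the 'encrypt twice with two keys' idea from the thread."""
    return toy_enc(k2, toy_enc(k1, x))


def brute_force_cost() -> int:
    """Trial encryptions a naive attacker expects to need for the key pair."""
    return (2 ** KEY_BITS) ** 2


def meet_in_the_middle(pairs: list[tuple[int, int]]) -> tuple[list[tuple[int, int]], int]:
    """Recover candidate (k1, k2) from known plaintext/ciphertext pairs.

    Returns the surviving candidates and the number of cipher operations used
    to build and probe the table (verification against extra pairs not counted).
    """
    p0, c0 = pairs[0]
    ops = 0
    # Forward half: every possible middle value reachable from p0 under k1.
    table = defaultdict(list)
    for k1 in range(2 ** KEY_BITS):
        table[toy_enc(k1, p0)].append(k1)
        ops += 1
    # Backward half: peel one layer off c0 with every k2 and look for a meeting.
    candidates = []
    for k2 in range(2 ** KEY_BITS):
        mid = toy_dec(k2, c0)
        ops += 1
        for k1 in table.get(mid, ()):
            # A 16-bit collision is weak evidence; confirm on the remaining pairs.
            if all(double_enc(k1, k2, p) == c for p, c in pairs[1:]):
                candidates.append((k1, k2))
    return candidates, ops


def demo() -> tuple[tuple[int, int], list[tuple[int, int]], int]:
    """Constructed secret keys and known plaintexts; returns (secret, found, ops)."""
    k1, k2 = 0x2A7, 0x91C
    plaintexts = [0x1234, 0xBEEF, 0x0001]
    pairs = [(p, double_enc(k1, k2, p)) for p in plaintexts]
    found, ops = meet_in_the_middle(pairs)
    return (k1, k2), found, ops


if __name__ == "__main__":
    secret, found, ops = demo()
    print(f"secret keys {secret}, candidates {found}")
    print(f"{ops} operations instead of {brute_force_cost()} for brute force")
```

The same argument scaled up is why 2DES is rated at about 2^57 work rather than 2^112, and why the third DES layer is what actually adds strength; the encrypt-decrypt-encrypt ordering comment 5 mentions is there so that setting all three keys equal degrades to plain single DES for interoperability, not for security.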