thekazagami@gmail.com
rm.khalilprasetyo@gmail.com
I. INTRODUCTION
Information technology is developing rapidly, and so is the field of digital forensics. In cybercrime cases, a computer's hard drive is often analyzed for evidence that is valid for the case. When examiners find potentially incriminating files, whether in .jpg, .docx, .doc, .mp3, or .mp4 format, a timeline can usually be established regarding when they were created. Their respective timestamps form the basis for that timeline. On an NTFS file system, timestamps are stored in the Master File Table (MFT) and comprise a Last Modified Time (M), a Last Accessed Time (A), a File Created Time (C), and an Entry Modified Time (E). Although originally intended for accounting purposes by the operating system, timestamps are relied upon by examiners and investigators to establish timelines of criminal activity. For instance, since the C-timestamp is updated when a file is created, it is probative information that someone had access to the computer. Potentially, this may be sufficient presumptive evidence to incriminate a subject if he can be placed within
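The MACE timeline described above, as an added example that is not part of the paper: it parses the four FILETIME fields at the start of an NTFS $STANDARD_INFORMATION attribute (on-disk order is created, modified, entry modified, accessed) from constructed sample records, orders them into a timeline, and applies one check examiners commonly make on the C and M values. All file names and dates are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

# Constructed example, not the paper's code. FILETIME counts 100-ns ticks
# since 1601-01-01 UTC; $STANDARD_INFORMATION stores C, M, E, A in that order.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def parse_standard_information(raw):
    """Return the M, A, C and E timestamps of one $STANDARD_INFORMATION body."""
    c, m, e, a = struct.unpack_from("<4Q", raw, 0)
    return {"M": filetime_to_datetime(m), "A": filetime_to_datetime(a),
            "C": filetime_to_datetime(c), "E": filetime_to_datetime(e)}

def build_timeline(entries):
    """entries: {filename: raw $STANDARD_INFORMATION bytes}.
    Returns (timestamp, filename, kind) tuples sorted oldest first."""
    events = []
    for name, raw in entries.items():
        for kind, when in parse_standard_information(raw).items():
            events.append((when, name, kind))
    return sorted(events)

def created_after_modified(raw):
    """C newer than M is typical of a file copied onto the drive: the copy
    gets a fresh creation time but keeps the source file's modified time."""
    t = parse_standard_information(raw)
    return t["C"] > t["M"]

def make_si(created, modified, entry_modified, accessed):
    """Pack four datetimes into a $STANDARD_INFORMATION prefix (sample data)."""
    return struct.pack("<4Q", *(datetime_to_filetime(x) for x in
                                (created, modified, entry_modified, accessed)))

def ts(*ymdhm):
    return datetime(*ymdhm, tzinfo=timezone.utc)

# Constructed sample MFT data for two files (not real evidence).
SAMPLE = {
    "invoice.docx": make_si(ts(2007, 3, 1, 9, 0), ts(2007, 3, 1, 9, 30),
                            ts(2007, 3, 1, 9, 30), ts(2007, 3, 2, 8, 0)),
    "photo.jpg": make_si(ts(2007, 3, 5, 12, 0), ts(2006, 12, 24, 18, 0),
                         ts(2007, 3, 5, 12, 0), ts(2007, 3, 5, 12, 0)),
}

if __name__ == "__main__":
    for when, name, kind in build_timeline(SAMPLE):
        print(when.isoformat(), kind, name)
    print("photo.jpg copied in:", created_after_modified(SAMPLE["photo.jpg"]))
```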
II. METHODOLOGIES
This project collects data from the test cases and uses it to check that the anti-forensic tools and techniques are working adequately. The project contains many tasks that must be completed before it can be confirmed that the anti-forensic implementations work properly. These tasks can be divided into five steps:
1. Build up test cases.
2. Apply anti-forensic tools and techniques to these test cases.
3. Apply the forensic tools.
4. Report findings.
5. Compare the tools used.
2.1 Creating test cases
Anti-forensic techniques will be examined by creating test cases; each test case uses a different tactic that attackers use to hide or erase data in order to conceal their activities from investigators. These test cases involve changing a file's extension and saving it, wiping the hard disk, thumbnail caching, and the Windows registry
2.2 Applying anti-forensic tools and techniques
In general, anti-forensic techniques can be classified into five major areas: elimination of source, data hiding, data destruction, data contraception, and attacks on the forensic tools and process. In this paper we discuss the three main anti-forensic techniques: data destruction, data hiding, and data contraception.
1. Data Destruction
Data destruction is the process of destroying data stored on tapes, hard disks, and other forms of electronic media so that it is completely unreadable and cannot be accessed or used for unauthorized purposes. Data destruction is the most basic set of techniques in anti-forensics and consists of the physical and logical destruction of data or evidence. Physical destruction can be accomplished with magnetic techniques, such as degaussing of the media, or through the application of brute force.
2. Data Hiding
The simplest and most basic example of anti-forensics is data hiding. Consider the logical partition and the physical partition. Once a logical partition is created on a drive, the logical size of the partition is often smaller than the full size of the physical partition, which leaves slack space in which a user can store data. An additional use of partitions is to hide data within another partition after creating a new one. If a partition is erased, the data contained on it is not truly deleted; only the operating system's reference to the partition is removed. Therefore the elimination-of-source technique has to be applied before investigators perform data acquisition: if the evidence cannot be found, it will be neither investigated nor stated. The advantage of data hiding is that the hidden data remains accessible when it is needed. Hiding data in slack space is also applied: on many media devices, hard drives for example, data is kept in clusters divided by
3. Data Contraception
Data contraception is the attempt to limit the quantity and quality of forensic evidence by keeping forensically valuable, or useful, data off the disk. To accomplish this there are two core techniques for interacting with the operating system: firstly, operate purely in memory, and secondly, use common utilities rather than custom-crafted tools. In short, data contraception means using software that creates hardly any evidence, such as syscall proxying, memory-resident compilers/assemblers, Direct Kernel Object Manipulation (DKOM), portable software, and live distros.
B. Steganography
Experiment Tools:
Tool: Steghide
Manufacturer: Free Software Foundation, Inc
Version: 0.5.1
License: Free
Experiment Steps:
1. Applying Anti-Forensic Tool
2. Examining Evidence With Forensic Tools (Autopsy)
C. Data Hiding (Slack Spaces)
Blocks are fixed-size containers used by a file system to store data. Blocks can also be defined as the smallest units of data that a file system can use to store information. A file can consist of a single block/cluster or of multiple blocks/clusters, depending on its size. When data is stored in these blocks, one of two mutually exclusive conditions occurs: the block is completely full, or the block is partially full. If the block is completely full, the most optimal situation for the file system has occurred. If the block is only partially full, the area between the end of the file and the end of the container is referred to as slack space [6].
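The slack-space arithmetic above, and the examiner-side check that follows from it, as an added example that is not code from the paper or from bmap: a constructed "disk image" of 512-byte clusters holds two files, and every file's slack (end of file to end of its last cluster) is scanned for anything other than the zero fill a clean file system leaves there. Cluster size, file names and contents are all constructed.

```python
# Constructed example, not code from the paper or from bmap.
CLUSTER_SIZE = 512

def slack_bytes(file_size, cluster_size=CLUSTER_SIZE):
    """Number of unused bytes in the file's last cluster."""
    return 0 if file_size == 0 else (-file_size) % cluster_size

def slack_region(first_cluster, file_size, cluster_size=CLUSTER_SIZE):
    """(start, end) image offsets of the file's slack space."""
    n_clusters = (file_size + cluster_size - 1) // cluster_size
    end = (first_cluster + n_clusters) * cluster_size
    return end - slack_bytes(file_size, cluster_size), end

def scan_slack(image, layout, cluster_size=CLUSTER_SIZE):
    """layout: {name: (first_cluster, file_size)}. Returns {name: bytes} for
    each file whose slack is not zero-filled (trailing zeros stripped); any
    such residue is something an examiner would want to look at."""
    findings = {}
    for name, (first, size) in layout.items():
        start, end = slack_region(first, size, cluster_size)
        residue = bytes(image[start:end]).rstrip(b"\x00")
        if residue:
            findings[name] = residue
    return findings

def build_image(files, cluster_count, cluster_size=CLUSTER_SIZE, slack_fill=None):
    """Lay files out in their clusters; `slack_fill` = (name, payload) leaves
    payload in that file's slack, the condition the scan must detect."""
    img = bytearray(cluster_count * cluster_size)
    for first, content in files.values():
        img[first * cluster_size:first * cluster_size + len(content)] = content
    if slack_fill:
        name, payload = slack_fill
        start, end = slack_region(files[name][0], len(files[name][1]), cluster_size)
        if len(payload) > end - start:
            raise ValueError("payload larger than the slack region")
        img[start:start + len(payload)] = payload
    return img

# Constructed sample: two files, one with non-zero bytes left in its slack.
SAMPLE_FILES = {"notes.txt": (0, b"A" * 300), "report.doc": (1, b"B" * 1100)}
SAMPLE_LAYOUT = {n: (first, len(c)) for n, (first, c) in SAMPLE_FILES.items()}
SAMPLE_IMAGE = build_image(SAMPLE_FILES, 4, slack_fill=("notes.txt", b"hidden"))

if __name__ == "__main__":
    for name, (first, size) in SAMPLE_LAYOUT.items():
        print(name, "slack bytes:", slack_bytes(size))
    print(scan_slack(SAMPLE_IMAGE, SAMPLE_LAYOUT))  # {'notes.txt': b'hidden'}
```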
Experiment Tools:
Tool: bmap
Manufacturer: Free Software Foundation, Inc
Version: 1.2.3
License: Free (GNU General Public License version 3.0, GPLv3)
Experiment Steps:
1. Applying Anti-Forensic Tool
2. Examining Evidence With Forensic Tools (Digital Forensic Framework)
D. Data Destruction
For this method we use ErAce. ErAce is very easy to use because you simply boot from it and press one button to wipe all the data from a drive with the DoD 5220.22-M method. DoD 5220.22-M is a software-based data sanitization method used in various file shredder and data destruction programs to overwrite existing information on a hard drive or other storage device. Erasing a hard drive using the DoD 5220.22-M data sanitization method will prevent all software-based file recovery methods from lifting information from the drive and should also prevent most, if not all, hardware-based recovery methods. The DoD 5220.22-M method is often misspelled as DoD 5220.2-M (.2-M instead of .22-M) [7]. We might also come across various iterations of DoD 5220.22-M, including DoD 5220.22-M (E), DoD 5220.22-M (ECE), or others. Each will probably use a character and its complement (as in 1 and 0) and varying frequencies of verification. Some versions of DoD 5220.22-M write a 97 during the last pass.
Experiment Tools:
Tool: ErAce
Manufacturer: Erace.it
Version: 1.0
License: Free
Experiment Steps:
1. Applying Anti-Forensic Tool
2. Examining Evidence With Forensic Tools (FTK)
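The pass structure described above (a character, its complement, a final random or fixed 0x97 pass, each verified by reading back), as an added example that is not ErAce's code: it is applied to an in-memory buffer that stands in for a drive, followed by the check an examiner would run afterwards, a plain byte search for known content. The buffer contents and the fragments searched for are constructed.

```python
import os

# Constructed example, not ErAce's code. The bytearray stands in for a drive.
def dod_5220_22m_wipe(media, character=0x00, last_pass=None, rng=os.urandom):
    """Overwrite `media` in place with the DoD 5220.22-M pattern: pass 1 writes
    `character`, pass 2 its complement, pass 3 random bytes (or the fixed byte
    `last_pass`, e.g. 0x97, that some variants use). Every pass is read back
    and verified. Returns the list of verified pass numbers."""
    n = len(media)
    third = bytes([last_pass]) * n if last_pass is not None else rng(n)
    passes = [bytes([character]) * n, bytes([character ^ 0xFF]) * n, third]
    verified = []
    for number, data in enumerate(passes, 1):
        media[:] = data
        if bytes(media) != data:          # verification read-back
            raise IOError(f"verification failed on pass {number}")
        verified.append(number)
    return verified

def recoverable_fragments(media, fragments):
    """Examiner-side check: which known fragments a plain byte search (the
    simplest software-based recovery method) can still find on the medium."""
    view = bytes(media)
    return [f for f in fragments if f in view]

if __name__ == "__main__":
    drive = bytearray(b"confidential contract v3\n" * 40)   # constructed content
    known = [b"confidential", b"contract v3"]
    print("before:", recoverable_fragments(drive, known))
    print("passes verified:", dod_5220_22m_wipe(drive, last_pass=0x97))
    print("after:", recoverable_fragments(drive, known))
```

On flash media with wear levelling, overwriting a logical address does not guarantee that the physical cells which held the original data are rewritten, so a read-back verification like the one above says nothing about hardware-based recovery on such devices.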
E. Data Contraception
For this method we will use Remote Exec. Using gdb as an IUD allows an attacker to be exploit-agnostic for anti-forensic attacks. After using an arbitrary exploit to gain access to a shell, an attacker is able to execute any binary without creating a forensic trace. By the same token, once an attacker has shell access to a host, he is able to execute an arbitrary command without leaving any evidence of forensic value. An IUD separate from an exploited process allows an attacker to use anti-forensic attacks at any point after owning a box, rather than only during the initial exploitation phase [6].
Experiment Tools:
Tool: Remote Exec
Manufacturer: Phrack Inc
License: Free
Experiment Steps:
1. Applying Anti-Forensic Tool
2. Examining Evidence With Forensic Tools (Autopsy)
Method Used                | Tool Used   | Presence of Data                                    | Result | Efficiency of Technique
Steganography              | Steghide    | Detected the previously hidden data / Not detected  |        |
Data Hiding (Slack Spaces) | bmap        | Detected hidden data / Not detected data            |        |
Data Destruction           | ErAce       | Data exist / Data not exist                         |        |
Data Contraception         | Remote Exec | Data exist / Not exist                              |        |
V. CONCLUSIONS
Due to the rapid and great progress of information technology, examiners must be fully aware of these developments and must develop themselves in the field of cybercrime in order to overcome anti-forensic techniques. An examiner who is aware of recent techniques will be able to resolve new issues involving the latest anti-forensic methods. This paper covers only the commonly used anti-forensic techniques currently in use. Nonetheless, criminals use other methods in their operations that are more sophisticated than those highlighted here. As technology keeps advancing, so do such ways and means, as criminals try to design more solid and complex methods of hiding their identity and committing crime. Specifically, the goal of anti-forensic technology is to confuse investigations. Therefore, in future, most organizations might ban their use and perhaps even their possession. However, this move faces a myriad of challenges, as many technology developers have looked to include high-quality anti-forensic technology in consumer operating systems, aimed at promoting data privacy. In this experiment, only four tools out of several techniques were identified by the forensic tools, FTK Imager, DFF, and Autopsy. We have used different anti-forensic techniques and tools such as steganography, active
11, 2007, from stachliu.com/files/InfoSecWorld_2006-K2-Bleeding_Edge_AntiForensics.ppt
[3] Berinato, S. (2007). The Rise of Anti-Forensics. Retrieved April 19, 2008.
[4] Palmer, C., Newsham, T., Stamos, A., & Ridder, C. (2007, August 1). Breaking Forensics Software: Weaknesses in Critical Evidence Collection. Abstract of presentation at Black Hat USA 2007.
[5] Ahsan, K. (2002). Covert Channel Analysis and Data Hiding in TCP/IP.
[6] Sartin, B. (2006). Anti-forensics, distorting the evidence. Journal of Computer Fraud and Security (5), 46.
[7] Carrier, B. (2002). Defining Digital Forensic Examination and Analysis, Research Workshop II. Available at: http://www.dfrws.org.