Anti-Forensics Techniques for Browsing Artifacts
By: Gaurang Patel
www.cyberworldhere.com

Description
Anti-forensics refers to any technique, gadget or software designed to hamper a computer investigation; the aim here is to achieve security by using it. Anti-forensics includes encryption, steganography, disk cleaning and file wiping. It is used mainly for security, for the confidentiality of information or for securing web transactions, but smart criminals also use it to make forensic investigation harder.

Transcript
Outline
Introduction to cybercrime
What is Cyber Forensics?
Branches of Digital Forensics
Why Browser Forensics?
Test and Analysis
Proposed Research Flow
Forensics vs. Anti-Forensics
Why Anti-Forensics?
Anti-Forensics Test and Analysis Flow
Anti-Forensics Techniques
Analysis of Results
Conclusion
References
Copyright © http://www.cyberworldhere.com
Introduction to cybercrime
Digital crime (also called cybercrime, e-crime, hi-tech crime and electronic crime) generally refers to criminal activity in which a computer or network is the source, tool, target or place of a crime. Cybercrime is a term for any illegal activity that uses a computer as its primary means of commission.
What is Cyber Forensics?
Computer forensics is the application of investigation and analysis techniques to gather and preserve evidence from a particular computing device in a way that is suitable for presentation in a court of law. The goal of computer forensics is to perform a structured investigation while maintaining a documented chain of evidence, to find out exactly what happened on a computing device and who was responsible for it.
Branches of Digital Forensics
1. Disk Forensics
2. Printer Forensics
3. Network Forensics
4. Mobile Device Forensics
5. Database Forensics
6. Digital Music Device Forensics
7. Scanner Forensics
8. Browser Forensics
9. Social networking Forensics
10. PDA Forensics
Why Browser Forensics?
People use web browsers to search for information, shop online, bank and invest, communicate through e-mail or instant messaging, join blogs or social networks, and much more.
* Crimes are committed through browsers
* Those crimes cause losses
* It is important to collect the trails as evidence
* A forensic investigation recovers the browsing-related data from the computer
Test and Analysis
Tests were conducted in two modes:
1) Normal browsing mode
2) Private browsing mode
Tools used:
* AccessData FTK Imager 3.1.3.2
* Autopsy 3.0.6
* Web Browser Forensic Analyzer (WEFA), version 1.2
* Cache, history and cookie viewers by NirSoft
* fsutil
* Eraser secure deletion tool
* Any Linux distribution live CD/USB
Browsers used:
* Mozilla Firefox version 25.0.1
* Google Chrome version 17.0.963.12
* Internet Explorer version 9.0.8112.16421
System used: Dell XPS 15 with 6 GB RAM, Windows 7 Professional and a 750 GB hard disk formatted with NTFS.
Proposed Research Flow
(flowchart; figure only)
Normal Browsing Test: unique URLs and the keywords used during the test
* Google.com: searched "Cyber security"; opened the first Wikipedia page on cyber security standards
* Yahoo.com: searched "Virus attack"; opened home.mcafee.com/VirusInfo
* msn.com: searched "Threat"; opened the first Wikipedia page
* Youtube.com: searched "Hacking"
Cache, history and cookie places of Firefox have traces of normal browsing activities.
Cache, history and cookie places of Chrome have traces of normal browsing activities
Cache, history and cookie places of IE have traces of normal browsing activities.
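The history stores that the NirSoft viewers and WEFA read are, for Firefox and Chrome, plain SQLite databases (places.sqlite and History respectively). The script below is an added example, not the slides' tooling, that extracts visit records from both and converts their timestamps: Firefox stores microseconds since 1970-01-01 UTC, Chrome stores microseconds since 1601-01-01 UTC, and getting the epoch wrong shifts every timestamp by 369 years. The two databases are rebuilt in memory with a minimal subset of the real schema and constructed sample rows (the search URLs mirror the keywords of the normal browsing test) so it runs offline; open_artifact shows how a copied on-disk file would be opened.

```python
"""Extract visits and search keywords from Firefox and Chrome history databases.

Added example (not from the original slides). Schemas below are a minimal
subset of the real moz_places/moz_historyvisits and urls/visits tables;
the rows are constructed sample data.
"""
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
SEARCH_PARAMS = ("q", "p", "search_query")   # Google/Bing, Yahoo, YouTube


def firefox_time(prtime):
    """Firefox PRTime: microseconds since 1970-01-01 UTC."""
    return datetime.fromtimestamp(prtime / 1_000_000, tz=timezone.utc)


def chrome_time(webkit_us):
    """Chrome/WebKit time: microseconds since 1601-01-01 UTC."""
    return WEBKIT_EPOCH + timedelta(microseconds=webkit_us)


def search_keyword(url):
    """Recover the search term from a search-engine URL, or None if there is none."""
    qs = parse_qs(urlparse(url).query)
    for name in SEARCH_PARAMS:
        if name in qs:
            return qs[name][0]
    return None


def firefox_visits(conn):
    """One row per visit: moz_historyvisits joined back to moz_places."""
    rows = conn.execute(
        "SELECT p.url, p.title, v.visit_date FROM moz_historyvisits v "
        "JOIN moz_places p ON p.id = v.place_id ORDER BY v.visit_date")
    return [(url, title, firefox_time(t)) for url, title, t in rows]


def chrome_visits(conn):
    """One row per visit: visits joined back to urls."""
    rows = conn.execute(
        "SELECT u.url, u.title, v.visit_time FROM visits v "
        "JOIN urls u ON u.id = v.url ORDER BY v.visit_time")
    return [(url, title, chrome_time(t)) for url, title, t in rows]


def open_artifact(path):
    """Open a copied database read-only. Never open the live file: the browser
    holds a lock on it and any write would alter the evidence."""
    return sqlite3.connect(f"file:{path}?mode=ro&immutable=1", uri=True)


def build_sample_firefox():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_places(id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                                visit_count INTEGER, last_visit_date INTEGER);
        CREATE TABLE moz_historyvisits(id INTEGER PRIMARY KEY, place_id INTEGER,
                                       visit_date INTEGER);
        INSERT INTO moz_places VALUES
            (1, 'https://www.google.com/search?q=cyber+security',
                'cyber security - Google Search', 1, 1386152100000000),
            (2, 'https://en.wikipedia.org/wiki/Cyber_security_standards',
                'Cyber security standards', 1, 1386152160000000);
        INSERT INTO moz_historyvisits VALUES (1, 1, 1386152100000000),
                                             (2, 2, 1386152160000000);
    """)
    return conn


def build_sample_chrome():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                          visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER);
        INSERT INTO urls VALUES (1, 'http://www.bing.com/search?q=social+networking',
                                 'social networking - Bing', 1, 13030626000000000);
        INSERT INTO visits VALUES (1, 1, 13030626000000000);
    """)
    return conn


def report(conn, extractor):
    """Flatten visits into printable rows: timestamp, keyword (if any), URL."""
    return [(t.strftime("%Y-%m-%d %H:%M:%S UTC"), search_keyword(url) or "", url)
            for url, _title, t in extractor(conn)]


if __name__ == "__main__":
    for name, conn, fn in (("Firefox", build_sample_firefox(), firefox_visits),
                           ("Chrome", build_sample_chrome(), chrome_visits)):
        print(name)
        for row in report(conn, fn):
            print("  ", *row)
```

For a real case, copy places.sqlite (and its -wal file) or the Chrome History file off the image, pass the copy to open_artifact, and feed the connection to the matching extractor. Internet Explorer 9 keeps its history in binary index.dat files rather than SQLite, which is why the slides rely on WEFA's carving for it.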
Evidence collected using WEFA (Web Browser Forensic Analyzer)
WEFA found all the history, cache and cookie based artifacts.
It also gives some interesting additional evidence:
– Local files accessed by the user on the computer
– A search outline across all the browsers with URL hit status (direct or indirect)
Forensically sound tool: WEFA
* Shows URL behaviour (search, blog, news, video, etc.)
* Shows URL hit status (direct or indirect)
* Recovers deleted web browser log files
* Collects the artifacts from all the browsers in a single run
* Carves index.dat files
Carving index.dat files reveals the old history
Actual test performed on 4-12-2013
Carved File Analysis by Autopsy
How can we be sure that this really is the result of carving the index.dat files? To cross-check, we opened the files carved by WEFA in Autopsy. It shows the same URLs as shown in the history.
Private Browsing
Why Private Browsing?
Private Browsing Test: unique URLs and the keywords used during the test
Firefox (Private):
* Forbes.com: "Security"
* Food.com: "Salad"
* Timesofindia.indiatimes.com: "Exploit"
* Djmaza.com: "Singh saab the great"
Chrome (Incognito):
* Youtube.com: "Forensics"
* Bing.com: "Social networking"
* Play.google.com: "Angry birds"
Internet Explorer (InPrivate):
* Hotmail.com: (no search keyword)
* Filehippo.com: "Chat"
* Torrentz.com: "Mickey virus"
Searching for Artifacts
* The searches above were performed in each browser's private mode
* The private browsing session was terminated by closing the browser
* The usual history, cache and cookie locations did not contain any trails
* Several tools were used, but no trails of the private browsing were found on disk
* The RAM (volatile memory) and the paging file were then captured
Private Browsing Artifacts Found in RAM
(screenshot)
Entries in RAM (number of matching strings found in the memory image)
Mozilla Firefox (Private):
* Forbes.com: 38 entries; keyword "Security": 7 entries
* Food.com: 51 entries; keyword "Salad": 47 entries
* Timesofindia.indiatimes.com: 17 entries; keyword "Exploit": 8 entries
* Djmaza.com: 15 entries; keyword "Singh saab the great": 9 entries
Google Chrome (Incognito):
* Youtube.com: 13 entries; keyword "Forensics": 7 entries
* Bing.com: 150 entries; keyword "Social networking": 14 entries
* Play.google.com: 200 entries; keyword "Angry birds": 39 entries
Internet Explorer (InPrivate):
* Hotmail.com: 20 entries; no keyword
* Filehippo.com: 38 entries; keyword "Chat": 10 entries
* Torrentz.com: 30 entries; keyword "Mickey virus": 25 entries
Capture and Analysis of RAM and Paging File in Different Phases
1. Image acquired from the running machine: evidence found.
2. Quick restart of the system and image acquired again: evidence still found in RAM after the quick restart.
3. Machine powered off for a few (4-5) minutes and powered on again, then RAM and paging file imaged once more: no evidence found in the RAM dump, but some evidence found in the paging file (pagefile.sys).
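The "entries" counted above come from string-searching the RAM and pagefile images for each URL and keyword. The scanner below is an added example of that step (not the slides' tooling), with the check a plain ASCII strings pass misses: Windows browser processes keep much of their text as UTF-16LE, so each term is searched in both encodings, and every hit's offset is kept so it can be confirmed in a hex viewer. The image bytes and the term list are constructed stand-ins; scan_file streams a real multi-gigabyte dump in chunks without losing hits that straddle a chunk boundary.

```python
"""Count URL and keyword hits in a RAM or pagefile image in ASCII and UTF-16LE.

Added example (not from the original slides). SAMPLE_IMAGE is a constructed
stand-in for a memory image; TERMS are two of the test's search strings.
"""
import io
import re
from collections import Counter

TERMS = ["forbes.com", "security"]

# Constructed image: ASCII and UTF-16LE copies of a URL and a keyword with filler.
SAMPLE_IMAGE = (
    bytes(64)
    + b"http://www.forbes.com/security/\x00"
    + "http://www.forbes.com/".encode("utf-16-le")
    + b"\xff\xfe" * 16
    + "Search: security".encode("utf-16-le")
    + b"SECURITY\x00"
    + bytes(64)
)


def _patterns(term):
    """Case-insensitive byte patterns for the term as ASCII and as UTF-16LE."""
    return (
        ("ascii", re.compile(re.escape(term.encode("ascii")), re.IGNORECASE)),
        ("utf16", re.compile(re.escape(term.encode("utf-16-le")), re.IGNORECASE)),
    )


def scan_image(data, terms):
    """Count every occurrence of each term in `data`, in both encodings.
    Returns {term: {"ascii": n, "utf16": n, "total": n,
                    "offsets": [(start, end, encoding), ...]}}."""
    results = {}
    for term in terms:
        hits = {"ascii": 0, "utf16": 0, "offsets": []}
        for enc, pat in _patterns(term):
            for m in pat.finditer(data):
                hits[enc] += 1
                hits["offsets"].append((m.start(), m.end(), enc))
        hits["total"] = hits["ascii"] + hits["utf16"]
        results[term] = hits
    return results


def scan_stream(fobj, terms, chunk=64 << 20):
    """Stream a large image. Each chunk is scanned together with the tail of the
    previous one; a hit is counted only in the first chunk that contains it
    completely (its end lies past the carried tail), so boundary hits are
    neither lost nor double-counted."""
    overlap = 2 * max(len(t) for t in terms)   # >= longest pattern in either encoding
    totals = Counter()
    tail = b""
    while True:
        block = fobj.read(chunk)
        if not block:
            break
        buf = tail + block
        for term, hits in scan_image(buf, terms).items():
            totals[term] += sum(1 for _s, e, _enc in hits["offsets"] if e > len(tail))
        tail = buf[-overlap:]
    return totals


def scan_file(path, terms, chunk=64 << 20):
    with open(path, "rb") as f:
        return scan_stream(f, terms, chunk)


def context(data, start, end, width=24):
    """Printable neighbourhood of a hit, for cross-checking in a hex viewer."""
    raw = data[max(0, start - width): end + width]
    return "".join(chr(b) if 32 <= b < 127 else "." for b in raw)


def demo_stream(chunk):
    """Run the streaming scanner over the constructed image with a small chunk size."""
    return scan_stream(io.BytesIO(SAMPLE_IMAGE), TERMS, chunk=chunk)


if __name__ == "__main__":
    for term, hits in scan_image(SAMPLE_IMAGE, TERMS).items():
        print(f"{term}: {hits['total']} entries "
              f"({hits['ascii']} ASCII, {hits['utf16']} UTF-16LE)")
        for s, e, enc in hits["offsets"]:
            print(f"  0x{s:08x} {enc:5} {context(SAMPLE_IMAGE, s, e)}")
```

Counts produced this way are upper bounds on distinct artifacts: the same URL is typically held in several structures (history entry, session store, rendering caches), which is why a single visit shows up as dozens of entries in the table above.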
Page File Containing Private Browsing Artifacts
(screenshot)

Private Browsing is not so Private
Forensics vs. Anti-Forensics
Essentially, anti-forensics refers to any technique, gadget or software designed to hamper a computer investigation. The aim here is to achieve security by using anti-forensics.
Anti-forensics includes encryption, steganography, disk cleaning and file wiping.
Why Anti-Forensics?
* Mainly for security: the confidentiality of information, or securing web transactions.
* Smart criminals also use it to make forensic investigation harder.
Anti-Forensics Test and Analysis Flow
(flowchart over two slides; figure only)
Anti-Forensics Techniques
Disable the page file
This affects computer performance: with less RAM available, computing slows down because Windows can no longer swap to disk.
Encrypt the page file
We encrypted the contents of the page file and acquired the image again to analyse it with the forensic tools. (On Windows 7 this is done with fsutil behavior set EncryptPagingFile 1, which makes EFS encrypt pagefile.sys from the next boot onwards.)
Capturing the page file
(screenshot)
Encrypted page file
(screenshot)
Clear the Windows page file
You can tell Windows to erase the page file at every shutdown. Open the Registry Editor (type regedit in Run) and go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management. Change the DWORD value ClearPageFileAtShutdown from 0 to 1. The setting takes effect at the next shutdown, which then takes longer because the whole file is overwritten with zeros.
Cleared page file
No browsing evidence was found on the machine; the image shows only the cleared page file, i.e. zeros.
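The three page file techniques each leave a recognisable signature that is worth verifying on the acquired image before trusting the result: a cleared file is all zeros, an EFS-encrypted one looks like random data (high byte entropy and no readable strings), and a plain one contains readable text. The classifier below is an added example (not from the slides) that checks this; the three sample buffers are constructed, with SHA-256 output standing in for ciphertext, and classify_file applies the same test to an on-disk image without loading it into memory.

```python
"""Tell a cleared, an encrypted and a plaintext page file image apart.

Added example (not from the original slides). CLEARED, ENCRYPTED and PLAIN
are constructed stand-ins; the entropy threshold of 7.5 bits/byte is an
assumption that separates ciphertext/compressed data from text and code.
"""
import hashlib
import math
import re
from collections import Counter

CLEARED = bytes(4096)
ENCRYPTED = b"".join(hashlib.sha256(i.to_bytes(2, "big")).digest() for i in range(128))
PLAIN = (b"http://www.forbes.com/security/\x00"
         + "Search: security".encode("utf-16-le")) * 40 + bytes(1024)


def zero_fraction(data):
    return data.count(0) / len(data) if data else 1.0


def _entropy_from_hist(hist, n):
    """Shannon entropy in bits per byte (0 for a constant file, ~8 for random data)."""
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in hist.values())


def shannon_entropy(data):
    return _entropy_from_hist(Counter(data), len(data))


def first_nonzero_offset(data):
    """Offset of the first non-zero byte, or None if the buffer is all zeros."""
    m = re.search(rb"[^\x00]", data)
    return m.start() if m else None


def classify_pagefile(data):
    """Label an in-memory image by what its bytes look like."""
    if first_nonzero_offset(data) is None:
        return "cleared"                     # ClearPageFileAtShutdown did its job
    if shannon_entropy(data) > 7.5:
        return "encrypted-or-compressed"     # EFS ciphertext (or compressed data)
    return "plaintext"                       # readable: search it for URLs and keywords


def classify_file(path, chunk=64 << 20):
    """Same verdict for an on-disk image, streamed so a multi-GB file fits in RAM.
    A single non-zero byte anywhere is enough to rule out 'cleared'."""
    hist = Counter()
    nonzero = None
    pos = 0
    with open(path, "rb") as f:
        while True:
            block = f.read(chunk)
            if not block:
                break
            if nonzero is None:
                off = first_nonzero_offset(block)
                if off is not None:
                    nonzero = pos + off
            hist.update(block)
            pos += len(block)
    if nonzero is None:
        return "cleared"
    if _entropy_from_hist(hist, pos) > 7.5:
        return "encrypted-or-compressed"
    return "plaintext"


if __name__ == "__main__":
    for name, buf in (("cleared", CLEARED), ("encrypted", ENCRYPTED), ("plain", PLAIN)):
        print(f"{name:10} zeros={zero_fraction(buf):.3f} "
              f"entropy={shannon_entropy(buf):.2f} -> {classify_pagefile(buf)}")
```

A plaintext verdict is the cue to run the URL/keyword scanner over the file; an encrypted verdict means the content is only recoverable with the machine's EFS key, which is why the slides treat encryption as equivalent to removal for a dead-disk acquisition.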
Using a Linux live CD or USB to browse the web securely
* We booted the existing machine from the Linux live medium without mounting the hard disk read/write; we simply booted up and performed the browsing activities directly.
* The whole live Linux file system is held in RAM, so after we restarted the machine no artifacts were found on it.
* So a Linux live distribution is one of the best ways to browse privately without leaving artifacts behind.
One check is worth making before browsing: some live distributions automatically activate any swap partition they find on the internal disk, and some auto-mount internal partitions; either would let the session's data reach the very disk this technique is meant to keep clean.
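The live-session check described above, as an added example (not from the slides): it parses /proc/mounts and /proc/swaps and reports any mount or swap area that sits on an internal disk. The two sample listings are constructed copies of what a live session might show; on a real live system call disk_exposure with the contents of the two /proc files, and expect an empty list before browsing.

```python
"""Verify that a Linux live session is not touching the internal disk.

Added example (not from the original slides). SAMPLE_* are constructed
/proc/mounts and /proc/swaps listings; INTERNAL_DISK is an assumed device
naming pattern (SATA/SCSI, NVMe, eMMC, legacy IDE) and does not cover
LVM or dm-crypt mappings, which would need /dev/mapper handling.
"""
import re

INTERNAL_DISK = re.compile(r"^/dev/(sd[a-z]|nvme\d+n\d+|mmcblk\d+|hd[a-z])")

SAMPLE_MOUNTS = """\
/cow / overlay rw,noatime,lowerdir=//filesystem.squashfs,upperdir=/cow/upper,workdir=/cow/work 0 0
/dev/sr0 /cdrom iso9660 ro,noatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/sda2 /media/ubuntu/Windows fuseblk rw,nosuid,nodev,relatime 0 0
"""
SAMPLE_SWAPS = """\
Filename\t\t\t\tType\t\tSize\tUsed\tPriority
/dev/sda3                               partition\t4194300\t0\t-2
"""
CLEAN_MOUNTS = """\
/cow / overlay rw,noatime,lowerdir=//filesystem.squashfs,upperdir=/cow/upper,workdir=/cow/work 0 0
/dev/sr0 /cdrom iso9660 ro,noatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
"""
CLEAN_SWAPS = "Filename\t\t\t\tType\t\tSize\tUsed\tPriority\n"


def parse_mounts(text):
    """(source, target, fstype, [options]) per line of /proc/mounts.
    Paths with spaces appear octal-escaped (\\040) there, so whitespace splitting is safe."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        source, target, fstype, options = parts[:4]
        entries.append((source, target, fstype, options.split(",")))
    return entries


def parse_swaps(text):
    """Device names from /proc/swaps (first line is a header)."""
    return [line.split()[0] for line in text.splitlines()[1:] if line.strip()]


def disk_exposure(mounts_text, swaps_text):
    """Every way the session could write to the internal disk; empty means clean."""
    findings = []
    for source, target, fstype, opts in parse_mounts(mounts_text):
        if INTERNAL_DISK.match(source):
            mode = "rw" if "rw" in opts else "ro"
            findings.append(f"{source} mounted {mode} at {target} ({fstype})")
    for dev in parse_swaps(swaps_text):
        if INTERNAL_DISK.match(dev):
            findings.append(f"{dev} active as swap")
    return findings


if __name__ == "__main__":
    with open("/proc/mounts") as m, open("/proc/swaps") as s:
        problems = disk_exposure(m.read(), s.read())
    print("\n".join(problems) if problems else "internal disk untouched")
```

An active swap partition is the more dangerous of the two findings, because it silently receives pages of the running browser; swapoff -a and unmounting the partition before starting the browser put the session back into RAM only.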
Securely wiping the browsing activities
Normal deletion does not actually delete the data: only the file's reference is removed from the file system table, and the data remains on the hard disk until it is overwritten by other data, so it can be recovered with several tools. If instead we securely wipe the data of the browsing activities using multiple overwrite passes, it cannot be recovered. So this is the best anti-forensics technique for the on-disk artifacts.
Forgot to turn on private browsing mode? Don't worry: the artifacts sit in the usual history, cookie and cache locations on the computer and can be wiped there. We used the tool Eraser, which securely wipes the contents from the hard disk so that none of the forensic tools can recover them.
Two caveats apply. Overwriting in place only helps when the new data lands on the same physical sectors as the old: SSDs remap writes (wear levelling), and NTFS compressed or sparse files and Volume Shadow Copies can keep extra copies the wipe never touches, so the file name and size can also survive in MFT and USN journal records. And on modern drives a single random pass is as effective as many; the 35-pass pattern targeted the encoding of 1990s MFM/RLL drives.
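What a wiping tool such as Eraser does to a single file, as an added example (not Eraser's own code): open the file for writing without truncating it, so the same clusters are overwritten rather than released, write each pass and fsync it to the device, then shrink and rename the file before unlinking so the original name and size are less likely to survive in directory metadata. The demo wipes a throwaway stand-in for a browser history file created in a temporary directory; the three-pass pattern (zeros, ones, random) is an assumption, not Eraser's configuration.

```python
"""Multi-pass in-place file wipe, the operation behind 'secure deletion' tools.

Added example (not from the original slides or from Eraser). Whether the
overwrite reaches the old sectors depends on the storage: SSD wear
levelling, NTFS compressed/sparse files and Volume Shadow Copies can all
keep copies this never touches.
"""
import os
import secrets
import tempfile

PASS_PATTERNS = (b"\x00", b"\xff", None)   # None: cryptographically random bytes


def _write_all(fd, chunk):
    """os.write may write fewer bytes than asked; loop until the chunk is written."""
    view = memoryview(chunk)
    while view:
        view = view[os.write(fd, view):]


def _overwrite_pass(fd, size, pattern, block=1 << 16):
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining > 0:
        n = min(block, remaining)
        _write_all(fd, secrets.token_bytes(n) if pattern is None else pattern * n)
        remaining -= n
    os.fsync(fd)          # force this pass to the device before starting the next


def wipe_file(path, passes=3, delete=True):
    """Overwrite `path` in place `passes` times, then (optionally) rename and unlink it.
    Returns the number of bytes overwritten per pass."""
    size = os.path.getsize(path)
    # O_WRONLY without O_TRUNC: truncating first would release the clusters and let
    # the file system hand us different ones, leaving the old data untouched.
    fd = os.open(path, os.O_WRONLY)
    try:
        for i in range(passes):
            _overwrite_pass(fd, size, PASS_PATTERNS[i % len(PASS_PATTERNS)])
    finally:
        os.close(fd)
    if delete:
        os.truncate(path, 0)
        # Rename to a random name before unlinking so the original file name is
        # less likely to survive in directory metadata.
        scrambled = os.path.join(os.path.dirname(path) or ".", secrets.token_hex(8))
        os.rename(path, scrambled)
        os.remove(scrambled)
    return size


def demo():
    """Wipe a throwaway stand-in for a browser history file and report the outcome."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "places.sqlite")
    with open(path, "wb") as f:
        f.write(b"http://www.forbes.com/search?q=security\n" * 50)   # constructed content
    size = os.path.getsize(path)
    overwritten = wipe_file(path, passes=3, delete=False)   # overwrite only, keep the file
    with open(path, "rb") as f:
        leftover = f.read()
    wipe_file(path)                                        # now overwrite again and unlink
    still_exists = os.path.exists(path)
    os.rmdir(workdir)
    return {
        "size": size,
        "bytes_per_pass": overwritten,
        "plaintext_left": b"forbes.com" in leftover,
        "random_fill_kept_size": len(leftover) == size,
        "still_exists": still_exists,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Wiping the history database alone is not sufficient on NTFS: the browser's cache directory, the session-restore file and the journal/-wal sidecar of the SQLite database hold the same URLs, and free clusters from earlier versions of these files are only reached by a free-space wipe.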
Analysis of Results
Performance hit?
* Disabling the paging file: Yes. We found serious performance degradation after disabling the paging file, because this swap storage is used to extend RAM and speed up access to data. So it is not an effective anti-forensics technique if you want quick response.
* Encrypting the paging file: Yes. Performance hit due to the nature of the encryption (EFS). EFS uses public-key encryption in conjunction with symmetric-key encryption; it slows down computing and powering the machine on and off takes more time.
* Clearing the page file: Little. We cleared the Windows paging file and used the computer again; we found only a small performance effect, because the page file stores computing data as swap storage and gives a quick response when the same data is accessed again while it resides in swap.
* Using a Linux distribution: No. To secure our browsing we used the Linux live disk, performed the web activity and then removed the CD from the Windows machine; there is no need to clear, wipe or encrypt the paging file, so computer performance remains as it is.
* Secure wiping (several passes): No. Here we wipe the browsing content (history, cookies, cache, index.dat, etc.) after normal browsing and do not deal with the page file, so there is no performance effect.
Analysis of Results (continued)
Evidence remnant on disk?
* Disabling the paging file: No. No evidence, because page file creation is disabled. (Fig. 16)
* Encrypting the paging file: No (restart required). The evidence content is stored in encrypted form, so nobody can read it. (Fig. 19)
* Clearing the page file: No (restart required). After clearing the paging file, no evidence was found in it; it contained only zeros. (Fig. 20)
* Using a Linux distribution: No. No browsing evidence was found on the Windows machine, because the web activity was performed from the Linux distribution.
* Secure wiping (several passes): No. Secure wiping removes the traces from the computer by overwriting the entries in several passes (we used 35 passes). The file is removed from the hard disk and cannot be recovered by any recovery tool. (Fig. 21)
Analysis of Results (continued)
Evidence remains in RAM after a restart?
* Disabling the paging file: Yes. RAM contains the evidence after a restart. (Fig. 12)
* Encrypting the paging file: Yes. RAM contains the evidence after a restart; RAM holds it in unencrypted form. (Fig. 12)
* Clearing the page file: Yes. RAM contains the evidence after a restart; we cleared the page file, not the RAM. (Fig. 12)
* Using a Linux distribution: No. RAM contains no evidence after a restart, because we ran Linux over the Windows machine to browse the web.
* Secure wiping (several passes): Yes. RAM contains the evidence after a restart.
Evidence remains in RAM after power off and on (after 4-5 minutes)?
* Disabling the paging file: No. Powering off and on after a few minutes completely wipes the evidence.
* Encrypting the paging file: No. No unencrypted evidence found.
* Clearing the page file: No. No evidence found in RAM after power off and on.
* Using a Linux distribution: No. No traces found in the Windows machine's RAM.
* Secure wiping (several passes): No. The evidence is removed from RAM, but the page file still has to be handled to remove the remaining traces.
Analysis of Results (continued)
Evidence recovered after private browsing?
* Disabling the paging file: No
* Encrypting the paging file: No
* Clearing the page file: No
* Using a Linux distribution: No
* Secure wiping (several passes): No
Best for private browsing?
* Disabling the paging file: Yes (recommended)
* Encrypting the paging file: Average
* Clearing the page file: Average
* Using a Linux distribution: Yes (recommended)
* Secure wiping (several passes): No
Best for normal browsing?
* Disabling the paging file: Yes, but not enough on its own; more action is required to remove the other traces
* Encrypting the paging file: Yes, but not enough on its own; more action is required to remove the other traces
* Clearing the page file: Yes, but not enough on its own; more action is required to remove the other traces
* Using a Linux distribution: Yes
* Secure wiping (several passes): Yes
Recommendation from the above comparison
We recommend the technique "disable the page file and use private browsing", because after private browsing only the swap storage has to be dealt with: disabling it once means the paging file (roughly the size of RAM) is never created, and no additional restarts are needed, unlike page file encryption and page file clearing. (Powering the machine off for a few minutes after private browsing is still required to remove the evidence completely from RAM.)
Another recommendation from the comparison is to use a Linux live distribution in either browsing mode (private or normal), which does not leave any traces behind.
Conclusion
Before moving directly to anti-forensics it is important to understand the forensic methodology first. This research used proper test methods and examined normal and private browsing on three popular web browsers to collect evidence such as browsing history, cache and cookies forensically, and then applied several anti-forensics techniques to mitigate or remove the trails left after browsing. So if you want to achieve end-level security, don't forget anti-forensics. We concluded that the latest Firefox (in private mode) is more secure than the other browsers tested. We also proposed a method to achieve more security through anti-forensics, tested every technique with that method to check its effectiveness, and finally concluded which anti-forensics technique is best. Further research can be done on anonymity browsers such as Tor to analyse the level of privacy they give.