Digital Forensics
Dr. Bhavani Thuraisingham
The University of Texas at Dallas
Lecture #29
Information/Data Hiding
and Counter-forensics
November 5, 2007
Outline
Review of Lectures 27-28
Discussion of the papers on Information/Data Hiding and Counter/Anti-forensics
Review of Lectures 27-28
Papers on Evidence Correlation
Forensic feature extraction and cross-drive analysis
- http://dfrws.org/2006/proceedings/10-Garfinkel.pdf
md5bloom: Forensic file system hashing revisited (OPTIONAL)
- http://dfrws.org/2006/proceedings/11-Roussev.pdf
Identifying almost identical files using context triggered piecewise hashing (OPTIONAL)
- http://dfrws.org/2006/proceedings/12-Kornblum.pdf
A correlation method for establishing provenance of timestamps in digital evidence
- http://dfrws.org/2006/proceedings/13-%20Schatz.pdf
Honeypot example (Grad student presentation)
Papers to discuss
Data Hiding in Journaling File Systems
- http://dfrws.org/2005/proceedings/eckstein_journal.pdf
Evaluating Commercial Counter-Forensic Tools
- http://dfrws.org/2005/proceedings/geiger_couterforensics.pdf
Automatically Creating Realistic Targets for Digital Forensics Investigation
- http://dfrws.org/2005/proceedings/adelstein_falcon.pdf
Abstract of Paper 1
Data hiding is one technique by which system perpetrators store information while reducing the risk of being detected by system administrators. The first major section of this article structures and compares existing data hiding methods for UNIX file systems in terms of usability and countermeasures. It discusses variant techniques related to advanced file systems. The second section proposes a new technique that stores substantial amounts of data inside journaling file systems in a robust fashion with low detectability, which is demonstrated by means of a proof-of-concept implementation for the ext3 journaling file system.
Outline
Introduction
Known Hiding Techniques
New Scheme: Deliberate FS Inconsistencies
Directions
Introduction
Several detection avoidance techniques
- Trojanizing system binaries or the kernel, often referred to as introducing “backdoors”
- Purging of system audit and process accounting logs
- Data/information hiding
Data hiding is used to hide incriminating data:
- Sniffer or password collector log files, or contraband such as pirated copies of programs or media files
Known Hiding Techniques
Media Management Layer
File System Layer
Application Layer
Media Management Layer
Using unused media
- Usability for the attacker: the attacker has to reduce the size of one of the partitions on the medium, so that the freed region lies outside every partition and can hold the data
- Countermeasures: regular checking of partition sizes
Mounting on nonempty directories
- Usability for the attacker: the data to be hidden is stored in files in a directory. The attacker mounts an existing filesystem – or a newly created one, using loopback mounting – onto this directory, so the directory's original content is no longer visible
- Countermeasures: detecting the use of existing partition mounts has to rely on auditing the (remote) system log for subsequent unmount and mount operations
File System Layer
File system category
- A file system organizes storage media sectors into individually addressable data units, referred to as “logical disk blocks.” The file system's own data structures may not use an entire logical disk block; the remainder can hold hidden data
Data unit category: slack space
- Slack space is defined as the unused part of the last data unit allocated to a file
Metadata category: use of reserved inodes
- Data structures commonly referred to in UNIX file systems as “inodes” organize per-file metadata such as timestamps, ownership, access rights etc. An attacker may use inodes which the operating system itself will not use
File System Layer
Metadata category: extended file attributes
- UNIX file systems have recently introduced additional file attributes for data storage. They are easy to use for the attacker and easy to detect for the system administrator using commands provided by the operating system.
File name category: special file names
- A file system stores and processes data to assign human-recognizable names to files and directories. Human perception can be deceived in the file name category by creating filenames consisting of space characters, or of spaces and dots
File name category: removal of open files
Metadata/file name category: hide in deleted inodes plus trojan fsck
File System Layer
File name category: removal of open files
- attackers have been known to hide both program and data files by removing them while the program in question was still running. Upon deletion of an open file the operating system immediately removes the filename from the directory but delays removal of metadata and content until all referring file descriptors have been closed.
Metadata/file name category: Hide in deleted inodes plus trojan fsck
- The fundamental idea is to use a trojanized version of the file system checking program (fsck). At boot time the trojanized fsck/rc script combo “undeletes” and spawns the malicious software, for example a sniffer, then “removes” the sniffer executable and the sniffer log file again.
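As an added example (not from the Eckstein/Jahnke paper or the lecture slides), the following script carries out the “removal of open files” technique against a constructed log file and then does what an investigator on a live Linux system would do: walk /proc/<pid>/fd for descriptors the kernel marks “(deleted)” and read the content back through that path. It assumes a Linux host with /proc mounted; a plain `sleep` stands in for the sniffer process and the log content is made up.

```python
"""Added example, not from the Eckstein/Jahnke paper or the slides: the
"removal of open files" technique, then the live-response counter to it.
Assumes Linux with /proc mounted; a plain `sleep` stands in for the sniffer
process and the log content is constructed."""
import os
import subprocess
import tempfile

SAMPLE_LOG = b"constructed sample: 10.0.0.7 -> 10.0.0.1 user=alice pass=hunter2\n"


def hide_by_unlinking_open_file(directory):
    """Attacker side: create the log, hand the descriptor to a long-running
    process, then remove the directory entry.  The inode and its data stay
    allocated for as long as that process holds the descriptor."""
    path = os.path.join(directory, "sniffer.log")
    fd = os.open(path, os.O_RDWR | os.O_CREAT, 0o600)
    os.write(fd, SAMPLE_LOG)
    # pass_fds keeps `fd` open, with the same number, in the child process
    holder = subprocess.Popen(["sleep", "300"], pass_fds=[fd])
    os.close(fd)        # the parent no longer needs it; the child keeps it alive
    os.unlink(path)     # the name is gone; a directory listing no longer shows the file
    return holder, fd


def find_deleted_open_files(pid):
    """Investigator side: descriptors of `pid` whose target was unlinked.
    The kernel appends " (deleted)" to the link text of such descriptors."""
    fd_dir = f"/proc/{pid}/fd"
    found = []
    for name in os.listdir(fd_dir):
        try:
            target = os.readlink(os.path.join(fd_dir, name))
        except OSError:
            continue        # descriptor closed between listdir and readlink
        if target.endswith(" (deleted)"):
            found.append((int(name), target[: -len(" (deleted)")]))
    return found


def recover_deleted_open_file(pid, fd):
    """Read the still-allocated content back through the /proc descriptor path."""
    with open(f"/proc/{pid}/fd/{fd}", "rb") as f:
        return f.read()


def demo():
    with tempfile.TemporaryDirectory() as workdir:
        holder, fd = hide_by_unlinking_open_file(workdir)
        try:
            hidden = find_deleted_open_files(holder.pid)
            recovered = recover_deleted_open_file(holder.pid, fd)
        finally:
            holder.kill()   # once the holder exits the inode is freed for real
            holder.wait()
    return hidden, recovered
```

The same check from a shell is `lsof +L1`, which lists open files whose link count has dropped to zero. The caveat for the investigator is timing: the content is only reachable while the holding process lives, so the descriptor should be copied before the process is killed or the machine is powered down; afterwards the blocks are free and only carving remains.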
Applications Layer
Obfuscated loopback filesystems
- A simple but effective method to obfuscate the real purpose of the image file is to use the offset option of the loopback mount command, so that the file system begins somewhere inside an otherwise innocuous-looking file
Unused spaces in application file formats
- File formats contain unused sections, for example the comment field in the JPEG image format. Space is quite limited and largely depends on the number of available application files.
Steganography
- Steganography is a research field in its own right, but from the file system centric or “lower level” point of view the space it offers largely depends on the number and size of “host files.”
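The countermeasure to the offset-mounted loopback image, as an added example that is not part of the paper or the slides: a scanner that looks for an ext2/3/4 superblock at arbitrary byte offsets inside a carrier file. It relies only on fixed fields of the ext superblock (the 0xEF53 magic at byte 56 of the superblock, which itself sits 1024 bytes into the file system, s_log_block_size at byte 24 and s_rev_level at byte 76). The carrier file, the embedded superblock and the hiding offset are constructed inside the script.

```python
"""Added example, not from the paper or the slides: find an ext file system
embedded at a non-zero offset in a carrier file (the inverse of
`mount -o loop,offset=N`).  The carrier and the superblock are constructed."""
import random
import struct

EXT_MAGIC = 0xEF53
MAGIC_LE = struct.pack("<H", EXT_MAGIC)
SUPERBLOCK_OFFSET = 1024   # the superblock starts 1024 bytes into an ext file system
SB_LEN = 1024
SB_BLOCKS_COUNT = 4        # s_blocks_count
SB_LOG_BLOCK_SIZE = 24     # s_log_block_size: block size is 1024 << value
SB_MAGIC = 56              # s_magic
SB_STATE = 58              # s_state
SB_REV_LEVEL = 76          # s_rev_level: 0 (original) or 1 (dynamic)


def looks_like_ext_superblock(sb):
    """Plausibility checks beyond the two magic bytes, to reject chance hits."""
    if len(sb) < SB_LEN:
        return False
    magic, = struct.unpack_from("<H", sb, SB_MAGIC)
    blocks_count, = struct.unpack_from("<I", sb, SB_BLOCKS_COUNT)
    log_block_size, = struct.unpack_from("<I", sb, SB_LOG_BLOCK_SIZE)
    rev_level, = struct.unpack_from("<I", sb, SB_REV_LEVEL)
    return (magic == EXT_MAGIC and blocks_count > 0
            and log_block_size <= 6 and rev_level in (0, 1))


def find_embedded_ext(data, aligned_to=None):
    """Return offsets in `data` at which an ext file system appears to start.
    aligned_to=512 restricts the search to sector-aligned starts; None catches
    the arbitrary offsets the loopback offset option allows."""
    hits = []
    idx = data.find(MAGIC_LE)
    while idx != -1:
        start = idx - SB_MAGIC - SUPERBLOCK_OFFSET
        if start >= 0 and (aligned_to is None or start % aligned_to == 0):
            sb = data[start + SUPERBLOCK_OFFSET:start + SUPERBLOCK_OFFSET + SB_LEN]
            if looks_like_ext_superblock(sb):
                hits.append(start)
        idx = data.find(MAGIC_LE, idx + 1)
    return hits


def make_fake_superblock(blocks_count=4096, log_block_size=2):
    """Constructed: a superblock with only the fields the scanner inspects set."""
    sb = bytearray(SB_LEN)
    struct.pack_into("<I", sb, SB_BLOCKS_COUNT, blocks_count)
    struct.pack_into("<I", sb, SB_LOG_BLOCK_SIZE, log_block_size)
    struct.pack_into("<H", sb, SB_MAGIC, EXT_MAGIC)
    struct.pack_into("<H", sb, SB_STATE, 1)          # cleanly unmounted
    struct.pack_into("<I", sb, SB_REV_LEVEL, 1)
    return bytes(sb)


def make_carrier(hidden_at=1_048_576 + 777):
    """Constructed carrier: seeded pseudo-random filler with a small fake file
    system placed at an unaligned offset, plus a decoy magic word in the filler
    to show why the extra field checks matter."""
    rng = random.Random(1)
    filler = bytearray(rng.randbytes(3 * 1024 * 1024))
    filler[500_000:500_002] = MAGIC_LE                # decoy: magic, garbage around it
    fs_image = bytes(SUPERBLOCK_OFFSET) + make_fake_superblock() + bytes(4096)
    filler[hidden_at:hidden_at + len(fs_image)] = fs_image
    return bytes(filler), hidden_at


def demo():
    carrier, hidden_at = make_carrier()
    return find_embedded_ext(carrier), hidden_at
```

Run on a suspect file with `find_embedded_ext(open(path, "rb").read())`. The scanner only finds file systems that carry a signature; a carrier holding an encrypted volume has none, and the fallback there is to look for large high-entropy regions rather than for a magic word.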
New Scheme: Deliberate FS Inconsistencies
The proposed data hiding scheme works by introducing deliberate file system inconsistencies.
It relies on a fundamental property of journaling file systems. Because the journal records all recent file system modifications, the time required for the file system consistency check at boot time can be drastically reduced:
- Instead of checking consistency amongst all categories of file system data, the modifications recorded in the journal are “replayed” to check whether all of them were executed successfully.
- If, due to a system crash, not all recorded modifications were performed, the journal allows for a very efficient “roll back” to a clean file system state.
An inconsistency that no journal entry describes is therefore never examined by this fast check.
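To make the property concrete, here is an added toy model (not from the paper): a write-ahead journal in which replay applies committed transactions and discards uncommitted ones, beside a full check that cross-checks the block bitmap against the inodes. The block size, journal format and the “orphan allocation” used for hiding are constructed for this model; the ext3 mechanics in the paper differ in detail.

```python
"""Added example, not from the Eckstein/Jahnke paper: a toy write-ahead
journal showing why boot-time journal replay is not a consistency check.
Block size, journal format and the orphan allocation used for hiding are
constructed for this model."""
from dataclasses import dataclass, field

BLOCK_SIZE = 16  # constructed: tiny blocks keep the model readable


def split_blocks(payload):
    return [payload[i:i + BLOCK_SIZE] for i in range(0, len(payload), BLOCK_SIZE)]


@dataclass
class Transaction:
    writes: list             # (block_no, bytes) pairs destined for the data area
    alloc: set               # block numbers to mark allocated in the bitmap
    inode_blocks: dict       # inode -> list of block numbers it references
    committed: bool = False  # a commit record ends a transaction


@dataclass
class ToyFS:
    data: dict = field(default_factory=dict)      # block_no -> bytes (the data area)
    bitmap: set = field(default_factory=set)      # allocated block numbers
    inodes: dict = field(default_factory=dict)    # inode -> [block_no, ...]
    journal: list = field(default_factory=list)   # Transaction objects

    def write_file(self, inode, payload, first_block, commit=True):
        """Normal path: changes are journaled first; replay moves them to disk.
        commit=False imitates a crash between the writes and the commit record."""
        chunks = split_blocks(payload)
        blocks = list(range(first_block, first_block + len(chunks)))
        self.journal.append(Transaction(list(zip(blocks, chunks)), set(blocks),
                                        {inode: blocks}, commit))
        return blocks

    def hide_by_inconsistency(self, payload, first_block):
        """Attacker path: write straight to the data area, mark the blocks
        allocated so nothing reuses them, reference them from no inode and
        leave no journal entry.  The bitmap now disagrees with the inodes."""
        blocks = []
        for i, chunk in enumerate(split_blocks(payload)):
            b = first_block + i
            self.data[b] = chunk
            self.bitmap.add(b)
            blocks.append(b)
        return blocks


def replay_journal(fs):
    """The fast boot-time check: apply committed transactions, drop uncommitted
    ones.  It never compares the bitmap against the inodes."""
    applied = 0
    for tx in fs.journal:
        if not tx.committed:
            continue                      # roll back: the crashed write never lands
        for b, chunk in tx.writes:
            fs.data[b] = chunk
        fs.bitmap |= tx.alloc
        fs.inodes.update(tx.inode_blocks)
        applied += 1
    fs.journal.clear()
    return applied


def full_check(fs):
    """A forced full check: cross-check every allocated block against the inodes.
    Allocated blocks that no inode references are where the hidden data lives."""
    referenced = {b for blocks in fs.inodes.values() for b in blocks}
    orphaned = sorted(fs.bitmap - referenced)
    referenced_but_free = sorted(referenced - fs.bitmap)
    return orphaned, referenced_but_free


def demo():
    fs = ToyFS()
    fs.write_file(12, b"legitimate file contents here!", first_block=8)
    fs.write_file(13, b"interrupted by a crash", first_block=20, commit=False)
    hidden = fs.hide_by_inconsistency(b"sniffer log: alice:hunter2", first_block=40)
    applied = replay_journal(fs)       # boot: one transaction replayed, one rolled back
    orphaned, _ = full_check(fs)       # forced check: the orphaned blocks show up
    recovered = b"".join(fs.data[b] for b in orphaned)
    return applied, hidden, orphaned, recovered, sorted(fs.inodes)
```

On a real ext3/ext4 system the counterpart of `full_check` is `e2fsck -f`, which checks even when the journal is clean; an unattended boot does only the equivalent of `replay_journal`, which is exactly why the inconsistency survives it.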
Directions
- Need to analyze how effective the new technique is. If it is effective, we need to develop countermeasures
- Need to develop additional techniques
- Does this not give ideas to the attacker? Classified research?
Abstract of Paper 2
Digital forensic analysts may find their task complicated by any of more than a dozen commercial software packages designed to irretrievably erase files and records of computer activity. These counter-forensic tools have been used to eliminate evidence in criminal and civil legal proceedings and represent an area of continuing concern for forensic investigators. In this paper, we review the performance of six counter-forensic tools and highlight operational shortfalls that could permit the recovery of significant evidentiary data. In addition, each tool creates a distinct operational fingerprint that an analyst may use to identify the application used and, thus, guide the search for residual data. These operational fingerprints may also help demonstrate the use of a tool in cases where such action has legal ramifications.
Outline
Introduction
Testing Method
Counter-forensics tool testing
Analysis results
Directions
Introduction
Many counter-forensic commercial tools claim to expunge all traces of information about specific computer usage, including documents and other files created, records of websites visited, images viewed and files downloaded.
To do this, counter-forensic tools must locate activity records scattered across the file system and erase them irretrievably, while leaving the rest of the operating system intact.
The technical challenge of finding and eliminating this data is complex.
Rigorous testing and evaluation of these counter-forensic tools is needed.
This paper attempts such an evaluation.
Testing Method
Test System
- The testing platform was a desktop machine with 128MB of RAM and Windows XP Professional installed on a 2.5GB partition.
Activity record
- Test activity on the system breaks down into two general categories: browsing, and document creation and management. The activity covered a span of eight days.
Counter-forensics tool testing
- Tested six software packages: Window Washer 5.5, Windows & Internet Cleaner Professional 3.60, CyberScrub Professional 3.5, SecureClean 4, Evidence Eliminator 5.0 and Acronis Privacy Expert 7.0.
Analysis
All the counter-forensic tools failed to eradicate some potentially sensitive information – either data specifically targeted for wiping by the user or records that contained information the tool was designed to eliminate.
Some shortfalls were more serious than others. In one case, the tool failed to wipe, or overwrite, any of the files it deleted.
Paper describes a summary table with the areas of weakness and representative examples of data recovery.
These classifications are subjective
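The test method in miniature, as an added example that is not from the Geiger paper: known marker strings are planted in a constructed byte image, a deletion routine standing in for a counter-forensic tool is run over them, and the raw image (not the directory) is then searched for residue. The image layout and both stand-in “tools” are constructed; neither models a specific product from the paper.

```python
"""Added example, not from the Geiger paper: plant markers, run a stand-in
counter-forensic tool, search the raw image for residue.  Layout and both
'tools' are constructed and model no specific product."""
import re

SECTOR = 512


def sectors_for(length):
    return -(-length // SECTOR) * SECTOR     # round up to whole sectors


class ToyDisk:
    """A flat byte image plus a directory of name -> (offset, length)."""

    def __init__(self, sectors):
        self.image = bytearray(sectors * SECTOR)
        self.directory = {}
        self._next_free = 0

    def create(self, name, content):
        off = self._next_free
        self.image[off:off + len(content)] = content
        self.directory[name] = (off, len(content))
        self._next_free += sectors_for(len(content))
        return off


# --- stand-ins for two kinds of counter-forensic tool behaviour -----------
def tool_unlink_only(disk, name):
    """Drops the directory entry and leaves the data untouched: the shortfall
    the paper reports for one tool, which wiped none of the files it deleted."""
    del disk.directory[name]


def tool_overwrite_then_unlink(disk, name, fill=b"\x00"):
    """Overwrites every sector of the file with a fill byte, then drops the entry."""
    off, length = disk.directory.pop(name)
    span = sectors_for(length)
    disk.image[off:off + span] = fill * span


# --- analyst side -----------------------------------------------------------
def scan_for_residue(disk, markers):
    """Search the raw image for each planted marker; returns marker -> offsets."""
    raw = bytes(disk.image)
    return {m: [hit.start() for hit in re.finditer(re.escape(m), raw)] for m in markers}


def wipe_fingerprint(disk, off, length):
    """Return the fill byte if the region is uniformly overwritten, else None.
    A tool's fixed overwrite pattern is one kind of operational fingerprint."""
    region = bytes(disk.image[off:off + length])
    return region[:1] if len(set(region)) == 1 else None


def run_trial(tool):
    """Plant, run the tool over every planted file, then look for what survived."""
    disk = ToyDisk(sectors=64)
    markers = [
        b"MARKER-history-http://shop.example/contraband-order",  # constructed activity record
        b"MARKER-document-draft-v3 body text",                   # constructed document
    ]
    offsets = [disk.create(f"file{i}", m) for i, m in enumerate(markers)]
    for i in range(len(markers)):
        tool(disk, f"file{i}")
    residue = scan_for_residue(disk, markers)
    fingerprints = [wipe_fingerprint(disk, off, SECTOR) for off in offsets]
    return residue, fingerprints
```

Against a real image the residue scan is the same idea (a keyword search for the planted strings over the raw device), but the fingerprint step needs more than a fill byte: zero-filled sectors also occur in never-used space, so the paper's operational fingerprints come from the other traces each tool leaves behind.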
Directions
- Is the approach described realistic? Does it work in a real-world environment?
- Are the assumptions valid? Are there better approaches for testing and analysis?
Abstract of Paper 3
The need for computer forensics education continues to grow, as digital evidence is present in more crimes, whether the crimes directly involve computers or not. An essential component of training in computer forensics is hands-on, realistic laboratory assignments. Authors are developing FALCON (Framework for Laboratory Exercises Conducted Over Networks), an extensible framework that addresses the problem of creating, running, and evaluating detailed, realistic computer laboratory assignments in computer forensics. FALCON includes a component that enables instructors to set up scenarios on virtual target machines for the students to investigate. Existing tools for both “live” and “dead” machine investigations can be integrated into FALCON. In addition, FALCON logs all student activity for automated assessment of student performance.
Outline
Introduction
FALCON Architecture
Results
Directions
Architecture
Lab creation tool
- The FALCON Lab Creation Tool (LCT) will automatically configure a set of target machines for a lab exercise based on a specification that the instructor provides.
Lab environment execution
- The FALCON Lab Execution Environment (LEE) provides students with an interactive environment, allowing them to conduct a forensic investigation.
Lab evaluation tool
- The FALCON Lab Evaluation Tool (LET) takes the audit log file generated by the LEE and analyzes it for certain patterns, providing metrics for objective lab assessment.
Results
The students were only told that the company, an ice cube company, was having problems with “penguin pornography,” which was defined in the assignment as any depiction of a penguin without a hat. The assignment was meant to parallel a child pornography investigation, while keeping the tone light. The students were given 11 questions to answer about details of the case (who did it, what did they do, how did they do it, what is the supplier’s site, what is the password to the site, etc.). The questions asked in the assignment appear below. The complete assignment is available at http://www.cs.uno.edu/~golden/FALCON/assignment1.pdf.
Directions
- Need projects for university students
- Create an environment where professors can place their assignments in a common repository
- Will discuss at the next DFRWS workshop