Anti Forensic Tales from the gAtO

gAtO iSa gRaY hAt thinker so the Forensic investigation world looks different to me than normal people let me explain. On linkedIn I am having a great discussion about offensive security to go after the people that hacked you and it’s overwhelming the white hats play by the rules. gAtO is happy with that for 2 reasons one I am glad that people in this profession have honor, integrity and do the right thing that speaks volume for our field. The flip side is out of the box thinking is not included in security mindset so bad guy’s can get around thing better because they don’t follow the rules. The rules are our guide for civilize interaction in cyberspace but we need to look at the gray area were most bad guy’s operate.

“power is not only what you have but what your enemy thinks you have”

First off in any forensic investigation the first thing that you go for is the firewall logs and/or every log that you can get your hands on to find the attackers to your network. The bad news with new encrypted network protocols such as Tor-.onion network my entry point is useless to an investigator unless you have access to my exit node, you really cannot find my ip let alone a VPN or as the saying goes behind 7 proxies. 

Hackers sometimes leave digital breadcrumbs for the forensic investigator to extract all kinds of information about the attacker, so overwriting metadata on everything I leave behind is a simple deterrent to you finding my were about what version of word I used or user name and a few more details -metadata information leaks so much information about the users unknown to the average Jane/Joe. When we turn this around, we apply metadata scarping to my target corporate website I can get all sorts of information, user names, directory structure, email and all sort of information can be gathered by attackers doing revers forensic on the target. This is why anti-forensic is such an interesting subject and we are only scratching the surface.

If we get into your system we can make sure that we do secure data deletion on any device that stores information that I play with including the logs if I can, I just make sure that I follow protocol like -DoD standard 5220.22-M.- data deletion and you will be hard pressed to find anything I left behind. One thing I may point out today’s hackers use miss-direction and anything left behind could be something to throw your investigation off. I may miss-direct and leave digital breadcrumbs tracks back to were I want you to, to blame my enemies or a friend -mEoW. This is a newer pattern that has surfaced in hacktivist today.  

One of the new defensive posture is to let cyber-criminals steal decoy files. 

Of course if we do write something into your devices I will make sure it’s encrypted (ex: AES 256), today there are so many ways to encrypt data or obfuscate my code to make life really hard for investigators. Of course add Steganography to the mix and it’s a whole new game, it may make it more challenging for you but it will hide my actions very well. The advantage of steganography, over cryptography alone, is that messages do not attract attention to themselves. Plainly visible encrypted messages—no matter how unbreakable—will arouse suspicion.

Another aspect to hackers today is in knowing cyber law. In the forensic market we are sometimes limited to our scope of work due to legalities of the discovery and/or due-diligence, the lawyers set the parameters on what can be seen and what cannot be touched. It’s lawyer stuff, I don’t understand it – but it restrict proper cyber forensic reporting when they tie the cyber forensic investigators hands. One of the new tool for the Judicial sector in crime fighting that is scary is the “forensic cyber psychologist” these guy’s can detect criminal actions and understand criminal minds (wOw were can I get my PhD). So what your trying to say is “you gotta think like a crook to catch a crook” we all know that. But these Forensic Cyber-Psychologist can predict crime thought?? Remember the movie the “Minority Report” were they would arrest you for what you were thinking, that’s scary stuff for the judicial department to bring out. Lot’s of power in one person, I just don’t feel comfortable with that one.

Power is not only what you have but what your enemy thinks you have, and today hacktivist are a new breed of hackers they Make it personal, and make it big.…, and make it loud.??? Misdirection by planting data that the forensic investigator will find can often be a rouse to mis-direct and control your offensive movements in the investigation. Activist groups -:It should come as no surprise that hacktivist motives differ sharply from the mainly money-driven masses of active cyber-criminals. Also unlike other types of threat agents, hacktivists do not typically hail from Eastern Europe and Asia. Those behind most of the breaches are from Western Europe and North America. 

Hacktivist targeted data-dense assets like databases and web applications and often stole much more at one time than other types of threat agents. Also fitting with that goal was their interest in personal information and authentication credentials, which they stole far more often than anything else. This is a new more intelligent hacker credentials can give that trust-to-trust relation that companies need to do business so stealing this object is a new level of sophistication of attackers in the hacktivist world.

A (Verizon 2012 DBIR report) In terms of the vectors through which hacktivist attacks took place, web applications win hands down (65%), while remote admin services like ssh were a distant second (18%). Hacktivist stole more certificate which is a little more sophisticated attacker. Take your local linux administrator at work, guess what he knows??? she/he knows how to protect your system and they know the  basic flaws// we deal with the patches and fixes and work-arounds every day in the life of an administrator — working late into the weekend with no credit… -basic security 101 be nice to admin people they know too much shit…. —// Add a social -cyber Fame-/ element to this administrators life // and these are the real (insider threat) cyber leaders of the hacktivist movements. They are smart, and they have a social heart in the new cyber generation. It is interesting to note that two of the four incidents in the (Verizon only) dataset that met our “High” difficulty criteria were attributed to activist groups. All of these attacks were, unsurprisingly, considered to be targeted rather than opportunistic.

sudo mEoW- mEoW >>| gAtO will now get off the hacktivist hackers soapbox now —

Further obfuscation -old fashion data padding

If I want to make things more interesting? If you want to keep your data from being discovered, or at least make it more difficult to be detected, you could add padding to your hidden secret. In this technique, detection is thwarted by the addition of bogus data, basically muddying the waters and making the detective determine what is the real data and what is not. Of course, it should be noted that padding additional data increases the likelihood that someone will look in the first place for hidden information. access timestamps and other details to watch. One major reason is that anti-malware and anti-virus software updates the last access time on files as it examines them.

Let’s not forget generic data hiding that is invisible like Host Protected Areas (HPA) and DCO (device configuration overlay) yes I do know that this data can be extracted but if we apply some of the anti-forensic policies above this data may become useless.

Disk imaging, Data Recovery, Disk Analysis, metadata extraction and network forensic these are the basic global forensic tools that we use to look at attacks and in most cases they work, and will help you find the information that you need, to find out what cyber criminal did and werethey came from. But beware one method does not apply to all – black hats, elite hackers, script kiddies, noobs, blue hats, hacktivist, state actors and commercial criminals “one size does not fit all”, think critical:

-gAtO oUt


steganography image – it has a secret message – I used iSteg program and the password is -password what else from a security gAtO

Firewire reads windows 7 memory leave it to Microsoft.

One thing I found out while doing research for this post was reading memory of a device to get passwords and such information – FireWire has access to physical memory – So I can write a little code (too late found one written already- open source) in linux box and plug into any Windows machine thru the firewire port with a cable and and —>>> read all memory so there are way to get around and grab the admin password too. Plug and play they say. bypass Windows 7 memory users access / firewire memory access..


Today with a simple Tails a USB bootable Tor Program –  I can do my work and never leave a trail to follow and that can make life hard for any forensic investigator.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: