Anti Forensics Techniques

 

What is Anti-Forensics?

Anti-forensics (also known as counter forensics) is a common term for a set of techniques aimed at preventing a proper forensics investigation process. They may reduce the quantity and quality of digital evidence available.

Goals of Anti-Forensics:

  • To interrupt and prevent the gathering of information.
  • Make it more difficult for investigators to find evidence.
  • To hide traces of crime or illegal activity.
  • To use the forensics tool itself for malicious purposes.
  • To delete or wipe evidence that an anti-forensics tool has been used.

Techniques for Anti-Forensics

  • Data/File Deletion
  • Password Protection
  • Steganography
  • Data Hiding in File System Structures (HPA & DCO)
  • Artifact Wiping
  • Overwriting Data/Metadata
  • Encryption
  • Reducing Footprint

Challenges Faced by Digital Forensics Due to Anti-Forensics Techniques

The anti-forensic methods employed by attackers or cybercriminals make it difficult for investigators to obtain and examine digital data during forensic examinations. Anti-forensics involves several methods intended to destroy the digital footprint, obstruct evidence gathering, and mislead the investigative process.

 

The following are the various challenges posed by anti-forensic techniques in forensic investigations.

  • Investigators face difficulties in accessing and analyzing encrypted data without the necessary decryption keys. In the end, this limits their ability to perform data analysis.
  • Attackers securely wipe or delete data from the evidence source or overwrite crucial text and metadata, preventing forensic investigators from accessing and recovering the data for analysis.
  • Attackers hide important data by renaming files and file extensions, preventing detection by forensic investigators.
  • Misleading evidence compromises the integrity and accuracy of findings by introducing falsified evidence, ultimately redirecting forensic investigators to wrong conclusions.
  • Attackers obfuscate executable code using program packers to avoid detection using antimalware solutions. Other methods such as hiding files within files or utilizing encrypted containers can also make it difficult for forensic investigators to accurately analyze and obtain insights from data. Because anti-forensic techniques such as IP spoofing and onion routing keep the attacker’s identity anonymous, forensic investigators find it challenging to track an attacker.
  • If an attacker hides the data within images and audio files, the data remains undetected when forensic investigators analyze them using various standard forensic methodologies.

 

Data/File Deletion

When a file is deleted from the hard drive, the pointer to the file is removed by the operating system (OS), and the sectors containing the deleted data are marked as available, which means that the contents of the deleted data remain on the hard disk until they are overwritten by new data. Forensic investigators can use data-recovery tools such as Recover My Files, FTK, Ease US Data Recovery Wizard, and R-Studio to scan hard drives and analyze file systems for successful data-recovery.

 

What Happens When a File is Deleted in Windows?

When a user deletes a file, the operating system does not actually erase the file's contents. On NTFS it marks the file entry as unallocated in the master file table (MFT); on FAT it replaces the first character of the file name with a special marker. Either way, this indicates that the space is ready for reuse.

 

FAT File System

  • The OS replaces the first letter of a deleted file name with the hex byte code E5h.
  • E5h is a unique tag that indicates that the file has been deleted.
  • The corresponding clusters of that file in the FAT are marked as unused, although they will continue to contain the information until they are overwritten.
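As an added illustration of the E5h marker (example code written for this page, not part of the original notes or any EC-Council material), the following parser walks a FAT directory region, separates live 8.3 entries from deleted ones, and reports which deleted entries still have a first cluster and size that a recovery tool could follow. The directory bytes are constructed inline as sample data.

```python
import struct
from dataclasses import dataclass
from typing import List

ENTRY_SIZE = 32
DELETED_MARK = 0xE5        # first name byte written by the OS on delete
END_OF_DIR = 0x00          # first name byte 0x00: no entries follow
ATTR_LONG_NAME = 0x0F      # VFAT long-file-name piece, not an 8.3 record

# 8.3 directory entry layout (FAT32 specification):
# name(8) ext(3) attr(1) ntres(1) crt_tenth(1) crt_time(2) crt_date(2)
# acc_date(2) clus_hi(2) wrt_time(2) wrt_date(2) clus_lo(2) size(4)
ENTRY_FMT = "<8s3sBBB7HI"


@dataclass
class DirEntry:
    name: str
    deleted: bool
    attr: int
    first_cluster: int
    size: int


def build_entry(name: str, ext: str, size: int, cluster: int,
                attr: int = 0x20, deleted: bool = False) -> bytes:
    """Build a constructed 8.3 directory entry (sample data for the demo)."""
    n = name.upper().encode("ascii").ljust(8, b" ")
    if deleted:
        n = bytes([DELETED_MARK]) + n[1:]   # exactly what the OS does on delete
    e = ext.upper().encode("ascii").ljust(3, b" ")
    return struct.pack(ENTRY_FMT, n, e, attr, 0, 0,
                       0, 0, 0, cluster >> 16, 0, 0, cluster & 0xFFFF, size)


def parse_directory(region: bytes) -> List[DirEntry]:
    """Walk a FAT directory region and return live and deleted 8.3 entries."""
    entries = []
    for off in range(0, len(region) - ENTRY_SIZE + 1, ENTRY_SIZE):
        f = struct.unpack_from(ENTRY_FMT, region, off)
        raw_name, ext, attr = f[0], f[1], f[2]
        clus_hi, clus_lo, size = f[8], f[11], f[12]
        if raw_name[0] == END_OF_DIR:
            break                       # nothing was ever allocated past here
        if attr == ATTR_LONG_NAME:
            continue                    # LFN pieces carry no cluster or size
        deleted = raw_name[0] == DELETED_MARK
        base = raw_name.decode("ascii", "replace").rstrip()
        if deleted:
            base = "?" + base[1:]       # the first character is lost to E5h
        ext_s = ext.decode("ascii", "replace").rstrip()
        name = f"{base}.{ext_s}" if ext_s else base
        entries.append(DirEntry(name, deleted, attr,
                                (clus_hi << 16) | clus_lo, size))
    return entries


def recoverable(entries: List[DirEntry]) -> List[DirEntry]:
    """Deleted entries whose start cluster and size survived, i.e. the
    candidates a carving or undelete tool would try to follow."""
    return [e for e in entries if e.deleted and e.first_cluster and e.size]


# Constructed sample: one live file, one deleted file, then end-of-directory.
SAMPLE_DIR = (build_entry("REPORT", "DOC", 20480, 0x1234)
              + build_entry("SECRET", "TXT", 512, 0x1F00, deleted=True)
              + bytes(ENTRY_SIZE))

if __name__ == "__main__":
    for e in parse_directory(SAMPLE_DIR):
        print(e)
```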

 

NTFS File System

  • When a user deletes a file, the OS marks the file as deleted in the master file table (MFT).
  • The clusters allocated to the deleted file are marked as free in the $BitMap ($BitMap file is a record of all used and unused clusters).
  • The OS now treats those clusters as free space that can be used to store a new file.
  • The deleted file can be recovered if the space is not allocated to any other file.

Note: On a Windows system, performing normal Delete operation sends the files to the Recycle Bin. Whereas performing the Shift+Delete operation bypasses the Recycle Bin.

 

Recycle Bin in Windows

  • The Recycle Bin is a temporary storage location for deleted files, which is located on the Windows desktop.
  • The file remains in the Recycle Bin until you empty the Recycle Bin or restore the file.
  • Items can be restored to their original positions with the help of the Restore all items option of the Recycle Bin.

Note: Deleting a file or folder from a network drive or from a USB drive may delete them permanently instead of being stored in the Recycle Bin.

 

Storage Locations of Recycle Bin in FAT and NTFS file systems

  • The actual location of the Recycle Bin depends on the type of OS and file system. On older FAT file systems (Windows 98 and prior), it is in Drive:\RECYCLED
  • On NTFS file systems:
    • On Windows 2000, NT, and XP it is in Drive:\RECYCLER
    • On Windows Vista and later versions, it is in Drive:\$Recycle.Bin
  • All recycled files on the FAT system are dumped into a single C:\RECYCLED directory, while recycled files on the NTFS system are categorized into directories named as C:\RECYCLER\S-…. (prior to Windows Vista) and C:\$Recycle.Bin\S-…. based on the user’s Windows Security Identifier (SID)
  • There is no size limit for Recycle Bin in Vista and later versions of Windows, whereas in older versions it was limited to a maximum of 3.99 GB; items larger than the storage capacity of the Recycle Bin cannot be stored in the Recycle Bin.

Note: The system permanently deletes the oldest files to make space when the Recycle Bin reaches its maximum storage limit.

 

How the Recycle bin Works

  • Each hard disk has a hidden folder named:
    • Recycled (FAT file system – Windows 98 and prior)
    • Recycler (NTFS file system – Windows 2000, NT, and XP)
    • $Recycle.Bin (NTFS file system – Windows Vista and later versions)
  • This folder contains files deleted in Windows Explorer or My Computer, or in Windows-based programs
  • Each deleted file in the folder is renamed

 

When a file is deleted, the complete path of the file and its name is stored in a hidden file called INFO or INFO2 (Windows 98) in the Recycled folder. This information is used to restore the deleted files to their original locations.

Prior to Windows Vista, a file in the Recycle Bin was stored in its physical location and renamed as Dxy.ext

  • D denotes that a file has been deleted
  • x is the letter of the drive where the file is located
  • y denotes a sequential number starting from 0
  • .ext denotes the original file extension, such as .doc or .pdf

Since the advent of Windows Vista, the metadata of each deleted file is saved as $I<number>.<original extension> and the original file is renamed to $R<number>.<original extension>.
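The notes describe the $I/$R naming but not what the $I record holds. The example below (added for this page, not code from the original notes) decodes a $I record using the layout known from the Vista-era and Windows 10 formats: an 8-byte version, the original size, the deletion time as a FILETIME, then the original path (a fixed 520-byte UTF-16LE field in version 1, a character count plus path in version 2), and pairs $I files with their $R counterparts so orphaned metadata stands out. The records and file names are constructed sample data.

```python
import re
import struct
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, Tuple

_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME counts 100 ns intervals since 1601-01-01 UTC."""
    return _EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - _EPOCH) // timedelta(microseconds=1)) * 10


def parse_dollar_i(data: bytes) -> dict:
    """Decode a $I<id> record from $Recycle.Bin\\<SID>\\."""
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:                       # Vista through 8.1: fixed 260-char path
        path = data[24:24 + 520].decode("utf-16-le").split("\x00", 1)[0]
    elif version == 2:                     # Windows 10+: length-prefixed path
        (nchars,) = struct.unpack_from("<I", data, 24)
        path = data[28:28 + nchars * 2].decode("utf-16-le").split("\x00", 1)[0]
    else:
        raise ValueError(f"unknown $I version {version}")
    return {"version": version, "size": size,
            "deleted_utc": filetime_to_datetime(ft), "original_path": path}


def build_dollar_i(version: int, path: str, size: int, deleted: datetime) -> bytes:
    """Constructed $I record used only as sample input for the demo."""
    wide = (path + "\x00").encode("utf-16-le")
    head = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted))
    if version == 1:
        return head + wide.ljust(520, b"\x00")
    return head + struct.pack("<I", len(path) + 1) + wide


_NAME = re.compile(r"^\$([IR])([A-Z0-9]{6})(\..*)?$", re.IGNORECASE)


def pair_recycle_entries(names: Iterable[str]) -> Dict[str, Tuple[str, str]]:
    """Map <id><ext> -> ($I name, $R name); an empty slot means the
    counterpart is missing (e.g. the content was purged but metadata remains)."""
    pairs: Dict[str, list] = {}
    for n in names:
        m = _NAME.match(n)
        if not m:
            continue
        kind, ident, ext = m.group(1).upper(), m.group(2), m.group(3) or ""
        slot = pairs.setdefault(ident + ext, ["", ""])
        slot[0 if kind == "I" else 1] = n
    return {k: (v[0], v[1]) for k, v in pairs.items()}


def orphaned_metadata(pairs: Dict[str, Tuple[str, str]]) -> list:
    """$I records whose $R content file is gone."""
    return sorted(k for k, (i, r) in pairs.items() if i and not r)


# Constructed sample data
SAMPLE_DELETED = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_PATH = "C:\\Users\\alice\\Documents\\budget.xlsx"
SAMPLE_I_V1 = build_dollar_i(1, SAMPLE_PATH, 4096, SAMPLE_DELETED)
SAMPLE_I_V2 = build_dollar_i(2, SAMPLE_PATH, 4096, SAMPLE_DELETED)
SAMPLE_NAMES = ["$I1A2B3C.xlsx", "$R1A2B3C.xlsx", "$IZZ9Q8P.txt", "desktop.ini"]

if __name__ == "__main__":
    print(parse_dollar_i(SAMPLE_I_V2))
    print(orphaned_metadata(pair_recycle_entries(SAMPLE_NAMES)))
```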

File Recovery Tools: Windows

  • Recover My Files: Recovers deleted files emptied from the Windows Recycle Bin, files lost due to the format or reinstallation of a hard drive, or files removed by a virus, malware, unexpected system shutdown or software failure.
  • EaseUS Data Recovery Wizard: Hard drive data recovery software to recover lost data from PC, laptop or other storage media due to deletion, formatting, partition loss, OS crash, virus attacks, etc.

 

File Recovery in Mac OS X

  • Deleting a file in Mac just removes it from the directory of files in the folder
  • This de-allocates the space allocated to the file deleted, creating free space to store a new file

 

Methods to recover deleted files in Mac OS X:

  • Deleted files are moved to the “Trash” folder on a Mac. To restore a file, right-click it and choose the Put Back option.
  • Time Machine is the built-in backup feature of Mac OS X 10.5 and newer versions. The investigator must check whether files can be restored from a Time Machine backup.
  • Another way to restore deleted files is to use third-party software such as Mac Data Recovery, MacKeeper Files Recovery, etc.

 

File Recovery in Linux

  • In Linux, the contents of files deleted with the command /bin/rm remain on the disk.
  • If a running process keeps a file open and the file is then removed, its contents remain on the disk and other programs will not reclaim the space while the process holds it open.
  • The second extended file system (ext2) is designed in a way that leaves multiple locations where data can be hidden.
  • It is important to remember that if an executable deleted itself, its contents can be recovered from its /proc entry while the process is still running. The command cp /proc/$PID/exe /tmp/file creates a copy of the executable in /tmp.
  • Deleted files on Linux can be recovered using third-party applications such as R-Studio for Linux and Stellar Phoenix Linux Data Recovery.

Recovering Deleted Partitions

  • Deleting a hard drive partition does not mean deleting everything, but just the parameters that mark how the partition is set up.
  • The deleted partition can be recovered, as it is not originally deleted, by using software that re-establishes those parameters.

Method 1:

  • Restart the system with the Windows install DVD inserted, then press the key shown on screen to enter the BIOS.
  • In the BIOS, find the “boot priority” or “boot order” menu and set the DVD as the first boot device.
  • Restart the system and let Windows begin the installation process; accept the default choices, but choose “Repair” instead of “Install”.
  • When a DOS-like screen appears, type “fixboot” and press “Enter”.
  • Finally, restart the system and check whether the deleted partition is restored.

Method 2:

  • Use a third-party partition recovery software to recover the drive.
  • Once restored, copy the files of the drive that had the partition recovered onto another drive.

 

RAID Recovery Tools

Investigators can use various tools to recover RAID arrays during forensic investigations, including DiskInternals RAID Recovery, R-Studio, and RAID Reconstructor. Such tools recover both software and hardware RAID, create disk images, and recover files from damaged arrays. They can also export the restored files and folders to local or remote locations using FTP, and mount virtual drives as local disks that can be accessed via Windows Explorer.

 

Anti-Forensics Techniques: Password Protection

  • Investigators often come across password-protected systems or files during the investigation process.
  • In such cases, they use specialized password-cracking software to get around the protection.
  • The time taken to crack a password depends on its strength.
  • Weak passwords can be broken in less than a second, while strong passwords would take years to crack.

Password Types

Cleartext Passwords:

  • A cleartext password is typed and saved in a medium unaltered, or transmitted over the wire as-is. For example, the automatic logon password is stored in the Windows Registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.
  • Cleartext passwords can be sniffed using tools such as Cain and Ettercap.

 

Password Cracker and its Working

Password cracker is a software program that is used to recover lost or forgotten passwords of a system, network resource, or an application.

 

How It Works

  • A dictionary generator program is used to create a word list, which is then hashed or encrypted.
  • The hashed word list is compared against the target hashed password, generally one word at a time.
  • If the two match, the password has been cracked, and the password cracker shows the password in its unencrypted form.

Note: The target hashed password can be obtained by sniffing it from a wired network, wireless network, directly from the Security Accounts Manager (SAM) database, or shadow password files on the hard drive of a system.

 

Password Cracking Techniques

  • Dictionary Attack: A dictionary file is loaded into the cracking software that runs against user accounts.
  • Brute Forcing Attacks: The program attempts every possible character’s combination until the password is cracked.
  • Rule-based Attack: This attack is used when some information about the password is known.

Default Passwords

  • A default password is one that the manufacturer provides with new, password protected equipment (such as switches and routers).
  • Default passwords from dictionaries or lists of words used in password guessing attacks can be utilized.

Online tools to search default passwords:

How Are Hashed Passwords Stored in the Windows SAM?

“LM hashes have been disabled in Windows Vista and later Windows operating systems; LM will be blank in those systems.”

Cracking System Software Passwords

System software includes low-level programs that communicate with the PC at a fundamental level, such as operating systems, compilers, utilities that control system resources, etc.

  • System software password cracking is defined as cracking the passwords of the operating system and all other programs that allow a computer to operate.
  • Passwords for system software are created to restrict access to system files and other private data that is used during the system boot process.
  • Ways to access a system by cracking passwords:
    • Bypassing the BIOS password
    • Using tools to reset the admin password

Bypassing BIOS Passwords

  • BIOS (Basic Input Output System) is firmware code that a computer runs when it is turned on. It is a type of boot loader.
  • The main function of the BIOS is to identify and initialize the system’s hardware components, such as the hard disk, floppy drive, and video display card.

Methods to Bypass/Reset BIOS Password

  1. Using a manufacturer’s backdoor password to access the BIOS
  2. Using password cracking software
  3. Resetting the CMOS using the jumpers or solder beads
  4. Removing the CMOS battery for at least 10 minutes
  5. Using a professional service
  6. Overloading the keyboard buffer

Using Manufacturer’s Backdoor Password to Access the BIOS

  • BIOS manufacturers provide a backup password that can be used to access the BIOS settings if the password is forgotten.
  • The passwords that manufacturers provide are case sensitive. If a particular backdoor password does not work, then various case sensitive combinations of the password should be tried.
  • The combinations may contain alphanumeric characters.
  • The manufacturer’s documentation must be read before trying the backdoor passwords, because some BIOSes lock the system completely if the password is typed wrong three times.

A few BIOS manufacturers and their default passwords are listed below:

  • Dell – Dell
  • Biostar – Biostar
  • Compaq – Compaq
  • Enox – xo11nE
  • Epox – central
  • Freetech – Posterie
  • Jetway – spooml
  • Packard Bell – bell9
  • QDI – QDI

 

Using Password Cracking Software

The following software can be used to either crack or reset the BIOS password on many chipsets:

CmosPwd: Decrypts the password stored in CMOS, which is used to access BIOS SETUP.

DaveGrohl: It is a multithreaded, distributed password cracker. It aims at brute forcing OS X user passwords.

 

Note: If your PC is locked with a BIOS administrator password that does not allow access to the floppy drive, these utilities may not work.

Resetting the CMOS using Jumpers or Solder Beads

Resetting the CMOS using Jumpers

  • All custom settings, including BIOS passwords, can be removed by modifying a motherboard’s jumpers or dipswitches.
  • If the documentation is not available, by default the jumper position is across pins 1 and 2. Shut down the system and unplug the power cord.
  • Move the jumper from its default position so that it is across pins 2 and 3; this clears the BIOS/CMOS settings. Now, turn on the machine to verify that the password has been reset.
  • Once cleared, turn off the computer and return the jumper to its original position.

 

Resetting the CMOS using Solder Beads

  • CMOS can be reset by connecting or jumping specific solder beads on the chipset.
  • There are too many chipsets to do a breakdown of which points to jump on individual chipsets, and the location of these solder beads varies depending on the manufacturer, so please check the computer and motherboard documentation for details.

 

Removing CMOS Battery

  1. Turn off the computer and unplug the power supply.
  2. Locate the CMOS Battery (silver circular battery) on the motherboard by opening the CPU cabinet.
  3. Remove the CMOS battery from the socket and keep it out for 20 to 30 minutes. This flushes out the CMOS memory that stores BIOS passwords and other configurations.
  4. Replace the battery and start the system normally.

Note: Manufacturers occasionally employ capacitors to supply the CMOS battery with backup power. Therefore, leave the battery out for 24 hours if the first try doesn’t work.

Tool to Reset Admin Password: Active Password Changer

  • Active Password Changer is designed for resetting local administrator and user passwords on Windows operating systems in case an Administrator’s password is forgotten.
  • You can use Active Password Changer to log in as the Administrator or as a specific user with a blank password.

 

Tool to Reset Admin Password: Windows Password Recovery Bootdisk

  • Windows Password Recovery Bootdisk removes the administrator password and thus allows login to the account.
  • The program creates a boot disk or bootable USB stick and writes a small Linux-like OS to it.
  • Booting from such a disk allows you to remove a Windows account password or recover its hash for later retrieval of forgotten passwords.

 

Application Password Cracking Tools

Applications software, sometimes referred to as end-user applications (such as word processors, graphics software, etc.), allow a user to perform their everyday tasks on the PC like sending email, editing photos, creating a webpage, etc.

 

Passware Kit Forensic: The electronic evidence discovery tool Passware Kit Forensic reports and decrypts all password-protected files on a computer.

Advanced Office Password Recovery: Recovers, replaces, removes, or circumvents the passwords that protect or lock documents created with Microsoft Office applications.

Office Password Recovery Toolbox: A complete solution for recovering passwords for MS Word, Excel, Outlook, Access, and PowerPoint.

Office Multi-document Password Cracker: Recovers forgotten passwords to multiple MS Office documents. It scans the drive for protected documents, and restores or deletes passwords from all Word, Excel, PowerPoint, Access, and Outlook files it finds.

 

Word Password Recovery Tools: Word Password Recovery Master, Accent WORD Password Recovery

PowerPoint Password Recovery Tools: SmartKey PowerPoint Password Recovery, PowerPoint Password Recovery

Excel Password Recovery Tools: PDS Excel Password Recovery, Accent EXCEL Password Recovery

PDF Password Recovery Tools: Advanced PDF Password Recovery, PDF Password Cracker

ZIP/RAR Password Recovery Tool: Advanced Archive Password Recovery

 

Other Password Cracking Tools

Cain & Abel: Allows recovery of various kinds of passwords by sniffing the network and cracking encrypted passwords using dictionary and brute-force attacks.

RainbowCrack: Uses precomputed rainbow tables, a time-memory trade-off technique, to crack hashes.

Anti-Forensics Techniques: Steganography

  • Steganography is one of the anti-forensics techniques. It hides a secret message inside a regular message, from which it is extracted at the destination, preserving the confidentiality of the data.
  • Often, intruders use the steganography technique to hide information about their illegal activity such as a list of the compromised servers, source code for the hacking tool, plans for future attacks, etc.
  • The most common way to hide data in files is to use a graphic picture as a cover.
  • Steganography disrupts the process of forensics investigation, which can, however, be overcome by using steganalysis tools and techniques.

 

Types of Steganography

  • Image Steganography
  • Document Steganography
  • Folder Steganography
  • Video Steganography
  • Audio Steganography
  • White space Steganography
  • Web Steganography
  • Spam/email Steganography
  • Hidden OS Steganography

Steganalysis

Steganalysis is the process of finding hidden information in a medium. It is the reverse process of steganography, wherein a steganalyst attempts to detect hidden messages embedded in images, text, audio, and video carrier media. Steganalysis helps locate the encoded hidden message and recover it, if recovery is possible. It can identify hidden messages by comparing the differences in the bit patterns of the files.

 

Challenge of Steganalysis

  • The message may have been encrypted before being inserted into a file or signal.
  • It is challenging to detect hidden content within digital images efficiently and accurately.
  • Some of the suspect signals or files may contain irrelevant data or noise encoded into them.

 

Detecting Steganography

Software Clues on the Computer

  • Investigators looking for steganography need to be familiar with the names of popular steganographic software, related terminology, and websites about steganography.
  • Investigators search file names, browser cookies, history files, registry key entries, email messages, chat logs, comments made by the suspect, and receipts for references to steganography.
  • These provide hard clues that tell the investigator where to look deeper.

 

Additional Program Files

  • Non-steganographic software may provide hints that the suspect hides files inside other files.
  • Users with binary (Hex) editors, disk wiping software, or specialized chat software may exhibit a propensity to modify files and conceal information.

Multimedia Files

  • Check for a high volume of suitable carrier files.
  • A system with an especially large number of such files is a potential suspect, since those files could be steganographic carriers.
  • This is especially true if there are a significant number of seemingly duplicate “carrier” files.

Type of Crime

  • The type of crime being investigated may also make an investigator think more about steganography than other types of crime.
  • Child pornographers, for example, might use steganography to hide their wares when posting pictures on a website or sending them through email.
  • Crimes that involve business-type records are also examples where steganography might be used, because the perpetrator can hide the files but still get access to them; consider accounting fraud, identity theft (lists of stolen credit cards), drugs, gambling, hacking, smuggling, terrorism, and more.

Text File

  • For text files, alterations are made to the character positions for hiding the data.
  • The alterations are detected by looking for text patterns or disturbances, language used, and an unusual number of blank spaces.

Image Files

  • The hidden data in an image can be detected by determining changes in size, file format, the last modified timestamp, and the color palette pointing to the existence of the hidden data.
  • Statistical analysis methods are used for image scanning.

Audio File

  • Statistical analysis methods can be used to detect audio steganography, as it involves Least Significant Bit (LSB) modifications.
  • Inaudible frequencies can be searched for hidden information.
  • Odd distortions and patterns indicate the presence of secret data.
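The “statistical analysis” mentioned for both image scanning and audio LSB detection above usually means a histogram test. Below is an added example (written for this page, not from the original notes) of the pairs-of-values chi-square test: LSB replacement only moves samples between the values 2k and 2k+1, so after embedding, the counts of each pair drift toward their common mean and the statistic collapses to roughly one per degree of freedom. The 8-bit samples and embedded bits are constructed inline; the same function applies to pixel channels or 8-bit audio samples.

```python
import random
from typing import List, Sequence, Tuple


def pov_chi_square(values: Sequence[int], levels: int = 256) -> Tuple[float, int]:
    """Pairs-of-values chi-square statistic (Westfeld & Pfitzmann).
    For each pair (2k, 2k+1) the expected count under the "LSBs were
    replaced with random bits" hypothesis is the pair's mean.
    Returns (chi2, degrees_of_freedom)."""
    hist = [0] * levels
    for v in values:
        hist[v] += 1
    chi2, used = 0.0, 0
    for k in range(0, levels, 2):
        even, odd = hist[k], hist[k + 1]
        expected = (even + odd) / 2
        if expected == 0:
            continue                      # empty pair carries no evidence
        chi2 += (even - expected) ** 2 / expected
        used += 1
    return chi2, max(used - 1, 0)


def lsb_suspicious(values: Sequence[int], ratio_threshold: float = 3.0) -> bool:
    """Under the embedding hypothesis chi2/dof is about 1; an untouched
    signal keeps its natural pair asymmetry and scores far higher.
    The threshold is a demo choice, not a calibrated value."""
    chi2, dof = pov_chi_square(values)
    return dof > 0 and chi2 / dof < ratio_threshold


def embed_lsb(values: Sequence[int], bits: Sequence[int]) -> List[int]:
    """Sequential LSB replacement, the embedding this test is built for."""
    return [(v & ~1) | b for v, b in zip(values, bits)]


def make_cover(n: int, seed: int = 1) -> List[int]:
    """Constructed cover signal: 8-bit samples where odd values are rarer
    than even ones, an exaggerated form of the asymmetry real signals show."""
    rnd = random.Random(seed)
    return [2 * rnd.randint(40, 110) + (1 if rnd.random() < 0.25 else 0)
            for _ in range(n)]


def random_bits(n: int, seed: int = 7) -> List[int]:
    rnd = random.Random(seed)
    return [rnd.getrandbits(1) for _ in range(n)]


# Constructed sample data
SAMPLE_COVER = make_cover(20000)
SAMPLE_STEGO = embed_lsb(SAMPLE_COVER, random_bits(20000))

if __name__ == "__main__":
    for label, sig in (("cover", SAMPLE_COVER), ("stego", SAMPLE_STEGO)):
        chi2, dof = pov_chi_square(sig)
        print(f"{label}: chi2/dof = {chi2 / dof:.2f}, suspicious = {lsb_suspicious(sig)}")
```

The test only sees sequential embedding that starts at the first sample; scattered or partial embedding needs the statistic computed over a sliding window.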

Video File

  • Detection of the secret data in video files involves a combination of methods used in image and audio files.
  • Special code signs and gestures can also be used to detect secret data.

Steganography Detection Tool: Gargoyle Investigator Forensic Pro

  • It provides investigators with the ability to conduct quick searches of a given computer or machine for known contraband and malicious programs.
  • There are more than 20 categories in its signature collection, including keyloggers, encryption, steganography, botnets, and Trojan horses. It assists in identifying stego files produced by steganography programs such as BlindSide, WeavWav, and S-programs.

Anti-Forensics Techniques: Data Hiding in File System Structures

Modern forensic tools frequently ignore the tools and techniques used by intruders to conceal data in different parts of a computer system, such as memory, slack space, hidden directories, hidden partitions, bad blocks, ADSs, etc.

  • Slacker — Part of the Metasploit framework that hides data in the slack space of NTFS file system.
  • FragFS — Hides data within the NTFS Master File Table (MFT).
  • RuneFS — Hides data in “bad blocks” inode.
  • KY FS — Hides data in null directory entries.
  • Waffen FS – Hides data in ext3 journal file.
  • Data Mule FS — Hides data in inode reserved space.

 

Other areas where data can be hidden include:

  • Host Protected Areas (HPA) and Device Configuration Overlays (DCO) are reserved areas of modern ATA hard drives.
  • Data hidden in these areas is not visible to the BIOS or OS, but it can be extracted with specialized tools.

 

Anti-Forensics Techniques: Artifact Wiping

Artifact wiping involves several techniques aimed at permanent deletion of files or entire file systems. The process of wiping out artifacts involves:

 

Disk cleaning utilities

  • Disk cleaning tools employ a variety of techniques to overwrite the data that is currently stored on disks.
  • DriveScrubber and BCWipe Total WipeOut are a few of the frequently used disk cleaning programs.

File wiping utilities

  • Among the frequently used file wiping tools are BCWipe and R-Wipe & Clean
  • These tools remove specific files from an operating system.

 

Disk degaussing and destruction techniques

  • The most reliable form of data wiping is physical destruction of the device.
  • Disk degaussing is a process that applies a magnetic field to a digital media device, completely cleaning it of any previously stored data.
  • NIST suggests a few procedures for physically destroying digital material, such as melting, shredding and disintegration.
  • Cybercriminals employ disk degaussing and destruction methods to prevent forensic investigators from accessing the evidence.

 

Anti-Forensics Techniques: Overwriting Data/Metadata

  • Overwriting data on a storage device can be accomplished by hackers using a variety of programs, making recovery difficult or impossible. These programs have three modes of operation and can overwrite data, metadata, or both.
    • Overwrite entire media
    • Overwrite individual files
    • Overwrite deleted files on the media
  • Overwriting data can be accomplished by using disk sanitizers.

 

Overwriting Metadata:

  • Metadata is data about data. It is essential to the computer forensics investigation process.
  • Investigators can create a timeline of attacker actions by organizing all the computer’s timestamps in sequential order.
  • Therefore, attackers cover their tracks by overwriting the access times, making construction of a timeline difficult.
  • Example: Timestomp is used to change the MACE (Modified, Accessed, Created, Entry modified) attributes of a file.
  • Another way to avoid leaving metadata is to access the computer in such a way that metadata is not created.

Examples: Mounting a partition as read-only, or accessing it through the raw device, prevents the file access times from being updated. Setting the Windows registry value “HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate” to 1 disables updating of the last-accessed timestamp.
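Timestomp-style changes are detectable because NTFS keeps MACE values in two attributes: $STANDARD_INFORMATION, which user-mode APIs (and so Timestomp) can rewrite, and $FILE_NAME, which only the kernel updates. The added example below (written for this page, not from the original notes) applies two common triage heuristics to constructed MFT-derived records: $SI times with an all-zero sub-second component, and $SI creation or modification times that precede the $FN creation time. Both are indicators, not proof, and the comments note the legitimate cases that trigger them.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List

TICKS_PER_SECOND = 10_000_000          # FILETIME resolution is 100 ns
_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def to_filetime(dt: datetime) -> int:
    return ((dt - _EPOCH) // timedelta(microseconds=1)) * 10


@dataclass
class MftRecord:
    """Raw FILETIME MACE values from $SI and $FN for one file.
    Keys: M (modified), A (accessed), C (created), E (MFT entry modified)."""
    path: str
    si: Dict[str, int]
    fn: Dict[str, int]


def has_zero_subsecond(ft: int) -> bool:
    """Timestamps set through a seconds-granular API carry an exactly zero
    sub-second part; files written by normal I/O almost never do."""
    return ft % TICKS_PER_SECOND == 0


def analyze(rec: MftRecord) -> List[str]:
    findings = []
    if all(has_zero_subsecond(v) for v in rec.si.values()):
        findings.append("all $SI timestamps have a zero sub-second component")
    # $FN times are written when the entry is created (or moved/renamed), so
    # $SI claiming creation or modification before that point is suspicious.
    # Caveat: tools that copy files while preserving timestamps (e.g. robocopy
    # with timestamp options) also produce this pattern, so corroborate.
    if rec.si["C"] < rec.fn["C"]:
        findings.append("$SI creation time precedes $FN creation time")
    if rec.si["M"] < rec.fn["C"]:
        findings.append("$SI modified time precedes $FN creation time")
    return findings


def triage(records: List[MftRecord]) -> Dict[str, List[str]]:
    """Return only the files that raised at least one finding."""
    out = {}
    for r in records:
        f = analyze(r)
        if f:
            out[r.path] = f
    return out


def _stamp(y, mo, d, h=0, mi=0, s=0, us=0) -> int:
    return to_filetime(datetime(y, mo, d, h, mi, s, us, tzinfo=timezone.utc))


# Constructed sample records
NORMAL = MftRecord(
    path="C:\\Users\\bob\\notes.txt",
    si={"M": _stamp(2024, 3, 2, 9, 15, 7, 481223), "A": _stamp(2024, 3, 2, 9, 15, 7, 481223),
        "C": _stamp(2024, 3, 1, 8, 0, 3, 120455), "E": _stamp(2024, 3, 2, 9, 15, 7, 481223)},
    fn={"M": _stamp(2024, 3, 1, 8, 0, 3, 120455), "A": _stamp(2024, 3, 1, 8, 0, 3, 120455),
        "C": _stamp(2024, 3, 1, 8, 0, 3, 120455), "E": _stamp(2024, 3, 1, 8, 0, 3, 120455)},
)
STOMPED = MftRecord(
    path="C:\\Windows\\Temp\\svc.dll",
    # $SI backdated to a round 2019 timestamp, $FN still shows the real drop time
    si={k: _stamp(2019, 1, 1, 0, 0, 0) for k in "MACE"},
    fn={k: _stamp(2024, 3, 2, 9, 20, 11, 905311) for k in "MACE"},
)

if __name__ == "__main__":
    for path, findings in triage([NORMAL, STOMPED]).items():
        print(path, findings)
```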

 

Anti-Forensics Techniques: Encryption

  • Data encryption is one of the popular techniques used to defeat the forensic investigation process.
  • Intruders use strong encryption algorithms to encrypt data of investigative value, which renders it virtually unreadable without the corresponding key.
  • Also, most encryption programs are capable of performing additional functions, including the use of a key file, full-volume encryption, and plausible deniability, which make the investigator’s job more challenging.
  • Microsoft’s built-in encryption tools for Windows 7 and later:
    • BitLocker encrypts the whole disk.
    • Individual files and directories are encrypted by the Encrypting File System.
  • VeraCrypt is one of the most popular tools for anti-forensics encryption.

Encrypting File System (EFS): Recovery Certificate

If an encryption key is lost or broken, you can use a recovery certificate to restore EFS-encrypted files.

Note: To follow the instructions below, you must be logged in as an administrator. Additionally, the instructions provided do not work with Windows 7 (Starter, Home basic, and Home Premium).

 

Steps involved:

Create the recovery certificate

  • Open a Command Prompt window and insert a USB drive (removable media) to store the certificate.
  • Navigate to the removable media drive where you want to store the recovery certificate by typing its drive letter followed by a colon and pressing Enter.
  • Type cipher /r:<file name> (where file name is the name to give the recovery certificate) and press Enter.
  • Note: If prompted for an administrator password or confirmation, type the password or provide confirmation

Install the recovery certificate

  • Insert the removable media that contains the recovery certificate
  • In the Search box, type secpol.msc, and then press Enter

Install recovery certificate

  • In the left pane, double-click Public Key Policies, right-click Encrypting File System, and then click Add Data Recovery Agent. In the Add Recovery Agent wizard, click Next, navigate to the recovery certificate, and then click Open.
  • When asked whether you want to install the certificate, click Yes, click Next, and then click Finish. Now open a Command Prompt window, type gpupdate, and then press Enter.

Update previously encrypted files with new recovery certificate

  • Log on to the account used when the files were first encrypted
  • Open cmd, type cipher /u, and then press Enter.

Note: If you do not choose to update encrypted files with the new recovery certificate right at that time, the files will automatically be updated the next time you open them.

 

Advanced EFS Data Recovery Tool

Advanced EFS Data Recovery helps to recover EFS-encrypted files under various circumstances:

  • EFS-protected drive moved to a different PC.
  • Deleted users or user profiles.
  • User transferred to another domain without EFS consideration.
  • The system administrator resets the account password without EFS consideration.
  • Damaged disk, corrupt file system, or unbootable operating system.
  • Reinstalled Windows or computer updates.
  • Formatted system partitions with encrypted files remaining on another disk.

 

Anti-Forensics Techniques: Encrypted Network Protocols

  • For anti-forensics purposes, hackers use cryptographic encapsulation protocols like SSL/TLS and SSH. These methods encrypt network communication, protecting only its content. However, using intermediate means is necessary to guard against traffic analysis.
  • Onion routing combines both strategies with several encryption layers so that no third party is aware of the plaintext content, or both ends of the conversation.

 

Anti-Forensics Techniques: Program Packers

  • Packer is a program used to compress or encrypt executable programs.
  • Packers are used by hackers to conceal attack tools so that scanning or reverse engineering cannot find them.
  • Among the popular packers are PECompact, BurnEye, Exe Stealth Packer, Smart Packer Pro, etc.
  • Packed programs that require a password to run are resistant to analysis. However, those that don’t need a password are susceptible to static analysis.

 

Anti-Forensics Techniques: Rootkits

  • Rootkits are another data hiding technique that hackers frequently employ to hide their tracks and the existence of malicious applications or processes on the system.
  • Rootkits are effective only while the system is being analyzed live, in real time.
  • Some of the most popular rootkits are Avatar, Necurs, Azazel, ZeroAccess, and others.
  • Types of rootkits: Hypervisor Level Rootkit, Hardware/Firmware Rootkit, Kernel Level Rootkit, Boot Loader Level Rootkit, Application-Level Rootkit and Library Level Rootkits.

 

Detecting Rootkits

Integrity-Based Detection: It compares a snapshot of the file system, boot records, or memory with a known and reliable baseline.

Signature-Based Detection: This method matches a database of known rootkit fingerprints with the properties of all system processes and executable files.

Behavior Based Detection: Any changes to the typical operation or behavior of the system could be a sign that a rootkit is present.

Runtime Execution Path Profiling: This technique compares runtime execution paths of all system processes and executable files before and after the rootkit infection.

Cross View-Based Detection: Enumerates key elements in the computer system such as system files, processes, and registry keys, and compares them to an algorithm used to create a comparable data set that does not rely on the common APIs. Any differences between these two data sets indicate the presence of a rootkit.

 

Anti-Forensics Tools: QuickCrypto

QuickCrypto allows text files, image files, audio files, etc. to be hidden and encrypted prior to hiding.

Reference

  1. EC-Council CHFI Ebook