Tuesday, January 08, 2008

Response to "antiforensics"

On one of the online forums this evening, someone posted about reading the latest issue of 2600 and finding an article that mentions the use of "antiforensics" techniques, specifically with regards to one forensic analysis application in particular.

My response was this:

[Most of] these techniques don't defeat tools...they defeat examiners.

Thoughts?

13 comments:

jkoppe@RIT said...

I definitely agree with you on this one. I recently completed a project/presentation with a classmate on a tool similar to what the Metasploit people call Transmogrify. The tool doesn't defeat signature analysis; rather, it makes it harder for the examiner to find files of a known file type.

These types of tools heighten my concern for examiners because an examiner that thinks forensic tools are comprehensive has been misled. Fortunately, awareness increases as we move forward thanks to people like you, Harlan. By the way, thanks for authoring and publishing WFA and the WFA tools.

Keydet89 said...

jkoppe,

I'm always glad to help where I can...thanks for taking the time to comment.

H

Cosimo said...

I agree only in part, as I believe it depends on the "antiforensics" tool/technique you are considering.
For instance, take the MojoPac application. You can certainly tell that somebody plugged in a MojoPac-enabled USB pen and ran MojoPac from it (for instance, by looking at artefacts in the registry or in the .pf files), but it seems (from the test I did and from reports I've read elsewhere) that you will not be able to reconstruct the actions that the person performed, as they will be stored in the virtual disks defined in the MojoPac virtual machine. We can argue that this is due to a lack of knowledge, and as such it is a fault of the examiner, but if nobody possesses the required knowledge to reconstruct what happened on a system, are we sure that it is a fault of the examiner?

Keydet89 said...

We can argue that this is due to a lack of knowledge, and as such it is a fault of the examiner, but if nobody possesses the required knowledge to reconstruct what happened on a system, are we sure that it is a fault of the examiner?

A great many examiners today do not "possess the required knowledge to reconstruct what happened on a system". Look at any of the forums..."forensic examiners" and "practitioners" are posting all the time, asking questions that could be answered with a simple Google query.

However, there are a good many topics that simply aren't covered. Take P2P apps...questions abound, and there is very little out there that is documented. I don't know how you'd structure such a thing, but I do think that someone could make a great deal of money researching artifacts for P2P and IM apps, exploits, etc. However, in many cases (particularly with regards to P2P), you see the same questions asked again and again.

So, do we blame the examiner b/c someone else hasn't already published the information they need to perform their analysis? No, of course not. However, perhaps we should blame the examiner for being too tool-centric and not doing his or her own research.

cosimo said...

Sorry, I didn't explain myself clearly. What I meant is that sometimes there is simply no way to ascertain what happened (for instance, with the MojoPac application I mentioned in my previous post), and in that case even the most clever, expert, and keen examiner will not be able to acquire that knowledge because ... it simply does not exist. So, there are some "antiforensic" techniques that -- unfortunately -- may be impossible to subvert. My major concern is that it is becoming increasingly simple to use these tools. For instance, using timestomp or slacker is not trivial (although doable with a reasonable effort by a technically savvy person), but using MojoPac is dreadfully easy even for inexperienced users.
By the way, I totally agree with you about the tool-centric approach that most examiners use. And in their "ask before doing your own research" attitude I see a very old bad habit, which you probably know from the old computer-science joke "when all else fails, read the manual". Anyhow, I think that there are good and bad examiners, and that bad examiners won't survive market selection in the medium-to-long run.

Keydet89 said...

What I meant is that sometimes there is simply no way to ascertain what happened...

This is very true, and not just with this issue, but also with others.

However, MojoPac isn't described as an anti-forensic thingy...it's more meant for privacy.

In truth, there's quite a bit that can be done to truly make life difficult for attorneys. This stuff really doesn't make my job harder...my job is to present the facts. If I can't answer a customer or attorney's specific question b/c MojoPac was used...that's my answer, as long as I can support it with hard facts.

...bad examiners won't survive market selection in the medium-to-long run.

We'll see.

Thanks for the comments!

hogfly said...

Cosimo,
Ah, you see, there is the rub. I've said this before: antiforensics attacks the human dimension, and that's where the focus should be. Using your argument against you...

Mojopac (which I've done some work on) is not itself the problem. The examiner looking at a system where there exists proof of mojopac execution is. The investigation doesn't begin and end on the disk in the system. You've got the clues right in front of you. The registry will tell you the USB key you're looking for, there are other traces that will point in the right direction. These are the artifacts we as examiners are looking for. Now we have a USB key or other removable device to search for and that will contain what we are looking for. Mojopac is not antiforensic in nature, many tools used are not antiforensic in nature. They perform a limited amount of cleansing and not much else.

http://forensicir.blogspot.com

Keydet89 said...

hogfly has brought it closer to home...

If something can't be shown...it can't be shown. There's a thread on another forum right now where the OP is looking to show files that were "uploaded or downloaded from a flash drive"...off-line comms w/ the OP last night revealed that what he was referring to was if files were copied from the flash drive. While file MAC time analysis may give some indication of this, without the flash drive itself to examine, one cannot say definitively which files were copied from the flash drive.

The point is, if it can't be shown, then it can't be shown. End of story. When speaking to a customer regarding user activity on a system, I generally refer to what was done by whomever was using the user account, not to the user themselves.

If something can't be shown, then that's one thing. However, if the facts are not found and displayed for the customer due to a lack of knowledge on the part of the examiner, neither one is an "antiforensics" technique.

cosimo said...

Hogfly,

I think we should distinguish between "antiforensic tools" and "antiforensic techniques". While MojoPac is not an antiforensic tool, using it to conceal your actions is -- in my opinion -- an antiforensic technique. If a technique is not properly used (for instance, you do not hide well enough your MojoPac USB device), then evidence may be recovered, but if you use it properly, there is nothing an examiner can do.
BTW, I'm aware of the work you did with MojoPac (and it was one of the other reports mentioned in my first post), as I read your blog on a regular basis and find it very informative.

Harlan,
once more, I couldn't agree more with you. And for this reason I always insist with my students that the important thing is knowledge and methodology, not specific tools. Unfortunately, GUI-based tools and "Nintendo forensics" (to borrow your expression, which I found really appropriate) give many prospective examiners the illusion that CF is just a matter of using the right tool and pushing the right button. This is, in my opinion, the consequence of the fact that everything that is mediated by a computer (even a crime) looks more virtual than real, so "Nintendo forensics" looks like a nice videogame at which one can become more skilled by learning the right button combination without understanding what the tool is actually doing. As you have often said, education is the right way to subvert this situation.

JimmyWeg said...

Take P2P apps...questions abound, and there is very little out there that is documented. I don't know how you'd structure such a thing, but I do think that someone could make a great deal of money researching artifacts for P2P and IM apps, exploits, etc. However, in many cases (particularly with regards to P2P), you see the same questions asked again and again.

There are a number of rather good papers or other resources addressing the major P2Ps and instant messaging apps. LimeWire, Kazaa, Hello, MSN Messenger, Windows Live Messenger are some that come to mind. Some resources are, unfortunately, available exclusively on LE-only forums. However, the ForensicWiki contains some superb information and is available to the folks who post here.

You're still correct about the repetitive posts-in-lieu-of-research. I do it myself now and then. In fairness, I think that some or most of this stems from a need for some quick guidance, which, I hope, leads to more detailed research and empirical testing before drawing conclusions.

One challenge, perhaps a Catch-22, is to keep up on the yet unknown. Isn't it a goal of zero-day exploits to capitalize on that dilemma?

Keydet89 said...

There are a number of rather good papers or other resources addressing the major P2Ps and instant messaging apps. LimeWire, Kazaa, Hello, MSN Messenger, Windows Live Messenger are some that come to mind. Some resources are, unfortunately, available exclusively on LE-only forums.

Interesting...every time I get a question about Limewire or Kazaa, it's from a LEO.

...some or most of this stems from a need for some quick guidance, which, I hope, leads to more detailed research and empirical testing before drawing conclusions.

I'm not sure I see how asking the questions and looking for quick guidance leads to the "more detailed research". For the most part, I don't see the original poster (OP) doing that research, and I also don't see someone else stepping up to do it...I just see the questions being asked time and again.

One challenge, perhaps a Catch-22, is to keep up on the yet unknown. Isn't it a goal of zero-day exploits to capitalize on that dilemma?

Zero-days can't keep up with a thorough process or methodology. If an examiner's process is to go online for "quick guidance" whenever faced with something new, then yes, zero-days are an issue. This is because the examiner's approach is to push buttons to get their data. However, with a thorough methodology and understanding, zero-days aren't as much an issue as they are a source of something for the examiner to write up and share with others.

JimmyWeg said...

Interesting...every time I get a question about Limewire or Kazaa, it's from a LEO.

I'm saying that there are papers and the like available, not that we are taking advantage of them. Asking questions and looking for quick guidance is not, necessarily, a precursor to research. I said that I hoped that it would be. When I read a paper, I generally go through the corresponding application or subject data and check out what I've read. If, for no other reason, "A picture is worth . . ."

You're seeing more questions from LE because, I think, we make up the substantial majority of this profession. It's just a matter of numbers and the odds. Since we're focusing on P2P for the moment, I'll hazard a guess that P2P/IM-centered cases fall within the LE realm to a far greater extent than they arrive at the private sector's door. The converse may be true for intrusions and what I suspect you do, and admirably well, on a daily basis.

I don't think that anyone can conclude that the OP hasn't done further research after getting some help. Sometimes, quick guidance serves as a reminder of what we know but forgot. I'll rephrase my thought and say that an examiner, presented with guidance, should consider the source and validate the advice. Yes, maybe we should research the research before the easy post, but I also could open a debate about workloads, time, other excuses (perhaps valid ones), etc. (I'll save "push-button" forensics for another day.)

Keydet89 said...

I'm saying that there are papers and the like available...

Understood. I was trying to make the point...obliquely...that they aren't searched for, nor are they taken advantage of.

It's just a matter of numbers and the odds.

I can see that, sure. I'm sure there are other reasons, as well...for example, the particular venue. There are some venues where the predominant questions center around, "how do I get into the forensics arena?" and "I'm in uni, what project can I do?" ;-)

I still think that there is an opportunity for a clearinghouse for forensic artifacts and other information. Perhaps even on a contract basis. I don't know if it would be enough for a "service" to survive on its own, but some companies make their name and money from research into vulnerabilities...why couldn't someone else do the same by looking at a successful exploit, but from the inside?