Forensics is the branch of computer science that seeks to discover evidence of activity in computers, digital storage media, and networks. Most hacking activities and tools leave direct or indirect evidence that can be discovered by a forensic investigator. The following table summarizes some popular cyber forensics tools.
Anti-forensics is the process of disrupting or impeding a forensic investigation. You can do this by:
- Negatively affecting the quality, quantity, or integrity of evidence.
- Making forensic analysis more difficult or impossible.
- Deceiving forensic investigators.
The purpose of forensics is to discover who did something and how. Therefore, an attacker will likely have one or more of the following reasons for disrupting that process:
- To escape notice while they are still inside the perimeter.
- To eliminate themselves as a suspect after they have concluded the attack.
- To frame another person or group of people as suspects.
- To waste the organization’s time and resources.
In a pen test, anti-forensics is important because it goes beyond just demonstrating to the organization that it has specific weaknesses that can be exploited. The organization may also be failing its own incident response operations and personnel, when it should be enabling them to perform as effectively as possible. A pen test that includes anti-forensics can assess any such shortcomings.
Note: Consider all of the hacking tools and techniques you have learned in this course. What possible digital evidence might they leave behind that you would want to erase to cover your tracks?
The anti-forensics process relies on weaknesses inherent in computer systems, forensic tools, and the human investigators themselves. There are several techniques available to the attacker that can exploit these weaknesses. The following are examples of anti-forensics techniques that disrupt forensic processes or confuse or deceive investigators:
- Buffer overflow and heap spraying. You may be able to initiate a buffer overflow on an investigator’s forensic tools when they use them. This is often done by setting a malicious file as a trap—when the investigator opens the file, it causes the forensic tool to hang or crash, making it or related files difficult to examine. One tactic is to craft a file that exploits vulnerable dynamic-link libraries (DLLs) to create an infinite loop in memory. Another tactic is heap spraying, in which malicious code is injected into an application’s memory heap in specific places. When an investigator opens a file (e.g., a bitmap) in their forensic tool, the file forces the tool to read memory from the sprayed heap, executing the malicious code. Note that most up-to-date forensic tools include protections against buffer overflows and heap spraying.
- Memory residents. This describes code whose location in memory the OS is not allowed to swap to permanent storage. Malware can run as a memory resident to stay active even while the application it is normally attached to is no longer running. This may fool an investigator or their automated tools into believing that a computer has no trace of malware, despite the malware still being active. Note that modern forensic tools can scan a system’s memory for malicious code.
- Program packing. This is a method of compression in which an executable is mostly compressed, and the part that isn’t compressed includes code to decompress the executable. In other words, a packed program is a type of self-extracting archive that makes reverse engineering its contents more difficult. Packed malware, until it’s unpacked, can mask string literals and modify its signatures to avoid triggering signature-based scanners. So a forensic analyst may be unable to ascertain the nature of a packed program until it runs and potentially infects the system. Note that unpacking the executable in a controlled sandbox environment can help an analyst get around this problem.
- VM detection. Analysts use VMs to create a sandbox with which to safely examine and run malware. However, some clever malware can detect that it’s running in a sandbox by exploiting unpatched zero-day vulnerabilities in the sandbox software, or by detecting that the sandbox has direct hooks into the malware so that it can monitor the malware for system calls. Malware that knows it’s in a sandbox can alter its behavior to fool an investigator into thinking it’s benign, like only activating when it detects human behavior such as mouse movement.
- Alternate data streams (ADSs). This is a feature of Microsoft’s NT File System (NTFS) that enables multiple data streams under a single file name by attaching one or more additional streams (forks) to a file. Apps like File Explorer won’t display any change in the host file’s size or other attributes when an extra stream is attached to it. So, a malicious executable that injects itself as a stream into a legitimate program can remain hidden from everyday end-user tools. More advanced tools will be able to detect ADSs, however. Also note that, starting with Windows 7, the ability to execute a file with ADS is disabled by default.
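The program packing entry above describes why a packed binary resists static inspection: its string literals are hidden and its bytes look close to random until the unpacking stub runs. An analyst can turn that observation into a triage check. The following Python script is an added example, not part of this course material, of an entropy and string-density heuristic; the two samples are constructed inside the script (a seeded pseudo-random block standing in for a packed section, and a block of null-separated import names and paths standing in for an unpacked one), and the thresholds are assumptions chosen for illustration rather than published constants.

```python
import math
import random
from collections import Counter

PRINTABLE = frozenset(range(0x20, 0x7F))  # ASCII space through '~'


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def extract_strings(data: bytes, min_len: int = 8):
    """Runs of printable ASCII at least min_len long, like the `strings` utility."""
    found, run = [], bytearray()
    for b in data:
        if b in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found


def triage(data: bytes, entropy_threshold: float = 7.0,
           min_strings_per_kb: float = 1.0) -> dict:
    """Flag a byte blob as likely packed or encrypted.

    Packed/encrypted sections have a near-uniform byte distribution (entropy
    close to 8 bits) and almost no recognisable strings. Both thresholds are
    assumed values for this example; tune them against known-good binaries.
    """
    entropy = shannon_entropy(data)
    strings = extract_strings(data)
    kilobytes = max(len(data) / 1024.0, 1e-9)
    density = len(strings) / kilobytes
    return {
        "entropy": round(entropy, 3),
        "strings_per_kb": round(density, 3),
        "likely_packed": entropy >= entropy_threshold and density < min_strings_per_kb,
    }


# --- constructed samples (not taken from any real binary) ---

# A seeded pseudo-random block stands in for a packed/encrypted section.
_rng = random.Random(20180721)
PACKED_SAMPLE = bytes(_rng.getrandbits(8) for _ in range(64 * 1024))

# Null-separated import names and a path, repeated, stand in for an unpacked section.
PLAIN_SAMPLE = (
    b"GetProcAddress\x00LoadLibraryA\x00kernel32.dll\x00"
    b"C:\\Users\\victim\\Documents\\report.docx\x00"
) * 200


if __name__ == "__main__":
    for name, blob in (("packed", PACKED_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(name, triage(blob))
```

On a real executable this check is most useful per section rather than over the whole file (a library such as pefile exposes PE section boundaries), because a packer typically leaves a small, low-entropy stub next to one large high-entropy section. The verdict is a hint for prioritising dynamic analysis in a sandbox, as the entry above recommends, not proof of malice on its own: compressed resources and embedded certificates also score high.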
Covering Your Tracks
The most common anti-forensics technique is covering one’s tracks. An attacker will try to make it as difficult as possible for forensic investigators to identify how the attack commenced, and who is responsible. In some cases, the attacker may even be able to erase any evidence that an attack has taken place. Covering tracks is made possible by obfuscating the source of a malicious event and removing any residual traces of that event before leaving the target environment. Covering tracks is also viable in situations where the attack persists after the main exploit phase; this helps the attacker hide their initial exploits as well as their ongoing compromise.
In a pen test, you aren’t going to truly hide your attack from the organization—after all, you were hired to report vulnerabilities to the client, not to keep them secret. However, you can still try to cover your tracks at the end of the test to demonstrate to the client that they’ll have serious difficulties handling an incident. If you’re authorized to go through with this type of anti-forensics attack, then you should first make sure that you’ve recorded all of the data you’ll need for your final report. You don’t want to delete all evidence of your attack, only to later be unable to present that evidence to the organization as proof of compromise. You should also be careful not to cause any collateral damage and erase important data that wasn’t part of the attack.
Check out timestomp in mimikatz:
Techniques for Covering Your Tracks
The following are some example techniques you can use to cover your tracks:
- Clearing whole event logs. Tools like Metasploit include commands for clearing an entire event log on a machine that you’re currently exploiting. Because it clears every log rather than specific ones, this may raise suspicion; however, it can still make it harder for a forensic analyst to do their job. In a Meterpreter session, clearev will clear all Windows event logs. If you have a direct command shell, you can also clear individual log categories. For example: wevtutil cl Application clears the application log. To clear logs on a Linux system, you can use one of several methods that you’d use to clear any text file. For example, to clear the syslog: echo "" > /var/log/syslog.
- Clearing specific event log entries. Rather than wiping a log entirely and giving investigators something to be suspicious about, you can instead remove specific entries that would reveal your attack. For example, say you’ve logged in to a Linux system using a backdoor account called "backdr". Before leaving, you could wipe any entries in auth.log that show the account logging in, rather than clearing the entire log. You can use a variety of methods to do this. The following example uses sed to delete all lines matching the given string while keeping the other lines intact: sed -i '/backdr/d' /var/log/auth.log.
- Changing or forging event log entries. Rather than directly removing an entry or an entire log, it may be more beneficial to simply alter entries. For example, altering a user logon entry in Windows security logs may enable you to frame another individual. You could also forge an event by stealing a privileged user’s token and then performing a malicious task; the event will be recorded as if it were performed by the user whose token you stole. You can steal a Windows user’s token in Meterpreter by entering steal_token <PID> where <PID> is the process ID of a process that is owned by the user whose token you want to steal.
- Erasing shell history. Certain shells, like Bash shells on Linux, store the last n commands in history. A forensic analyst can retrieve this history and piece together your executed commands. However, you can cover your tracks by setting the command history to zero before executing the commands. For a Bash shell, this command is export HISTSIZE=0. In case the system has already recorded a shell history and you want to delete it, you can enter echo "" > ~/.bash_history and history -c. On Windows, you can clear the history of cmd.exe by pressing Alt+F7 or by simply terminating the process. You clear the history in PowerShell by using the Clear-History cmdlet.
- Shredding files or erasing data securely. Since simply deleting a file using standard OS features won’t erase that file securely, you may want to perform data wiping techniques to prevent forensic investigators from recovering the incriminating information. On Linux systems, this is known as shredding, because the shred command can overwrite files on storage to ensure complete removal. For example, the command shred -zu /root/keylog.bin will overwrite the file with zeros to hide the fact that it was shredded, then the file will be removed. Windows doesn’t have a built-in command-line equivalent to file-based shredding, but you can overwrite an entire volume with zeros by formatting the volume: format d: /fs:NTFS /p:1 where the /p switch indicates how many passes the zeroing operation will do.
- Changing timestamp values. Good forensic investigators will attempt to reconstruct a narrative of events by correlating event data. One of the most important attributes in event correlation is time. If you can modify the time that certain events are recorded, you can deceive investigators into believing a false narrative. Changing time-based values is not just limited to event logs, either. Altering a file’s MACE (modified, accessed, created, entry modified) metadata can confuse and misdirect investigators into thinking that your attack happened at a different time, or has lasted for a longer or shorter amount of time than it actually has. You can use the timestomp command in Meterpreter to change MACE values. The command timestomp file.docx -z "07/21/2018 16:21:05" changes all four MACE values for a file to the specified time.
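Seen from the defender's side, the log-clearing and entry-deletion techniques above each leave something to check for: Windows records the clearing of the Security log as event ID 1102 and the clearing of the System log as event ID 104, and a line deleted from a host's auth.log with sed is still present on a central collector the host forwarded it to before the deletion. The following Python script is an added example, not part of this course material, that performs both checks on constructed data: a short list of Windows event records, and a forwarded copy of auth.log next to a host-local copy from which the "backdr" lines have been removed. The record field names, the host name web01 and the addresses are assumptions made for the example.

```python
import re
from collections import Counter

# Windows writes these when an event log is cleared: 1102 for the Security log,
# 104 (source Microsoft-Windows-Eventlog) for the System log.
LOG_CLEARED_EVENT_IDS = {1102, 104}

# Pulls the account name out of sshd/PAM lines such as
# "Accepted password for alice from ..." or "session opened for user alice by ...".
ACCOUNT_RE = re.compile(r"\bfor (?:user )?(\S+) (?:from|by)\b")


def find_log_clearing(events):
    """Return the records that document a log being cleared, and who cleared it."""
    return [
        {"time": ev["time"], "channel": ev["channel"],
         "event_id": ev["event_id"], "subject": ev.get("subject", "unknown")}
        for ev in events
        if ev["event_id"] in LOG_CLEARED_EVENT_IDS
    ]


def reconcile_logs(local_lines, remote_lines):
    """Compare the host-local log with the copy the host forwarded to a collector.

    Lines the collector holds but the host no longer has were deleted after
    forwarding (the sed -i '/pattern/d' case); an empty local copy against a
    populated remote one means the whole file was truncated (the echo "" > case).
    """
    local = Counter(l.rstrip("\n") for l in local_lines if l.strip())
    remote = Counter(l.rstrip("\n") for l in remote_lines if l.strip())
    missing = sorted((remote - local).elements())
    accounts = set()
    for line in missing:
        m = ACCOUNT_RE.search(line)
        if m:
            accounts.add(m.group(1))
    return {
        "missing_locally": missing,
        "truncated": sum(local.values()) == 0 and sum(remote.values()) > 0,
        "accounts_in_deleted_lines": accounts,
    }


# --- constructed samples (assumed field layout; not real host data) ---
WINDOWS_EVENTS = [
    {"time": "2018-07-21T16:19:30", "channel": "Security", "event_id": 4624, "subject": "CORP\\alice"},
    {"time": "2018-07-21T16:22:10", "channel": "Security", "event_id": 1102, "subject": "CORP\\svc_backup"},
    {"time": "2018-07-21T16:22:11", "channel": "System", "event_id": 104, "subject": "CORP\\svc_backup"},
    {"time": "2018-07-21T16:30:02", "channel": "Security", "event_id": 4634, "subject": "CORP\\alice"},
]

REMOTE_AUTH_LOG = [
    "Jul 21 16:20:01 web01 sshd[2211]: Accepted password for alice from 10.0.0.5 port 51022 ssh2",
    "Jul 21 16:21:05 web01 sshd[2230]: Accepted password for backdr from 203.0.113.9 port 40211 ssh2",
    "Jul 21 16:21:05 web01 sshd[2230]: pam_unix(sshd:session): session opened for user backdr by (uid=0)",
    "Jul 21 16:25:40 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; COMMAND=/usr/bin/apt update",
]
# The host-local copy as it looks after the "backdr" lines were deleted from it.
LOCAL_AUTH_LOG = [line for line in REMOTE_AUTH_LOG if "backdr" not in line]


if __name__ == "__main__":
    for hit in find_log_clearing(WINDOWS_EVENTS):
        print("log cleared:", hit)
    print("auth.log reconciliation:", reconcile_logs(LOCAL_AUTH_LOG, REMOTE_AUTH_LOG))
```

Both checks depend on the same control: evidence has to leave the host before the attacker gets to it. Forwarding event logs and syslog to a collector the compromised host cannot write back to is what makes the reconciliation meaningful, and an alert on event IDs 1102 and 104 turns the clearev and wevtutil cl techniques above into a signal rather than a gap. A local copy reduced to a single empty line by echo "" > /var/log/auth.log is reported as truncated because blank lines are ignored in the comparison.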
Guidelines for Using Anti-Forensics Techniques
When using anti-forensics techniques:
- Assess the organization’s susceptibility to anti-forensics techniques.
- Leverage buffer overflows to disrupt forensic tools.
- Leverage techniques like memory residents and VM detection to hide the existence or purpose of malware.
- Cover your tracks to avoid being identified or having your attack detected.
- Keep in mind that you need to deliver a report to the client and shouldn’t truly hide the attack.
- Ensure you aren’t causing collateral damage when covering your tracks.
- Clear, modify, or falsify event logs to mislead analysts looking for a record of malicious activity.
- Erase shell history to remove traces of the commands you executed.
- Shred or securely erase files to remove traces from the system.
- Change timestamp values in events and files to make it more difficult for analysts to formulate a coherent narrative.