Chapter 6

Anti-forensics

Abstract

Digital forensic success stories are becoming widely known. That has created a keen interest in obstructing these types of investigations. Some of these obstructive techniques are so effective that they can make recovering the information virtually impossible. This is of grave concern especially in the context of public safety. To combat these anti-forensics techniques, examiners must become familiar with the various ways to hide and destroy data. They must also master the tools and methods at their disposal to overcome anti-forensic efforts.

Keywords

Encryption
Password Cracking
Steganography
Encrypting File System (EFS)
Brute Force Attack
Symmetric Encryption
Asymmetric Encryption
Plain Text
Dictionary Attack
Cipher Text

“There are two types of encryption: one that will prevent your sister from reading your diary and one that will prevent your government.”

—Bruce Schneier

Information in this chapter
Introduction of Encryption Technology and the Threat It Poses
Attacks Used to Break Encryption
Techniques Used to Hide and Destroy Data

Introduction

There are many definitions for the term anti-forensics. John Barbera defines it this way: “an approach to manipulate, erase, or obfuscate digital data or to make its examination difficult, time[-]consuming, or virtually impossible” (Barbera, 2008).
There was a website devoted to the subject, and its operators weren’t the least bit subtle about their objectives. anti-forensics.com was a “community dedicated to the research and sharing of methods, tools, and information that can be used to frustrate computer forensic investigations and forensic examiners.” It went on to describe the website’s purpose, at the time, saying, “A major goal of some anti-forensics software, and the focus of Anti-Forensics.com, was to make the analysis and examination of digital evidence as difficult, confusing, and time[-]consuming as possible” (Anti-Forensics.com).
The use of anti-forensics techniques is not limited to terrorists and pedophiles. Corporate executives have put them to use as well, using these tools and techniques to hide or destroy incriminating e-mails, financial records, and so on. Even everyday applications such as web browsers have features that could be used to obstruct a forensic examination—clearing the Internet history or browser cache, for example. Most newer browsers come with a “private browsing” mode that doesn’t record things such as websites visited or searches. In the latest version of Firefox, running in private mode will no longer save visited pages, form and search bar entries, passwords, download list entries, cookies, and web cache files (Mozilla, 2011). See Figure 6.1.
Figure 6.1 The “Start Private Browsing” menu option in Firefox 6.0. Also note the option to “Clear Recent History.”
In this chapter, we’re going to take a look at several techniques used to hide or destroy digital evidence. As you’ll see, some of these techniques are highly effective when used properly. Other techniques have little or no impact on a forensic examination. Even using one of the commercially available drive-wiping tools is no guarantee that the data will truly disappear.
From an investigative perspective, it’s important to know that there are legitimate uses of these anti-forensic tools and techniques. Proving intent, therefore, is critical. Suspects could assert that the wiping application was used only to protect their privacy or they used the defragmentation utility to improve performance. That’s possible. However, that defense gets a little tougher to swallow if the tool was only used once and that was three hours after the target became aware of the investigation.

Hiding data

Hiding techniques range from the simple to the very complex. Changing file names and extensions, burying files deep within seemingly unrelated directories, hiding files within files, and using encryption are some of the most common hiding techniques. The last two techniques are what can cause digital forensics practitioners to lose sleep at night.

Encryption

We all have secrets. Companies, governments, and individuals share this universal truth. The Colonel’s recipe for fried chicken, our bank account numbers, and the Army’s plans for war are just a few examples of information that has to be kept under wraps. Before our world became such a wired one, keeping this material safe was, in many respects, a lot less complicated.
The legitimate use of encryption has enabled us to enjoy many of the Internet services that we now take for granted. For example, encryption used in e-commerce permits us to buy our favorite books and book our summer vacations. It keeps our businesses running and our country safe. These modern conveniences, however, are not without a cost. Encryption is a double-edged sword with serious consequences when used by criminals, terrorists, unfriendly nations, and crooked CEOs alike.
Today, we have less direct control over these secrets as they travel over the Internet or fly through the air on a wireless network. It is encryption that provides us with both the mechanism and confidence to store and transmit our most sensitive digital information. In this book, however, the focus is on the darker side of this technology and the threat that it poses. Its value is certainly not lost on many people with bad intentions. Take terrorists, for example; despite their seemingly low-tech lifestyle, they are embracing technology including encryption. If done properly, encryption can keep examiners at bay until hell freezes over, literally.
“To a greater and greater degree, terrorist groups, including Hezbollah, Hamas, and bin Laden’s al Qaida group, are using computerized files, e-mail, and encryption to support their operations,” wrote then-CIA Director George Tenet last March to the Senate Foreign Relations Committee. Ramzi Yousef, the architect of the 1993 World Trade Center bombing, is one of those terrorists putting encryption to use. Yousef saved detailed plans to destroy U.S. airliners encrypted on his laptop (Dick, 2001).

What is encryption?

Encryption is the conversion of data into a form, called cipher text, that cannot be easily understood by unauthorized people (Bauchie, Hazen, Lund, Oakley, and Rundatz, 2000). Encryption starts with Plain Text. Plain Text is the original, unencrypted message. The Plain Text message is in the clear and can be read by anyone. A cryptographic algorithm is then applied to the Plain Text, producing cipher text. Cipher text is basically a scrambled version of Plain Text that is unintelligible. The algorithm is the method used to encrypt the message. The key is data used to encrypt and decrypt the information. A password or passphrase is commonly used as the key.

Early encryption

Encryption itself isn’t a by-product of computer technology alone. It’s been around for thousands of years in one form or another. One of the earliest and best-known encryption schemes is the Caesar Cipher. The Caesar Cipher is a shift cipher: it encrypts data by replacing each letter with the letter a fixed number of positions (the key) further along in the alphabet, wrapping around from Z back to A. For example, using the Caesar Cipher and a key of five, an “A” would become an “F.” Table 6.1 shows the entire alphabet both as plain text and as cipher text after the same cipher has been applied. Note that each letter has been shifted five positions past its original position.

Table 6.1

The Alphabet with Simple Encryption (Caesar Cipher). The Key in This Example is Five.

Plain text:  A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
Cipher text: F G H I J K L M N O P Q R S T U V W X Y Z A B C D E
Now let’s encrypt “forensics” using the Caesar Cipher with a key of eight. Table 6.2 shows us the conversion of Plain Text to cipher text.

Table 6.2

A Letter-by-Letter Conversion Using the Caesar Cipher and a Key of Eight

Plain text:  F O R E N S I C S
Cipher text: N W Z M V A Q K A

This simple process is still employed today. It’s frequently used to obfuscate computer code. At first glance, it appears that the terms encryption and obfuscate are interchangeable. They are similar enough to sometimes be confused, but the differences are significant enough to merit clarification. Obfuscation and encryption are both intended to make things harder to understand. Obfuscation, however, is used to protect computer code, rather than the data itself (Tyma, 2003). Obfuscation also protects code from reverse engineering. Encryption can’t be used in this way because it would render the code totally unreadable to the computer.
ROT13 is a modern version of the Caesar Cipher in use today for obfuscation. In ROT13, letters are shifted by 13 positions. In this scheme, an “A” becomes an “N” and so on. Table 6.3 shows an excerpt from Lincoln’s Gettysburg Address after ROT13 has been applied.

Table 6.3

The Opening of Lincoln’s Gettysburg Address Encrypted Using ROT13

Plain text: Four score and seven years ago our fathers brought forth on this
ROT13:      Sbhe fpber naq frira lrnef ntb bhe snguref oebhtug sbegu ba guvf
Plain text: continent a new nation conceived in liberty and dedicated
ROT13:      pbagvarag n arj angvba pbaprvirq va yvoregl naq qrqvpngrq
Plain text: to the proposition that all men are created equal
ROT13:      gb gur cebcbfvgvba gung nyy zra ner perngrq rdhny

Algorithms

For the mathematically challenged, like myself, just the word algorithm can cause some anxiety. The algorithms we use to send our credit card numbers across the Internet are exponentially more complex than the cipher Julius used in Rome. Although algorithms are complicated and well beyond the scope of this book, we can still get a handle on their basic use and functionality. Put simply, an algorithm is just a set of instructions used to accomplish a certain task. As an example, we can create an algorithm for sending an e-mail about an upcoming meeting.
1. Go to office.
2. Turn on computer.
3. Open Microsoft Outlook.
4. Click “New Email.”
5. Fill in the “To” information.
6. Type “Meeting” in the subject line.
7. Type the body of the message.
8. Press send.
Fundamentally, there are two types of encryption algorithms: symmetrical and asymmetrical. Symmetrical encryption uses the same key to encrypt and decrypt the data. In contrast, asymmetrical encryption uses two separate and distinct keys.
There are many encryption algorithms in use today serving a variety of purposes. You may have already heard of some of them. AES, TripleDES, Blowfish, and RSA are just a few.

Algorithms: it’s no secret

It may come as a surprise, but the algorithms themselves are open and well published. Why in the world would their creators put this information out there? It sure seems counterintuitive. Believe it or not, the answer is security. Best practice in cryptography states that the security of algorithms should be “independent of their secrecy” (Schneier, 2002).
This fundamental cryptographic principle has been around for quite some time. In 1883, Auguste Kerckhoffs, a Dutch linguist and cryptographer, said that, in any truly effective crypto system, the key should be the only secret. Any system that relies on the secrecy of the algorithm is less secure (Schneier, 2002).
“The #1 lesson I’ve learned from my work at AccessData is ‘you cannot trust closed-source crypto.’ You have no idea if it is secure or not,” said Nephi Allred, a cryptanalyst with AccessData. “I’ve reverse-engineered a lot of applications in my time: some good, some bad. While there are some good closed-source apps and some bad open-source apps (actually very few), the best apps are invariably open-source and the worst are invariably closed-source. Personally, I would never trust my own data to a closed source application,” said Allred.

Key space

Key space is a metric that is often discussed when talking about the strength of a particular encryption scheme. The key space or key length has a direct impact on our ability to break the encryption, particularly with a brute force attack. A brute force attack tries to break the password by attempting every possible key combination until the right one is found.
This is where encryption gets particularly troubling when you consider all the possible key permutations and how long it would take to “guess” a password. An encryption scheme with a 128-bit key would have roughly 340,282,366,920,938,000,000,000,000,000,000,000,000 possible key combinations. How long would it take a computer to guess the password? Crunching some rough numbers will give us an idea. Using one computer, guessing 500,000 passwords per second would break that key in about 21,580,566,141,612,000,000,000,000,000 years. Let’s crank up the number of computers guessing passwords to 1,000. That gets us to a much more “manageable” wait time of only 21,580,566,141,612,000,000,000,000 years. Remember that these numbers represent rough estimates; the truth is that they can be much higher, depending on the algorithm used. Complex encryption schemes such as Pretty Good Privacy (PGP) can radically drop the number of attempts per second to only a few hundred (Schneier, 2007).

Some common types of encryption

With privacy being such a major concern, encryption tools are now included with some versions of the newer operating systems, including Windows 7 and Apple OS X. These tools are BitLocker and FileVault, respectively. These encryption schemes can be applied selectively, only encrypting certain files or folders. They can also be used to encrypt an entire drive. This is known as full or whole disk encryption.
Full disk encryption (FDE) has some noteworthy advantages. We know from previous chapters that operating systems in their course of normal operation will leave artifacts scattered across the drive. Take swap space, for example. Even if we encrypt an entire folder containing our sensitive files, remnants (or the entire file) could be located in the swap space. Full disk encryption takes care of these data “leaks.” The term full disk encryption is a little misleading. It doesn’t really encrypt the entire disk. To run BitLocker, there must be two partitions (sections) on the hard drive: one known as the operating system volume, and the other containing the files to boot the machine, system tools, and so on. The operating system volume contains everything else, including the vast majority of the items of most interest to us (Microsoft, 2009).
As the saying goes, there is no free lunch. FDE has some drawbacks as well. Performance is likely to suffer as the data are being encrypted and decrypted. This encryption/decryption is done “on the fly,” meaning that it occurs just before the data are saved or loaded into RAM. Passwords and keys are another concern. Recovering your data is dependent on having the proper authentication. If you lose or forget your password, you will very likely never get your data back. Encryption cuts both ways.

Encrypting file system

Encrypting File System (EFS) is used to encrypt files and folders. EFS is easy to use, requiring nothing more than a check box in a file’s properties. It is “not fully supported on Windows 7 Starter, Windows 7 Home Basic, and Windows 7 Home Premium” (Microsoft, 2011c). EFS uses the Windows username and password as part of the encryption algorithm. EFS is a feature of the New Technology File System (NTFS), not the Windows operating system (Microsoft, 2011d).

Bitlocker

Unlike EFS, BitLocker can be used to encrypt an entire hard drive, whereas BitLocker To Go is used to encrypt removable media such as a USB drive (Microsoft Corporation). BitLocker isn’t available in all versions of Windows. Currently it’s only available on the Windows 7 Ultimate systems (Microsoft, 2011a). BitLocker doesn’t usually function alone. It normally works in conjunction with a piece of hardware called a Trusted Platform Module (TPM). The TPM is a microchip on the motherboard of a laptop or PC that is intended to deliver cryptographic functions (Microsoft, 2011a). The TPM generates and encrypts keys that can only be decrypted by the TPM. If configured to work without the TPM, the required keys are stored on a USB thumb drive.
BitLocker encryption is pretty stout, making decryption doubtful without the key.
Encountering a running BitLockered machine affords an examiner an excellent opportunity to recover data without having to defeat the BitLocker encryption. Files stored in a BitLocker-protected area of the hard drive are decrypted when they are requested by the system (Microsoft, 2009). Any time you can avoid going toe to toe with encryption, it’s a good thing.
When dealing with a running computer, recognizing the presence of BitLocker could make all the difference in a case. That running, BitLockered machine may very well represent the only chance you would have to recover any evidence from that computer.

Apple Filevault

Apple’s latest version of OS X, Yosemite, comes with FileVault 2. FileVault 2 uses 128-bit AES encryption. With FileVault 2, you can encrypt the content of your entire drive. Apple gives customers the chance to store their recovery keys with Apple. Passwords stored with Apple could be retrievable with the proper legal search authority (Apple, Inc., 2011).

Truecrypt

TrueCrypt is free, open-source software that provides on-the-fly encryption functionality. In on-the-fly encryption, the data are automatically encrypted and decrypted as they are saved and opened. All of this is done behind the scenes without any user involvement. TrueCrypt is also capable of providing full disk encryption. This includes file names, folder names, and the contents of every file. It also includes those files that can contain sensitive data that the system creates on its own, such as log files, swap files, and registry entries. Decryption requires the correct password and/or key file(s). TrueCrypt supports Windows, Mac, and Linux operating systems (TrueCrypt, 2011). TrueCrypt can use multiple encryption algorithms, including AES, Serpent, Twofish, or some combination of these three. The key space is 256 bits.

Breaking passwords

Breaking passwords, or cryptanalysis, can be daunting or practically impossible. To give us the best chance for success, we’ll need to use any advantage we can get. There are multiple ways to break passwords; some are technical, some are not. Sometimes it’s as simple as asking. Options include brute force attacks, dictionary attacks, and resetting passwords. These can all yield positive results. We’ll dig into these attacks more in an upcoming section.
The good news is that it’s not all gloom and doom. In most cases, we are still dealing with people, and they represent the weakest point in this entire process. Humans can be both lazy and careless, giving us the chance we need to crack the encryption. Far too many people use simple passwords that are easy to break. Some of the best include “password,” “letmein,” or the ever-popular “123.” Birthdays, pet names, or the name of a favorite sports team are also used routinely. Memorizing long, random passwords is not easy or convenient for the majority of us. Even if a strong password is used, it’s often written down on a Post-It note and stuck to the monitor. Furthermore, encryption keys can be left unsecured and subject to compromise.
People, being creatures of habit, quite often reuse at least a portion of their passwords. We can exploit this behavior to our advantage. If we can get one password, many times we can get them all. “Sometimes if we can go in and find one of those passwords, or two or three, I can start to figure out that in every password, you use the No. 3,” said Stuart Van Buren, a U.S. Secret Service agent (Homeland Security Newswire, 2011).
What exactly qualifies as a strong password? According to Microsoft, a strong password uses a variety of letters, numbers, punctuation, and symbols, and has a minimum length of fourteen characters (Microsoft, 2011c).
Examiners may get lucky and find a password in the swap space on a hard drive. Capturing the RAM of a running machine can also help in breaking passwords. You’ve probably entered a password on a website at one time or another. As you entered your password, dots appeared, concealing the text as you type. What you may not realize is that the actual password is recorded in RAM. Failing to grab the RAM from a running machine could truly be a missed opportunity.
When the need arises, we have special tools available to us that can break passwords through a variety of attacks. These tools can break some simple passwords in less than a second. One of the leading tools of this type is the Password Recovery Toolkit (PRTK) from AccessData, the Utah-based computer forensic software company. Other tools include John the Ripper and Cain and Abel.

Password attacks

Passwords can be attacked and broken in multiple ways, but avoiding encryption is always preferable to attacking passwords. There are tools and techniques we can use to increase our chances of success. One thing working in our favor is the vulnerability that humans bring to the table. Long, random strings of letters, numbers, and characters make for excellent passwords. Unfortunately, they are also tough for people to remember. That’s why most passwords are based on actual words, recognizable patterns, or both.

Brute force attacks

A brute force attack is just what it sounds like. We are using as much computing power as we can muster to guess the correct password. The more computers (or, more precisely, central processing units) we can throw at it, the faster we can break it. As you’ll see, “faster” is a relative term when it comes to breaking passwords. Products are available now that harness otherwise idle computers and use them against the encrypted file, folder, or drive. This is known as a distributed attack, since the computational burden is spread among multiple computers. Some agencies are getting quite creative in breaking encryption.
The digital forensic folks with the U.S. Immigration and Customs Enforcement Cybercrime Center are using networked Sony PS3 gaming consoles to attack passwords. This approach leverages the power of these devices, as well as their cost-effectiveness. “Bad guys are encrypting their stuff now, so we need a methodology of hacking on that to try to break passwords,” said Claude E. Davenport, an agent in the U.S. Immigration and Customs Enforcement Cyber Crimes Center. “The Playstation 3—its processing component—is perfect for large-scale library attacks” (Wawro, 2009).

Password reset

Sometimes we will go after the software rather than the password. Some applications have vulnerabilities that can be exploited to simply reset the password, giving us the access we need. Unfortunately, the password reset isn’t widely effective, because it works on only a relatively small number of applications. In instances where it becomes necessary to bypass Windows system passwords, bootable CDs can get the job done. They do this by overwriting data in the Security Account Manager, or SAM for short. Elcomsoft’s System Recovery tool is one of many products that fill this need (Elcomsoft, 2011).

Dictionary attack

A dictionary attack is more precise, using words and phrases that can be collected from multiple sources. For example, a forensic application can create an index of all the words found on a suspect’s hard drive. These words would come from both the allocated and unallocated space. Other dictionary sources could be terms commonly used in certain criminal circles, such as child pornography or narcotics trafficking. Dictionaries can also contain words from specific sources such as websites.
Intelligence, the background information on our suspect or target, can really increase our chances of success. This information can be used to build a dictionary of potential passwords. Gathering this information starts at the scene. We are not interested in the digital devices alone; photos, books, and so on matter as well. We want to know the names of our subject’s children and pets. We want to know their hobbies and interests. The terms and words associated with these interests could provide clues to the suspect’s password. For example, if the suspect is a huge Lord of the Rings (LOTR) fan, we can employ a tool that will index (record the content of) a website devoted to LOTR. The tool will grab names and places such as Aragorn and Rivendell. These terms can then be used to create custom dictionaries that can help unlock the password.
Let’s look at creating a custom dictionary based on biographical information for our suspect, Bill Thehacker. We’ll be using AccessData’s Password Recovery Toolkit. We enter a total of seven bits of information, including names, birth date, and some keywords related to Bill. (See Figure 6.2.)
Figure 6.2 Biographical Dictionary Generator in PRTK.
Figure 6.3 The final word count generated by our seven original entries.
From the seven words in Figure 6.2, the tool then generates more than 2,600 permutations; a sampling can be seen in Table 6.4. Note the combinations of terms with a multitude of prefixes and suffixes (Figure 6.3).

Table 6.4

A Sampling of the More Than 2,600 Keywords Generated from Our Original List of Seven

1
25
1987
1251987
billbill
bill bill
bill-bill
bill_bill
billb
bill b
bill-b
bill_b
billbillthehacker
bill billthehacker
bill-billthehacker
bill_billthehacker
billb
bill b
bill-b
bill_b
b25billthehacker
billthehacker251b
billthehacker125b
b251billthehacker
b125billthehacker
25billthehacker1b
25b1billthehacker
1billthehacker25b
1b25billthehacker
billthehacker1b25
b1billthehacker25
billthehacker25b1
b25billthehacker1
billthehacker25bill
bill25billthehacker
billthehacker251bill
billthehacker125bill
bill251billthehacker
bill125billthehacker
25billthehacker1bill
25bill1billthehacker
251987secret
251987 secret
secret1987h
h1987secret
secret198725h
secret251987h
h198725secret
h251987secret
1987secret25h
1987h25secret
25secret1987h
25h1987secret
secret25h1987
h25secret1987
secret1987h25
h1987secret25
secret1987
secret 1987
1987secret
1987 secret

Additional resources

Encryption

Bruce Schneier is a well-respected author and cryptographer who regularly publishes on encryption and security-related issues. He is the author of several books, as well as the Blowfish Encryption Algorithm. His book Secrets & Lies: Digital Security in a Networked World is both fascinating and highly readable. He also publishes a blog and the Crypto-Gram Newsletter. A visit to his website, http://www.schneier.com/, is highly recommended.

Steganography

Steganography, or stego for short, is another and very effective way to conceal data. The word steganography comes from the Greek words “Stegos,” meaning covered, and “Graphie,” meaning writing. Its exact roots equate to covered writing. SearchSecurity.com defines steganography as “the hiding of a secret message within an ordinary message and the extraction of it at its destination” (TechTarget, 2000).
Two files make up the finished stego file. The file that contains the secret message is called the carrier file. Carrier files can be image files, video files, audio files, or word processing documents, just to name a few. The embedded secret document is called the payload. The underlying concept behind steganography is fairly straightforward. Let’s start with the carrier files. These file types are used because they have a significant amount of redundant data, also known as noise. The redundant data are replaced with the data composing the hidden message. Payload files don’t necessarily have to be text-based. An image file can be inserted into another image file. Multiple variants or combinations are possible.
Steganography applications are widely available on the Internet, and many are free. Backbone Security, a company that makes one of the more popular stego detection tools, has cataloged more than 960 separate steganography applications available for download on the Internet (Backbone Security.com, 2011).
What makes stego such a concern? First, it’s very difficult to detect. Second, once discovered, it’s very tough, if not impossible, to extract the payload without knowing the stego application and password used to create it.
Before his demise at the hands of Seal Team Six, Osama Bin Laden and his colleagues made extensive use of steganography to communicate. Stego files were posted in sports chat rooms and pornographic bulletin boards (Kelley, 2005).
Detecting the use of steganography is pretty tough. One of the most popular tools is Stego Suite™ from the Steganography Analysis and Research Center (SARC). The current version identifies more than 500 known steganography applications and has the ability to crack and extract payloads from carrier files (Wetstone).
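The replacement of redundant data described above, and one reason detection is hard but not hopeless, as an added example that is not part of the book or of any tool it names. It writes a payload into the least significant bit of each sample of a constructed 8-bit carrier, shows that no sample moves by more than one step, and then runs the pairs-of-values chi-square check (Westfeld and Pfitzmann’s statistic) that flags the evened-out histogram LSB replacement leaves behind. The carrier, the payload and the verdict threshold are all constructed assumptions for the demonstration.

```python
# Added example, not from the book: LSB replacement in a constructed 8-bit carrier and the
# pairs-of-values chi-square statistic used to detect it. Carrier and payload are synthetic.
import random


def embed_lsb(carrier, payload):
    """Overwrite the least significant bit of successive samples with the payload bits
    (most significant bit of each byte first). Returns a new list; carrier is unchanged."""
    bits = [(byte >> i) & 1 for byte in payload for i in range(7, -1, -1)]
    if len(bits) > len(carrier):
        raise ValueError("payload does not fit in the carrier")
    stego = list(carrier)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit
    return stego


def extract_lsb(stego, nbytes):
    """Read nbytes of payload back out of the least significant bits."""
    out = bytearray()
    for b in range(nbytes):
        byte = 0
        for i in range(8):
            byte = (byte << 1) | (stego[b * 8 + i] & 1)
        out.append(byte)
    return bytes(out)


def pov_chi_square(samples):
    """Pairs-of-values statistic: values 2k and 2k+1 only ever swap places under LSB
    replacement, so embedding drives the two counts of each pair toward equality and the
    chi-square statistic toward zero. Natural data keeps the counts uneven and the
    statistic large. Returns (chi_square, degrees_of_freedom)."""
    counts = [0] * 256
    for s in samples:
        counts[s] += 1
    chi, categories = 0.0, 0
    for k in range(128):
        even, odd = counts[2 * k], counts[2 * k + 1]
        expected = (even + odd) / 2.0
        if expected > 0:
            chi += (even - expected) ** 2 / expected
            categories += 1
    return chi, max(categories - 1, 0)


def looks_like_lsb_stego(samples, threshold=1.0):
    """Simplified verdict (assumption: a fully embedded carrier scores about 0.5 per degree
    of freedom, a skewed clean carrier far above 1). Real tools estimate a p-value and
    scan prefixes of the data to measure how much of the carrier was used."""
    chi, dof = pov_chi_square(samples)
    return dof > 0 and chi / dof < threshold


def make_carrier(n, seed=1):
    """Constructed stand-in for a natural carrier: each sample usually lands on the even
    member of its pair, giving the lopsided pair counts that LSB replacement erases."""
    rng = random.Random(seed)
    return [2 * rng.randrange(128) + (1 if rng.random() < 0.1 else 0) for _ in range(n)]


def make_payload(n, seed=2):
    """Constructed payload: random bytes, as an encrypted or compressed message would look."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(n))


def demo():
    carrier = make_carrier(8192)
    payload = make_payload(1024)  # 1024 bytes = 8192 bits, one per carrier sample
    stego = embed_lsb(carrier, payload)
    clean_chi, clean_dof = pov_chi_square(carrier)
    stego_chi, stego_dof = pov_chi_square(stego)
    return {
        "payload_roundtrip": extract_lsb(stego, len(payload)) == payload,
        "max_sample_change": max(abs(a - b) for a, b in zip(carrier, stego)),
        "clean_score": clean_chi / clean_dof,
        "stego_score": stego_chi / stego_dof,
        "clean_flagged": looks_like_lsb_stego(carrier),
        "stego_flagged": looks_like_lsb_stego(stego),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```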
In June 2010, the FBI arrested ten Russian spies who had been in the United States for roughly a decade. These spies made extensive use of steganography as they passed secret messages to the SVR, the Russian intelligence service (CBS News, 2010). A criminal complaint in the case, filed in the Southern District of New York, provided some insight into the use of steganography by the Russians. In the complaint, Special Agent Maria Ricci said in part:

“In addition, and among other things, a number of the Boston Conspirators’ Electronic Messages appear directly to concern communication by means of steganography. For example, one message, dated December 15, 2004, discussed the process of ‘decrypt[ing]’ messages embedded in images; another message, dated February 22, 2005, discussed ‘decypher[ing] [sic]’ data embedded in images. Similarly, on or about October 3, 2004, law-enforcement agents, acting pursuant to a judicial order, intercepted aural communications taking place inside the Boston townhouse. Tracey Lee Ann Foley, the defendant, was heard saying to Donald Howard Heathfield, the defendant: ‘Can we attach two files containing messages or not? Let’s say four pictures ….’ Based on my training, experience, and participation in this investigation, I believe that this was a reference to conveying messages by means of steganography—placing ‘files containing messages’ in ‘pictures.’ On or about March 7, 2010, law-enforcement agents, acting pursuant to a judicial order, intercepted aural communications taking place inside the Boston townhouse. As a final example, in or about March 2010, Foley and Heathfield were heard discussing Foley’s use of steganography and the schedule of her communications with Moscow Center.” (United States of America v. Christopher R. Metsos, 2010)

Data destruction

Sometimes hiding data isn’t enough, and perpetrators try to destroy the data instead. Actually destroying the data is a little more complicated than many people think. The uninitiated may simply hit the Delete key and assume that the data no longer exist. As we’ve seen, this approach is not effective because the “deleted” data remain on the media and are easily recovered. In contrast, many drive-wiping tools can be very effective. Even so, using such utilities can leave telltale signs of their use, which provide substantial evidence even without the original data in question.
Data destruction can be accomplished or attempted in several ways. Some of them are better than others. Drive wiping software is commercially available and can be effective in destroying potential evidence. Much of its effectiveness rests with the quality of the software, how it is used, and the number of “wipes” that are made. Defragmenting or reformatting a drive is frequently attempted, but often delivers limited results.

Drive wiping

Drive-wiping utilities overwrite data on a hard drive in a way that makes them unrecoverable. Most of these applications are promoted, and intended, as a way to keep personal or corporate information private. Both are noble causes indeed. Unfortunately, the same utilities can be used for other, less honorable purposes. Examples of these tools include Darik’s Boot and Nuke, DiskWipe, CBL Data Shredder, Webroot Window Washer, and Evidence Eliminator.
Using these tools is not an “all or nothing” proposition. They can be quite surgical in their application, wiping only specified files while leaving others untouched. Operating system files, for example, can be left intact. They can target specific files and folders, as well as potentially incriminating system values such as those found in the Windows Registry.
These tools do have a legitimate use and are available at many technology stores, including big-box stores like Best Buy. Privacy is a major concern for everyone, and wiping utilities can help. If we want to donate our old computers, we certainly don’t want our e-mails and other personal information going with them to Goodwill and from there to who knows where.
Using these tools is no guarantee that the data can’t be recovered. Success depends largely on the quality of the tool and the skills of the user. It also depends on the media: a file-level wipe overwrites the clusters the file system currently assigns to that file, not every copy of its contents, so remnants can survive in unallocated space, slack space, the page file, volume shadow copies, and backups, and on a solid-state drive the controller may have remapped the original blocks out of the path of the overwrite altogether.
From an evidentiary or investigative perspective, the presence or use of these applications can serve as the next best thing to the original evidence. Suspects may find it hard to explain why Evidence Eliminator software was installed and run on their computer the day before their computers were searched. Figure 6.4 shows the entry for Evidence Eliminator in the software key in the Windows Registry. This is an indicator that this software was installed on the machine.
Figure 6.4 Note the presence of “Evidence Eliminator” in the Windows Registry software key.
Wiping utilities can leave telltale signs of their use. When the drive is viewed at the bit level, a wiped region shows a distinct repeating pattern: sector after sector filled with zeros, with a single repeated byte, or with a short repeated pattern, depending on the tool and the pass. This is completely different from what would normally be found on a hard drive in everyday use, where unallocated space still carries fragments of old files, readable text, and file headers. A tool that overwrites with pseudorandom data leaves no visible pattern, but a large region with no recognizable file remnants at all is itself unusual. (See Figure 6.5.)
Figure 6.5 Note the distinct repeating pattern of hexadecimal values. This pattern is unusual and may be an indication that a wiping utility was used.
Evidence of their use can also be found elsewhere on the drive. Figure 6.6 shows signs, in a most recently used (MRU) list kept in the Windows Registry, that Evidence Eliminator was opened on the machine.
Figure 6.6 Signs in the MRU list that the program Evidence Eliminator has been opened on this machine.
Some operating systems, Apple OS X Lion for example, ship with a drive-wiping utility installed. Called Secure Erase, this utility offers multiple options for data destruction, differing chiefly in the number of overwrite passes made over the data. (See Figure 6.7.)
Figure 6.7 Secure Erase options from Apple OS X. Note the array of options, particularly the number of passes over the data.

More advanced

Defragmentation as anti-forensic technique

Defragmentation, or defragging as it’s commonly called, is usually done to improve computer performance. Defragging rearranges the clusters belonging to each file so that the file occupies contiguous space, which speeds up access. This involves copying data from one location on the drive to another, and the clusters written to may previously have held unallocated data, including remnants of deleted files. Those overwritten (destroyed) data may have had some evidentiary value.
The defragmentation process can occur in three ways—it can be user-scheduled, manually initiated by the user, or done automatically by the operating system (Casey, 2009).
There are a few ways to determine whether a drive has recently been defragmented. One is to boot a working copy of the drive image in Windows (never the original evidence) and look at the amount of file fragmentation. Drives in regular use normally show a significant amount of file fragmentation. A drive that shows little or none, without a plausible explanation such as a scheduled defragmentation task, would be suspect. The Windows Application event log (entries from the Defrag source), the Prefetch file for defrag.exe, and the scheduled task itself can also show when the defragmenter last ran, which can then be compared with the dates that matter to the case.
Q & A with Nephi Allred, Cryptanalyst with AccessData, the Maker of Password Recovery Toolkit (PRTK)
By now it should be clear that encryption is a major concern to the digital forensics community. That means we must be prepared to deal with encrypted data. Decryption tools are one weapon we can bring to the fight. One of the premier decryption tools on the market is Password Recovery Toolkit (PRTK) from AccessData. PRTK is widely used worldwide by law enforcement, intelligence agencies, and private corporations such as large financial institutions. U.S. users include the FBI, CIA, and Secret Service, just to name a few. In this Q&A, we get a closer look inside PRTK and the encryption it aims to break.
[Q] About how many passwords per second does PRTK guess on a “standard” machine?
[A] We get this question a lot. It’s impossible to answer as it stands, because the question itself has an implicit assumption, which is wrong. Namely: all password schemes are not the same. It’s a bit like asking how fast animals can go. Which animal? Every program or application or other system that uses passwords does it differently. The way they do it makes all the difference in the world in how much computation is required to test a password.
For example, a “typical” machine might guess 2 million passwords per second trying to crack an Office 97 file, while the same machine might only guess 500 passwords per second in cracking an Office 2010 file.
And, of course, the answer also depends on what you mean by a “typical” machine (and that changes as time goes on, too).
[Q] PRTK guesses passwords in a certain order to improve the speed and efficiency. Can you talk a little about how that works and why it’s important?
[A] Not all passwords are created equal. In the space of all possible passwords, some are more likely to be used by humans than others. (For example, “Br1tn3y” is much more likely to be used than “H(i3}-aV.K = TyG7”). So, if you are trying to guess passwords, you will be faster and more successful on average if you guess the more probable passwords first.
Of course, which passwords are more probable is not always easy to determine, and certainly varies from person to person. PRTK defines a default ordering of passwords that we have tried to make as effective as possible, given what is known about how people tend to choose passwords. But an investigator often has specific knowledge about a suspect and can use that to make a password ordering more tailored to that individual. This is why PRTK gives its users a great deal of password space customization. For example, rather than going with the default, you can specify that a job first try all the passwords in a (possibly customized) dictionary, then all of those words in reverse order, then all of those words with “123,” “4eva,” or “asdf” appended. And lots more.
[Q] I know that PRTK also relies on identified patterns of passwords (roots and appendages). What are those based on and how does that work?
[A] Based on various password lists that we’ve obtained over the years (some from clients of ours, others freely available), we’ve tried to make password “rules” that generate passwords that people actually use in real life. At this point, this is still more an art than a science. That is, there is no deep statistical analysis going on (yet)—mostly we eyeball the lists and look for patterns. For example, a lot of passwords seem to end with 1. So one of our password rules is “Dictionary followed by common suffixes” and 1 is one of those common suffixes.
[Q] Do you know just how effective PRTK is in breaking passwords?
[A] Again, this varies widely over the kinds of files and suspects. I don’t have any numbers for you, unfortunately. You should probably talk to people who use PRTK (or DNA) on real cases.
It’s worth noting that not all attacks PRTK does are password-guessing attacks. Some crypto systems have flaws that allow their passwords to be recovered instantly, with no “guessing” involved. For example, PRTK can instantly recover the master password on the Whisper32 password manager. This was not uncommon in applications a decade ago, but these days, it’s becoming much more rare as software developers become more crypto-savvy.
[Q] Is there anything that slows down the decryption process? Can you talk about that and why that is?
[A] Yes, there is. These days, most developers of password-using applications are aware of tools like PRTK, and they will use measures to slow down password-guessing attacks. As I explained in #1, the speed at which we can guess passwords all depends on how the application uses the password.
An application could deliberately choose a very slow password-to-key methodology. It might hash the password 10,000 times, for example, instead of just once, while transforming the password into a key. (This is a simplification, but you get the idea). This forces the password-guessing tool to also hash the password 10,000 times per password guessed, which leads to many fewer passwords per second.
[Q] How is encryption changing? What do you see is the “next big thing” in cryptography? What challenges do you see ahead?
[A] Cryptography is a big subject, and I’m hardly an expert in any of the cutting edges of new research. But in the arena of password-based encryption, things are changing.
It’s not exactly a new insight, but people are becoming more and more aware that passwords as a security device are often inadequate. What we’ll use instead of them (or, more likely, in addition to them) is not yet entirely clear, but encryption providers are trying new things.
For example, several applications, like TrueCrypt, allow users to enhance their password with “key files.” A key file can be any file, and it is used to scramble a password before use. This means that to run a successful password-guessing attack, PRTK needs to have any and all key files used. It may not be easy for the investigator to figure out what key files were used, if any.
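The following is an added example and not PRTK’s code or AccessData’s; it ties together three points from the Q&A above and from the summary that follows: candidates are generated most-probable-first (dictionary words, then simple rules such as reversal and common suffixes), every guess has to pay whatever cost the application’s password-to-key function imposes (the iteration count), and a key file has to be in hand before any guess can succeed. PBKDF2-HMAC-SHA256 stands in for whatever key derivation a real application uses, the “container” is a constructed header (salt, iteration count, verifier), the suffix list is partly assumed, and the key-file mixing is the idea behind TrueCrypt key files rather than its actual algorithm.

```python
import hashlib
import hmac
import time
from typing import Dict, Iterator, List, Optional

# Suffixes seen often in leaked password lists. "1", "4eva" and "asdf" come from
# the Q&A; "123" and "!" are assumptions for the example.
COMMON_SUFFIXES = ["1", "123", "!", "4eva", "asdf"]

# Rules in the order they are applied: cheapest, most probable guesses first.
RULES = [
    ("dictionary word",      lambda w: [w]),
    ("word reversed",        lambda w: [w[::-1]]),
    ("word capitalised",     lambda w: [w.capitalize()]),
    ("word + common suffix", lambda w: [w + s for s in COMMON_SUFFIXES]),
    ("Capitalised + suffix", lambda w: [w.capitalize() + s for s in COMMON_SUFFIXES]),
]


def candidates(wordlist: List[str]) -> Iterator[str]:
    """Yield guesses most-probable-first, never repeating one."""
    seen = set()
    for _name, rule in RULES:
        for word in wordlist:
            for guess in rule(word):
                if guess not in seen:
                    seen.add(guess)
                    yield guess


def mix_keyfile(password: str, keyfile: Optional[bytes]) -> bytes:
    """Fold the key file into the password before key derivation (the idea behind
    TrueCrypt key files, not its exact algorithm). Without the same bytes, no guess
    can ever verify, however good the ordering."""
    material = password.encode("utf-8")
    if keyfile is not None:
        material += hashlib.sha256(keyfile).digest()
    return material


def derive_key(password: str, salt: bytes, iterations: int,
               keyfile: Optional[bytes] = None) -> bytes:
    """Password-to-key function. The iteration count is the application's deliberate
    slowdown: the legitimate user pays it once, the guesser pays it per guess."""
    return hashlib.pbkdf2_hmac("sha256", mix_keyfile(password, keyfile), salt,
                               iterations, dklen=32)


def make_container(password: str, iterations: int,
                   keyfile: Optional[bytes] = None) -> Dict:
    """Constructed stand-in for an encrypted container header."""
    salt = b"fixed-salt-for-demo"  # constant so the example is deterministic
    return {"salt": salt, "iterations": iterations,
            "verifier": derive_key(password, salt, iterations, keyfile)}


def recover(container: Dict, wordlist: List[str], keyfile: Optional[bytes] = None):
    """Try candidates in order; return (password or None, guesses tried, seconds)."""
    start = time.perf_counter()
    tried = 0
    for guess in candidates(wordlist):
        tried += 1
        key = derive_key(guess, container["salt"], container["iterations"], keyfile)
        if hmac.compare_digest(key, container["verifier"]):
            return guess, tried, time.perf_counter() - start
    return None, tried, time.perf_counter() - start


if __name__ == "__main__":
    words = ["password", "britney", "letmein"]  # constructed, tiny "dictionary"
    for iters in (1, 100_000):
        pw, n, secs = recover(make_container("britney123", iters), words)
        rate = n / max(secs, 1e-9)
        print(f"iterations={iters:>7}: found {pw!r} after {n} guesses, {rate:,.0f} guesses/s")
    kf = b"holiday.jpg contents"  # constructed key file
    locked = make_container("britney123", 1, keyfile=kf)
    print("without key file:", recover(locked, words)[0])
    print("with key file:   ", recover(locked, words, kf)[0])
```

Run it and the same sixteen guesses that take a fraction of a millisecond at one iteration take visibly longer at 100,000, which is the whole point of the slowdown the interview describes; the run against the key-file container exhausts every candidate without a match, because the password alone is no longer the secret.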

Summary

Anti-forensic tools and techniques can have a significant impact on a forensic examination of a computer. To frustrate examiners, subjects generally attempt to either hide the incriminating data in some fashion or destroy it altogether. Encryption is one of the most common and potentially potent forms of data-hiding. Powerful encryption is available free on the Internet and included with some versions of both Microsoft and Apple operating systems. These tools can make it practically impossible to recover encrypted data.
Should encryption be encountered, it can be attacked in different ways. In a brute force attack, every possible password is tried until the right one is found. This is the slowest and least desirable of all the attacks. Increasing the processing power used in an attack can reduce the time needed to break the password. Some password-protected applications have vulnerabilities that can be exploited. These vulnerabilities can allow us to reset a password to one of our choosing.
Dictionaries can be created and used to break passwords. These can range from standard dictionaries to custom ones based on information specific to the target. Pet names, hobbies, interests, and birth dates are just some of the details that can compose a custom dictionary.
Messages or data can be hidden within other files. In a process known as steganography, files (called payloads) are inserted into other files such as pictures or movies (called carrier files). Steganography can be very difficult to detect. If it is detected, it can also prove tough to extract the message from the carrier file.
A subject may choose to destroy data with a commercially available drive-wiping tool. The effectiveness of these tools is far from foolproof, and incriminating data can still be recovered even after a tool has been used. Even when the data themselves have been successfully destroyed, the software can leave behind telltale signs of its use, and proof of that use can be potent evidence as well.