Anti Forensics Tools

Anti Forensics Tools

Post by maboroshi »

Anyone experienced with Forensics? I would like to learn what the police/feds of today are doing to thwart Anti Forensics Tools.

http://www.securitywizardry.com/index.php/products/forensic-solutions/anti-forensic-tools.html
I am sure this is pretty covert stuff in agencies, I know DNR posted some info in the past.

Anyway :-)

*cheers

Re: Anti Forensics Tools

Post by ayu »

ah, nice link :)

That might come in handy ^^

Re: Anti Forensics Tools

Post by ph0bYx »

Nice find! :)

Re: Anti Forensics Tools

Post by computathug »

Good find buddy, I think the last one I looked at was the one posted by DNR and I think it was called 'decaf' *thumb*

Re: Anti Forensics Tools

Post by lilrofl »

An ounce of prevention...

In the majority of cases the beginning of a forensics investigation of your hard disk starts with capturing those disks, so a discussion of disk wiping and the Gutmann standards is all irrelevant I think. Of course you 'would have wiped them', but if that is no longer an option, what can be done to thwart an investigation that is being performed on your already captured hard disk?

Forensics investigations start with a drive clone through a device called a write blocker, which prevents writing to the device being cloned. PSIclone is an example of this kind of device. In some cases dd is used, but more often the software suite EnCase is an all-stop-shop. Some governments are using the DEFT Linux distro... it's pretty neat, you might like it.

The original hard drive is locked away and the investigation starts on the clone. Working from the image gives incredible flexibility and error recovery potential... like infinite redos... to me that means you need to encrypt your hard drive.

Re: Anti Forensics Tools

Post by bad_brain »

yep, working on the original drive would also make any evidence on it worthless...because time stamps for example could be altered.
I will get a grip on a professional forensics distro (Helix 3 2013 Pro) soon, got a notification that they will provide a beta version download soon for loyal subscribers like me (hooray for keeping at least some of my spam-me-I-don't-care inboxes alive :lol: ). of course I will share it then... :wink:

oh, and about encrypted drives: even if they can not break the encryption you could go to jail....BUT only for a very limited time, as an attempt to force you to reveal the password/key.
no idea about the USA, here it is max. 6 weeks.

Re: Anti Forensics Tools

Post by ph0bYx »

If I had to choose a specialized distro I would choose something like that Helix one over all the others (with an emphasis on all the BackTrack distros).

Re: Anti Forensics Tools

Post by maboroshi »

On the notes that lilrofl pointed out

http://www.forensicswiki.org/wiki/Anti-forensic_techniques
What do you guys think of or know about TrueCrypt's hidden volumes? Is TrueCrypt still a viable standard? I remember at one point reading about a loophole found allowing forensics teams to gain access to TrueCrypt volumes, or something along those lines. Lilrofl, while I was speaking to him, recommended multiple encryption schemes behind the protected files, so layering them one after another.

Can people recommend Drive/File Encryption Software?

*cheers

Mabo

Re: Anti Forensics Tools

Post by ph0bYx »

I just encrypted a partition last night with TrueCrypt so I'm not that experienced with it, but I haven't chosen a 'hidden partition' and yet it hides it from fstab when it's encrypted. Not sure if it's a feature from Linux or from TrueCrypt (as I said, I'm a newbie at it for now :) )

Re: Anti Forensics Tools

Post by lilrofl »

TrueCrypt, and BitLocker volumes for that matter, are discoverable but they are still encrypted; however, if the encrypted volumes are not securely unmounted before the investigation begins it is possible to dump the encryption key from memory because of how the keys are used to access the hidden volumes.

EDIT:
mount > open > access > close > umount... and don't hibernate your computer during any part of that process.

As for legality, in the US a court can compel you to reveal your encryption key with jail time, under certain circumstances the jail time is not limited.
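The key-dumping lilrofl describes above works because a mounted volume's driver keeps the expanded AES key schedule in RAM, and a schedule is easy to recognise: every round key is a deterministic function of the one before it. The script below is an added example (editor's code, not lilrofl's and not taken from TrueCrypt, BitLocker or any forensic tool) of that search, in the style of the "cold boot" key-finding technique. It derives the S-box, implements the AES-128 key expansion, plants one schedule in a constructed pseudo-random buffer standing in for a RAM image, and then scans the buffer for it. TrueCrypt's default is a 256-bit AES key, so a real search would extend the expansion to the AES-256 schedule; the 128-bit case is used here only to keep the code short, and the key used is the FIPS-197 Appendix A test key.

```python
"""Locate AES-128 keys in a memory image by searching for their expanded
key schedule. A cipher driver keeps the schedule in RAM while a volume is
mounted, which is what makes the key recoverable from a memory dump."""
import random


def _gf_mul(a: int, b: int) -> int:
    """Multiply two GF(2^8) elements modulo the AES polynomial x^8+x^4+x^3+x+1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def _gf_inv(x: int) -> int:
    """Multiplicative inverse in GF(2^8) as x^254; 0 maps to 0 as in FIPS-197."""
    r, base, e = 1, x, 254
    while e:
        if e & 1:
            r = _gf_mul(r, base)
        base = _gf_mul(base, base)
        e >>= 1
    return r if x else 0


def _build_sbox() -> list:
    """Derive the AES S-box: field inverse followed by the FIPS-197 affine map."""
    def rot(v, k):
        return ((v << k) | (v >> (8 - k))) & 0xFF
    sbox = []
    for x in range(256):
        b = _gf_inv(x)
        sbox.append(b ^ rot(b, 1) ^ rot(b, 2) ^ rot(b, 3) ^ rot(b, 4) ^ 0x63)
    return sbox


SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]
SCHEDULE_LEN = 176  # 11 round keys * 16 bytes for AES-128


def _next_round_key(prev: bytes, rcon: int) -> bytes:
    """One AES-128 key-expansion step: round key i+1 from round key i."""
    w = [prev[i:i + 4] for i in range(0, 16, 4)]
    t = w[3][1:] + w[3][:1]                 # RotWord
    t = bytes(SBOX[c] for c in t)           # SubWord
    t = bytes([t[0] ^ rcon]) + t[1:]        # add round constant
    out = []
    for i in range(4):
        t = bytes(a ^ c for a, c in zip(w[i], t))
        out.append(t)
    return b"".join(out)


def expand_key_128(key: bytes) -> bytes:
    """Full 176-byte AES-128 key schedule, the form a driver stores in RAM."""
    sched = [bytes(key)]
    for r in RCON:
        sched.append(_next_round_key(sched[-1], r))
    return b"".join(sched)


def find_aes128_keys(dump: bytes) -> list:
    """Return (offset, key) for every position where a valid schedule starts.
    Cheap filter first (does round key 1 follow the candidate?), then a full
    check of all ten rounds so a chance 16-byte match cannot slip through."""
    hits = []
    for off in range(len(dump) - SCHEDULE_LEN + 1):
        cand = dump[off:off + 16]
        if _next_round_key(cand, RCON[0]) != dump[off + 16:off + 32]:
            continue
        if expand_key_128(cand) == dump[off:off + SCHEDULE_LEN]:
            hits.append((off, cand))
    return hits


def build_fake_dump(key: bytes, key_offset: int = 5000, size: int = 16384, seed: int = 1) -> bytes:
    """Constructed stand-in for a RAM image (no real process memory involved):
    seeded pseudo-random filler with one expanded schedule planted at key_offset."""
    rng = random.Random(seed)
    buf = bytearray(rng.getrandbits(8) for _ in range(size))
    buf[key_offset:key_offset + SCHEDULE_LEN] = expand_key_128(key)
    return bytes(buf)


if __name__ == "__main__":
    fips_key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # FIPS-197 A.1 test key
    for off, key in find_aes128_keys(build_fake_dump(fips_key)):
        print(f"AES-128 key schedule at offset {off:#x}: key={key.hex()}")
```

The schedule is what betrays the key, not the key bytes themselves: 16 random-looking bytes are unremarkable, but 176 bytes that satisfy the expansion relation at every round are not. That is also why "close > umount" before anyone images the machine matters, and why a hibernation file or crash dump written while the volume was open has the same problem.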

Re: Anti Forensics Tools

Post by bad_brain »

hmmm....from what I have read the hidden containers can be discovered, BUT they provide plausible deniability, which means you can say "I have overwritten the nude pics I had taken of myself and stored in the (not hidden) encrypted volume with a disk wiper by using random data"....and there is no way to prove you are lying, because the hidden container data has no signature and can not be identified as a container for real data...the data looks really random. That's the actual purpose of the hidden container within a visible one: plausible deniability.
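Both halves of bad_brain's point can be seen with a byte-entropy scan, which is what an examiner would run over an image to find areas worth a closer look. The script below is an added example (editor's code, not from the thread and not from any forensic suite): it builds a small constructed "disk image" made of text, zeroed sectors and a run of pseudo-random bytes, then reports every run of blocks whose Shannon entropy is close to 8 bits per byte. The random run is found immediately, which is the "can be discovered" half; nothing in the output says whether it is a hidden container or wiped free space, which is the deniability half. The 4 KiB block size and the 7.9 bits/byte threshold are the author's choices, not standard values.

```python
"""Flag regions of a disk image whose bytes look random (encrypted, wiped,
or compressed). Per-block Shannon entropy, with consecutive high-entropy
blocks merged into one candidate range."""
import math
import random

BLOCK_SIZE = 4096
THRESHOLD_BITS = 7.9   # random bytes in a 4 KiB block measure ~7.95; plain text ~4-5; zeros 0


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for empty or constant input, 8.0 at most."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def scan_high_entropy(image: bytes, block_size: int = BLOCK_SIZE,
                      threshold: float = THRESHOLD_BITS) -> list:
    """Return (start, end, mean_entropy) for each maximal run of blocks at or
    above the threshold; end is exclusive."""
    ranges = []
    run_start, run_values = None, []
    for off in range(0, len(image), block_size):
        e = shannon_entropy(image[off:off + block_size])
        if e >= threshold:
            if run_start is None:
                run_start = off
            run_values.append(e)
            continue
        if run_start is not None:
            ranges.append((run_start, off, sum(run_values) / len(run_values)))
            run_start, run_values = None, []
    if run_start is not None:
        ranges.append((run_start, len(image), sum(run_values) / len(run_values)))
    return ranges


def build_sample_image(seed: int = 7) -> bytes:
    """Constructed 40 KiB stand-in for a disk image: 8 KiB of text, 8 KiB of
    zeroed sectors, 16 KiB of seeded pseudo-random bytes (a container or a
    wiped area, the scan cannot say which), then 8 KiB of text again."""
    rng = random.Random(seed)
    text = (b"quarterly report: revenue up, costs flat, see attached sheet\n" * 200)[:8192]
    zeros = bytes(8192)
    blob = bytes(rng.getrandbits(8) for _ in range(16384))
    return text + zeros + blob + text


if __name__ == "__main__":
    for start, end, mean_e in scan_high_entropy(build_sample_image()):
        print(f"high-entropy region {start:#x}-{end:#x} "
              f"({end - start} bytes), mean {mean_e:.3f} bits/byte")
```

Entropy alone is a weak discriminator: a zip archive or a JPEG scores just as high, so tools layer extra heuristics on top (no recognisable file header, size a multiple of the sector size, a chi-square test for uniformity). Those narrow the candidates but still cannot distinguish a hidden volume from a region that was overwritten with random data, which is exactly the property the hidden-volume design relies on.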
