File:Anti-forensics.pdf

From Wikispooks

Anti-forensics.pdf(file size: 120 KB, MIME type: application/pdf)

Anti-forensics with a small army of exploits

By S Hilley - Science Direct - Investigation 4, 2007

Anti-forensics (AF) is a multi-headed demon with a range of weapons in its arsenal. Sarah Hilley looks at a set of hell-raising attacks directed at prominent forensic tools. Major forensic programs have started to attract unwanted attention from hackers, aka security researchers, of the type that has plagued mainstream software developers for years. This report focuses on the development of the Metasploit Anti-Forensic Investigation Arsenal (MAFIA).

Extract

1. Mainstream

Digital forensics is hitting the mainstream – the signs are everywhere. The home-grown firm Guidance Software has gone public, firms are amalgamating, and the field is getting international acclaim for its role in high-profile cases. But not all of the attention on digital forensic techniques is obviously helpful. So-called security researchers, dubbed Metasploit, are starting to pick holes in digital forensics programs, creating more weaponry for the cause of anti-forensics. Of course, software makers have been plagued by researchers finding holes in their products for years, and digital forensic vendors are now taking the brunt.

Forensic tool developers cannot ignore the anti-forensic exploits, and Guidance Software has even made friends with Metasploit developers by inviting them to attend its conference as speakers. The California-based company's reaction mirrors the example set by Microsoft and Oracle, who have befriended hackers in the past to try to quash a flurry of exploits.

2. Interfering with investigations

Metasploit Project anti-forensic wares get very personal with investigative software, as they do more than just corrupt it to gain access to a user's computer. They interfere with the software's results for use in investigating a crime. The Timestamp exploit, for example, interferes with the timestamping capability in Guidance Software's EnCase program and FTK from AccessData – potentially upsetting evidence collection. And the Metasploit Anti-Forensic Investigation Arsenal (MAFIA) is not the only slew of AF exploits out there. Other documented attacks have targeted iLook, WinHex, TCT and Sleuthkit.

3. AF categories

But Metasploit exploits are only one of a variety of approaches to subverting evidence.

Criminals can choose from a bunch of ways to cover up crimes on digital devices. Steganography, data wiping programs and encryption all make life more complicated for investigators.

With the variety of anti-forensics approaches come numerous attempts by academics and practitioners to define AF. Ryan Harris at Purdue University presented a definition at the DFRWS conference in August which attempts to take all types of anti-forensics techniques into account. He classifies anti-forensics as "any attempts to compromise the availability or usefulness of evidence to the forensics process."

Dr. Marcus Rogers, also at Purdue University, breaks anti-forensics into four categories: data wiping, artifact wiping, trail obfuscation and attacks against the latest CF processes and tools. MAFIA fits into the last of these categories.

File history


Version  | Date/Time            | Dimensions | User                   | Comment
current  | 09:19, 1 May 2011    | (120 KB)   | Peter (talk | contribs) | Category:Doc