I applaud each of you for your concern, as the last thing I want to see is one of you getting caught and spending years locked up in an 8 x 8 concrete room with a violent and lascivious cellmate. You can never be too cautious in this field of endeavor.
The best way to evade detection is to understand what the other side is doing and using. So, this series will focus on the tools and techniques that law enforcement and security engineers use to detect and prosecute hackers around the world.
What Is Digital Forensics?
Digital forensics is the field of determining who was responsible for a digital intrusion or other computer crime. It uses a wide range of techniques to attribute the act to a perpetrator.
It relies upon the fundamental concept that whenever a digital intrusion or crime is committed, the perpetrator inadvertently leaves a bit of themselves behind for the investigator to find. These “bits” could be entries in log files, changes to the registry, hacking software, malware, remnants of deleted files, etc. All of these can provide clues and evidence to determine their identity and lead to the capture and arrest of the hacker.
As a hacker, the more you know and understand about digital forensics, the better you can evade the standard forensic techniques and even implement anti-forensic measures to throw off the investigator.
The Digital Forensic Tools
Just like in hacking, there are a number of software tools for doing digital forensics. For the hacker, becoming familiar with these tools and how they work is crucial to evading them. Most digital forensic investigators rely upon a few major commercial digital forensic suites, including:
- Guidance Software’s EnCase Forensic
- AccessData’s Forensic Toolkit (FTK)
These suites are comprised of multiple tools and reporting features and can be fairly expensive. While they are widely used by law enforcement, they use the same or similar techniques as the free, open-source suites, just with fancier interfaces.
By using the free, open-source suites, we can come to understand how tools such as EnCase work without the expense. EnCase is the tool most widely used by law enforcement, but not necessarily the most effective or sophisticated. The commercial tools are designed for user-friendliness, efficiency, certification, good training, and reporting.
There are a number of free, open-source forensic suites, including:
- The Sleuth Kit (TSK)
The Forensic Tools Available in BackTrack
In addition, there are a large number of individual tools available for digital forensics, many of which are included in our BackTrack and Kali distributions.
What Can Digital Forensics Do?
Digital forensics can do many things, all of which the aspiring hacker should be aware of. Below is a list of just some of them.
- Recover deleted files, including emails
- Determine what computer, device, or software created a malicious file or carried out an attack
- Trace the source IP and/or MAC address of an attack
- Track the source of malware by its signature and components
- Determine the time, place, and device that took a picture
- Track the location of a cell-phone-enabled device (with or without GPS enabled)
- Determine the times a file was modified, accessed, or changed (its MAC times) and, on many file systems, when it was created
- Crack passwords on encrypted hard drives, files, or communications
- Determine which websites the perpetrator visited and what files he downloaded
- Determine what commands and software the suspect used
- Extract critical information from volatile memory
- Determine who hacked a wireless network and who its unauthorized users are
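Recovering deleted files is the first item on that list, and the reason it works is worth seeing in code. The following is an added example, not code from the original Null Byte post or from any forensic suite: a toy volume (a directory table plus raw blocks, constructed for illustration) and a small signature-based carver of the kind the open-source and commercial suites implement with far larger signature databases. Deleting a file removes its directory entry; the carver never consults the directory, so it still finds the bytes. Only overwriting them defeats it. ToyVolume, make_png, SIGNATURES and SAMPLE_PDF are my own names and constructed data.

```python
"""File carving against a constructed toy volume.  Added example; not part of
the original post.  ToyVolume, make_png, SIGNATURES and SAMPLE_PDF are
constructed for illustration and are not any real tool's API."""
import random
import struct
import zlib

# Header/trailer signature pairs this toy carver knows.  Real carvers ship
# hundreds of these, plus size limits and format-aware validation.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}

# Constructed sample PDF: just enough structure to carry both signatures.
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
              b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")


def make_png(width=2, height=2):
    """Build a small but valid PNG (solid red) so the carver has real data."""
    def chunk(ctype, data):
        body = ctype + data
        crc = zlib.crc32(body) & 0xFFFFFFFF
        return struct.pack(">I", len(data)) + body + struct.pack(">I", crc)

    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)  # 8-bit RGB
    raw = b"".join(b"\x00" + b"\xff\x00\x00" * width for _ in range(height))
    return (SIGNATURES["png"][0] + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b""))


class ToyVolume:
    """Stand-in for a file system: a directory table plus raw 512-byte blocks.
    Real volumes differ in detail but share the property shown here: unlink
    updates metadata and leaves the data blocks alone."""

    def __init__(self, size=32768, seed=7):
        rng = random.Random(seed)
        self.blocks = bytearray(rng.getrandbits(8) for _ in range(size))
        self.directory = {}          # name -> (offset, length)
        self._next_free = 0

    def write(self, name, data):
        off = self._next_free
        self.blocks[off:off + len(data)] = data
        self.directory[name] = (off, len(data))
        self._next_free = (off + len(data) + 511) // 512 * 512
        return off

    def rm(self, name):
        """Ordinary delete: forget the entry, touch nothing else."""
        del self.directory[name]

    def shred(self, name):
        """Artifact wiping done properly: overwrite the blocks, then unlink."""
        off, length = self.directory.pop(name)
        self.blocks[off:off + length] = b"\x00" * length

    def image(self):
        """What dd would hand the examiner: every block, allocated or not."""
        return bytes(self.blocks)


def carve(image, signatures=SIGNATURES):
    """Return (kind, offset, data) for every header..trailer span in image.
    No directory is consulted, so deleted-but-unwiped files are found too.
    Limitation shared with real carvers: a fragmented file will not come out
    intact, because the bytes between header and trailer are taken as-is."""
    found = []
    for kind, (header, trailer) in signatures.items():
        start = image.find(header)
        while start != -1:
            end = image.find(trailer, start + len(header))
            if end == -1:
                break
            end += len(trailer)
            found.append((kind, start, image[start:end]))
            start = image.find(header, end)
    return sorted(found, key=lambda f: f[1])


def demo():
    """Write two files, delete one normally and shred the other, then carve."""
    vol = ToyVolume()
    vol.write("photo.png", make_png())
    vol.write("notes.pdf", SAMPLE_PDF)
    before = [kind for kind, _, _ in carve(vol.image())]
    vol.rm("photo.png")      # "deleted" as far as the directory knows
    vol.shred("notes.pdf")   # overwritten: nothing left to carve
    after = [(kind, data) for kind, _, data in carve(vol.image())]
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("carved before deletion:", before)
    print("carved after rm + shred:", [kind for kind, _ in after])
```

The toy rm() mirrors what unlink(2) does on a real file system, which is why "I deleted it" is no defense against an examiner with a disk image. When inode metadata survives as well, tools like The Sleuth Kit can recover the file with its original size and timestamps rather than by carving. On the defensive side, note that overwriting tools such as shred warn in their own documentation that journaling file systems, snapshots and SSD wear levelling can leave copies the overwrite never reaches.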
And that’s just some of the things you can do with digital forensics!
What Is Anti-Forensics?
Anti-forensics is the set of techniques used to obfuscate information and evade the tools and techniques of the forensic investigator. Some of these techniques include the following.
- Hiding Data: Hiding data can include such things as encryption and steganography.
- Artifact wiping: Every attack leaves a signature or artifact behind. Sometimes it is wise to attempt to wipe these artifacts from the victim machine so as to leave no tell-tale trail for the investigator. Keep in mind that simply deleting a file removes only its directory entry; the data blocks remain recoverable until something overwrites them.
- Trail Obfuscation: A decent forensic investigator can trace nearly any remote attack back to an IP address and/or MAC address. Trail obfuscation is a technique that points them to a different apparent source of the attack rather than the real one.
- Changing timestamps: Change a file’s timestamps (modify, access, and change times) so that it does not stand out in a forensic timeline. Be aware that on Linux the change time (ctime) is set by the kernel and cannot be written directly by tools such as touch, so a backdated modification time sitting next to a current change time is itself a clue.
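The timestamp item above deserves a worked check, because the naive version of it is exactly what examiners look for. The following is an added example, not code from the original post or from any forensic tool; it assumes a Linux/POSIX host and uses only the Python standard library. timestomp() backdates a file the way touch -d would, mac_times() reads back what an examiner sees in stat or a Sleuth Kit timeline, and looks_stomped() is the heuristic (a change time far later than the modification time) that flags it. The helper names and the sample file are my own.

```python
"""Timestomping and the check that catches it.  Added example; not part of
the original post.  Assumes Linux/POSIX semantics: user space may set atime
and mtime (utime(2)), but ctime is always set to 'now' by the kernel when
the inode changes, and that very call changes the inode."""
import os
import tempfile
import time

# Clock-skew slack, in seconds, before a ctime/mtime gap counts as suspicious.
SLACK_SECONDS = 2.0


def mac_times(path):
    """Return the three timestamps an examiner sees in stat or TSK output."""
    st = os.stat(path)
    return {"modified": st.st_mtime, "accessed": st.st_atime,
            "changed": st.st_ctime}


def timestomp(path, when):
    """Backdate atime and mtime to `when` (epoch seconds), as touch -d does.
    There is no argument for ctime: the kernel sets it to the current time as
    a side effect of this call, which is what gives the game away."""
    os.utime(path, (when, when))


def looks_stomped(times, slack=SLACK_SECONDS):
    """Flag a file whose change time is later than its modification time by
    more than `slack`.  A genuine write updates both together, so the gap
    means something touched the inode after the claimed last write.  It is a
    lead, not proof: cp -p, tar extraction and chmod produce the same pattern."""
    return times["changed"] - times["modified"] > slack


def demo():
    """Create a file, record its times, backdate it, and run the check twice."""
    backdate = time.mktime((2015, 1, 1, 0, 0, 0, 0, 0, -1))
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "access.log")
        with open(path, "w") as fh:
            fh.write("constructed sample line\n")   # constructed content
        fresh = mac_times(path)
        timestomp(path, backdate)
        stomped = mac_times(path)
    return {"fresh": fresh, "stomped": stomped,
            "fresh_flagged": looks_stomped(fresh),
            "stomped_flagged": looks_stomped(stomped),
            "backdate": backdate}


if __name__ == "__main__":
    result = demo()
    for label in ("fresh", "stomped"):
        t = result[label]
        print(f"{label:8s} mtime={time.ctime(t['modified'])} "
              f"ctime={time.ctime(t['changed'])} "
              f"flagged={result[label + '_flagged']}")
```

Run it and the freshly written file passes while the backdated one is flagged, even though its mtime and atime now say 2015. Getting ctime to agree requires either setting the system clock back before touching the file (which needs root and leaves its own traces in logs) or editing the inode on disk, which is why the mtime/ctime gap is one of the first things a timeline review looks for.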
Stay Tuned for More on Digital Forensics
I will spend some of my future Null Byte tutorials looking at the most widely used techniques in digital forensics, using both commercial and open-source tools, and then advance to anti-forensics, or ways to evade detection by these tools and the forensic investigator.