All content following this page was uploaded by Jean-Paul W Van Belle on 20 November 2015.
Anti-Forensic Tool Use and Their Impact on Digital Forensic Investigations: A South African Perspective
ABSTRACT

Digital evidence is becoming an integral part of most cases presented to court. From computers to mobile phones, ATMs and surveillance cameras, our daily life is so inextricably entwined with technology that it is difficult to find court cases where technology plays no part. Thus the responsibility placed on a Digital Forensics (DF) practitioner to present usable evidence to a court is increasing fast. However, potential criminals have equally compelling reasons to prevent DF practitioners from getting their hands on information of probative value, and use tools and methods known as Anti-Forensics (AF).

The purpose of this study is to identify the abilities of DF practitioners to identify the impact that AF has on their active investigations. We created a research model that attempts to identify all the factors and constructs that impact the AF phenomenon. This model was then used to develop a survey instrument to gather empirical data from South African DF practitioners.

We found that whilst South African DF practitioners perceive AF as having an impact on their investigations, they also perceive electronic evidence as forming only part of the evidence presented to court, and that some usable evidence will generally remain. Unfortunately, we also found that most DF practitioners in South Africa are well versed only in the more commonly known AF techniques, whilst not rating their abilities on more complex techniques well. Finally, most DF practitioners appear not to actively attempt to identify AF techniques as part of their investigations. This, combined with a lack of understanding of more complex AF techniques, could leave South African DF practitioners exposed by missing important evidence due to a lack of technical proficiency. The research and its findings should be of benefit to academia and practising DF investigators with a view to assisting them to better prepare for the onslaught of AF.

KEYWORDS

Digital forensics; anti-forensic tools; anti-forensic methods; digital forensic evidence; South Africa.

1 INTRODUCTION AND BACKGROUND TO RESEARCH

Forensics as a scientific discipline is the process whereby science is used to investigate artefacts or the transfer of evidence and interpret its relevance to an investigation [1]. The goal of the DF practitioner is the collection and analysis of digital evidence with a view towards presenting such evidence in a court of law or other legal proceeding. Key to the success of this process is the probative value of the collected evidence [2].

Anti-forensics (AF) involves the use of methods specifically designed to hinder, or negate entirely, the use of science applied to criminal and civil law by interfering with the digital forensic practitioner's ability to successfully complete the collection, examination and analysis of digital forensic artefacts (Harris, 2006). Due to the ever-increasing frequency of AF tool use, greater vigilance by DF investigators will be required to ensure the integrity of investigative results [3]. Anti-forensics is a multi-faceted issue and will require ingenuity and persistence to overcome, and investigators can expect to encounter more sophisticated challenges more frequently as the existing digital forensics capabilities become more commonly known to computer users. By all indications this is a constantly evolving problem, and DF practitioners will have to ensure that they are equally versed in DF as a science and AF as a countermeasure.
All research into this phenomenon up to this point has come out of the developed world, with the USA, Europe and Australia leading the way. The 2012 Verizon data breach report states that one third of all DF investigations undertaken by Verizon are affected by AF [4]. No similar research has been conducted in South Africa, and as such the current scope of the AF problem in South Africa is not known. Due to the risks inherently posed by AF, and the fact that electronic evidence in South African law is still in its infancy, a real risk exists that DF practitioners in South Africa are either not aware of the AF practices being used or are incorrectly identifying information that indicates the use of AF practices or applications, and are negatively impacting court rulings based on the acceptance of digital evidence.

This research aims to establish to what extent the use of AF by the subjects of DF investigations has affected the ability of DF practitioners to complete such investigations successfully in the South African context. In this instance success is defined as the existence of digital evidence of sufficient probative value to ensure the presentation of admissible evidence in a court or other legal proceeding.

The motivation for this research is the furtherance of the knowledge of AF practices, techniques and applications for the benefit of practising DF investigators, and it aims to provide a basis for further research into this phenomenon with a view to expanding the academic knowledge in this area.

2 LITERATURE REVIEW

2.1 Digital Forensics and Digital Evidence

Digital forensics as a discipline is aimed at the identification, collection and analysis of digital evidence following an attack [5]. The goal is to determine the identity of the attacker or suspect (who), their actions (what), when their actions were taken, how they perpetrated the attack or crime, and their motivations (why), i.e. monetary gain, revenge, harassment etc.

Courts of law base the adjudication of all cases on the evidence presented. In examining AF and its effect on the punctiliousness of the digital evidence presented, it is first necessary to examine digital evidence closely. Evidence can be defined as anything presented to logically prove or disprove an issue at hand in a judicial case [6]. Digital evidence is information of legal probative value that is stored or transmitted in electronic form [3]. Digital evidence is similar to traditional evidence in that it contains information that is used to confirm or refute a hypothesis placed before the court or legal proceeding [7]. The only difference is that such information is stored digitally. As such, the quality of such evidence remains a critical factor, as with any other case.

The proliferation of electronic devices has meant that digital evidence can be relevant to any case and not just to computer crimes. By its very nature digital evidence is fragile. Incorrect handling, examination or intentional destruction or modification can alter digital evidence to a point where it is no longer usable. The greatest challenge to using digital evidence in court is the fact that manipulation or alteration of the evidence can be achieved very easily without leaving any manifest indication of such actions [5]. Whilst digital evidence is valuable as a source of evidence in any variety of investigations, it also introduces a new level of complexity that could potentially confound digital forensic investigators [3].

2.2 Anti-forensics

Anti-forensics (AF) in the digital realm is the process of removal or obfuscation of digital forensic artefacts with the aim of invalidating digital forensic investigations [8]. Typically, one or more of the following strategies are used: data hiding, data destruction, trail obfuscation, data contraception, data fabrication and file system attacks [9]. AF aims to remove all traces of a digital event, invalidate the data or increase the complexity of the investigation, remove evidence of its own use, or generally cast doubt on the investigation
Hiding data in system areas

There are methods available to hide information in areas reserved as system space or file slack (the area between the end of the logical file data and the end of the cluster). One such tool is 'Slacker', by the Metasploit Project [17]. The creators of this project claim that Slacker is the first ever tool that allows you to hide files within the slack space of the NTFS file system. In addition, custom attacks created using software exploit frameworks such as the Metasploit framework are generally delivered using payloads created using tools such as 'Msfpayload', which allow the creator to create custom file signatures that will not be detected by forensic signature analysis. More advanced tools such as 'FragFS' exist that have the ability to store information in the NTFS file system's Master File Table ($MFT file) [9].

Rootkits represent a particularly pernicious method of data hiding. Such programs allow attackers consistent and undetected administrative access to a computer [18]. In this instance the attacker can affect multiple states on the infected computer, such as executing programs, logging keystrokes or even storing data. Rootkits are mostly installed on computers through the binding of a malicious program to a seemingly innocuous one. An example of this is where a user downloads an MP3 or e-book from a file sharing site, and once the user runs the file they inadvertently install the rootkit on their computer. To further confound the issue, many rootkits are self-healing, and will automatically reinstate themselves if deleted or uninstalled. An example of this is the Computrace client, which consists of both an application agent and a persistence module.

Data destruction

The destruction of data by wiping or shredding of files is a commonly used AF method which has been around for a long time. For the cybercriminal the most perspicacious course of action is to simply remove all traces that anything untoward took place [19]. A simple delete essentially leaves the data intact. Though not visible to the general computer user, such data is easily recoverable using data recovery or forensic tools.

By using any one of a number of freely available data wiping tools (including Eraser, PGP etc.) the user is able to securely delete files by overwriting the clusters occupied by those files with random data, any number of times, according to existing standards such as Gutmann (35 times) and DoD standard 5220.22-M (US DoD, 1995) (7 times) [10]. Recovery of such securely deleted data is for all intents and purposes impossible [8].

In addition to these tools, another suite of tools exists that focuses on securely removing artefacts that pertain to the activities of the user, such as internet history, file access, file downloads, peer-to-peer networking, chat and so forth. A good example of such a tool is CCleaner by Piriform, which is available as a free download. Tools such as these perform a secure delete of the artefacts mentioned above to ensure that such remnants are not recoverable post delete. Such tools can also quite easily be configured to securely wipe all hard drive free space, including slack space, either when manually initiated by the user or at scheduled intervals.

In addition to data destruction by wiping or overwriting, there are also more drastic measures that cybercriminals sometimes resort to. These are degaussing the drive – sweeping the drive with a powerful magnet, thereby rendering the data unstable – or the physical destruction of the storage media.

Trail obfuscation

Trail obfuscation follows three basic methods. The first has the aim of obscuring required information from the would-be investigator. This is achieved by either replacing relevant information with false information (such as IP address spoofing) or using third parties to act as proxies of the source data in order to remove all traces of the origin of the data from the resulting data at the destination (such as mail anonymizers). The second form of obfuscation
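The slack-space hiding described under "Hiding data in system areas" is also what an examiner's keyword search has to reach: the bytes between a file's logical end and the end of its last cluster belong to no file's content, so ordinary file-level searches miss them. The following Python is an added example written for this page; it is not the paper's code and not part of Slacker or the Metasploit Project. It models a simplified volume (contiguous clusters per file, a 512-byte cluster for the demo) with a constructed file table and image, computes each file's slack region, and keyword-searches those regions. The file names, sizes and the planted text are all constructed.

```python
"""Carve file-slack regions from a small constructed volume image and keyword-search them.

Added example, not from the paper. Simplified model: each file occupies contiguous
clusters, and its slack is the span between logical end-of-file and the end of the
last allocated cluster. The image and file table are constructed in build_sample_volume().
"""
import math
from dataclasses import dataclass
from typing import List, Tuple

CLUSTER_SIZE = 512  # bytes; small for the demo, NTFS volumes commonly use 4096


@dataclass(frozen=True)
class FileEntry:
    name: str
    first_cluster: int
    logical_size: int  # bytes that actually belong to the file

    @property
    def cluster_count(self) -> int:
        return max(1, math.ceil(self.logical_size / CLUSTER_SIZE))


def slack_region(entry: FileEntry) -> Tuple[int, int]:
    """Return (absolute offset, length) of the slack following the file's logical data."""
    start = entry.first_cluster * CLUSTER_SIZE + entry.logical_size
    end = (entry.first_cluster + entry.cluster_count) * CLUSTER_SIZE
    return start, end - start


def extract_slack(volume: bytes, entry: FileEntry) -> bytes:
    off, length = slack_region(entry)
    return volume[off:off + length]


def search_slack(volume: bytes, entries: List[FileEntry], keywords: List[bytes]):
    """Return (file name, keyword, absolute volume offset) for every keyword hit in slack."""
    hits = []
    for e in entries:
        off, _ = slack_region(e)
        region = extract_slack(volume, e)
        for kw in keywords:
            pos = region.find(kw)
            while pos != -1:
                hits.append((e.name, kw.decode(), off + pos))
                pos = region.find(kw, pos + 1)
    return hits


def build_sample_volume():
    """Constructed 8-cluster image with two files; text is planted in one file's slack."""
    volume = bytearray(8 * CLUSTER_SIZE)
    entries = [
        FileEntry("notes.txt", first_cluster=1, logical_size=700),    # 2 clusters, 324 B slack
        FileEntry("report.txt", first_cluster=4, logical_size=1100),  # 3 clusters, 436 B slack
    ]
    volume[1 * CLUSTER_SIZE:1 * CLUSTER_SIZE + 700] = b"A" * 700      # notes.txt content
    volume[4 * CLUSTER_SIZE:4 * CLUSTER_SIZE + 1100] = b"B" * 1100    # report.txt content
    # Fragment planted 100 bytes into report.txt's slack, as a hiding tool would leave it.
    off, _ = slack_region(entries[1])
    hidden = b"ACCOUNT-7781 transfer 14 May"
    volume[off + 100:off + 100 + len(hidden)] = hidden
    return bytes(volume), entries


if __name__ == "__main__":
    vol, files = build_sample_volume()
    for name, kw, off in search_slack(vol, files, [b"ACCOUNT", b"transfer"]):
        print(f"{name}: '{kw}' found in slack at volume offset {off:#x}")
```

On a real NTFS image the file table would be derived from the MFT data runs (fragmented files have several runs, and small resident files have no slack at all), but the search itself is the same. As the paper notes for Slacker, a hit in slack ties the text to the case, not to the tool that put it there; the offsets reported here are what an examiner would record so the finding can be reproduced on the original image.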
• Syscall proxying – A local system call or function is proxied to another system to complete.
• Remote library injection – Information (typically a Dynamic Link Library) is inserted directly into the RAM of the host, leaving no traces on the hard drive.
• DKOM (Direct Kernel Object Manipulation) – The process whereby the memory space utilized by kernel objects is penetrated and used by other inserted processes.
• Utilizing 'in-private' browsing on web browsers such as Mozilla Firefox will keep all cache and history in RAM and will not write any information to disk for later analysis.

2.3 Trace Evidence of Anti-forensic Tool Use

As with any other computer application, the actual use of an AF tool to remove forensic artefacts will in itself leave trace evidence. Steganography is probably one of the most difficult methods of data hiding to detect and decipher, as steganography combines the art of hiding data so that it is not visible to human perception with cryptography [9]. The DF practitioner must therefore first develop the knowledge or suspicion that steganographic data hiding is present in any given case, and then the practitioner has to establish which files, out of all the data that falls within the scope of the investigation, could be affected. As there could potentially be hundreds of thousands of files on a suspect computer, this is often difficult. In this instance the detection of files affected by steganography will often depend on the intuition and experience of the DF examiner. In the event that steganography is suspected and the DF practitioner has identified files to target, the practitioner may use methods similar to the one below to confirm the presence of steganography and to attempt to decipher the contents.

Encryption is often quite obvious to detect. An example of this may be where a DF practitioner has attempted to image a suspect computer and is not able to access any of the data on the drive due to full disk encryption. In such examples the DF practitioner will not be able to access any of the data on the suspect drive unless such a password is provided, and it is often more practical to attempt to extract the password from the suspect using legal means than it would be to use technology. Other forms of encryption may not be as easy to detect, such as a virtual encrypted disk. In this instance the DF practitioner will have to rely on other methods of detection, such as identifying suspiciously large files and files with an unknown or no file signature. However, even in the event of detecting an encrypted volume, the challenge of decrypting such a volume still remains. Without the passkey required to decrypt and mount such a volume it is near on impossible to decrypt the information contained therein [15]. Attempting to break the password to the volume using any number of traditional methods, such as brute force attacks, dictionary attacks or rainbow tables, may take years to achieve [18]. In this instance the most viable option is often to attack the human factor. Encrypted volumes are often not breakable in the traditional sense for any practical purposes and will require a password.

Most forensic software will detect the signatures of commercial file packers. The astute forensic investigator should also be aware that such file packers typically have file signatures that can be searched for manually. In the example of the UPX file packer, a manual keyword search can be completed for the search term 'UPX', which will identify executable files that have been packed using this packer.

When using a tool such as Slacker to hide information in system areas, the forensic investigator will likely have no specific indication that such hiding has occurred, as the only change to the file assigned to legitimately occupy that sector will be a change in the 'date modified' field. An AF practitioner who is thorough in their attempt at data hiding will then quite simply use another tool such as 'Timestomp' to change that metadata attribute back to a value that would not arouse suspicion [21]. The data written to the slack area is not encrypted, but the metadata of the files written into slack space is encrypted. This is intended to complicate efforts to locate a list of files created using Slacker by doing metadata analysis. The most likely indication of the use of Slacker will be the discovery of the Slacker executable on the suspect drive or, in the event of volatile memory analysis or virtual memory analysis, a keyword search may indicate that the program had been loaded into memory. In the absence of such trace evidence the DF practitioner may still find information relating to the case in slack space by making use of a simple keyword search. Whilst this information may relate to the case, it will not provide any proof that a product such as Slacker was used to place it there.

Most anti-virus software claims to be able to detect rootkits. The reality is unfortunately that most anti-virus software may stop a computer from being infected with new rootkits, but established rootkits will often remain undetected [9]. This is not to say that the DF practitioner need not run an anti-virus scan on the acquired forensic image, as this remains an available tool for detecting rootkits and viruses and can be useful in the event that the suspect decides to pursue a 'Trojan defence'. When assessing the ability to detect rootkits from a forensic analysis perspective, it is important to look at two basic modes of forensic operation. These are live incident response, i.e. volatile and non-volatile data analysis on a live computer, and 'dead' forensics, the analysis of static system data
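Three of the indicators in this section lend themselves to scripted triage across a large file listing: a suspiciously large file with an unknown or no file signature as a sign of an encrypted container, the manual 'UPX' search for packed executables, and the 'date modified' change that Slacker leaves and Timestomp resets. The Python below is an added example written for this page; it is not the paper's code and not taken from any forensic suite. The small signature table and the UPX markers are well-known values, but the size and entropy thresholds, the sample file records, and the two timestamp heuristics are assumptions made for the demonstration: a file whose user-settable 'modified' timestamp is earlier than the same timestamp kept in a second attribute (on NTFS, the $STANDARD_INFORMATION and $FILE_NAME attributes of the MFT record), or whose timestamp has a zeroed sub-second part, is flagged for manual review.

```python
"""Triage heuristics for trace evidence of AF tool use (added example, not from the paper).

Flags: possible encrypted containers (large, no known signature, near-random bytes);
UPX-packed executables (the 'UPX0'/'UPX1'/'UPX!' markers UPX leaves in a PE file);
timestamp tampering (two timestamp sources disagree, or a zeroed sub-second part).
Thresholds and sample records are constructed for the demonstration.
"""
import math
import random
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Minimal magic-byte table (well-known values); real tools carry thousands of entries.
SIGNATURES = {
    b"MZ": "PE executable",
    b"\x89PNG\r\n\x1a\n": "PNG image",
    b"\xff\xd8\xff": "JPEG image",
    b"PK\x03\x04": "ZIP archive",
    b"%PDF": "PDF document",
}
UPX_MARKERS = (b"UPX0", b"UPX1", b"UPX!")  # section names and header magic left by UPX
LARGE_FILE = 1024 * 1024   # assumed triage threshold in bytes; tune per case
HIGH_ENTROPY = 7.5         # bits per byte; encrypted or random data approaches 8.0


@dataclass
class Record:
    path: str
    data: bytes
    si_modified: datetime  # 'date modified' from the attribute user-level tools can set
    fn_modified: datetime  # the same timestamp from a second, independently kept attribute


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant input, close to 8.0 for random."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def identify(data: bytes) -> Optional[str]:
    """Return the file type for a known leading signature, else None."""
    for magic, name in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return None


def upx_packed(data: bytes) -> bool:
    """Scripted form of the manual 'UPX' keyword search, limited to PE files."""
    return data.startswith(b"MZ") and any(m in data for m in UPX_MARKERS)


def timestamp_suspicious(r: Record) -> bool:
    """Heuristics (assumed): the user-settable timestamp predates the second source, or it
    has no sub-second part, as tools that write whole seconds leave the fraction zeroed."""
    return r.si_modified < r.fn_modified or r.si_modified.microsecond == 0


def triage(records: List[Record]) -> Dict[str, List[str]]:
    """Map each flagged path to the indicators raised for it; unflagged files are omitted."""
    findings: Dict[str, List[str]] = {}
    for r in records:
        flags = []
        if (identify(r.data) is None and len(r.data) >= LARGE_FILE
                and shannon_entropy(r.data) >= HIGH_ENTROPY):
            flags.append("possible encrypted container")
        if upx_packed(r.data):
            flags.append("UPX-packed executable")
        if timestamp_suspicious(r):
            flags.append("timestamp inconsistency")
        if flags:
            findings[r.path] = flags
    return findings


# Constructed sample records; paths, contents and times are invented for the demo.
_rng = random.Random(1)
_t = datetime(2013, 3, 4, 9, 15, 22, 384000)
SAMPLE_RECORDS = [
    # ordinary document: known signature, consistent timestamps -> no flags
    Record("Documents/notes.docx", b"PK\x03\x04" + b"x" * 200, _t, _t),
    # just over 1 MiB of random bytes with no signature, as an encrypted container looks
    Record("Users/x/blob.dat", b"\x00" + _rng.randbytes(LARGE_FILE),
           datetime(2013, 3, 5, 12, 0, 0, 500000), datetime(2013, 3, 5, 12, 0, 0, 500000)),
    # packed executable whose 'modified' time was pushed back to a whole second in 2010
    Record("Windows/Temp/svc.exe",
           b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 200 + b"UPX0" + b"\x00" * 36
           + b"UPX1" + b"\x00" * 400 + b"UPX!" + b"\x00" * 100,
           datetime(2010, 1, 1, 0, 0, 0), datetime(2013, 3, 6, 14, 2, 11, 120000)),
]

if __name__ == "__main__":
    for path, flags in triage(SAMPLE_RECORDS).items():
        print(f"{path}: {', '.join(flags)}")
```

Every flag here is a lead, not proof, in the same sense the paper gives for Slacker. Compressed media and archives also have high entropy, which is why the container check requires the absence of a recognised signature; a legitimately installed program may ship UPX-packed; and the zeroed-fraction heuristic is meaningless for files whose timestamps were inherited from a file system with coarse granularity (FAT stores modification times to two seconds). The two-source timestamp comparison is the stronger of the two, because a tool that only rewrites the user-visible attribute leaves the other untouched, which is exactly the "one system area but not others" artefact the paper describes.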
Data destruction is often time consuming, and very often the applications used do not destroy all data as advertised. In addition to these factors there will very often be indications that data destruction applications have been used on a computer. A detailed discussion can be found in [22].

Finally, commonly used trail obfuscation tools often leave certain artefacts behind, e.g. by changing time/date stamps in only one system area but not others.

3 RESEARCH METHODOLOGY

3.1 Research Question and Hypotheses

The core research question is whether the use of AF is affecting the ability of South African DF practitioners to complete DF investigations.

To answer the main research question the research will endeavour to find answers to the sub-questions listed below:

What AF tools are being used, and how are they being used? Specific applications are designed and released to the public with the single purpose of removing or hiding DF artefacts. As with any application, the way in which such tools are used will result in varying degrees of success in their intended purpose. This research will identify which of the available AF tools are being used and for what purpose.

Are South African DF practitioners able to identify AF tool use by the artefacts that such tools leave behind? As with any other computer application, the actual use of an AF tool to remove forensic artefacts will in itself leave trace evidence.

How prevalent is AF tool use in the South African environment? This research will attempt to establish the prevalence of AF tool use as experienced by South African DF practitioners.

3.2 Research Methodology and Proposed Model

A positivistic research philosophy was adopted for this research. A cross-sectional time-horizon is used, as the study will aim to understand the status of the problem at a point in time. This research will assume a deductive approach. To that end, a research model was developed as per Figure 1.

Figure 1. Proposed research model

Some of the constructs warrant further explanation. Under the Individual Characteristics, "DF" refers to the Digital Forensics exposure and capabilities, including DF experience, formal DF training, any qualifications obtained and the industry environment in which they are deployed (DF vertical: civil, criminal or corporate environment). The AF abilities refer to specific Anti-Forensic tool and method abilities. The value of AF artefacts refers to the knowledge of and ability to identify AF artefacts (i.e. evidence left behind by AF tools), including the knowledge of artefacts left behind by AF tools and techniques, the ability to identify AF tools by their artefacts, and knowledge of the evidentiary value of the artefacts left by AF use.

The impact of AF is measured by evidence recovery (the DF practitioner's ability to recover usable evidence), evidence presentation (the DF practitioner's ability to present evidence of probative value) and acquittals (where AF leads to acquittals). The impact of AF as part of all evidence refers to the impact AF has on electronic evidence when seen as part of the entire case and all other types of evidence presented, and convictions refers to the impact of AF on convictions when seen as part of the entire case and all other types of evidence presented.
South African DF practitioners were targeted to ensure inclusion of practitioners that operate in criminal, civil and corporate environments. The aim was to include practitioners that deal with evidence in traditional, mobile and internet / e-commerce forensics. Thus a probability sample using the stratified random-sampling technique was used in order to identify forensic practitioners functioning across the strata. A limitation is the relatively small size of the South African DF fraternity. One of the researchers has access to a great portion of the current South African DF fraternity through previous interactions, and we consequently feel that we managed to cover most of the DF community.

No individuals were interviewed, no personal information was gathered about any DF practitioners or their places of employment, and this research abided by the research ethics guidelines set out by our academic institution.

A wide spread of experience in DF was borne out by the respondents. In line with the stratified random-sampling method, a satisfactory spread of employment sectors was achieved.

Figures 3a & 3b. Experience, employment sector of respondents.
Figure 9. AF tools most prevalent in investigations

[Figure: Impact of Anti-Forensics. Survey items shown: "During your investigations, anti-forensics has an effect on the ability to recover evidence"; "Anti-forensics has impacted your ability to present usable evidence in a case"; "Anti-forensics regularly impacts your ability to present usable evidence in a case"; "Anti-forensics has no marked effect on case outcomes as electronic evidence is only a…"]

4.3 Respondents' Rating of Their AF Abilities

Respondents were asked to rate their own Anti-Forensics abilities by means of three questions: their own knowledge of AF, their prior exposure to AF and their ability to counteract the use of AF tools. The three items were considered as a single construct, as they logically represent respondents' abilities to investigate AF.