Anti-Forensics:
Leveraging OS and File System Artifacts
"What one man can invent, another can discover."
– Sherlock Holmes
Objective
• Talk on anti-forensics, focusing on the operating system
and file system artifacts that can be used to
confirm or refute whether anti-forensics was used on a hard
drive.
• Talk covers anti-forensics from a criminal perspective,
not a privacy perspective
Anti-Forensics?
Tools and techniques that frustrate forensic
tools, investigations, and investigators …
- Dr. Simson Garfinkel
Anti Forensics
• Finding anti-forensic tools on a system is itself suspicious
– Crumbs can be found even after the tools are removed!
• Simple: clearing caches, offline files, app artifacts; deleting
catalogs and thumbnail files, Jump Lists, Prefetch files, etc.
• Complex: Full Disk Encryption, injected DLLs (Meterpreter),
Anti-X
GOALS ?
• Avoid detection
• Disrupting Information Collection
• Increase examination time
• Cast doubt on forensic reports or
testimony
• Subverting the tool
Categories
• Hiding:
– Data Hiding
– Trail Obfuscation
• Destruction:
– Artifact Wiping
– Attacking Forensic Tools
Q: What are we looking for?
"Data! Data! Data!
I can't make bricks without clay.“
- Sherlock Holmes
• Before we look at where and how data ("evidence") is stored,
we must first understand what types of evidence we are looking
for from a forensic perspective:
– Time: when something happened, or for how long
– Keywords: any specific text related to a crime
– Action/Operation: open file, run program, shut down system, etc.
– Object: disk, partition, file, malware, etc.
Operating System Artifacts
"Don't be conned by misleading menu structures!"
Techniques
• Shift+Del (bypasses the Recycle Bin)
• Hiding files within system directories
• Changing the file extension
– .doc → .xls
– .pdf → .doc
• Merging streams (Doc into XLS and vice versa)
• Changing one byte in a file
– Turns a known hash into an unknown one, defeating hash-set matching
• Split and scatter (splitting files and then scattering the pieces)
• Changing file headers (signatures)
– Transmogrify
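The extension and header tricks above defeat filename-based triage but not content analysis. As an added example (not code from the original deck), the Python below identifies a file by its leading bytes and flags any file whose extension does not belong to that format. The signature table is a small assumed subset of the public magic tables, and the sample files are constructed in a temporary directory. It catches renaming and the one-byte hash bypass, but a header rewritten by a tool like Transmogrify would need fuzzy hashing or deeper format parsing.

```python
"""Content analysis: detect files whose header (magic bytes) disagrees with their extension.
Added example, not code from the original deck; the sample files are constructed below."""
import os
import tempfile

# Leading-byte signatures for a handful of formats (assumed subset of the public magic tables).
MAGIC = {
    b"%PDF-": "pdf",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",  # OLE compound file: legacy .doc/.xls/.ppt
    b"PK\x03\x04": "zip",                         # ZIP container: .zip, .docx, .xlsx, .jar
    b"MZ": "exe",                                 # DOS/PE executable
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
}

# Extensions that legitimately carry each container type.
EXPECTED = {
    "pdf": {"pdf"},
    "ole2": {"doc", "xls", "ppt", "msg"},
    "zip": {"zip", "docx", "xlsx", "pptx", "jar"},
    "exe": {"exe", "dll", "sys", "scr", "cpl"},
    "jpg": {"jpg", "jpeg"},
    "png": {"png"},
}


def identify(header: bytes):
    """Return the format name for the given leading bytes, or None if unrecognised."""
    for signature, kind in MAGIC.items():
        if header.startswith(signature):
            return kind
    return None


def check_file(path: str):
    """Return (status, extension, kind): status is 'ok', 'mismatch' or 'unknown'."""
    with open(path, "rb") as fh:
        header = fh.read(16)
    kind = identify(header)
    ext = os.path.splitext(path)[1].lstrip(".").lower()
    if kind is None:
        return ("unknown", ext, None)
    if ext in EXPECTED[kind]:
        return ("ok", ext, kind)
    return ("mismatch", ext, kind)


def scan(root: str):
    """Walk a directory tree and return (path, extension, real kind) for every mismatch."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            full = os.path.join(dirpath, name)
            status, ext, kind = check_file(full)
            if status == "mismatch":
                findings.append((full, ext, kind))
    return findings


def demo():
    """Build a constructed sample tree and return the mismatches by base name."""
    samples = {
        "report.pdf": b"%PDF-1.7\n%constructed\n",
        "budget.xls": b"%PDF-1.4\n%renamed pdf\n",                   # .pdf renamed to .xls
        "notes.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8,
        "photo.jpg": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 8,    # executable disguised as a picture
        "archive.docx": b"PK\x03\x04\x14\x00" + b"\x00" * 10,
    }
    with tempfile.TemporaryDirectory() as root:
        for name, content in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(content)
        return sorted((os.path.basename(p), ext, kind) for p, ext, kind in scan(root))


if __name__ == "__main__":
    for name, ext, kind in demo():
        print(f"{name}: extension .{ext} but content is {kind}")
```

Run it against a mounted image or an exported directory instead of the constructed tree by calling scan() with that path; the two constructed mismatches are the renamed PDF and the executable posing as a JPEG.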
Techniques – Cont.
• Log injection (misleading events)
• Deleted files and removed programs
– Restore Points
– Registry entries, e.g.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
• Online storage: Dropbox, Google Drive, etc.
• DLL injection (Meterpreter)
How: Simple Techniques – Cont.
• CLSID list (Windows Class Identifiers),
https://autohotkey.com/docs/misc/CLSID-List.htm
– Appending a shell CLSID to a folder name makes Explorer treat the
folder as that shell object, so its real contents are not shown:
rename FOLDER "My Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}"
– The folder and its files are still visible from a command prompt
(dir) or a forensic tool
SysInternals: Autoruns
Detection Techniques
• Different detection techniques (image path, memory, etc)
• Fuzzy Hashes
• Content Analysis
• Scheduled Tasks
• Thumbcache
• Log detection
– Correlation and Timeline Analysis
– Memory dump of erased events or wipers
– Centralized Log Management System
• Meterpreter
– Memory dump
– stdapi_sys_process_getpid
Volume Shadow Copies / Restore
Points
• Beware of accessing VSCs on live systems (why? the running OS may
rotate or delete shadow copies as the diff area fills, and every
action taken on the live system alters the evidence)
Shadow Explorer – VSC Browser
• Browse a VSC
Windows Registry
User Registry File
• NTUSER.DAT file
– Personal preferences and settings for the user
– Even the file's own metadata (its file system attributes)
reveals a lot of information:
• First time the user logged on
– Creation date of the file
• Last time the user logged on (more precisely, the last time the
hive was written, typically at logoff)
– Last-modified date of the file
Recycle.Bin
• [Volume]:\$Recycle.Bin
• $Recycle.Bin (hidden by default; a protected system folder)
• Subfolder per user named with the account SID
• When a file is moved to the Recycle Bin, it becomes two files, $I<id>
and $R<id>, sharing the same random id:
– $I -> original name and path, original size, and deletion date
– $R -> original file data stream and other attributes
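As an added example (not from the original deck), the following Python parses the $I record layout described above, for both the Vista-through-8.1 format (version 1, fixed 520-byte path field) and the Windows 10 format (version 2, length-prefixed path). The records it parses are constructed inline; the path, size and deletion time are made up.

```python
"""Parse Recycle Bin $I metadata records (Windows Vista and later).
Added example, not code from the original deck; the $I records are constructed inline."""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME: 100-nanosecond ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_dollar_i(data: bytes) -> dict:
    """Return original path, original size and deletion time from a $I record.

    Layout (both versions start with three little-endian uint64 fields):
      0x00 version (1 = Vista..8.1, 2 = Windows 10 and later)
      0x08 original file size
      0x10 deletion time as FILETIME
      0x18 path: v1 = fixed 520 bytes (260 UTF-16 code units, NUL padded)
                 v2 = uint32 length in code units (incl. NUL), then the UTF-16LE path
    """
    if len(data) < 24:
        raise ValueError("too short for a $I header")
    version, size, deleted_ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {"version": version, "size": size,
            "deleted": filetime_to_datetime(deleted_ft), "path": path}


def build_dollar_i(version: int, path: str, size: int, deleted: datetime) -> bytes:
    """Construct a $I record (used here only to produce test input)."""
    header = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted))
    encoded = (path + "\x00").encode("utf-16-le")
    if version == 1:
        return header + encoded.ljust(520, b"\x00")
    if version == 2:
        return header + struct.pack("<I", len(path) + 1) + encoded
    raise ValueError("unsupported version")


def demo():
    """Round-trip a constructed deletion through both record formats."""
    when = datetime(2016, 3, 1, 12, 0, 0, tzinfo=timezone.utc)   # constructed time
    path = r"C:\Users\alice\Documents\ledger.xlsx"                # constructed path
    return [parse_dollar_i(build_dollar_i(v, path, 45056, when)) for v in (1, 2)]


if __name__ == "__main__":
    for rec in demo():
        print(rec)
```

Because the header is fixed and the deletion time sits at a known offset, $I records are easy to carve from unallocated space after the bin has been emptied, which is why the original path and deletion time often survive the wiping of the $R data.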
Recycle Bin
Clear “Recent Items”
Windows 7
To clear “Recent Item List”
Right click on Recent Items
and select clear
Jump Lists – Cont.
Frequent files used
Recent files used
Jump Lists – Cont.
C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent Items
(the Jump List files themselves sit in the AutomaticDestinations and
CustomDestinations subfolders of this Recent folder)
Jump Lists – Settings
If unchecked will prevent
application history from
appearing on the start menu
Used to adjust the number of items to
display in the Jump Lists
Libraries
• A list of monitored folders
• Used to help users
find and organize their
media
– Documents
– Music
– Pictures
– Videos
They look like any other folder!!!
View them using a forensic tool:
XML-based files with the .library-ms extension!
Link Explorer (LECmd)
Prefetch Files
• Prefetch files indicate the following to the examiner:
– Existence: the named application was run
– Creation date: when the application was first run
– Modification date: when the application was last run
(the last-run timestamps and run count stored inside the file
are the more reliable record)
User Activity with ShellBags
• I still know what you did !!!
Index.DAT
• Internet Explorer's index of its cache, history and cookies; it can reveal:
• Every web site visited
• Every URL
• Every web page
• Email sent or received through Outlook or Outlook Express
• All internet temp files
• All pictures viewed
Thumbs.DB
• Thumbnails of pictures viewed in Windows Explorer
• Filmstrip and Thumbnails views
• The thumbnails remain after the original picture is deleted
• Thumbs.DB viewer
Binary Obfuscation
• Packers / unpackers
– Reduce size, hide the actual code, hide the IAT, Anti-X
[Figure: an original executable (DOS Header, PE Header, .data, .code)
beside the same layout after a simple packer has wrapped it]
Binary Obfuscation – Cont.
• Complex packers may overwrite their own memory space
• Unpacking:
– Statically (complex and time consuming)
– Dynamically (easy, needs a native environment)
– Hybrid (best of both)
• Types:
– Common: UPX, FSG, MEW
– Complex: Armadillo, Obsidium, Sdprotect, ExeCrypt, VMProtect
[Figure: the import table of a packed binary shrinks to a handful of
APIs (GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree,
ExitProcess); a compressor reduces the sample from 3.1415 MB to 2.7282 MB]
File Systems Artifacts
“Don’t let jumbled Data Structures fool
you!"
Disks
• Without an understanding of the disk layout, you'll never know
what is truly hidden there!
Do you know what’s here?
File Systems
• Can reveal useful artifacts like:
– Manipulated Timestamps
– Metadata : deleted or crumbs
– Logs of actions : Journals
Volume Slack
• Unused space between the end of the volume (file system) and the end
of the partition
• The amount of data that can be hidden there is limited only by the
free space on the disk that partitions can occupy
[Figure: Partition #1, Partition #2, Partition #3, each with volume
slack after the end of its volume]
File Slack Space
• Slack space can be used to hide data
[Figure: a single 4096-byte cluster of 8 sectors (Sector #0 to
Sector #7); a 2248-byte file fills sectors 0 to 4, leaving 312 bytes
of RAM slack at the end of sector 4 and 1536 bytes (sectors 5 to 7)
of cluster slack]
File Systems (NTFS)
• Everything written to the disk is a file
– Files, directories, metadata, etc.
• The MFT is the heart of NTFS (an array of records, 1024 bytes each)
• Each MFT record holds the metadata of one file or directory
• The first 16 records of the MFT are reserved for metadata files
• Entry 0 is $MFT itself (entry 1 is its mirror, $MFTMirr)
PowerForensics
File Systems (NTFS) – Cont.
• Deleted Files
– Unallocated space
– File System Journals, Index Files, and Log files: $I30, $LogFile, $UsnJrnl
• File Wipers
– Some crumbs left for investigator!
• Hiding within $DATA attribute
• Timestamps and timestomp tools
– MACE / MACB
$MFT Slack Space
• An MFT record is a fixed 1024 bytes, but its attributes rarely fill it;
the unused tail of the record (MFT slack) can hold stale data from an
earlier use of the record or data deliberately placed there
Bad Blocks ($BadClus)
• Marked in the metadata file $BadClus (MFT entry 8)
• Sparse file with the size set to the size of the entire file system
• Bad clusters are allocated to this file
• Clusters can be allocated to $BadClus and used to store data
Alternate Data Streams (ADS)
• More than one
$DATA attribute
• Locating streams:
– Streams, LADS, etc
– DF tools
– Manually!
• Can also hide
binaries!
– Images
– EXEs
– etc
echo I am the hidden text > file.txt:Hidden.txt
Time Manipulation: Timestomp
• Also a form of Data Hiding!
Time Manipulation: Detection
• Compare the $STANDARD_INFORMATION (SIA) timestamps with the
$FILE_NAME (FN) attribute timestamps
• FN timestamps cannot be set from user mode, so an SIA timestamp that
is earlier than its FN counterpart is suspect
• Timestamps with zero fractional seconds are suspect
• Check for creation timestamps earlier than the file system format
date
• Check Volume Shadow Copies (VSCs) and Restore Points
• Check journal files ($UsnJrnl, $LogFile)
• Create timelines
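The ordering, zero-fraction and pre-format checks above, as an added Python example (not from the original deck) run over constructed $SI/$FN timestamp sets. The record layout is simplified to the four timestamps of each attribute, and the volume format time is assumed; the comments note where legitimate activity (copies from FAT media, cloned volumes) can trip a check, so the output is an indicator list, not a verdict.

```python
"""Timestomp indicators from $STANDARD_INFORMATION ($SI) versus $FILE_NAME ($FN) timestamps.
Added example, not code from the original deck; the MFT records below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000          # FILETIME resolution is 100 ns


def to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


@dataclass
class Times:
    created: int        # all four are raw FILETIME values as stored on disk
    modified: int
    mft_changed: int
    accessed: int

    @classmethod
    def same(cls, dt: datetime):
        ft = to_filetime(dt)
        return cls(ft, ft, ft, ft)

    def all_whole_seconds(self) -> bool:
        return all(t % TICKS_PER_SECOND == 0
                   for t in (self.created, self.modified, self.mft_changed, self.accessed))


@dataclass
class MftRecord:
    name: str
    si: Times   # $STANDARD_INFORMATION: what SetFileTime() and timestomp can rewrite
    fn: Times   # $FILE_NAME: maintained by the kernel, not settable from user mode


def timestomp_indicators(rec: MftRecord, volume_format_ft: int) -> list:
    flags = []
    # 1. $SI created earlier than $FN created. $FN timestamps are written at creation and
    #    refreshed from $SI on rename/move, so $SI should never trail behind $FN.
    if rec.si.created < rec.fn.created:
        flags.append("si_created_before_fn_created")
    # 2. Every $SI value on a whole-second boundary: the 32-bit SetFileTime path used by
    #    timestomp writes seconds only. Files copied from FAT media (2 s granularity) look
    #    the same, so this is an indicator, not proof.
    if rec.si.all_whole_seconds():
        flags.append("si_zero_subseconds")
    # 3. A file cannot be created before the volume it lives on was formatted (unless the
    #    volume was cloned from an older disk; check the format date against $Boot/$Volume).
    if rec.si.created < volume_format_ft:
        flags.append("si_created_before_volume_format")
    return flags


def demo() -> dict:
    """Three constructed records: untouched, timestomped, and older than the volume."""
    volume_format = to_filetime(datetime(2010, 6, 1, tzinfo=timezone.utc))     # assumed
    real = datetime(2016, 2, 10, 9, 15, 23, 456789, tzinfo=timezone.utc)     # non-zero fraction
    clean = MftRecord("notes.txt", Times.same(real), Times.same(real))
    stomped = MftRecord("ledger.xlsx",
                        Times.same(datetime(2009, 1, 1, tzinfo=timezone.utc)),  # $SI rewritten
                        Times.same(real))                                       # $FN untouched
    old = datetime(2008, 5, 5, 14, 3, 9, 120000, tzinfo=timezone.utc)
    pre_format = MftRecord("old.doc", Times.same(old), Times.same(old))
    return {r.name: timestomp_indicators(r, volume_format)
            for r in (clean, stomped, pre_format)}


if __name__ == "__main__":
    for name, flags in demo().items():
        print(f"{name}: {flags or 'no indicators'}")
```

In practice the $SI and $FN values come from an MFT parser (the deck mentions PowerForensics); feed each record's eight timestamps into timestomp_indicators() and pivot on the flagged files in the timeline.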
$UsnJrnl
• Tracking NTFS history with $UsnJrnl
– Creation, deletion, modification, renaming and moving of files and
directories
– It is possible to find traces of deleted files
– Program execution and document opening can be traced through the
history of Prefetch and LNK files recorded in the journal
• $UsnJrnl record carving from unallocated space
– Large numbers of $UsnJrnl records survive in unallocated space
– Carving them recovers file system history from months earlier
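Carving USN records, as an added Python example (not the deck's own code, and not PowerForensics): it builds a few USN_RECORD_V2 entries with constructed names, times and file reference numbers, embeds them in junk bytes standing in for unallocated space, then scans the buffer at 8-byte alignment for plausible headers (version 2.0, file name at offset 60, 8-aligned record length, printable UTF-16 name, sane timestamp) and reports which carved records carry a FILE_DELETE reason. Only a subset of the reason flags is decoded.

```python
"""Carve USN_RECORD_V2 entries ($UsnJrnl:$J) from an arbitrary byte buffer such as unallocated space.
Added example, not code from the original deck; the journal records are constructed inline."""
import struct
from datetime import datetime, timedelta, timezone

# USN_RECORD_V2 fixed header (60 bytes): RecordLength, MajorVersion, MinorVersion,
# FileReferenceNumber, ParentFileReferenceNumber, Usn, TimeStamp, Reason, SourceInfo,
# SecurityId, FileAttributes, FileNameLength, FileNameOffset; the name follows at offset 60.
HEADER = struct.Struct("<IHHQQQQIIIIHH")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
USN_REASON_FILE_DELETE = 0x00000200
REASONS = {  # subset of the documented USN_REASON_* flags
    0x00000001: "DATA_OVERWRITE", 0x00000002: "DATA_EXTEND", 0x00000004: "DATA_TRUNCATION",
    0x00000100: "FILE_CREATE", 0x00000200: "FILE_DELETE", 0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME", 0x00008000: "BASIC_INFO_CHANGE", 0x80000000: "CLOSE",
}


def to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def from_filetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def decode_reason(mask: int) -> str:
    return "|".join(name for bit, name in sorted(REASONS.items()) if mask & bit)


def build_record(name, reason, ts, frn, parent_frn, usn) -> bytes:
    """Construct one V2 record (test input only); records are padded to 8-byte alignment."""
    fname = name.encode("utf-16-le")
    length = (HEADER.size + len(fname) + 7) & ~7
    hdr = HEADER.pack(length, 2, 0, frn, parent_frn, usn, to_filetime(ts),
                      reason, 0, 0, 0x20, len(fname), HEADER.size)
    return (hdr + fname).ljust(length, b"\x00")


def carve(buf: bytes) -> list:
    """Scan every 8-byte-aligned offset for a header that passes sanity checks."""
    hits = []
    for off in range(0, len(buf) - HEADER.size + 1, 8):
        (length, major, minor, frn, parent, usn, ft, reason,
         _source, _sid, _attrs, name_len, name_off) = HEADER.unpack_from(buf, off)
        if (major, minor, name_off) != (2, 0, HEADER.size):
            continue
        if name_len == 0 or name_len % 2 or name_len > 510:
            continue
        if length % 8 or not (HEADER.size + name_len <= length < HEADER.size + name_len + 8):
            continue
        if off + length > len(buf):
            continue
        try:
            when = from_filetime(ft)
        except OverflowError:
            continue
        if not 1993 <= when.year <= 2100:          # NTFS era; assumed plausibility window
            continue
        try:
            name = buf[off + name_off: off + name_off + name_len].decode("utf-16-le")
        except UnicodeDecodeError:
            continue
        if not name.isprintable():
            continue
        hits.append({"offset": off, "usn": usn, "time": when, "frn": frn, "parent_frn": parent,
                     "reason_mask": reason, "reason": decode_reason(reason), "name": name})
    return hits


def deleted_files(hits: list) -> list:
    """Names of carved records that recorded a deletion (the 'trace of a deleted file')."""
    return [h["name"] for h in hits if h["reason_mask"] & USN_REASON_FILE_DELETE]


def demo() -> list:
    t0 = datetime(2016, 4, 2, 8, 30, 0, tzinfo=timezone.utc)            # constructed times
    junk = b"\x00" * 40 + b"unallocated-slack-junk--"                   # 64 bytes, keeps alignment
    records = [
        build_record("evil.exe", 0x00000100 | 0x80000000, t0,
                     0x0001000000000123, 0x0005000000000005, 0x1000),
        build_record("evil.exe", 0x00000200 | 0x80000000, t0 + timedelta(minutes=5),
                     0x0001000000000123, 0x0005000000000005, 0x1060),
        build_record("report.docx", 0x00002000 | 0x80000000, t0 + timedelta(minutes=7),
                     0x0002000000000456, 0x0005000000000005, 0x10c0),
    ]
    return carve(junk + records[0] + junk + records[1] + records[2] + junk)


if __name__ == "__main__":
    for h in demo():
        print(f"{h['offset']:6d} {h['time'].isoformat()} {h['reason']:24s} {h['name']}")
    print("deleted:", deleted_files(demo()))
```

On a real image, feed carve() the raw unallocated clusters in chunks (keeping chunk boundaries 8-aligned) and sort the hits by Usn to rebuild the chronology; a record is only as trustworthy as the sanity checks, so corroborate carved entries against $LogFile and the live journal.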
NTFS INDX Files (aka: $I30)
• Each directory index entry contains at least the following
metadata for the child:
– Filename
– Physical size of file
– Logical size of file
– Modified timestamp
– Accessed timestamp
– Changed timestamp
– Created timestamp
$LogFile
• A transaction journal of changes to the $MFT
• Could find file fragments and MFT records
• Could find MFT records in unallocated space
• Could locate file names that no longer exist on the disk
Finally …
• To catch a criminal, you need to think like one!
• Without a proper understanding of the underlying
technology, it's like searching for a needle in a
haystack!
• They can run, but they can't hide forever!
References
• Alternate Data Streams in NTFS, http://blogs.technet.com/b/askcore/archive/2013/03/24/alternate-data-streams-in-ntfs.aspx
• CLSID List, http://www.autohotkey.com/docs/misc/CLSID-List.htm
• Runtime DiskExplorer, https://www.runtime.org/diskexplorer.htm
• Anti-Forensics: Techniques, Detection and Countermeasures, Simson Garfinkel
• Metasploit Autopsy – Reconstructing the Crime Scene, http://www.blackhat.com/presentations/bh-usa-09/SILBERMAN/BHUSA09-Silberman-MetasploitAutopsy-SLIDES.pdf
• A Windows Registry Quick Reference: For the Everyday Examiner, Derrick J. Farmer, Burlington, Vermont
• https://en.wikiquote.org/wiki/Sherlock_Holmes
• PowerForensics Get-ForensicUsnJrnl, http://www.invoke-ir.com/2016/02/forensic-friday-get-forensicusnjrnl.html
References – P2
• Advanced $UsnJrnl Forensics, FORENSIC INSIGHT
• Prefetch Files, http://www.forensicswiki.org/wiki/Prefetch
• LECmd, Eric Zimmerman, http://binaryforay.blogspot.com/2016/02/introducing-lecmd.html
• NTFS INDX, Willi Ballenthin, http://www.williballenthin.com/forensics/indx/