CFC Week 8: Anti-forensics

Learning outcomes

  • Describe the most relevant anti-forensic techniques.
  • Explain the challenges behind handling encrypted devices.

What is the goal of anti-forensics?

It aims to evade and thwart the forensic process: attacks on the tools and methods of the examiner, combined with adversarial actions taken against the evidence itself.

What are the four main adversarial actions adopted in anti-forensics?

  1. Destroy: destroy potentially useful digital forensic evidence of the attacker's activities
    • wiping log files
  2. Divert: plant misleading digital forensic evidence
    • spoofing the source IP address of a cyber attack
  3. Deceive: hide potentially useful digital forensic evidence
    • steganography (data concealed inside an innocuous carrier file)
    • onion routing (the origin of network traffic concealed behind a chain of relays)
  4. Deny: deny access to potentially useful digital forensic evidence
    • cryptography, so that the evidence is unreadable to anyone without the key

What is meant by full disk encryption?

Encrypting the whole disk (and any other volumes) with a strong symmetric key, so that nothing on it is readable until the key is released by a passphrase, token or hardware module. TrueCrypt, for example, uses 256-bit keys for AES, Serpent and Twofish, and can cascade those ciphers.

How may a digital forensic examiner attempt to overcome FDE (full disk encryption) in a reasonably short time?

  • FDE is in operation (the machine is running and the volume is mounted):
    • for the disk to be usable, the decryption key must be held in main memory or in a separate device
    • use live forensic techniques, such as acquiring RAM and searching it for the key, to decrypt the disk
  • FDE is not in operation (the machine is powered off):
    • the key might be stored in a TPM (trusted platform module), a hidden partition or a dongle
    • a cold boot attack may still recover keys: DRAM retains its contents for seconds to minutes after power is cut, and much longer if the modules are chilled, so a machine that has only just been powered down can be rebooted into a minimal memory-imaging tool and the image searched for the key
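A worked example of the "search RAM for the key" step, added for these notes and not part of the course material: given a memory image, find AES keys by looking for their expanded key schedules, the method behind tools such as aeskeyfind. A key schedule is easy to recognise because every round key is a deterministic function of the previous one, so a 16- or 32-byte window is a key if the bytes that follow it are exactly its FIPS-197 expansion. The memory image here is constructed (random bytes with two schedules planted at known offsets); the keys are the FIPS-197 Appendix A example keys, so the expansion can be checked against the published vectors.

```python
"""Recover AES keys from a memory image by locating their expanded key schedules.

Added example for these notes (not the course's own code). A running FDE driver
keeps the volume key, and usually the expanded round keys, in RAM; scanning a
memory image for any 16- or 32-byte window whose AES key expansion appears
immediately after it finds those keys without the passphrase. The memory image
below is constructed, not a real dump.
"""
import random


def _rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF


def _build_sbox():
    """Generate the AES S-box: multiplicative inverse in GF(2^8), then the affine map."""
    sbox = [0] * 256
    p = q = 1                                   # invariant: p * q == 1 in GF(2^8)
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3 (3 generates the field)
        q = (q ^ (q << 1)) & 0xFF                               # q /= 3
        q = (q ^ (q << 2)) & 0xFF
        q = (q ^ (q << 4)) & 0xFF
        if q & 0x80:
            q ^= 0x09
        x = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4)
        sbox[p] = x ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63                              # zero has no inverse; only the constant remains
    return sbox


SBOX = _build_sbox()


def expand_key(key):
    """FIPS-197 key expansion for a 16-, 24- or 32-byte key; returns the whole schedule."""
    nk = len(key) // 4
    if len(key) != 4 * nk or nk not in (4, 6, 8):
        raise ValueError("AES key must be 16, 24 or 32 bytes")
    words = [list(key[i:i + 4]) for i in range(0, len(key), 4)]
    rcon = 0x01
    for i in range(nk, 4 * (nk + 7)):           # 4 words per round, nk + 6 rounds plus the initial one
        temp = list(words[i - 1])
        if i % nk == 0:
            temp = [SBOX[b] for b in temp[1:] + temp[:1]]       # SubWord(RotWord(w[i-1]))
            temp[0] ^= rcon
            rcon = ((rcon << 1) ^ (0x1B if rcon & 0x80 else 0)) & 0xFF
        elif nk > 6 and i % nk == 4:
            temp = [SBOX[b] for b in temp]                      # extra SubWord used by AES-256
        words.append([a ^ b for a, b in zip(words[i - nk], temp)])
    return bytes(b for w in words for b in w)


def _first_derived_word(key):
    """Only the first word generated from the key: a cheap filter before a full expansion."""
    nk = len(key) // 4
    last = list(key[4 * nk - 4:])
    temp = [SBOX[b] for b in last[1:] + last[:1]]
    temp[0] ^= 0x01
    return bytes(a ^ b for a, b in zip(key[:4], temp))


def find_aes_keys(image, key_lengths=(16, 32)):
    """Return (offset, key_length, key) for every window whose key schedule follows it."""
    hits = []
    for key_len in key_lengths:
        sched_len = 16 * (key_len // 4 + 7)     # 176 bytes for AES-128, 240 for AES-256
        for off in range(len(image) - sched_len + 1):
            window = image[off:off + sched_len]
            candidate = window[:key_len]
            if window[key_len:key_len + 4] != _first_derived_word(candidate):
                continue                        # almost every offset is rejected here
            if expand_key(candidate) == window:
                hits.append((off, key_len, candidate))
    return hits


# Constructed sample "memory image": random bytes with two schedules planted at known offsets.
# The keys are the FIPS-197 Appendix A example keys, so the expansion can be checked.
K128 = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
K256 = bytes.fromhex("603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4")


def build_sample_image(seed=1234):
    rng = random.Random(seed)
    junk = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    return junk(1024) + expand_key(K128) + junk(512) + expand_key(K256) + junk(256)


if __name__ == "__main__":
    for off, n, key in find_aes_keys(build_sample_image()):
        print(f"AES-{8 * n} key at offset {off:#x}: {key.hex()}")
```

On a real dump the scan is the same, but a hit only shows that some process held an AES key; confirming that it is the volume key means trying it against the volume header or a sector with known plaintext. The first-word filter costs four S-box lookups per offset, so the full expansion is only ever run on real candidates and scanning gigabytes of RAM is practical.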

How is a forensic analysis made sound (soundness)?

  1. Acquisition of data should change the original evidence as little as possible
    • any change that is unavoidable must be explained and documented
  2. Documentation
    • where did the evidence originate?
    • how was it handled (chain of custody)?

When the credentials for decryption are not available, what can be done with a full-disk-encrypted system?

  • Attempt decryption
    • brute-force attack
    • dictionary attack
  • Load a duplicate (forensic image) into a virtual environment
    • it can then be decrypted later in a number of ways
  • Restore the image to a working hard disk
  • Boot a restored clone of the original disk
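The "attempt decryption" option above, as an added example that is not part of the course notes: a dictionary attack with simple mangling rules against a passphrase-protected key slot. The header layout in the code (a salt, a PBKDF2 iteration count and an HMAC verifier over a constant tag) is a constructed stand-in, not the format of TrueCrypt or any real FDE product, and the wordlist and passphrase are constructed too. What carries over to real volumes is the cost model: each guess costs one full run of the key derivation function, which is exactly what the iteration count is there to make expensive.

```python
"""Dictionary attack against a passphrase-protected key slot.

Added example for these notes (not the course's own code). The header layout is a
constructed stand-in, not the format of TrueCrypt or any real FDE product: it holds
a salt, a PBKDF2 iteration count and an HMAC verifier over a constant tag, which is
enough to tell a correct passphrase from a wrong one, as a real header's decrypted
magic value and checksum would.
"""
import hashlib
import hmac
import os
import time

VERIFY_TAG = b"constructed-header-magic"
# Constructed wordlist; a real attack would use leaked-password lists and richer rules.
SAMPLE_WORDLIST = ["password", "letmein", "dragon", "qwerty"]


def _derive_key(passphrase, salt, iterations):
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, iterations)


def make_header(passphrase, iterations, salt=None):
    """Build the constructed header for a volume protected by `passphrase`."""
    salt = os.urandom(16) if salt is None else salt
    key = _derive_key(passphrase, salt, iterations)
    verifier = hmac.new(key, VERIFY_TAG, hashlib.sha256).digest()
    return {"salt": salt, "iterations": iterations, "verifier": verifier}


def check_passphrase(header, candidate):
    """One guess costs one full KDF run; that is what the iteration count buys the defender."""
    key = _derive_key(candidate, header["salt"], header["iterations"])
    tag = hmac.new(key, VERIFY_TAG, hashlib.sha256).digest()
    return hmac.compare_digest(tag, header["verifier"])


def mangle(word):
    """A few common rules: capitalisation and the usual suffixes."""
    return [word, word.capitalize(), word + "1", word + "!", word + "123", word.capitalize() + "1"]


def dictionary_attack(header, wordlist):
    """Return (passphrase, guesses) on success or (None, guesses) when the list is exhausted."""
    guesses = 0
    for word in wordlist:
        for candidate in mangle(word):
            guesses += 1
            if check_passphrase(header, candidate):
                return candidate, guesses
    return None, guesses


def seconds_per_guess(header, samples=5):
    """Measure the KDF cost on this machine, which bounds the guessing rate."""
    start = time.perf_counter()
    for i in range(samples):
        check_passphrase(header, f"timing-probe-{i}")
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    header = make_header("dragon!", iterations=200_000)       # constructed passphrase
    found, guesses = dictionary_attack(header, SAMPLE_WORDLIST)
    cost = seconds_per_guess(header)
    print(f"recovered {found!r} after {guesses} guesses at {cost:.3f} s per guess")
    # Brute force over 8 lowercase letters at the same rate, for comparison with the wordlist.
    print(f"26^8 keyspace at this rate: {26 ** 8 * cost / 86400:.0f} days")
```

The recovered passphrase comes from a mangling rule rather than a raw wordlist entry, which is the usual case in practice. The 26^8 figure shows why a high-iteration KDF pushes an examiner towards the other options in the list (better wordlists, a virtualised clone to work on later, or a key recovered from memory) rather than exhaustive search.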

How can investigators stop a technically sophisticated suspect, who is online at the moment of the raid, from tampering with or erasing the digital evidence?

Distraction
  • Hoax parcel delivery
  • Meter reader
  • kiss-o-gram
Disablement
  • disconnect electrical power supply
  • pipe CS gas
  • use a taser

Reverse engineering

aims to understand both:

  • how malware technically behaves, and
  • how an opaque system functions, before a forensic investigation of it begins
Licensed under CC BY-NC-SA 4.0
Last updated on May 03, 2022 17:12 +0100