New Anti-Forensics Tools Thwart Police

rabblerouzer writes "Antiforensic tools have slid down the technical food chain, from Unix to Windows, from something only elite users could master to something nontechnical users can operate. 'Five years ago, you could count on one hand the number of people who could do a lot of these things,' says one investigator. 'Now it's hobby level.' Take, for example, TimeStomp. Forensic investigators poring over compromised systems where Timestomp was used often find files that were created 10 years from now, accessed two years ago and never modified."
  • by Trifthen ( 40989 ) on Thursday May 31, 2007 @10:27PM (#19346957) Homepage
    Timestomp? Now I've heard everything.

    Any hacker/script-kiddie with a working knowledge of touch and a 'find' command could wreak equal havoc. Combined with a quick filter and another perl script to generate random timestamps, all launched regularly from cron? Forget it. Forensics folks would be better off scouring logs for a non-tainted timestamp and counting directory inode entries for approximate age.

    Of course, this says nothing of rootkits, which can be downright subversive, embedding themselves into kernel space where not even the OS knows they exist, where they can wreak untold havoc with historical system data or encryption. I bet there's even a script-kiddie version of anti-forensics tools out there, where it just cron-obfuscates anything trackable. Logs, timestamps, frequent automated sweeps of shred over unallocated disk blocks, inode reordering, and so on.

    Now that I think about it, that might be a good idea. I got some work to do. ;)
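A defender-side check for the inconsistency the summary describes (files created years from now, accessed before they existed) and for the "non-tainted timestamp" the post above suggests hunting for: on Unix-like systems ctime is set by the kernel and not by utimes(), so it anchors when a stamp was really changed. This is an added example, not code from the thread or the article; the `FileTimes` record, `check_file` and the sample files are all constructed here.

```python
"""Flag files whose timestamps are internally inconsistent.

Added example (not from the Slashdot thread or the article it links).
The records below are constructed; on a real image they would be filled
from the filesystem metadata (stat(2), or the $STANDARD_INFORMATION and
$FILE_NAME attributes on NTFS) instead.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timezone

DAY = 86400.0
YEAR = 365 * DAY
# Reference clock for the constructed sample: the date of the thread.
NOW = datetime(2007, 6, 1, tzinfo=timezone.utc).timestamp()


@dataclass
class FileTimes:
    path: str
    crtime: float  # creation (birth) time, epoch seconds
    mtime: float   # last content modification
    atime: float   # last access
    ctime: float   # last inode/metadata change; set by the kernel, not by utimes()


def check_file(f: FileTimes, now: float, skew: float = 300.0) -> list[str]:
    """Return the reasons `f` looks stomped; an empty list means consistent.

    `skew` absorbs ordinary clock drift so a few minutes' disagreement is
    not reported.
    """
    reasons = []
    for name, t in (("crtime", f.crtime), ("mtime", f.mtime),
                    ("atime", f.atime), ("ctime", f.ctime)):
        if t > now + skew:
            reasons.append(f"{name} is in the future")
    # ctime starts equal to crtime and only ever moves forward with the
    # real clock, so it cannot legitimately precede creation.
    if f.ctime < f.crtime - skew:
        reasons.append("ctime precedes creation")
    # utimes()/SetFileTime let a user set mtime, but the kernel then bumps
    # ctime to the true current time, and content writes bump it too.  A
    # mtime later than ctime therefore cannot come from a real write.
    if f.mtime > f.ctime + skew:
        reasons.append("mtime later than ctime")
    # Weak heuristic: tools that take whole-second arguments leave the
    # fractional part zero on every settable stamp.  Noisy on FAT, whose
    # stamps are coarse anyway, so treat it as corroboration only.
    if all(t == int(t) for t in (f.crtime, f.mtime, f.atime)):
        reasons.append("all settable stamps have a zero sub-second part")
    # NOT flagged: mtime older than crtime.  Copying with cp -p or unpacking
    # an archive preserves mtime while the copy gets a fresh crtime.
    return reasons


def scan(files: list[FileTimes], now: float) -> dict[str, list[str]]:
    """Map each suspicious path to its list of reasons."""
    return {f.path: r for f in files if (r := check_file(f, now))}


# Constructed sample.  The first record mirrors the article's Timestomp
# description: created ten years from now, accessed two years ago, never
# modified.  ctime keeps the real time the stomping happened.
SAMPLE_FILES = [
    FileTimes("stomped.doc", crtime=NOW + 10 * YEAR, mtime=NOW + 10 * YEAR,
              atime=NOW - 2 * YEAR, ctime=NOW - 1 * DAY + 0.123),
    FileTimes("notes.txt", crtime=NOW - 400 * DAY + 0.5, mtime=NOW - 30 * DAY + 0.25,
              atime=NOW - 1 * DAY + 0.75, ctime=NOW - 30 * DAY + 0.25),
    # mtime set back three years with touch; the ordering stays legal, so only
    # the ctime (two days ago) still bounds when that change really happened.
    FileTimes("backdated.log", crtime=NOW - 5 * DAY + 0.1, mtime=NOW - 3 * YEAR,
              atime=NOW - 3 * YEAR, ctime=NOW - 2 * DAY + 0.4),
    # cp -p style copy: an old mtime on a new file is normal and is not flagged.
    FileTimes("copied.jpg", crtime=NOW - 2 * DAY + 0.3, mtime=NOW - 1 * YEAR + 0.6,
              atime=NOW - 2 * DAY + 0.3, ctime=NOW - 2 * DAY + 0.3),
]

if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_FILES, NOW).items():
        print(path)
        for r in reasons:
            print("   ", r)
```

The `backdated.log` record shows the limit of ordering checks alone: a stamp pushed into the past stays consistent, and only the untouched ctime narrows down when it was done.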
  • So... (Score:5, Insightful)

    by X0563511 ( 793323 ) * on Thursday May 31, 2007 @10:31PM (#19346987) Homepage Journal
    The obvious message to law enforcement is that people don't like others going through their things.

    Personally, I'm all for it! The timestomp tool they mentioned seems more for oh-shit scramble-the-evidence rather than general usage... that kind of timestamp manipulation can really frig up a system.

    Personally I'm a fan of disk encryption using algorithms and key-lengths that make it extremely impractical to get in once the system is powered down. If up however... you have three strikes at getting in and all future packets from your IP are silently dropped for several days. Local access isn't a problem either... open the case and power goes out... and after 10 minutes of idle-time the system locks (only way in is password or reboot... obviously reboot isn't helpful).

    Call me paranoid. I am. I also like my privacy. Yes, I DO have something to hide: MY LIFE! I don't want you in my stuff at all!!! It doesn't matter that there is nothing illegitimate or illegal on the damn things, I still don't care.
  • by iminplaya ( 723125 ) on Thursday May 31, 2007 @10:39PM (#19347049) Journal
    Subject says it all. We give the damn things way too much power. Beware of the ATM!
  • Key quote (Score:3, Insightful)

    by gillbates ( 106458 ) on Thursday May 31, 2007 @11:03PM (#19347263) Homepage Journal

    They're using stego? Maybe we drop some stego on them.

    Yeah, cause my stego *ROCKS* yo!

    I'm thinking even the most avant-garde anti-forensics tool could fool this guy. Yeah, anti-forensics might be a problem for him, but last time I checked, having a future date on your warez or kiddie porn won't save you from prosecution. In fact, using something like Timestomp is more or less likely to convince the jury that you are indeed a criminal.

    And likewise, it takes a very *good* steganography tool to really hide things. Sure, you could fool your friends, but you aren't likely to fool a forensic investigator with a basic knowledge of statistics. Could I tell the difference between a good and mediocre steganography tool? Probably. Could the average criminal? Probably not. A mistake as simple as hiding your data in images gleaned from the web would be enough to trip someone up: Here's a hint - if the image looks the same as the one on the web, but the checksums don't match, something's up. I'm guessing a shell script could go through the hard drive and do most of the work for the investigator. 17 hours isn't so short anymore...

    If you don't want the cops to find it, use encryption. If you want deniability, use the double-xor technique mentioned in Bruce Schneier's Applied Cryptography. But don't bother thinking that bogus timestamps are going to foil any serious forensic investigator. The relative location of a file's blocks on the hard drive is going to give at least an approximate date of file creation, even if you do obliterate the timestamp, and every forensic investigator worth his salt knows this.

  • by siddesu ( 698447 ) on Thursday May 31, 2007 @11:05PM (#19347277)
    look up truecrypt. it has had that plausible deniability thing for years now ;)
  • by _Sprocket_ ( 42527 ) on Thursday May 31, 2007 @11:09PM (#19347295)

    Any hacker/script-kiddie with a working knowledge of touch and a 'find' command could wreak equal havoc. Combined with a quick filter and another perl script to generate random timestamps, all launched regularly from cron? Forget it. Forensics folks would be better off scouring logs for a non-tainted timestamp and counting directory inode entries for approximate age.


    And that seems to be the point - how many of these types actually know how to use touch or find... much less put together a perl script? By "hobbyist" they're not talking about our level of knowledge... they're talking average punk who thinks double-clicking a rootkit is advanced hacking. Criminals aren't always the sharpest crayons in the box.

    I met one of the FBI agents involved in the investigation of Zimmerman over PGP. After that case, she moved on to child pornography cases. I asked her how many times they ran into PGP being used by people trading in kiddie porn. Not a single one. She noted that the folks they were busting just weren't smart enough to understand that kind of thing.

    That basic precautions are showing up enough to give investigators a problem says something both about the attackers and the investigations.
  • Tools (Score:4, Insightful)

    by Kythe ( 4779 ) on Thursday May 31, 2007 @11:11PM (#19347319)
    What would be interesting to me: a tool that deliberately modifies timestamps and/or creates ghost deleted files to tell a normal-looking story of computer use, when the actual history has been anything but.

    In other words, forensics tools can assemble the history of file use on a disk. If it's known that the disk was in use before a certain date, but no timestamps can be found before that date (on current or deleted files), one may suspect the disk was wiped at that point. Likewise, physical disk usage for a given file system type has known and studied statistical characteristics over time. If the statistics are off, if you don't find deleted file images where you expect them, you may suspect that the freespace was wiped, or that certain unused disk space that would normally contain deleted file images contained files that are now wiped.

    What happens when you have a tool that modifies timestamps on current and deleted files such that a normal distribution of them extend back before the date of disk wipe? Even worse, what happens if the tool can create "ghost" images of deleted files, in order to fool tools that look for normal statistical disk usage?

    Once you have such a tool, wiping a disk and starting over can literally be done undetectably. So much for worry about having to maintain disk drive evidence after being hit with a subpoena.
  • Persuasion (Score:5, Insightful)

    by gillbates ( 106458 ) on Thursday May 31, 2007 @11:16PM (#19347357) Homepage Journal

    In 'Merica, we call it gitmo. Encrypshun don't fool us nohow, nosir.

    'fter all, if yah ain't guilty, watcha hidin' stuff fer? Dontcha know there's a war goin' on?

  • Re:Macs... (Score:4, Insightful)

    by Anonymous Coward on Thursday May 31, 2007 @11:23PM (#19347389)
    Mind you, criminals are not usually noted for their cunning and intelligence....

    Well, you only hear about the ones that get caught.

  • Re:Persuasion (Score:5, Insightful)

    by Mr2001 ( 90979 ) on Friday June 01, 2007 @12:05AM (#19347683) Homepage Journal
    That's what packages like TrueCrypt [truecrypt.org] with hidden volume support are good for. The Man tortures you, you give up a key, and he finds some fake secret files, while your real secret files are still safely hidden.
  • by Psiven ( 302490 ) on Friday June 01, 2007 @12:30AM (#19347811)
    I didn't think encrypting data twice or more over increased its level of security. Can anyone say a piece on this?
  • Ever since (Score:4, Insightful)

    by gillbates ( 106458 ) on Friday June 01, 2007 @12:35AM (#19347841) Homepage Journal

    I read Ken Thompson's Reflections on Trusting Trust [acm.org], it has always occurred to me that any computer crime is completely untraceable. It is only laziness on the part of the criminal which allows him to get caught. It is possible for someone to completely cover their tracks and leave no evidence of their actions.

    But it is also possible to log every action a hacker does. Erasing the logs doesn't do much when the compromised system is virtually hosted and every action recorded for later playback - on a system which isn't even visible to the hacker. And consider the possibility of tracing at the network level. It is possible to physically connect an ethernet chip to a network and capture all traffic on the network without ever joining the network. That is, the card can sniff the wire in a read-only mode without ever publishing its MAC address or responding to ARP queries. Even if the hacker does use encryption, can he really be sure that his machine hasn't been rooted and keylogged? Can today's hackers verify even the microcode inside their processors and BIOS? If he can cover his tracks, so can the FBI.

    How does a hacker know his rootkit isn't spying on him? Even if you have the source, a compromised compiler or assembler can still produce a compromised executable. Should you verify the executable by hand, you still have the possibility of a vulnerability in the processor's microcode. Something as simple as making any area of memory available to the NIC when a certain opcode sequence is executed could be hidden very well and provide a veritable back door to law enforcement.

    Unless you are willing to build your own computer from scratch and never connect it to a public network, you can never prove that you aren't compromised. Sure, we can talk statistics and likelihood and incentives and human factors and whatnot, but it doesn't change two fundamental aspects of the computer:

    1. Changing computer data at the most basic level can be done without leaving any evidence, and
    2. You can't prove the code you are running doesn't have security vulnerabilities without spending an inordinate and impractical amount of effort.

    Your average user - heck, even most programmers and hackers - don't have the time to trace through every possible instruction path in the software they use. They aren't going to burn their own BIOS EEPROMs to be sure the BIOS isn't bugging them. They aren't going to surgically remove the processor's cover and verify the die pattern to be sure the microcode isn't compromised.

    Instead, they're going to trust the responses their computer shows them. Just like the rest of us - it's a gamble. Maybe the hacker compromised a bank - or maybe, the bank is in cahoots with the FBI, and he's just knocked over the honeypot. He won't know until he goes to the bank - and withdraws his cash, or gets arrested.

    Still a pretty big risk, imho.

  • by Anonymous Coward on Friday June 01, 2007 @12:41AM (#19347873)
    You'd have to be careful about the choice of encryption algorithms when you do this. There are good reasons (which I can't cite off the top of my head; I'm no cryptographer) why triple DES, for example, has an encrypt-decrypt-encrypt pattern, rather than encrypt-encrypt-encrypt. Even then, all you achieve is a doubling of the effective key length, not a tripling (and remember that the actual key is three times as long - each step uses a different key).

    Cryptography is hard. I know enough to know that I know nothing about it, and that I'd screw the pooch on any crypto system I might implement. If you haven't a very solid maths background, and a lot of experience breaking cyphers (and I'm talking about more than just the simple Julius shift here), odds are extremely high that there's a flaw you've overlooked in your system.
  • by nmb3000 ( 741169 ) on Friday June 01, 2007 @12:42AM (#19347877) Journal
    I don't mean to sound like a moron or naive but are Linux rootkits really that prevalent?

    Considering that rootkits originated in Unix (hence "root"), I imagine that they are as prevalent in Linux as they are in any operating system (the argument of uptime notwithstanding).

    Besides, a rootkit does not have to reside in kernel space to be very effective. Simply replacing many of the key binaries (init, bash, getty, ls, top, ps, etc depending on *nix flavor) will do wonders for probably 98% of systems out there. That said, I'm sure there are some which do reside in kernel space (a kernel module perhaps?) or maybe even some that are simply modified kernels (the source is available after all). How do you know that the kernel your system is running has not been compromised?

    After doing a quick google search for "rootkits for linux", I found a few for the old 2.0 and 2.2 Linux kernels...

    I tend to doubt you'll find the latest and greatest rootkit via Google. If you know the right people, I'm sure you can get whatever you need.
  • by Fulcrum of Evil ( 560260 ) on Friday June 01, 2007 @12:45AM (#19347907)
    Sure it does - 2DES ~= DES in terms of security, while 3DES is better. Naturally, this means that the 3 level encryption scheme is dependent on the actual algorithm and serves mainly as a method for frustrating forensics. Probably AES - block shuffle - AES (different key) would make for some fun, but that assumes that they just want to convict you of something. If they think you can get at the data and want it bad enough, they'll just work you for it.
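Psiven asked above whether encrypting twice adds security; the replies say it roughly doubles, not triples, the effective key length, and that 2DES is about as strong as DES. The reason is the meet-in-the-middle attack, shown here on a constructed toy cipher as an added example that is not from the thread: `toy_encrypt`, `meet_in_the_middle` and the demo keys are all made up for the illustration.

```python
"""Meet-in-the-middle against double encryption, on a constructed toy cipher.

Added example, not from the thread.  The cipher is a deliberately tiny
toy (16-bit block, 16-bit key, no security claims) so that the attack
finishes in about a second; the argument is the same one that leaves
2DES with ~2^57 work instead of 2^112, and 3DES with 2^112 instead of 2^168.
"""
from __future__ import annotations

MASK = 0xFFFF
MUL = 0x9E37                       # odd, so multiplying mod 2^16 is a bijection
MUL_INV = pow(MUL, -1, 1 << 16)    # its inverse, for decryption
ROUNDS = 4
KEYSPACE = 1 << 16


def rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (16 - n))) & MASK


def rotr(x: int, n: int) -> int:
    return ((x >> n) | (x << (16 - n))) & MASK


def toy_encrypt(block: int, key: int) -> int:
    """Toy block cipher: xor a round key, rotate, multiply-add.  NOT secure."""
    for r in range(ROUNDS):
        block ^= key ^ (r * 0x5555)          # round key = key xor round constant
        block = rotl(block, 3)
        block = (block * MUL + 0x1234) & MASK
    return block


def toy_decrypt(block: int, key: int) -> int:
    """Exact inverse of toy_encrypt, undoing the rounds in reverse order."""
    for r in reversed(range(ROUNDS)):
        block = ((block - 0x1234) * MUL_INV) & MASK
        block = rotr(block, 3)
        block ^= key ^ (r * 0x5555)
    return block


def double_encrypt(block: int, k1: int, k2: int) -> int:
    return toy_encrypt(toy_encrypt(block, k1), k2)


def meet_in_the_middle(pairs: list[tuple[int, int]]) -> tuple[list[tuple[int, int]], int]:
    """Recover (k1, k2) from known plaintext/ciphertext pairs.

    Brute force over both keys would try 2^32 combinations.  Instead we
    tabulate E_k1(p0) for every k1, then for every k2 compute D_k2(c0) and
    look it up: a hit means E_k1(p0) == D_k2(c0), i.e. the two halves
    "meet in the middle".  Returns (surviving key pairs, encryptions used).
    """
    (p0, c0), rest = pairs[0], pairs[1:]
    work = 0
    middle: dict[int, list[int]] = {}
    for k1 in range(KEYSPACE):
        middle.setdefault(toy_encrypt(p0, k1), []).append(k1)
        work += 1
    found = []
    for k2 in range(KEYSPACE):
        work += 1
        for k1 in middle.get(toy_decrypt(c0, k2), ()):
            # With a 16-bit block, one pair leaves ~2^16 chance matches out of
            # 2^32 key pairs; each further known pair cuts them by 2^16.
            if all(double_encrypt(p, k1, k2) == c for p, c in rest):
                found.append((k1, k2))
            work += 2 * len(rest)
    return found, work


# Constructed demo keys and three known plaintexts.
KNOWN_K1, KNOWN_K2 = 0xBEEF, 0x1337
KNOWN_PAIRS = [(p, double_encrypt(p, KNOWN_K1, KNOWN_K2))
               for p in (0x0000, 0x4D49, 0x544D)]

if __name__ == "__main__":
    found, work = meet_in_the_middle(KNOWN_PAIRS)
    print("recovered:", [(hex(a), hex(b)) for a, b in found])
    print(f"encryptions: {work} (~2^{work.bit_length() - 1}) vs 2^32 by brute force")
```

The cost is memory (one table entry per key) rather than time, which is why the encrypt-decrypt-encrypt construction of 3DES with three keys still only buys 2^112 work.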
  • by Kjella ( 173770 ) on Friday June 01, 2007 @12:46AM (#19347911) Homepage
    I met one of the FBI agents involved in the investigation of Zimmerman over PGP. After that case, she moved on to child pornography cases. I asked her how many times they ran into PGP being used by people trading in kiddie porn. Not a single one. She noted that the folks they were busting just weren't smart enough to understand that kind of thing.

    <advocate client="Devil">
    So that means one of two things:
    1. Smart people aren't trading in child pornography or
    2. Smart people weren't caught to begin with, and still aren't

    And it probably shows just how stillborn general encryption of mail is. If average people don't learn that under threats of years in prison, what could possibly make regular people do it?
    </advocate>
  • Re:Pfft. (Score:5, Insightful)

    by plover ( 150551 ) * on Friday June 01, 2007 @12:49AM (#19347923) Homepage Journal
    At work the standard we gave our service vendor for destroying failed drives involved a drill press and epoxy. We're concerned about data thieves, not Three Letter Agencies.

    For my personal drives at home, I just use a three pound hammer. A scraped, smashed and warped platter hitting the trash bin is effectively unreadable, and all I'm really concerned about is a bad guy finding bank account information. If someone official really wanted a working drive of mine, pajama-clad ninjas would probably come for it in the middle of the day while I was at work anyway.

  • by patio11 ( 857072 ) on Friday June 01, 2007 @01:03AM (#19347973)
    I'm going to approach this from the perspective of A Bad Guy, because realistically if you're not A Bad Guy and you get arrested you have already hit your security worst-case scenario. You're now arrested, your computer is in government hands, and you are about to take major financial and reputational damage before being released. (Some folks might say I'm naive for assuming you'll be released. Fine, don the tinfoil hats if it please you, but if The Man can lock you up when you haven't done anything then encrypting what you haven't done doesn't afford you additional protection now does it? Similar for the "good guy using encryption" examples like dissidents in China -- lack of discoverable evidence does not render the back of your head immune to gunfire.)

    If you're A Bad Guy, on the other hand, there might be a significant difference between "major financial and reputation damage" and "being convicted of possession of child pornography". So let's consider a savvy Bad Guy who has screwed up and somehow alerted law enforcement of his existence. Maybe he was indiscreet with an accomplice, maybe the ISP logs show him as downloading young-kids-get-it-on.avi, maybe the feds caught him receiving a tape in the mail (the Postal Service has a division devoted to investigation for a reason, folks). So somebody had enough evidence to get their boss to sign off on a use of department resources to open an investigation, probably enough evidence to convince a judge to order a search or arrest warrant, and the fishing expedition begins in earnest.

    At this point, Bad Guy is boned. He not only has the same problems Not A Bad Guy has with being arrested, but he has an adversary with virtually limitless resources relative to him now picking his security apart. And they will almost certainly find a place where he screwed up. Do they need to beat his passwords out of him? Hardly. If they're confident Bad Guy is a bad guy, when the computer shows clean they'll say "Hmm, we're quite sure these records say he is downloading young-kids-get-it-on.avi... widen the scope of the investigation", and then they'll start strip mining every bit of data they can get about the guy, and when you have a badge and a concerned looking face you can get an awful lot.

    And, somewhere, Bad Guy screwed up. It doesn't matter how careful or exotic his protections were, he screwed up somewhere and it's probably somewhere that will look stupid in hindsight. The CIA does it all the time, too -- covert ops blown by cell phone records, doesn't matter how many things you get right when the adversary has the luxury of winning from your first mistake. Maybe a photo fell behind his printer, maybe he used his credit card to pay for something sketchy 4 years ago, maybe one of his pedo buddies got picked up three weeks ago and turned state's evidence. Doesn't matter -- a significantly interested adversary will find the 1% of screwups eventually given enough time to look for them. And for the 99% that are behind the impenetrable security barrier? Doesn't matter, that one photo which fell behind your printer will send you to prison for years anyhow.
  • by mbstone ( 457308 ) on Friday June 01, 2007 @01:04AM (#19347983)
    To assert your Constitutional rights, you'll need ready access to $50K for lawyers (and perhaps expert witnesses); otherwise you'll get the Public Defender and it will be explained to you that your only option is to plead guilty, thereby avoiding being sentenced to 0xFF years in jail. IAAL.
  • Re:Ever since (Score:3, Insightful)

    by rtechie ( 244489 ) on Friday June 01, 2007 @01:11AM (#19348017)

    Even if the hacker does use encryption, can he really be sure that his machine hasn't been rooted and keylogged? Can today's hackers verify even the microcode inside their processors and BIOS? If he can cover his tracks, so can the FBI.
    Yeah, if you assume Orwellian powers on the part of the FBI. No, the FBI doesn't have secret backdoors in all the hardware and software because it would take a VERY short period of time before those backdoors became public knowledge, making them near-useless AND compromising everyone's security. This is exactly what has happened in the past and I don't see them repeating these mistakes. I can't think of a worse idea than the FBI distributing trojan rootkits into the wild.

    Maybe the hacker compromised a bank - or maybe, the bank is in cahoots with the FBI, and he's just knocked over the honeypot. He won't know until he goes to the bank - and withdraws his cash, or gets arrested.
    I don't think you understand how most of these investigations work. 9/10 the hacker in your example won't be caught by ANYTHING related to computers. Some "friend" of his will rat him out or the police will get a tip or something and they'll start investigating HIM. Or alternatively they'll get a complaint from the bank (unlikely) and start looking into the "usual suspects", hackers they've "identified" before. Eventually they'll find some people who said the suspect bragged about it or about his "mad hacking skillz" and then serve a search warrant which reveals he actually owns computers.

    And that's it. No forensics whatsoever. They get a few witnesses to say "he's a hacker", show that he had lots of computer equipment, and then they pin whatever it is they wanted to pin on him. This is usually how these cases go.

  • Epically bad. (Score:5, Insightful)

    by rjh ( 40933 ) <rjh@sixdemonbag.org> on Friday June 01, 2007 @01:36AM (#19348147)
    I am an NSF-funded researcher in computer security, focusing on electronic voting. Data privacy and confidentiality are very important to us, as you can imagine.

    Your idea is quite terrible.

    First, what do you mean by a file "without signature"? Take a zip archive as an example--even if you strip off the zip header, any forensicist worth his or her salt can figure out it's a zip archive, just because of the way the data is structured. Encrypted filesystems have structure, too. A data forensicist can recognize an encrypted container on the basis of its structure. (Some people have recommended to you TrueCrypt in hidden volume mode. This is bogus. I'll explain that if you want.)

    Second, you appear to not understand how crypto works. Two layers are better than one, right? So double ROT13 encryption is stronger than single ROT13, right? You're running smack into a major, well-known area of crypto. A lot of ciphers do not composite themselves well. You are almost always better off just picking one algorithm with a strong keysize than a composition of multiple algorithms.

    Third, how do you plan on managing all of your keys? Key management is a thorny enough problem in the best of times. By relying on multiple keys you're multiplying the problem immensely.

    You really need to do some basic research in crypto.
  • Re:Epically bad. (Score:5, Insightful)

    by rjh ( 40933 ) <rjh@sixdemonbag.org> on Friday June 01, 2007 @02:54AM (#19348509)
    What I love about Slashdot armchair lawyers is their naive faith in the criminal justice system.

    So you go to trial. So you're acquitted. But by the time you get acquitted, you're front page news in all the local newspapers. You're getting death threats. Your family is shunned. You get let go from your job because you're bringing too much controversy. Your life, not to put too fine a point on it, is fucked.

    You may want to look into Wen Ho Lee [wikipedia.org], Steven Hatfill [wikipedia.org], Richard Jewell [wikipedia.org] and John De Lorean [wikipedia.org], all of whom had this exact thing happen to them.

    Hatfill has never been charged. Jewell was totally exonerated, as was De Lorean. Wen Ho Lee pleaded guilty to a minor count just to make the madness stop, and received a profuse apology from the bench for how he was mistreated.

    Also, have you been following what happened in Durham, North Carolina recently with respect to prosecutorial misconduct in a rape case [blogspot.com]?

    You really, really need to acquaint your beliefs on how the law works with the reality of how the law works.
  • Indeed. (Score:4, Insightful)

    by Mr2001 ( 90979 ) on Friday June 01, 2007 @03:08AM (#19348571) Homepage Journal
    The "flaw" pointed out by the GP is only a flaw if you're being tried in a kangaroo court. I don't think our court system has gotten that bad.

    I mean, if you're dealing with a corrupt court where you're guilty until proven innocent, you don't even have to be using encryption to get screwed this way. The DA might just as well accuse you of using steganography to hide illegal photos in random files spread all across your hard drive, which is equally impossible to disprove.

    I'm not sure what you mean by the "structured nature of the hidden volume", though. TrueCrypt hidden volumes have no plaintext header, just like main volumes, and as long as the crypto methods in use are good ones, the encrypted data will be indistinguishable from random bytes, no matter how well-structured the plaintext is.

    There are attacks against hidden volumes, but they basically involve taking snapshots of the whole volume at separate points in time, then obtaining the main volume's key and checking whether any changes have been made to "unused" areas of the filesystem.

    That is, I could sneak into your house and copy the disk today (version A), then come back next month, seize the disk (version B), and force you to give up the main volume key. I can then mount both versions of the partition and look for differences between them. If there are any areas that contained random data in version A, and different-but-still-random data in version B, I can be pretty sure it means you were writing to a hidden partition located there.

    I think the best defense against that attack would be for TrueCrypt to randomly write chunks of new random data to the free space of mounted volumes, which would disguise the writes made to hidden volumes. (Of course you'd need to use both keys when mounting the main volume so it knew not to clobber your hidden data.)
  • In our court system, you are innocent until proven guilty, the burden of proof is on the state.

    This is true for sufficiently high values of w, where w is your net worth. If you can't afford tens of thousands of dollars to fight a bogus charge, then you're effectively screwed, particularly if the charge is one of the very emotionally charged ones (child porn, rape, terrorism, etc.).

    You'd quickly end up in a situation where you'd be facing a team of prosecutors, working with virtually unlimited taxpayer funds (gotta protect the children, right?), against your fresh-out-of-lawschool public defender, whom if you're unlucky, you might have to share with half a dozen other defendants. And chances are, they're going to believe you're guilty and (consciously or not) treat you like it.

    There have been a lot of sociological studies and research done on the U.S. legal system. People who can't afford lawyers plead guilty at an astoundingly high rate, and the entire system is set up to "process" them as quickly as possible, from arrest through to prison.

    The system works like you describe in the best case scenario, but even then, it'll probably leave you bankrupt.
  • Re:Pfft. (Score:3, Insightful)

    by eln ( 21727 ) on Friday June 01, 2007 @03:33AM (#19348679)
    In my first job, we had a 250 MB rack mounted hard drive. In those days, a head crash was almost like a car crash in terms of violence and noise. These days, of course, head crashes are much less violent, but certainly still exist.
  • It's nonsense (Score:5, Insightful)

    by Paul Crowley ( 837 ) on Friday June 01, 2007 @05:37AM (#19349277) Homepage Journal
    Encrypt once using a good algorithm. Multiple encryption is Hollywood-style security.
  • Re:Indeed. (Score:3, Insightful)

    by Mr2001 ( 90979 ) on Friday June 01, 2007 @05:57AM (#19349377) Homepage Journal

    You'd have a fairly strong defense against that accusation if your hard drive contains no steganography tools. That's sort of the issue with truecrypt - it doesn't prove you have child porn, or even a hidden volume, but it's not unreasonable to suppose you might, if you have truecrypt, there is other circumstantial evidence, and a 'snitch' who's just reliable enough of a witness to sway a jury.
    Luckily, in a criminal case, the standard is "guilty beyond a reasonable doubt", not "one could reasonably suppose you might be guilty".
  • Re:It's nonsense (Score:3, Insightful)

    by bWareiWare.co.uk ( 660144 ) on Friday June 01, 2007 @06:12AM (#19349443) Homepage
    The point is which is the 'good algorithm'? There is no way of proving the NSA haven't found a weakness in any given scheme. By using three different 'good algorithms' you are bettering your odds.
  • by vinn01 ( 178295 ) on Friday June 01, 2007 @06:16AM (#19349459)

    Our justice system is run by elected officials (with media support). If you want fair treatment (justice) you had better hope that:

    - it's not an election year
    - the case has not generated a lot of media attention
    - the case is not worthy of media attention when the DA holds a press conference
    - the DA (and many others in the justice system) are not career building, and looking at your case as an opportunity to advance

    The last one is the kicker. For every case there are dozens of people in the justice system that will get beneficial career advancement material from a successful conviction. That's my observation.
  • Re:So... (Score:4, Insightful)

    by misanthrope101 ( 253915 ) on Friday June 01, 2007 @07:06AM (#19349643)
    How hard can it be to make stuff, for all practical purposes, inaccessible? Truecrypt + VMplayer + keyfiles + good passphrases has to equal some pretty good security. Of course that only applies if they burst through the door, not if they came in quietly while you were shopping and installed keyloggers and screencap software ahead of time and then arrest you later. If they're that interested in you, and they have physical access to your system, you're toast anyway. But I somehow doubt the local PD is going to break a Truecrypt container or PGP key, unless your passphrase is written down...oh wait.
  • Re:Epically bad. (Score:5, Insightful)

    by asninn ( 1071320 ) on Friday June 01, 2007 @07:15AM (#19349685)
    But the law and the legal system *did* work in these cases; it was society, the media etc. that didn't. Not that it helps the victims, of course, but you need to recognise that this is a failure of society, not one of the criminal justice system, if you want to fix it.
  • by unlametheweak ( 1102159 ) on Friday June 01, 2007 @08:44AM (#19350215)
    The fact is, you haven't proven that a hidden partition cannot work. You have not proven your argument. You side-stepped it by pointing out social problems with the mass media. You have used rhetoric and flamboyant language to try and defend yourself.

    Recap:
    "Some people have recommended to you TrueCrypt in hidden volume mode. This is bogus. I'll explain that if you want."

    You can flame me if you wish. At least admit to yourself that you never answered the question. This topic is about Forensics, not the legal system.
  • by unlametheweak ( 1102159 ) on Friday June 01, 2007 @08:52AM (#19350313)
    I'll add to that. The topic is about forensics, and the thread is about crypto. The legal system and mass media is a bit of a red herring.
  • Re:Epically bad. (Score:3, Insightful)

    by computational super ( 740265 ) on Friday June 01, 2007 @09:04AM (#19350435)
    you have to be proven GUILTY in a court of law, not NOT guilty.

    Unless you've been accused of a crime against Our Nation's Most Precious Resource - The Children. Then you're guilty even after you prove you're not guilty.
