Anti Forensics Analysis of File Wiping Tools A Thesis Submitted in Partial Fulfillment of the Requirements for the Degree of Master of Science in Cyber Security by Narendra Panwar 14MS013 Under the Supervision of Dr. Babu M. Mehtre Associate Professor Center For Cyber Security, Institute For Development And Research In Banking Technology, Hyderabad (Established by Reserve Bank of India) COMPUTER SCIENCE AND ENGINEERING DEPARTMENT SARDAR PATEL UNIVERSITY OF POLICE, SECURITY AND CRIMINAL JUSTICE JODHPUR – 342304, INDIA May, 2016 UNDERTAKING I declare that the work presented in this thesis titled “Anti Forensics Analysis of File Wiping Tools”, submitted to the Computer Science and Engineering Department, Sardar Patel Uni- versity of Police, Security and Criminal Justice, Jodhpur, for the award of the Master of Science degree in Cyber Security, is my original work. I have not plagiarized or submitted the same work for the award of any other degree. In case this undertaking is found in- correct, I accept that my degree may be unconditionally withdrawn. May, 2016 Hyderabad (Narendra Panwar) ii CERTIFICATE Certified that the work contained in the thesis titled “Anti Forensics Analysis of File Wiping Tools”, by Narendra Panwar, Registration Number 14MS013 has been carried out under my supervision and that this work has not been submitted elsewhere for a degree. Dr. Babu M. Mehtre Associate Professor Center For Cyber Security, Institute For Development and Research in Banking Technology, Hyderabad May, 2016 iii Acknowledgment The success of this project work and thesis completion required a lot of guidance. I would first like to thank my supervisor, Dr. Babu M. Mehtre , for his excellent guidance. His advice, encouragement, and critics are the source of innovative ideas, inspiration and causes behind the successful completion of this dissertation. I would like to extend my sincere thanks to Dr. A. S. Ramasastri Director, IDRBT for providing all the necessary resources for the successful completion of my project. I wish to express my sincere thanks to Sh. M.L. Kumawat, Ex. Vice Chancellor, SPUP and Dr. Bhupendra Singh, Vice Chancellor, SPUP, for providing me all the facilities required for my project work. I would like to express my sincere appreciation and gratitude towards faculty mem- bers at S.P.U.P., Jodhpur, especially Mr. Arjun Choudhary, Mr. Vikas Sihag, for their encouragement, consistent support, and invaluable suggestions. I thanks to Mr. Ghan- shyab Bopche Ph.D. scholar who helped me, guided me at the time I needed the most. iv Finally, I am grateful to my father Mr. Uttam Chand Panwar, my mother Mrs. Durga Devi Panwar for their support. It was impossible for me to complete this thesis work without their love, blessing and encouragement. - Narendra Panwar v Biographical Sketch Narendra Panwar E-Mail: [email protected], Contact. No. +91- 8233381245 Father’s Name : Mr. Uttam Chand Panwar Mother’s Name : Mrs. Durga Devi Panwar Education • Pursuing Master of Science in Cyber Security department from S.P.U.P., Jodhpur. • B.Tech. in Information Technology from Engineering College, Ajmer with 63.44% in 2013. vi Dedicated to My Loving Family for their kind love & support. To my friends for showing confidence in me. vii }Once you start a working on something, don’t be afraid of failure and don’t abandon it. People who work sincerely are the happiest.~ - Kautilya viii Synopsis Digital forensics is a process of exploring pieces of evidence from a seized digital device. On the other hand, Anti-Forensics is a collection of tools and techniques to counter the forensics process and to frustrate the forensics investigation. Anti-Forensics (AF) Tools are used for the privacy purpose or to avoid forensics investigation. In this research we have tested three AF file wiping tools namely, “Eraser”, “File Shredder” and “R-Wipe And Clean”, and examined the Anti-Forensics claims made by these tools. Apart from that, we provide results of forensics examination of the system after wiping files using these tools. We have also found some artifacts related to the wiped files in the system, which remain untouched even after wiping the files using these tools. We also show that “Eraser”, “File Shredder” and “R-Wipe and Clean” tools are not completely Anti-Forensics Tools. Interestingly, it is found that all these tools are leaving specific patterns (signature, trail) after wiping a file, which can be used to detect the actual tool used to wipe the file. Keywords: Digital Forensics Anti-Forensics(AF) Wiping AF tools Anti-Forensics tools ix Contents Acknowledgment iv Biographical Sketch vi Synopsis ix 1 Introduction 1 1.1 Problem Statement . 2 1.2 Scope of The Work . 2 1.3 Organization of Thesis . 3 2 Literature Survey 4 3 Anti Forensics: Science to Counter Forensics Investigation 6 3.1 Defining AF . 6 3.2 Classification of AF . 7 3.2.1 Evidence Source Elimination . 8 3.2.2 Artifact Wiping . 9 3.2.3 Hiding Evidences . 12 3.2.4 Trail Obfuscation . 14 3.2.5 Attack Against Forensics Tools . 15 x 3.3 Desirable Features of AF File Wiping tool . 17 4 Areas of Forensics Interest in Windows System 19 4.1 Windows Registry . 19 4.1.1 LastRun MRU . 20 4.1.2 Recently Open/Save Files . 20 4.1.3 Recently Open Executable . 21 4.1.4 Recent Docs . 21 4.1.5 User Assist . 22 4.1.6 Last Registry Change . 22 4.1.7 Shell Bags . 23 4.2 Artifacts as files . 23 4.2.1 Recent Items . 23 4.2.2 Windows Event Logs . 24 4.2.3 Prefetch Files . 24 4.2.4 Temp Folder . 25 4.2.5 Tumbcache Database . 25 5 Experimenting with AF tools 27 5.1 Experimental Setup . 27 5.2 Forensics Examination . 28 5.3 Results Of Forensics Examination . 30 5.3.1 File Traces . 30 5.3.2 Tool Traces . 32 5.3.3 Identification of Tools Used for Wiping . 34 6 Conclusions and Future Work 39 7 Author’s Publications 41 References 42 xi List of Figures 1 Classification of AF techniques. 7 2 Eraser main window left, and available algorithms right. 11 3 File Shredder main window left, and available algorithms right. 11 4 R-Wipe and Clean main window left, and available algorithms right. 12 5 File content and slack space filled with secret message. 13 6 Hidden message in the file “sample.txt”, using Alternate Data Stream. 14 7 Linux command to create a zip bomb. 16 8 Actual size of zip bomb. 16 9 Size when extracting zip bomb is 1GB. 16 10 An ideal AF file wiping tool components, dark color components show tool related artifacts and light color components show file related artifacts. 18 11 Windows registry entry of RunMRU, showing run items from “Windows Run” . 20 12 Windows registry, shows open/save “PNG” files using windows explorer. 20 13 Windows registry, shows open save files using windows explorer. 21 14 Windows registry, shows recently opened docs as “.txt” format. 21 15 Windows registry entry containing UserAssist information with GUID number. 22 16 Windows registry entry of last key edited. 22 xiv 17 Windows Shell Bags information show using “ShellBagsView”. 23 18 Event logs using Microsoft Event Viewer. 24 19 Prefetch file od “CMD.EXE” using “NirSoft WinPrefetchView”. 24 20 Thumbnail of an image exist in “thumbcache database”. 25 21 Artifacts of File “A” at various locations, after creating and accessing the file. 28 22 Files “Test-file.mp4” wiped using “Eraser”, “xyz.mp4” using “File Shred- der” and “anti-forensics-derbi-conf.mp4” using “R-Wipe And Clean” in- formation found in $LogFile . 31 23 Changes are shown in the figure after wiping the file, region 1 shows artifacts that are removed by wiping. Region 2 shows artifacts which remain unchanged after wiping. 31 24 Magnified area showing MFT information of the file before wiping (shaded area in region-1), after wiping the file using “Eraser” (shaded area in region-2). .................................. 35 25 Magnified area showing MFT information of the file before wiping (shaded area in region-1), after wiping the file using “File Shredder” (shaded area in region-2).................................. 36 26 Magnified area showing MFT information of the file before wiping (shaded area in region-1), after wiping the file using “R-Wipe And Clean” (shaded area in region-2). .............................. 36 xv List of Tables 1 AF techniques and tools. 8 2 Selective File wiping tools. 27 3 Results of forensics examination after wiping files. 33 4 Traces of the wiping tools at various locations. 34 5 Residual patterns or identification method of the wiping tools. 37 xvi Chapter 1 Introduction Anti-Forensics is a collection of techniques and tools to counter the forensics analysis. Anti-forensics is defined as; “Any attempt to compromise the usefulness and availability of digital evidence to the forensics process”[11]. To understand the term Anti-Forensics we now compare digital crime with traditional crime. There are two categories of AF in both scenarios, first is pre-incident, and another is post-incident. The first category of AF is useful in planned activity, and these tools are useful before the incident takes place like; use of gloves, face mask in traditional crime and use of Live-OS, TOR in digital crime. In the second scenario the AF tools are applied after the incident like; removal of fingerprints, hide tools in traditional crime and wipe a sensitive file, fill fake evidence in the digital crime. Anti-forensics tools are also useful for legitimate purposes like; encrypting sensitive files, wiping private information[15]. Now we can define the Anti-Forensics as, An attempt to reduce the quality and quantity of digital artifacts to ensure that any sensitive information or evidence is never exposed by the other person or forensics investigator.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages58 Page
-
File Size-