
Defeating Computer Forensics

by protonigger (a.k.a Murder Mouse)

Section 1: The Introduction

Computer forensics is a field of computer science that has been both renowned and feared by the general public. This concept was first used in its primitive form in 1984 by the FBI's Magnetic Media Program, which later on became CART (Computer Analysis and Response Team). More attention began to be drawn to this field when the first International Conference on Computer Evidence was held in 1993. Two years later the IOCE (International Organization on Computer Evidence) was born, and interest in the field spread even further until the new millennium arrived and the FBI created the first Regional Computer Forensic Laboratory, bringing the services of computer forensics to every part of the States. Which brings us to the year 2005. Computer forensics is readily available and actively used in many computer crime investigations. The organizations mentioned above are nowadays racking up terabytes of confiscated data each year for analysis. So with all this attention spread through the internet, conferences, and the general media, the one question that has to be on some people's minds is "is there any way to keep files and information out of the hands of computer forensic investigators?" Well, the answer of course is yes, because if there wasn't then I wouldn't be writing this tutorial. However, to understand how to defeat computer forensic analysis you first have to understand the techniques used in these laboratories. So let's begin, shall we...

Section 2: An Overview of Computer Forensic Techniques

Well, for this overview the first thing you must understand is that there are three steps used by computer forensic investigators in their work...

  1. Taking an Image of the Device
  2. Processing the Image Obtained
  3. Analyzing the Results

When performing the first step the laboratory will attach a device to one of the communications ports available on the target CPU, and then record a complete copy of the data stored within the target CPU. When I say complete copy, I mean byte by byte, every single bit of data stored on the computer (this of course includes deleted and partially overwritten files). It's good to note here why such files can be recovered. Files on your computer are accessed through a file allocation table, which tells the operating system where on your disk a file can be found; each file is marked in the file allocation table by its identifier. When you delete a file you are not really deleting it off your computer, but are instead simply removing its entry from the file allocation table so that the computer can no longer access it. This brings us to the second step, which is processing. When the image has been copied onto the controlled device, the investigators process the image in order to recover deleted files, partially overwritten files, and of course the files and folders currently in use on the target CPU. The final step, of course, is to analyze the information that has been processed on the controlled device. From here the investigators can use the image just as they would the target computer (again, they use the image so that they have a controlled environment for the investigation). There are many ways an investigator might go about this. They will many times use the Search option already available on the computer to help find incriminating files. Other times they will manually go through folders (My Documents is a common starting point) and look for incriminating files or seemingly scrambled file names that indicate a recent deletion. They will also most likely search through cookies, temporary internet files, and internet history to take note of web usage, break passwords on protected files, attempt to decrypt any encrypted files on the computer, etc. There are many steps used during the analysis stage, and not all investigators use the same techniques. Every investigator usually has his or her own technique from here, within the confines of the usual protocol. So now that you hopefully have a pretty decent understanding of how computer forensic investigators work, let's discuss how to keep them out of our data...

Section 3: Defeating Computer Forensic Techniques

Well, let's say in theory that there are a lot of files on your computer that you just don't want recovered. Many dimwitted fools, from this thought, decide that formatting their computer would be the best way. After all, they can't recover what isn't there, right? Wrong. This is on the right track, but a single format is not going to keep investigators from recovering data on your computer, since formatting leaves plenty of sparse data on the disk which can be processed and assembled during the processing phase. So how do we wipe our hard drive clean to keep the data within it from being recovered? Simple. Perform multiple formats. Just create a boot disk with a spare floppy, reboot the computer, and then from your floppy disk perform a "format c:" on your hard drive. When you are finished with this, do it again. You can perform this action as many times as you feel is safe, but I'd suggest at least 7 times or so (this may sound paranoid, but it's better to be safe than sorry). How this works is that with each format, a little bit more of the sparse data scattered throughout your hard drive is removed. When you have performed this action enough times, the end result is that there is very little data to work with, and definitely not enough to construct into any kind of incriminating evidence. Now let's move on to another method that can be used if this seems a little too much for you: secure deletion tools. If you remember our discussion in the last section on how investigators recover deleted files, then you'll remember that a file is not completely taken off the hard drive when you delete it (it's simply taken off the file allocation table). Well, over time as these files sit, they are available to be overwritten since they are no longer in use. When a file is completely overwritten by the operating system it can no longer be recovered using computer forensic techniques. However, it takes quite a long time for a deleted file to be overwritten completely by the operating system. That is where secure deletion tools come in. Any decent secure deletion tool will scan your hard drive and completely overwrite any data that is not written into the file allocation table, as well as delete and overwrite any files that you specify. SDelete and WipeOut are two excellent examples of such tools. Below are the links you would visit to download these tools...

  • SDelete - http://www.sysinternals.com/Utilities/SDelete.html
  • WipeOut - https://onesecond-128.bit-encryption.net/cgi-bin/wo-download.cgi

SDelete is a freeware, command-line application for performing this method, while WipeOut is a trial GUI application. Both are pretty great options, so it's all up to you which you prefer. Personally I believe SDelete offers the best results. The best way to use SDelete is to extract sdelete from the .zip and then place it into either your system32 (NT/2000/XP) or command (9x/ME) folder. Then just open up a command prompt and type in "sdelete" to operate the program as if it were a Windows command. When you set your pass variable (how many times the program overwrites the file), set it somewhere between 7-10. That way you can be assured that the files are completely overwritten. Of course you won't have to worry about this if you go with WipeOut, since using it is pretty much the same as running a defragmenting application. There are also other techniques like steganography and cryptography, but it's much safer just to make a file "disappear" than to try to safeguard it with different algorithms and such. So that covers it for this section; all that's left is the conclusion...
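The behaviour described in sections 2 and 3 (an ordinary delete only drops the allocation entry, so an investigator carving the unallocated clusters of the image still finds the bytes; an overwrite is what actually removes them), shown as an added Python model that is not part of the original article. The disk geometry, file name and memo text are constructed, and the overwrite patterns are my own assumption, not those of SDelete or WipeOut.

```python
import re

CLUSTER = 16      # bytes per cluster (constructed toy geometry)
N_CLUSTERS = 8    # a 128-byte "disk" is enough to show the effect


class ToyDisk:
    """Minimal FAT-style model: a table naming each file's clusters, plus raw data."""

    def __init__(self):
        self.table = {}                              # name -> list of cluster indices
        self.data = bytearray(CLUSTER * N_CLUSTERS)  # the byte-by-byte "image"

    def free_clusters(self):
        used = {c for chain in self.table.values() for c in chain}
        return [c for c in range(N_CLUSTERS) if c not in used]

    def write(self, name, payload):
        chunks = [payload[i:i + CLUSTER] for i in range(0, len(payload), CLUSTER)]
        free = self.free_clusters()
        if len(chunks) > len(free):
            raise OSError("disk full")
        chain = free[:len(chunks)]
        for c, chunk in zip(chain, chunks):
            self.data[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
        self.table[name] = chain

    def delete(self, name):
        # Ordinary delete: only the table entry goes; the clusters keep their bytes.
        del self.table[name]

    def secure_delete(self, name, passes=3):
        # Overwrite every cluster of the file before dropping the entry
        # (alternating 0x00 / 0xFF fills are an assumed, simplified pattern).
        for c in self.table[name]:
            for i in range(passes):
                self.data[c * CLUSTER:(c + 1) * CLUSTER] = bytes([0x00, 0xFF][i % 2]) * CLUSTER
        del self.table[name]

    def carve_unallocated(self, min_len=6):
        """Investigator's view: printable runs in clusters no table entry points to."""
        blob = b"".join(self.data[c * CLUSTER:(c + 1) * CLUSTER] for c in self.free_clusters())
        return [m.decode() for m in re.findall(rb"[ -~]{%d,}" % min_len, blob)]


def demo(secure):
    """Write a constructed memo, delete it one way or the other, then carve the image."""
    disk = ToyDisk()
    disk.write("memo.txt", b"SECRET MEMO: meeting at noon")
    (disk.secure_delete if secure else disk.delete)("memo.txt")
    return disk.carve_unallocated()
```

`demo(False)` returns the memo text recovered from unallocated space; `demo(True)` returns an empty list.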

Section 4: The Conclusion

So in conclusion, though computer forensics has advanced greatly over the years and is effective in investigating and prosecuting cases most of the time, it's not exactly a failproof method of recovering incriminating data. Though the only 100% guaranteed method of keeping data from reaching the hands of computer forensic investigators is to destroy a hard drive beyond recovery and spread its parts throughout the planet, any of the techniques mentioned in the previous section will help you greatly in keeping the data you don't want recovered from being recovered. A good thing to note here is that just because computer forensic investigators can't recover incriminating data from your computer does not mean that the courts can't find a way to prosecute you. However, in certain cases, keeping incriminating data and information from being recovered by investigators will greatly increase your chance of having the charges against you dropped due to insufficient evidence. Also, I doubt this needs to be said, but none of the techniques above will really help you if you are caught off guard with the law breaking down your door, so if you have the slightest notion to remove incriminating data from your computer, or if you have incriminating data that is no longer of any use to you, then it would be a great idea to go ahead and dispose of such data before someone else recovers it. So anyways, hope you enjoyed this tutorial, and be sure to check in with Information Leak (www.informationleak.com) every once in a while to see if anything new has been added.

Note: If you have any questions or comments and feel the need to reach me then you can do so at [email protected] and I will try to get back with you as soon as possible.

(pointless note: Future tutorials posted by me on here will be posted under the name Murder Mouse)

To the best of our knowledge, the text on this page may be freely reproduced and distributed.
If you have any questions about this, please check out our Copyright Policy.
