HellBound Hackers
A paranoid approach to securing data
Posted by Phantomchaser on September 06 2009 - 01:04:21
Poking Big Brother in the eye...
Forensic analysis can be a serious problem for hackers.
Advanced tools enable analysts to locate files that have
been well hidden. Some tools are able to detect files
hidden in slack space. Some recover deleted files and
some check for hacking tools. As forensics becomes more
sophisticated, more work is required to protect your data.
I'm not going to debate what the best techniques are, but I thought
I would share some anti-forensic techniques or, as Adrian Crenshaw
calls it, occult computing.
One thing that can be useful to nosy people sifting through your
stash is time stamps. By looking at creation date, date modified
and last accessed, a schedule of events can be pieced together
to show when you did what. One tool to get around this problem is
Metasploit's timestomp. TimeStomp is a CLI tool that lets you
modify all of these attributes. By altering a file's time stamps
you can create your own "pattern of events" to obscure your
trail. You can set it to show that it was last accessed in 1776 if
you want. Maybe Washington needed to check his email...
Another thing to consider: I often see advice saying that you should
rename files and change the extension. Well, yes, but that's only
half of it. Files have other indicators of what they are and
what they contain. File headers indicate what type the file is.
If you've ever opened a jpg with a hex editor you will have seen something
along the lines of:
yoya + jfif (if you do it you'll get the idea)
After that there's the rest of the file. Well, that yoya tells what type
of file it is. Also, the hex value for a jpg will be:
ff d8 ff e0 some have e1, d8, or other
Executables start with MZ. Forensic tools will immediately recognize
these types and report that the file extension does not match. This
is a simple problem. Use a hex editor like WinHex or XVI32 or whatever
your favorite is and simply change the header to match whatever extension
you decide to use in your renaming. There is one caveat, however.
File size will not change, so make sure that what you change it to
seems reasonable for that file size. Example: changing a 300 MB video to
a dll might draw more attention. Combine this with timestomp for further
obscuration. One other note: if you're trying to be inconspicuous,
don't set your dates to a time before the file type was invented; no
docx files from the 70s...
Another indicator for files is the signature. Many forensic tools rely
on an md5 hash to identify known files. This can include anything from
hacking tools, copyrighted music and movies, to system files.
A list can be compiled of hashes for every file on your drive and
many can be eliminated right from there, reducing the pile of possible
evidence. Changing the signature is easy. Open the file with a hex editor
and change a bit somewhere; typically plain text within the file is sufficient.
Or you can just hit it with UPX and repack it if it happens to be an executable.
Again, this isn't the cure-all. TimeStomp, for example, contains several
references to itself in plain text. If an examiner opens it with a hex editor
and searches for TimeStomp it pops up quite a bit. So even if you rename a
file, change its header, and change its signature, you should go in and make sure
there are no references inside the file that will blatantly shout out its name.
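Seen from the examiner's side, here is an added example (not from the article or any tool it names) of the automatic checks the paragraphs above describe: a header that contradicts the extension, an md5 hit against a known-file list, and a modification date earlier than the format existed. The magic bytes are the ones quoted above; the known-hash list, the sample files and the 2007 floor for .docx are constructed assumptions for the demo.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Header bytes the article quotes: JPEG files start ff d8 ff, PE executables start "MZ".
MAGIC = {"jpeg": b"\xff\xd8\xff", "pe": b"MZ"}
# Which extensions legitimately belong to each header family.
EXT_FAMILY = {"jpg": "jpeg", "jpeg": "jpeg", "exe": "pe", "dll": "pe"}
# Earliest plausible year per extension (assumption for the demo: docx arrived with Office 2007).
EARLIEST_YEAR = {"docx": 2007}


def triage(path, known_hashes):
    """Return the findings for one file; an empty list means nothing looked odd."""
    findings = []
    with open(path, "rb") as fh:
        data = fh.read()
    ext = os.path.splitext(path)[1].lstrip(".").lower()
    # 1. header vs. extension: the mismatch a forensic tool reports automatically
    family = next((f for f, sig in MAGIC.items() if data.startswith(sig)), None)
    if family and EXT_FAMILY.get(ext) != family:
        findings.append("header says %s, extension says .%s" % (family, ext))
    # 2. md5 against a known-file list (constructed here; real tools carry large hash sets)
    if hashlib.md5(data).hexdigest() in known_hashes:
        findings.append("md5 matches known-file list")
    # 3. modification time earlier than the format existed ("no docx files from the 70s")
    year = datetime.fromtimestamp(os.stat(path).st_mtime, timezone.utc).year
    if year < EARLIEST_YEAR.get(ext, 0):
        findings.append("modified %d, before .%s existed" % (year, ext))
    return findings


def demo():
    """Constructed samples: a JPEG renamed to .dll, and a .docx backdated to 1976."""
    tmp = tempfile.mkdtemp()
    renamed = os.path.join(tmp, "notes.dll")
    with open(renamed, "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 64)
    backdated = os.path.join(tmp, "report.docx")
    with open(backdated, "wb") as fh:
        fh.write(b"PK\x03\x04" + b"\x00" * 64)  # docx is a zip container
    old = datetime(1976, 7, 4, tzinfo=timezone.utc).timestamp()
    os.utime(backdated, (old, old))
    # Pretend the JPEG is on the examiner's known-file list.
    with open(renamed, "rb") as fh:
        known = {hashlib.md5(fh.read()).hexdigest()}
    return {os.path.basename(p): triage(p, known) for p in (renamed, backdated)}
```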
Also, the old standby: encryption. Encrypt your files. I recommend you encrypt
your entire hard drive. Software like TrueCrypt and BitLocker is helpful.
I personally like TC. I like being able to create hidden volumes and to encrypt
the system partition. It's definitely worth looking into.
Finally, consider using virtualization. Software like VMware, Virtual PC, and
such allow you to create a file that acts as a computer running on your computer.
(I know, I know... what is the matrix...)
So, here's my quick start guide:
1. encrypt your hard drive
2. use a virtual pc
3. download and modify timestomp
4. create a hidden volume within an encrypted volume (TrueCrypt)
5. create a virtual machine in the hidden volume
6. encrypt the hard drive of the virtual machine
7. create a hidden volume within an encrypted volume on the virtual pc
8. place your stash in that hidden volume from 7
9. Appropriately alter your files as described above
10. modify timestamps as needed
11. Apply all other techniques for keeping your system locked down
Even after doing all this it is probably still possible to get found out, but consider
what happens if you get the chance to wipe the drive with multipass overwriting:
even an investigator able to read previous states of the bits would see that the
drive is now random, used to be zeros, and (assuming they can go back further)
used to be ones, was encrypted, and so on...
While preventing any possible recovery may be impossible,
the idea is to make it as difficult, time consuming and costly as possible.
I'm sure that I missed some things and generalized a bit here and there,
but I hope that this sheds some light on the subject for those that are
curious and gets the rest of us thinking. I also hope you enjoyed this article.