Friday, April 18, 2014
A paranoid approach to securing data

Briefly discusses some anti-forensic methodologies
and provides insight into protecting your data against
access and recovery by undesirables, mostly the fuzz.



Poking Big Brother in the eye...

Forensic analysis can be a serious problem for hackers.
Advanced tools enable analysts to locate files that have
been well hidden. Some tools are able to detect files
hidden in slack space. Some recover deleted files and
some check for hacking tools. As forensics becomes more
sophisticated, more work is required to protect your data.

I'm not going to debate what the best techniques are, but
I thought I would share some anti-forensic techniques
or, as Adrian Crenshaw calls it, occult computing.

One thing that can be useful to nosy people sifting through your
stash is timestamps. By looking at creation, modified and
last-accessed dates, a schedule of events can be pieced together
to show when you did what. One tool to get around this problem is
Metasploit's timestomp. TimeStomp is a CLI tool that allows you
to modify all of these attributes. By altering the timestamps of
a file you can create your own "pattern of events" to obscure your
trail. You can set it to show that it was last accessed in 1776 if
you want. Maybe Washington needed to check his email...

Another thing to consider: I often see advice saying that you should
rename files and change the extension. Well, yes, but that's only
half of it. Files have other indicators as to what they are and
what they contain. File headers indicate what type the file is.
If you've ever opened a jpg with a hex editor you will have seen something
along the lines of:

yoya + jfif (the leading bytes rendered as text look like ÿØÿà followed by JFIF; open one and you'll get the idea)

After that there's the rest of the file. Well, that yoya tells what type
of file it is. In hex, a jpg will start with:

ff d8 ff e0 (some have e1, d8, or other values in place of e0)

Executables start with MZ. Forensic tools will immediately recognize
these types and report that the file extension does not match. This
is a simple problem: use a hex editor like WinHex or XVI32, or whatever
your favorite is, and simply change the header to match whatever extension
you decide to use in your renaming. There is one caveat, however.
File size will not change, so make sure that what you change it to
seems reasonable for that file size. Example: changing a 300mb video to
a dll might draw more attention. Combine this with timestomp for further
obscuration. One other note: if you're trying to be inconspicuous,
don't set your dates to a time before the file type was invented; no
docx files from the 70's...

Another indicator for files is the signature. Many forensic tools rely
on an MD5 hash to identify known files. This can include anything from
hacking tools, copyrighted music and movies, to system files.
A list can be compiled of hashes for every file on your drive, and
many can be eliminated right from there, reducing the pile of possible
evidence. Changing the signature is easy: open the file with a hex editor
and change a bit somewhere; typically plain text within the file is sufficient.
Or you can just hit it with UPX and repack it if it happens to be an executable.
Again, this isn't the cure-all. TimeStomp, for example, contains several
references to itself in plain text. If an examiner opens it with a hex editor
and searches for 'TimeStomp', it pops up quite a bit. So even if you rename a
file, change its header, and change its signature, you should go in and make sure
there are no references inside the file that will blatantly shout out its name.
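To make the examiner's side of the last three paragraphs concrete, here is an added example (not code from the article, from Metasploit, or from any forensic tool it names) of the three checks described above: elimination by known hash, a magic-bytes versus extension comparison, and a search for plain-text tool names inside the file body. Everything in it is constructed: the sample files are built in memory, the known-good hash set, the extension alias table and the TOOL_NAMES list are hypothetical stand-ins for the reference sets a real forensic tool would load, and the function names are my own.

```python
"""Minimal forensic triage: known-hash elimination, magic-bytes vs. extension
mismatch, and plain-text tool-name references.

Added example, not from the original article. Sample files, hash sets and
tool-name list are constructed stand-ins for an examiner's real reference data.
"""
import hashlib
from typing import Optional

# Leading-byte signatures (real prefixes). JPEG is matched on three bytes
# because the fourth varies: E0 (JFIF), E1 (Exif) and others occur.
SIGNATURES = [
    (b"\xff\xd8\xff", "jpg"),
    (b"MZ", "exe"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"PK\x03\x04", "zip"),  # docx/xlsx/pptx/jar are zip containers
    (b"%PDF", "pdf"),
]

# Extensions that legitimately share a signature (assumed table).
ALIASES = {
    "zip": {"zip", "docx", "xlsx", "pptx", "jar", "apk"},
    "exe": {"exe", "dll", "sys", "scr"},
    "jpg": {"jpg", "jpeg"},
}

# Hypothetical tool-name strings an examiner might search for (constructed).
TOOL_NAMES = [b"TimeStomp", b"metasploit"]


def detect_type(data: bytes) -> Optional[str]:
    """Return the type implied by the leading bytes, or None if unknown."""
    for prefix, ftype in SIGNATURES:
        if data.startswith(prefix):
            return ftype
    return None


def extension_matches(detected: Optional[str], filename: str) -> bool:
    """True if the claimed extension is consistent with the detected signature."""
    if detected is None:
        return True  # nothing to compare against, so do not flag
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in ALIASES.get(detected, {detected})


def embedded_tool_names(data: bytes) -> list:
    """Plain-text references to known tool names inside the file body."""
    lowered = data.lower()
    return [name.decode() for name in TOOL_NAMES if name.lower() in lowered]


def triage(files: dict, known_good: set, known_bad: set) -> dict:
    """Classify each file; returns {name: {md5, verdict, findings}}."""
    report = {}
    for name, data in files.items():
        digest = hashlib.md5(data).hexdigest()
        findings = []
        if digest in known_bad:
            verdict = "known-bad"
        elif digest in known_good:
            verdict = "known-good"  # eliminated from the evidence pile
        else:
            verdict = "unknown"  # only unknown files get the deeper checks
            detected = detect_type(data)
            if not extension_matches(detected, name):
                findings.append(f"signature says {detected}, extension says otherwise")
            findings.extend(f"contains '{t}'" for t in embedded_tool_names(data))
        report[name] = {"md5": digest, "verdict": verdict, "findings": findings}
    return report


# Constructed sample files. "system.bin" stands in for a known OS binary;
# "system_edited.bin" is the same bytes with one byte changed.
JPEG_HEAD = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
SAMPLE_FILES = {
    "holiday.jpg": JPEG_HEAD + b"\x00" * 32,
    "holiday.dll": JPEG_HEAD + b"\x00" * 32,  # a JPEG renamed as a DLL
    "report.docx": b"PK\x03\x04" + b"\x00" * 32,
    "tool.txt": b"MZ\x90\x00" + b"This program uses TimeStomp " + b"\x00" * 16,
    "system.bin": b"MZ\x90\x00" + b"\x00" * 32,
    "system_edited.bin": b"MZ\x90\x00" + b"\x00" * 31 + b"\x01",
}
KNOWN_GOOD = {hashlib.md5(SAMPLE_FILES["system.bin"]).hexdigest()}
KNOWN_BAD = set()

if __name__ == "__main__":
    for name, row in triage(SAMPLE_FILES, KNOWN_GOOD, KNOWN_BAD).items():
        print(f"{name:18} {row['verdict']:10} {'; '.join(row['findings'])}")
```

Run it and the renamed JPEG, the stray 'TimeStomp' string and the one-byte edit that knocks a file out of the known-good set all appear in the report. It also shows the asymmetry the article is getting at: a single flipped byte defeats hash matching, but does nothing against the signature or string checks, which look at content rather than a digest of it.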

Also, the old standby: encryption. Encrypt your files. I recommend you encrypt
your entire hard drive. Software like TrueCrypt and BitLocker is helpful.
I personally like TC. I like being able to create hidden volumes and to encrypt
the system partition. It's definitely worth looking into.

Finally, consider using virtualization. Software like VMware, Virtual PC, and
such allows you to create a file that acts as a computer running on your computer.
(I know, I know... what is the Matrix...)

So, here's my quick start guide:

1. encrypt your hard drive
2. use a virtual pc
3. download and modify timestomp
4. create a hidden volume within an encrypted volume (TrueCrypt)
5. create a virtual machine in the hidden volume
6. encrypt the hard drive of the virtual machine
7. create a hidden volume within an encrypted volume on the virtual pc
8. place your stash in that hidden volume from 7
9. Appropriately alter your files as described above
10. modify timestamps as needed
11. Apply all other techniques for keeping your system locked down

Doing this, it is probably still possible to get found out, but consider
that if you get the chance to wipe the drive with multipass overwriting,
then even an investigation able to read previous states of bits would see
that the drive is now random, used to be zeros, and, assuming they can go
back further, used to be ones, was encrypted, and so on...

While preventing any possible recovery may be impossible,
the idea is to make it as difficult, time-consuming and costly as possible.

I'm sure that I missed some things and generalized a bit here and there,
but I hope that this sheds some light on the subject for those that are
curious and gets the rest of us thinking. I also hope you enjoyed this article.

Comments

TheMonitor on September 07 2009 - 23:07:09
haha, nice Mosh. +1 =)
Phantomchaser on September 08 2009 - 20:45:30
Not sure how much detail you wanted but I wasn't looking to provide a novel, rather an overview. As for information, well, I did point out some tools and discuss briefly editing signatures and modifying hashes. I would like to put out a nice how to, I just thought we were a bit limited as to the length of an article. I appreciate the insight, though. Seeing as this is an overview, sort of a broad intro, I'll follow up with some how-to's on some of the individual components. If there's anything in particular you'd like to see discussed further let me know. Again, thanks for your thoughts.
korg on September 10 2009 - 14:10:27
Thought it gave good basic info to start with, I'd rather see a few short articles on a subject because long ones tend to piss me off anymore.
elmiguel on September 10 2009 - 20:20:46
Interesting article, although I fail to see the benefit of this "paranoia" take on securing data. I mean, if there was any data for me to secure that much, I most likely would not have it saved on a computer. It would be on a disk locked in a safe of some sort, buried somewhere only I know about. But other than that, I would definitely like to see more articles on this, and I agree that short, mid-size articles are way better than long drawn-out articles pretending to be some Nobel Prize winning thesis. Keep up the good work.
buttmonkey on October 31 2009 - 17:21:32
I've always wanted to know what the best option in TrueCrypt is; it offers a bunch of encryption schemes, and some all together in different orders. Which is best? Performance- and security-wise? :S
maug on November 25 2009 - 11:30:09
I can do a better job without even using encryption or software. #1 compartmentalize everything. #2 define the data seekers' resources and the need for your data to be hidden. #3 keep it as simple as you can; manageability adds to security.