A paranoid approach to securing data

A paranoid approach to securing data

By ghost | 9867 Reads |

0     0

Poking Big Brother in the eye…

Forensic analysis can be a serious problem for hackers. Advanced tools enable analysts to locate files that have been well hidden. Some tools are able to detect files hidden in slack space. Some recover deleted files and some check for hacking tools. As forensics becomes more sophisticated, more work is required to protect your data.

I'm not going to debate what the best techniques are but I thought that I would share some anti-forensic techniques or, as referred to by Adrian Crenshaw, occult computing.

One thing that can be useful to nosy people sifting through your stash is time stamps. By looking at creation dates, date modified and last accessed, a schedule of events can be pieced together to show when you did what. One tool to get around this problem is Metasploit's timestomp. TimeStomp is a cli tool that allows you to modify all of these attributes. By altering the time stamp of a file you can create your own "pattern of events" to obscure your trail. You can set it to show that it was last accessed in 1776 if want. Maybe Washington needed to check his email…

Another thing to consider, often I see advice saying that you should rename files and change the extension. Well, yes but that's only half of it. Files have other indicators as to what they are and what they contain. File headers indicate what type the file is. If you've ever opened a jpg with a hex editor you will see something along the lines of:

yoya + jfif (if you do it you'll get the idea)

After that there's the rest of the file. Well that yoya tells what type of file it is. Also the hex value for a jpg will be:

ff d8 ff e0 some have e1, d8, or other

Executables start with MZ. Forensic tools will immediately recognize these types and report that the file extension does not match. This is a simple problem. Use a hex editor like winhex or xvi32 or whatever your favorite is and simply change the header to match whatever extension you decide to use in your renaming. There is one caveat however. Filesize will not change, so make sure that what you change it to seems reasonable for that file size. Example: changing a 300mb video to a dll might draw more attention. Combine this with timestomp for further obscuration. One other note, if you're trying to be inconspicuous don't set your dates to a time before the filetype was invented, no docx files from the 70's…

Another indicator for files is the signatures. Many forensic tools rely on an md5 hash to identify known files. This can include anything from hacking tools, copyrighted music and movies, to system files. A list can be compiled of hashes for every file on your drive and many can be elimnated right from there, reducing the pile of possible evidence. Changing the signature is easy. Open the file with a hex editor and change a bit somewhere, typically plain text within the file is sufficient. Or you can just hit it with UPX and repack it if happens to be an executable. Again, this isn't the cure all. TimeStomp, for example, contains several references to itself in plain text. If an examiner opens it with a hex editor and searches for 'TimeStomp' it pops up quite a bit. So even if you rename a file, change it's header, and change it's signature you should go in and make sure there are no references inside the file that will blatantly shout out it's name.

Also, the old standby, encryption. Encrypt your files. I reccomend you encrypt your entire hard drive. Software like TrueCrypt and Bit Locker are helpful. I personally like TC. I like being able to create hidden volumes and to encrypt the system partition. It's definitely worth looking in to.

Finally, consider using virtualization. Software like VMware, Virtual PC, and such allow you to create a file that acts as a computer running on your computer. (I know, I know… what is the matrix…)

So, Here's my quick start guide:

1. encrypt your hard drive
2. use a virtual pc
3. download and modify timestomp
4. create a hidden volume within an encrypted volume (TrueCrypt)
5. create a virtual machine in the hidden volume
6. encrypt the hard drive of the virtual machine
7. create a hidden volume within an encrypted volume on the virtual pc
8. place your stash in that hidden volume from 7
9. Appropriately alter your files as described above
10. modify timestamps as needed
11. Apply all other techniques for keeping your system locked down

Doing this it is probably still possible to get found out but consider that if you get the chance to wipe the drive, even being able to read previous states of bits, if you use multipass overwriting, a forensic investigation would see that the drive is now random, used to be zeros. Assuming they can go back further, used to be ones, was encrypted and so on…

While the idea of preventing any possible recovery may be impossible the idea is to make it as difficult, time consuming and costly as possible.

I'm sure that I missed somethings and generalized a bit here and there but I hope that this sheds some light on the subject for those that are curious and gets the rest of us thinking. I also hope you enjoyed this article.