A paranoid approach to securing data
Poking Big Brother in the eye…
Forensic analysis can be a serious problem for hackers. Advanced tools enable analysts to locate files that have been well hidden. Some tools are able to detect files hidden in slack space. Some recover deleted files and some check for hacking tools. As forensics becomes more sophisticated, more work is required to protect your data.
I'm not going to debate what the best techniques are but I thought that I would share some anti-forensic techniques or, as referred to by Adrian Crenshaw, occult computing.
One thing that is useful to nosy people sifting through your stash is time stamps. By looking at creation dates, date modified and last accessed, a schedule of events can be pieced together to show when you did what. One tool to get around this problem is Metasploit's timestomp. TimeStomp is a CLI tool that allows you to modify all of these attributes. By altering the time stamp of a file you can create your own "pattern of events" to obscure your trail. You can set it to show that it was last accessed in 1776 if you want. Maybe Washington needed to check his email…
Another thing to consider: I often see advice saying that you should rename files and change the extension. Well, yes, but that's only half of it. Files carry other indicators of what they are and what they contain. File headers indicate the file type. If you've ever opened a JPG with a hex editor you will see something along the lines of:
yoya + jfif (if you do it you'll get the idea)
After that there's the rest of the file. Well, that "yoya" is what tells you what type of file it is. In hex, a JPG will start with:
ff d8 ff e0 (some have e1, d8, or other values in place of e0)
Executables start with MZ. Forensic tools will immediately recognize these types and report that the file extension does not match. This is a simple problem to address: use a hex editor like WinHex or XVI32 (or whatever your favorite is) and simply change the header to match whatever extension you decide to use when renaming. There is one caveat, however: the file size will not change, so make sure that what you change it to seems reasonable for that size. Example: changing a 300 MB video to a .dll might draw more attention. Combine this with timestomp for further obscuration. One other note: if you're trying to be inconspicuous, don't set your dates to a time before the file type was invented; no .docx files from the 70's…
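The two mismatches the article says examiners catch (an extension that does not agree with the header bytes, and a modification time that predates the format) can be checked with a short script. This is an added example, not code from the original article; the magic-byte table, the introduction years and the sample files are constructed assumptions, and the file names are hypothetical.

```python
import os
from datetime import datetime, timezone

# Constructed magic-byte table (real examiners use far larger lists): JPEG starts ff d8 ff,
# MZ executables start with "MZ", and docx is a zip container starting with "PK".
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "exe": (b"MZ",),
    "dll": (b"MZ",),
    "docx": (b"PK\x03\x04",),
}
# Approximate year each format first existed; an mtime earlier than this cannot be genuine.
FORMAT_INTRODUCED = {"jpg": 1992, "jpeg": 1992, "exe": 1983, "dll": 1985, "docx": 2006}

def identify_by_header(head: bytes) -> set:
    """Extensions whose magic bytes match the start of the file."""
    return {ext for ext, sigs in MAGIC.items() if any(head.startswith(s) for s in sigs)}

def check_file(name: str, head: bytes, mtime: datetime) -> list:
    """Findings for one file; an empty list means nothing looked inconsistent."""
    findings = []
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    matches = identify_by_header(head)
    if ext in MAGIC and ext not in matches:
        looks_like = ",".join(sorted(matches)) or "unknown"
        findings.append(f"{name}: extension .{ext} but header {head[:4].hex()} looks like {looks_like}")
    if ext in FORMAT_INTRODUCED and mtime.year < FORMAT_INTRODUCED[ext]:
        findings.append(f"{name}: mtime {mtime.date()} predates the .{ext} format ({FORMAT_INTRODUCED[ext]})")
    return findings

def scan_directory(root: str) -> list:
    """Walk a real directory tree, reading only the first 8 bytes of each file."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                head = fh.read(8)
            mtime = datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)
            findings.extend(check_file(path, head, mtime))
    return findings

# Constructed samples: a genuine JPEG, a JPEG header behind a .dll name, and a docx "from 1776".
SAMPLES = [
    ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF", datetime(2010, 5, 1, tzinfo=timezone.utc)),
    ("msvcrt.dll", b"\xff\xd8\xff\xe1\x12\x34Exif", datetime(2009, 1, 1, tzinfo=timezone.utc)),
    ("letter.docx", b"PK\x03\x04\x14\x00\x00\x00", datetime(1776, 7, 4, tzinfo=timezone.utc)),
]
```

Running `scan_directory` over a real tree applies the same two checks to every file it finds; `check_file` on the constructed samples flags the second and third.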
Another indicator for files is the signature. Many forensic tools rely on an MD5 hash to identify known files. This can include anything from hacking tools, copyrighted music and movies, to system files. A list can be compiled of hashes for every file on your drive and many can be eliminated right from there, reducing the pile of possible evidence. Changing the signature is easy. Open the file with a hex editor and change a bit somewhere; typically plain text within the file is sufficient. Or you can just hit it with UPX and repack it if it happens to be an executable. Again, this isn't a cure-all. TimeStomp, for example, contains several references to itself in plain text. If an examiner opens it with a hex editor and searches for 'TimeStomp' it pops up quite a bit. So even if you rename a file, change its header, and change its signature, you should go in and make sure there are no references inside the file that will blatantly shout out its name.
Also, the old standby: encryption. Encrypt your files. I recommend you encrypt your entire hard drive. Software like TrueCrypt and BitLocker is helpful. I personally like TC. I like being able to create hidden volumes and to encrypt the system partition. It's definitely worth looking into.
Finally, consider using virtualization. Software like VMware, Virtual PC, and the like allows you to create a file that acts as a computer running on your computer. (I know, I know… what is the Matrix…)
So, here's my quick start guide:
1. encrypt your hard drive
2. use a virtual PC
3. download and modify timestomp
4. create a hidden volume within an encrypted volume (TrueCrypt)
5. create a virtual machine in the hidden volume
6. encrypt the hard drive of the virtual machine
7. create a hidden volume within an encrypted volume on the virtual PC
8. place your stash in that hidden volume from step 7
9. appropriately alter your files as described above
10. modify timestamps as needed
11. apply all other techniques for keeping your system locked down
Even after doing all of this it is probably still possible to get found out, but consider what happens if you get the chance to wipe the drive with multipass overwriting: even an investigation able to read previous states of the bits would see that the drive is now random and used to be zeros. Assuming they can go back further, it used to be ones, before that it was encrypted, and so on…
While preventing any possible recovery may be impossible, the idea is to make it as difficult, time consuming and costly as possible.
I'm sure that I missed some things and generalized a bit here and there, but I hope that this sheds some light on the subject for those that are curious and gets the rest of us thinking. I also hope you enjoyed this article.
ghost 15 years ago
Not sure how much detail you wanted but I wasn't looking to provide a novel, rather an overview. As for information, well, I did point out some tools and discuss briefly editing signatures and modifying hashes. I would like to put out a nice how to, I just thought we were a bit limited as to the length of an article. I appreciate the insight, though. Seeing as this is an overview, sort of a broad intro, I'll follow up with some how-to's on some of the individual components. If there's anything in particular you'd like to see discussed further let me know. Again, thanks for your thoughts.
korg 15 years ago
Thought it gave good basic info to start with, I'd rather see a few short articles on a subject because long ones tend to piss me off anymore.
elmiguel 15 years ago
Interesting article, although I fail to see the benefit of this "paranoia" take on securing data. I mean, if there was any data for me to secure that much I most likely would not have it saved on a computer. It would be on a disk locked in a safe of some sort, buried somewhere only I know about. But other than that, I would definitely like to see more articles on this, and I agree that short to mid-size articles are way better than long drawn out articles pretending to be some Nobel prize winning thesis. Keep up the good work.
ghost 15 years ago
I've always wanted to know what the best option in TrueCrypt is; it offers a bunch of encryption schemes and some all together in different orders.
Which is best? Performance- and security-wise? :S