IMPACT OF ANTI-FORENSICS TECHNIQUES ON DIGITAL FORENSICS INVESTIGATION

Academic year: 2022


Author: Tambue Ramine Etow
Supervisor: Ola Flygt

Semester: VT 2020

Subject: Computer Science

Bachelor Degree Project

IMPACT OF ANTI-FORENSICS TECHNIQUES ON DIGITAL FORENSICS INVESTIGATION

Abstract

Computer crimes have become very complex in terms of investigation and prosecution. This is mainly because forensic investigations are based on artifacts left on computers and other digital devices. In recent times, perpetrators of computer crimes have become aware of the dynamics of digital forensics and are therefore able to use anti-forensic measures and techniques to obfuscate the investigation process. In cases where such techniques are employed, it becomes extremely difficult, expensive and time consuming to carry out an effective investigation, which may cause a digital forensics expert to give up and abandon the investigation. This project work serves to practically demonstrate how numerous anti-forensic techniques can be deployed by criminals to derail the digital forensic investigation process, with the main focus on data hiding and encryption techniques; afterwards, a comparative study of the effectiveness of some selected digital forensics tools in analyzing and reporting evidence is conducted.

Keywords: Anti-forensic techniques, Digital forensics, Forensic evidence, Digital evidence, Computer crimes, Forensic practitioners, Locard’s principle.

Preface

I want to thank my faculty, friends and family for the support they gave me throughout this project. I would like to especially thank my supervisor Ola Flygt for his wonderful guidance and clarity on this project.

Contents

List of Figures

List of Tables

1 Introduction 1

1.1 Background . . . . 1

1.2 Related work . . . . 1

1.3 Problem formulation . . . . 4

1.4 Motivation . . . . 4

1.5 Objectives . . . . 5

1.6 Scope/Limitation . . . . 5

1.7 Target group . . . . 6

1.8 Outline . . . . 6

2 Method 7

2.1 Scientific Approach . . . . 7

2.2 Reliability and Validity . . . . 8

2.3 Ethical considerations . . . . 8

3 Anti-forensics Techniques 9

3.1 Encryption . . . . 9

3.2 Steganography . . . . 9

3.3 Trail obfuscation . . . . 10

3.4 Tunneling . . . . 10

3.5 Onion Routing . . . . 10

3.6 Spoofing . . . . 11

3.7 Changing Metadata . . . . 11

3.8 Wiping techniques/standards . . . . 13

4 Anti-forensics Tools 14

4.1 VeraCrypt . . . . 14

4.2 AxCrypt . . . . 14

4.3 BitLocker . . . . 15

4.4 Gnu Privacy Guard . . . . 15

4.5 7-Zip . . . . 16

4.6 Eraser Software . . . . 17

4.7 Free Wipe Wizard . . . . 17

4.8 Invisible Secret 4 . . . . 18

4.9 ManyTools . . . . 18

4.10 Timestomp GUI . . . . 18

4.11 Attribute Manager . . . . 19

4.12 Bulk Extension Changer . . . . 19

4.13 OpenStego and StegHide . . . . 19

4.14 Attribute Changer 9 . . . . 20

4.15 Disk Wipe . . . . 20

5 Implementation 22

5.1 Experiment one – Wiping / safe deletion tools . . . . 22

5.2 Experiment two – Hiding data techniques (Steganography) . . . . 24

5.3 Experiment three – Undermining credibility of the software . . . . 26

6 ANALYSIS OF ACQUIRED DISK WITH FORENSIC TOOLS 29

6.1 Data Wiping (Disk-Wiping) . . . . 29

6.1.1 Access Data Forensic Toolkit (FTK) . . . . 29

6.1.2 Encase . . . . 30

6.1.3 Autopsy . . . . 30

6.2 Hiding data techniques (Steganography) . . . . 30

6.3 Undermining credibility of the software . . . . 31

6.3.1 Access Data Forensic (FTK) . . . . 32

6.3.2 Autopsy . . . . 32

6.3.3 Encase . . . . 33

6.3.4 Encrypted Files . . . . 33

7 Discussion 35

7.1 Forensic tools and Anti-forensic tactics used by attackers . . . . 35

7.2 Measures to counter anti-forensic strategies . . . . 36

7.3 Efficiency of forensic tools in countering anti-forensic strategies . . . . . 36

7.3.1 FTK Toolkit . . . . 36

7.3.2 Autopsy . . . . 37

7.3.3 Encase . . . . 37

8 Conclusion and Future work 38

8.1 Future work . . . . 38

References 39

A Appendix A

A.1 List of Acronyms . . . . A

A.2 Software Versions . . . . A

List of Figures

2.1 Digital Forensic Analysis Methodology Flowchart . . . . 7

3.2 Classification of digital steganography according to host file type . . . . . 10

3.3 Onion routing . . . . 11

3.4 File metadata . . . . 12

4.5 VeraCrypt . . . . 14

4.6 Bitlocker . . . . 15

4.7 Kleopatra GUI for GnuPG . . . . 16

4.8 7-Zip . . . . 17

4.9 Bulk Extension Changer . . . . 19

4.10 Open Stego . . . . 20

4.11 Attribute Changer . . . . 20

4.12 Disk Wipe available erasing patterns . . . . 21

5.13 Adding folder for deletion . . . . 22

5.14 Shredder deleting files . . . . 23

5.15 Wiping SSD disk drive with DOD 5220.22M Standard . . . . 23

5.16 Hiding image in an image . . . . 24

5.17 Choosing the carrier file in Invisible Secrets . . . . 25

5.18 Hiding text in an image . . . . 25

5.19 Date modification using Attribute Manager . . . . 26

5.20 Before and After . . . . 27

5.21 Timestomp Manipulations . . . . 27

5.22 Altering File Extensions . . . . 28

6.23 Traces of deleted files . . . . 29

6.24 Corrupted Recovered files . . . . 29

6.25 Autopsy Disk-Wiping Analysis . . . . 30

6.26 Comparing Metadata for Steganography analysis . . . . 31

6.27 FTK File extension detection . . . . 32

6.28 Autopsy File Extension Mismatch . . . . 33

6.29 Hex editor reveal file’s signature . . . . 33

6.30 Autopsy File Encryption . . . . 34

List of Tables

1.1 Research questions . . . . 4

1.2 Objectives . . . . 5

5.3 Deletion efficiency Parameter . . . . 22

5.4 Deletion efficiency Results . . . . 24

6.5 Steganography detection results . . . . 31

7.6 Forensic Analysis Results . . . . 35

7.7 Counter anti-forensics strategies . . . . 36

1.8 Software versions and types . . . . A

1 Introduction

Digital evidence, in the simplest terms, is any information of importance to an investigation that is processed by electronic devices. According to Locard’s principle, there is always an exchange between the offender and the scene of a crime [1]. On digital devices, the evidence is stored mainly on hard disks and in memory, as log files and other components used to show related activity. Applied to cyberspace, Locard’s principle supports the acceptance of the synergy between these forms of evidence, the exact times at which the events occurred and, more importantly, the process of identifying the perpetrators [1].

Digital forensic investigators unravel and combine all the gathered facts into a single statement showing the nature and course of a particular action [2].

Contrary to this, anti-forensics is mainly geared towards hiding or altering digital evidence to render it unusable in legal actions, making it exorbitant and laborious to reclaim and investigate. This, together with other questions such as which forensic tools are most effective in countering anti-forensics [3] and how far researchers have gone in practically demonstrating anti-forensic techniques, is among the reasons why we want to relate these issues to real life and show the negative effects of anti-forensic techniques on the digital forensics investigation process. In a nutshell, anti-forensics undermines the accessibility and effectiveness of evidence in processes involving forensic experts.

1.1 Background

Methods of carrying out anti-forensic activities are diverse, and once deployed they can affect the investigation process at any stage. Whereas most of the methods used are directed against digital forensics, some of these methodologies are used for legitimate purposes [1]. For instance, encryption protects organizational assets, while digital watermarking prevents copyright infringement. Interestingly, the application of such techniques against computer forensics is likely to inhibit investigators from accessing important data [4]. Discussions about anti-forensic techniques hail them as exceptionally effective.

Be that as it may, almost no practical work has so far been done on testing these techniques and essentially assessing their adequacy. This project is intended to identify the prevalent digital anti-forensic approaches and examine them using forensic software.

The key question to be addressed is “whether computer anti-forensics can hinder the investigation process and prevent real artifacts from being discovered and admissible in the legal process”.

1.2 Related work

The research paper applied several mechanisms to obtain the best sources for review.

First, only authoritative sources were used, such as government agencies like the judiciary and agencies involved in creating technology standards. The objectivity and clarity of each source was evaluated to ensure that the reviewed papers were credible. The reputation of the authors and the publication area of the journal were also factored in.

As explained earlier, digital forensics is an emerging and fast-growing domain, following the increase in number and complexity of computer-related crimes [5]. Solving cases involving the misuse of digital technology has become a predominant undertaking of the enforcement agencies. Every crime has some relation to computer forensics, as in most search-and-seizure situations mobile phones are also confiscated. Several studies and numerous scholars describe anti-forensics as the techniques used by many criminals to hide their activities in such a way that they are not detected by forensic investigators [6].

For instance, the lack of enough hypothetical investigations is attributed mainly to anti-forensics, as opposed to the more conventional research methods on digital forensics [7].

For electronic evidence to be admissible in court, the forensic expert must adhere to strict procedures in the retrieval and investigation of a digital system [7]. Furthermore, during the forensic examination process, several weaknesses are bound to disrupt the recovery of the evidence needed to sustain a prosecution. Research indicates that cybercriminals are employing anti-forensic procedures to affect the forensic process and interfere with the electronic evidence [8].

The objectives of anti-forensics are the following:

• Avoid detection of any kind of malicious activity that has taken place.

• Disrupt the gathering of information by making it next to impossible for the forensic investigator to gather any incriminating evidence against them.

• Increase the time taken by the examiner to resolve a case by putting impediments in the way of the investigation. Anti-forensics derails the process and frustration sets in, which may cause fatigue in the digital forensic investigator, leading to thoughts of abandoning the investigation [9].

• Cast doubt on forensic reports or testimonies, thereby creating doubt in the mind of the jury or judge as to the admissibility of the evidence [10].

• Sabotage the forensic tools by using the same tools to attack organizations internally, mounting direct attacks on the forensic examiner, such as discovering and removing the examiner’s network or blasting the network under investigation [11].

In previous decades, digital forensics evolved as a new domain in computer science and has gained enormous attention. This is because modern computer systems hold vast quantities of information, which essentially serve as the richest source of evidence while conducting an investigation. Scientifically and legally valid examination of this evidence reveals and recognizes its importance, where the proof must be complete, reliable and accurate [7]. To shed more light, Conlan [7] listed some of the drawbacks in a digital forensic investigation as follows:

a) Personality: Every forensic investigator uses a myriad of methods in conducting investigations [3]. The effectiveness of any method will differ depending on characteristics such as education and experience as well as the smartness and perception of the investigator [7]. Many forensic investigators have developed their own process and procedure for conducting investigations that is convenient for them [7]. These might have been developed over a period of practice. New practitioners may also learn from their superiors or create their own altogether [2].

b) Use of forensic tools: Forensic investigations depend heavily on tools. However, these are susceptible to compromise, thereby affecting the efficacy and validity of the evidence outcomes. For instance, a forensic practitioner may apply only a small number of tools, with an adverse impact on the outcome of their investigation, for example in the case of memory forensics. Several factors may affect the choice of tools [9]. These include whether the tool is free or sold commercially. Some organizations may decide to have a few tools which in their estimation are the best on the market. Commercial forensic tools can be very expensive to purchase [7]. Open source tools may also be limited in functionality and need add-ons that may not be readily available. Familiarity with a particular tool also makes the investigator deploy it constantly in their investigations.

c) Logical/physical challenges: These include the availability or lack of hardware tools such as storage devices, write blockers and firewalling, as well as timelines and the financing of an investigation [7]. Technology moves at the speed of light, and forensic practitioners require dynamism and resilience to keep up with the pace of advancement in technology and innovation.

Anti-forensics as a field has several challenges due to contradicting technological and regulatory issues. For example, encryption is widely used as a strategy to secure sensitive documents. At the same time, encryption is used by intruders to deter forensic investigations.

The San Bernardino case is the reference point for the famous Apple versus FBI order, and it revolves around the courts’ authority on matters concerning data protection and the responsibilities therewith for access to encrypted data [12]. The court’s orders to Apple under the All Writs Act of 1789 required the phone manufacturer to retrieve privileged information from encrypted gadgets to assist criminal inquiries. The court’s instructions were to compel Apple to write new software that would break the software security lock, enabling the government to bypass the security features, unlock the phones and access the information [12]. Some of these demands included the requirement for Apple to create and digitally sign forensic software for unlocking phones recovered from suspects in the San Bernardino killings. When Apple declined to yield to these demands, the government sought third-party assistance in unlocking the phones. Another example is a case where a judge recalled the application of the All Writs Act to force Apple to unlock an iPhone [12].

Unauthorized access to privileged information causes discomfort and is contrary to privacy- and speech-enhancing technologies [13]. The presumption that law enforcement agencies have the prerogative to access these private spaces and data raises many legal questions as to whether they have a customary entitlement to such data. From the outset, it violates the bill of rights on several fronts, including infringement of privacy rights and speech rights. The police’s capacity to access private and privileged data such as phone data and emails requires a legal framework that considers the users’ rights.

Features that will change the dynamics for this paradigm include the use of encryption.

Using privacy-enhancing technology such as data encryption with cryptographic algorithms is a sure way of enhancing data security in the future, and it forces law enforcement agencies to seek the right legal mechanisms, such as court interventions, to gain access to private space [13]. Furthermore, the exclusive use of cryptography by military and intelligence agencies continues to diminish in the face of emerging software applications that support commercial and general public use. Technology keeps growing as computer-related crime increases, thereby creating a need for forensic experts to conduct digital evidence collection, analysis and interpretation. As computer crimes increase in number and sophistication, the practitioner needs to come to terms with the fact and form of collaboration with other relevant agencies when needed.

Currently, legal restrictions prevent the Swedish law enforcement agencies from searching international cloud services with servers outside the Swedish jurisdiction [14]. In the same way, the law does not require encryption companies or Internet service providers to decrypt data [7]. The Swedish constitution now allows law enforcement authorities to force an individual to decrypt documents or digital devices such as mobile phones and computers if they are related to a serious crime [15]. Moreover, the Swedish police can also use testimony before the courts during police investigations to force individuals holding vital information to provide that information in a court of law [14]. These regulations will greatly facilitate the efforts of forensic investigators during a forensic investigation.

1.3 Problem formulation

Computer crime investigators count on exceptional evidence to prove their cases, and for this they need authentication and authorization information from logs and file contents, timestamps and other forms of digital data that can serve as reliable proof in court. Criminals use technological procedures to destroy evidence, and as such, hacking methods aim to subjugate evidence, which makes it next to impossible for the investigator to use the available evidence.

The Information Systems Audit and Control Association (ISACA) opines that anti-forensic applications account for a large number of the data breach investigations conducted [16]. Investigators need to look out for several methods of distorting evidence, which include zero-footprinting, data hiding and data obfuscation among others. All cases require some form of obfuscation, which should entail the erasure of a hacker’s trail. Hiding of data involves the use of cryptography, which essentially masks the data by transforming it into cryptic codes. Other users apply steganography as another form of data hiding. All these approaches require the use of sophisticated methods when searching for forensic evidence.

The practice of digital forensics is developing at a sharp pace with the increasing sophistication of the crimes being investigated. Similarly, there is a remarkable change in the technologies and tools of the trade compared with conventional digital forensics. In brief, the malicious objectives behind anti-forensic techniques pose a huge problem to forensic experts. The research questions in Table 1.1 below helped to achieve our research objectives:

RQ1 Which are the various anti-forensic tactics used by attackers?

RQ2 Which are the various digital forensic tools employed by forensic experts?

RQ3 Which are the various measures for counter-forensic strategy?

RQ4 How effective are the current forensic tools in countering anti- forensic tactics?

Table 1.1: Research questions

1.4 Motivation

In 2007, the TJX companies were attacked and over 45.7 million credit card details were accessed illegally. The attackers exploited a vulnerability in a Wi-Fi antenna in one of their clothing stores [11]. Investigations indicate that the attackers had accessed the company systems for almost two years without detection. The TJX attack affected several banks and inflicted financial loss on millions of customers. The attackers had managed to conceal their footprints and stole customer data for over 18 months without being detected [11].

This case, among many others, is the reason why anti-forensic research needs to be at centre stage in every organization. Experts have observed an upsurge in the usage of anti-forensic tools, mainly because cyber attacks have shifted from elite Unix-based attacks to simple Windows applications that can be used even by novice users.

According to Scott [11], “The hacker’s focus has shifted too, from developing destructive payloads to circumventing detection. Now, for every tool forensic investigators have come to rely on to discover and prosecute electronic crimes, criminals have a corresponding tool to baffle the investigation.” Anti-forensics knowledge is therefore valuable for practitioners undertaking forensic investigations, enabling them to easily manage incidents which would otherwise be difficult to handle in ordinary circumstances, because people who intend to thwart the forensic process always seek means to cover their tracks.

1.5 Objectives

Many pieces of research regarding anti-forensic techniques have generated little in terms of the practical implementation and effectiveness of their methodologies. Therefore, the focal point of this research is to identify modern hacking techniques and put them to the test practically using forensic software.

This work serves to investigate by experimentation whether those anti-forensic techniques really can affect digital investigations, in terms of the accuracy of collection and analysis of digital evidence that is admissible in court.

Finally, it serves to generate a precise report detailing how effective the selected tools are against anti-forensic techniques. This research paper is guided by the following objectives in Table 1.2:

O1 To make a theoretical study of the areas gathering information about anti-forensics

O2 a. Set up a digital forensic experiment lab scenario; b. Run the anti-forensic and forensic analysis

O3 Compare different anti-forensic strategies and forensic software packages and evaluate them based on the results

O4 Conduct extra research to gather more insight and evaluate the results obtained in O2.

Table 1.2: Objectives

1.6 Scope/Limitation

This study will only explore 3 anti-forensic techniques. These techniques include:

• Data Obfuscation

• Data Hiding

• Data wiping (Zero-footprinting)

To determine the efficiency of forensic analysis tools, the following tools will be used for analysis:

• Autopsy

• Encase

• FTK Imager

One of the major limitations of this project is that not all anti-forensic techniques have been analyzed, due to time limitations. Also, in the case of forensic software analysis, only open source software was utilized, due to resource limitations. The project has only considered a limited number of parameters for result evaluation because the selected forensic analysis tools have different but limited functionalities [17]. Some of the software used, like Encase and Autopsy, is used for analyzing hidden processes and metadata, while FTK Imager is applicable when creating memory dumps and analyzing email trails.

Whereas we utilized open source software for analysis, the available commercial software provides better analysis and reporting capabilities. Therefore, our scope is limited to the results produced by the software used. Also, the results depend only on the evidence available in the memory dump. At times, experimental memory dumps might have limited evidence, depending on the host machine used when creating the memory dump [11].

1.7 Target group

The research focuses on analyzing the various anti-forensic software tactics used by attackers and the ability of selected software forensic tools to detect these techniques.

These objectives will be achieved by conducting a practical analysis of selected anti-forensic approaches and then rating the ability of the selected tools to detect the anti-forensic techniques. This research aims to equip digital forensic experts and software security experts with skills and knowledge on how cyber-criminals obfuscate trails from established forensic strategies. The research will also provide researchers with a detailed overview of the available anti-forensic strategies and the ability of available forensic tools to detect these techniques.

1.8 Outline

The rest of the paper is organized as follows. Chapter 2 describes the methodology used in writing the paper. Chapter 3 details the anti-forensic strategies used by attackers and Chapter 4 describes various anti-forensic tools. Chapter 5 describes the anti-forensic experiments conducted, while Chapter 6 analyses the obtained results. Chapter 7 summarizes the obtained results in the form of a discussion, while the conclusion and future work are in Chapter 8.

2 Method

This section will address the scientific method used in our research. The section further stipulates how data was gathered and analyzed. The section also discusses the verifiability and reliability of the obtained results. Finally, the section describes the ethical considerations taken into account when conducting the research.

2.1 Scientific Approach

To achieve our objectives, the scientific digital forensic methodology proposed by the Cybercrime Lab in the Computer Crime and Intellectual Property Section (CCIPS) was adopted [18]. This methodology consists of three crucial steps: extraction, identification and analysis. The digital forensic methodology is built on Locard’s Exchange Principle, which stipulates that every computer activity involves the interaction of two or more processes and must leave a trace of evidence. Figure 2.1 shows the digital forensics analysis methodology flowchart adopted by the CCIPS division of the US Department of Justice.

Figure 2.1: Digital Forensic Analysis Methodology Flowchart

Extraction: The extraction process also incorporates the preparation process. Preparation involves preparing the crime scene to ensure that all the required evidence is not tampered with. Extraction is the data gathering process where the evidence is gathered using specific scientific tools [7]. In our case, we used the FTK Imager forensic tool to extract our vulnerable memory dump. The acquired memory dump must be validated to ensure it is working properly. The acquired forensic image must also be duplicated and hashed to prevent interference and enhance verifiability.

Research hypotheses were formulated in the form of a "Searched Lead List". In digital forensics, the Searched Lead List contains the specific preliminary ideas of what the examiner is looking for. In our case, the first anti-forensic experiment involved analyzing data hiding, data obfuscation and zero-footprinting. These anti-forensic strategies guided our first "Search Lead List". The second digital forensic experiment involved using existing digital forensic tools to analyze their ability to discover the indicated anti-forensic strategies.

Identification: After creating the "Searched Lead List", the next step involved gathering the evidence. This step involved identifying the processes that proved that intruders use the above indicated anti-forensic strategies when executing their malicious activities. Every relevant piece of evidence identified was documented on the Relevant Data List. The cycle was repeated for every item on the Searched Lead List until all the relevant evidence was obtained.

Analysis: Extensive analysis was conducted after gathering the evidence. Every item on the Relevant Data List is analyzed. The data examiners seek to prove who, what, when, where and how a particular incident occurred and why it is relevant to the forensic analysis; this is also known as the 5WH. The examiner also analyzed the evidence to determine which user or application created, edited or sent a message or any other item. All the analyzed evidence was linked to one of the three main anti-forensic strategies. A timeline analysis of the gathered evidence was produced to help explain the sequence of events. All the analyzed evidence was then documented in the "Analysis Results List". The Analysis Results List contains evidence that satisfies the forensic request.

2.2 Reliability and Validity

To enhance the reliability of our experiments, the acquired forensic image was hashed after the acquisition. This hash value was confirmed during the extraction process. Also, a copy of the forensic image was created during the extraction process to ensure that, in case one copy is destroyed, the data examiner could use the forensic copy. Creating a copy of the forensic image helps in confirming the Principle of Reproducibility [19]. This is a scientific principle that stipulates that if another forensic expert conducts the same forensic analysis using similar steps, they can arrive at the same conclusion.
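The hash-then-duplicate step described above, as an added Python example that is not part of the thesis: the image is hashed right after acquisition with two digests, the working copy is re-hashed and compared against that record, and a re-check before analysis catches a single flipped byte. File names are placeholders and the image content is constructed for the demo.

```python
"""Hash verification of an acquired forensic image and its working copy.

Added example, not code from the thesis. Models the reliability step in
section 2.2: hash the image at acquisition, duplicate it, confirm the copy,
and re-check before analysis. File names are placeholders; the image content
is constructed for the demo.
"""
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass

CHUNK_SIZE = 1024 * 1024  # read in 1 MiB chunks so large images fit in memory
ALGORITHMS = ("md5", "sha256")  # two digests: matching both is a stronger check


def hash_bytes(data, algorithms=ALGORITHMS):
    """Return {algorithm: hex digest} for an in-memory byte string."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}


def hash_file(path, algorithms=ALGORITHMS):
    """Return {algorithm: hex digest} for the file at path, streamed in chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


@dataclass
class AcquisitionRecord:
    """Known-good digests taken immediately after acquisition."""
    image_path: str
    hashes: dict


def acquire(image_path):
    """Hash the original image once, right after acquisition."""
    return AcquisitionRecord(image_path, hash_file(image_path))


def duplicate_and_verify(record, copy_path):
    """Copy the image and confirm every digest of the copy matches the record.

    Returns (ok, copy_hashes); a False ok means the copy must not be used.
    """
    shutil.copyfile(record.image_path, copy_path)
    copy_hashes = hash_file(copy_path)
    ok = all(copy_hashes[name] == record.hashes[name] for name in record.hashes)
    return ok, copy_hashes


def verify_before_analysis(record, path):
    """Re-hash an image just before analysis; True only if nothing changed."""
    return hash_file(path) == record.hashes


def demo():
    """Constructed scenario: original image, a good copy, and a copy altered by one byte."""
    workdir = tempfile.mkdtemp()
    try:
        image = os.path.join(workdir, "evidence.dd")  # placeholder file name
        with open(image, "wb") as fh:
            fh.write(b"\x00" * 4096 + b"constructed sample evidence\n")
        record = acquire(image)

        copy = os.path.join(workdir, "evidence_copy.dd")
        copy_ok, _ = duplicate_and_verify(record, copy)

        # Simulate interference after verification: flip a single byte of the copy.
        with open(copy, "r+b") as fh:
            fh.seek(100)
            fh.write(b"\xff")
        tampered_detected = not verify_before_analysis(record, copy)

        original_intact = verify_before_analysis(record, image)
    finally:
        shutil.rmtree(workdir)
    return {
        "copy_verified": copy_ok,
        "tampered_detected": tampered_detected,
        "original_intact": original_intact,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {'PASS' if result else 'FAIL'}")
```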

The results were also compared to similar experiments and research to confirm their applicability. This was done by ensuring that the tools and methodologies applied are the approved industry-standard scientific tools. The digital forensic investigation process will be based on the principles of a repeatable process and quality evidence. The reliability and validity of the results will be guided by the National Institute of Standards and Technology (NIST) legal baseline for validating digital forensic tools [20]. The standards stipulate that the test can be reproduced by following a similar testing method. To validate the accuracy of the tools, the Daubert standard will be utilized [21]. The Daubert standard stipulates that a digital forensic method must have undergone empirical testing and been subjected to known peer review. Also, there should be standards to control and guide the techniques used during the investigation process. Finally, the testing method and tools must have received general acceptance across the scientific community [20]. To conduct the experiment, we have utilized testing methodologies that are generally accepted and tools that are approved by NIST.

2.3 Ethical considerations

In every digital forensic analysis, it is essential to seek the appropriate legal authority from the relevant parties. In our case, I obtained permission from the research supervisor to conduct these experiments through a research proposal. Also, digital forensic practice stipulates that since a forensic analysis might involve analyzing harmful evidence that could damage your computer, it is crucial to conduct such experiments in a controlled environment. In this case, we used VMware Workstation Pro on Windows to conduct the experiments.

Finally, since the experiment was for educational purposes, I used the freely available vulnerable virtual machine memory dumps approved for practice. Using personal machines could have amounted to an invasion of privacy.

However, we understand that the analysis and evaluation of anti-forensic strategies might bring enlightenment to attackers. As discussed by [7][22], the majority of black hat hackers are initially trained as white hat hackers. [23] describes the case of Edward Snowden, an NSA employee who turned rogue and leaked information regarding how the US government was tapping its citizens’ communications. Whereas our main focus is to educate the general public, and especially scholars and players in the digital forensic field, we cannot control who has access to this study. Therefore, we would like to caution our audience to use the knowledge gained constructively.

3 Anti-forensics Techniques

With technological advances, forensic investigators are now employing new techniques to carry out their investigations easily, effectively and conclusively. On the other hand, perpetrators of computer crimes are equally utilizing technological advances to deploy sophisticated and customized strategies to obscure forensic investigation. The techniques deployed to subvert forensic investigation are referred to as anti-forensic strategies or techniques [7]. The second stage, after securing the data source, is the identification and extraction of forensic data which may be pertinent to the investigation. The distinctive anti-forensic strategy employed at this stage is data hiding. This strategy involves the concealment of any relevant forensic data that may be used by the investigators to uncover the crime. Three techniques are commonly used in data hiding: encryption, steganography and trail obfuscation. Research shows that obfuscation and encryption are used by computer criminals to subvert the identification and collection of forensic data by investigators while retaining access for themselves [7]. This paper explores the three techniques used in data hiding.

3.1 Encryption

Encryption is commonly used to protect data from unauthorized access, and computer criminals have adopted it to hamper forensic investigation. With this strategy the presence of the data is not hidden from investigators, but it cannot be read without the extra effort of decryption. The availability of public encryption programs makes it easy for criminals to encrypt files or whole disks; built on modern encryption algorithms, these programs make the data virtually impossible to read without the decryption key. For the investigator the practical consequence is that encrypted data is unreadable, not absent: a region of high-entropy bytes with no recognizable file structure is itself an indicator worth reporting.

The two types of encryption commonly adopted by computer criminals are file-based and disk encryption. With file-based encryption, the file content is turned into ciphertext that can only be read after decryption with the right key. Disk encryption is the encryption of the whole storage partition that holds the data, so that any access to the disk requires the decryption key. Encryption tools like VeraCrypt and CipherShed support both types [24]. Under the United Kingdom's Regulation of Investigatory Powers Act of 2000, suspects can be compelled to provide access to encrypted data in their possession that might be relevant to a forensic investigation [25]. Lewis states that about 60% of cases that involve encrypted data go unprosecuted due to the inaccessibility of the data [26]. The Open Rights Group's figures agree: of nineteen cases between 2011 and 2013 that involved a refusal to provide decryption keys, three were successfully prosecuted [27]. Computer criminals might counter these types of regulations by providing access to a small portion of the data while concealing the most incriminating part, which is precisely what hidden volumes (Section 4.1) are designed to allow.
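The following is an added example, written for this page rather than taken from the thesis or from any of the cited tools, of the check an examiner runs to find data that is present but unreadable: Shannon entropy and a chi-square test of the byte histogram against a uniform distribution, applied to a whole blob and then in fixed windows so that an encrypted container embedded inside an otherwise ordinary file shows up as a high-entropy region. The sample data is constructed inside the block; the seeded random bytes stand in for ciphertext, since the output of a modern cipher is statistically indistinguishable from random bytes.

```python
import math
import random
from collections import Counter

# Constructed sample data (not taken from the thesis). A seeded PRNG stands in
# for ciphertext: the output of a modern cipher is statistically indistinguishable
# from random bytes, which is exactly the property this check relies on.
_rng = random.Random(20200601)
PLAINTEXT = (b"Quarterly report: revenue rose 12% year on year; see appendix B.\n" * 1024)[:65536]
CIPHERTEXT_LIKE = _rng.getrandbits(8 * 65536).to_bytes(65536, "big")


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant byte, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chi_square_uniform(data: bytes) -> float:
    """Chi-square statistic of the byte histogram against a uniform distribution
    (255 degrees of freedom). Encrypted or random data scores near 255; compressed
    data is usually high-entropy but still skewed, so it scores well above that."""
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def looks_encrypted(data: bytes, min_entropy: float = 7.9, max_chi: float = 400.0) -> bool:
    """Both indicators together: near-maximal entropy AND a flat byte histogram.
    Small samples are refused because the entropy estimate is biased low on them."""
    return (len(data) >= 4096
            and shannon_entropy(data) >= min_entropy
            and chi_square_uniform(data) <= max_chi)


def high_entropy_regions(data: bytes, window: int = 4096, min_entropy: float = 7.5):
    """Scan a file in fixed windows and return (start, end) byte ranges whose entropy
    is near-maximal, merging adjacent windows. This locates an encrypted container
    or blob hidden inside a file that otherwise looks ordinary."""
    regions = []
    for start in range(0, len(data), window):
        end = start + len(data[start:start + window])
        if shannon_entropy(data[start:end]) >= min_entropy:
            if regions and regions[-1][1] == start:
                regions[-1] = (regions[-1][0], end)
            else:
                regions.append((start, end))
    return regions


if __name__ == "__main__":
    mixed = PLAINTEXT[:16384] + CIPHERTEXT_LIKE[:32768] + PLAINTEXT[:16384]
    for name, blob in [("plaintext", PLAINTEXT), ("ciphertext-like", CIPHERTEXT_LIKE)]:
        print(f"{name:16s} entropy={shannon_entropy(blob):.3f} "
              f"chi2={chi_square_uniform(blob):.0f} encrypted={looks_encrypted(blob)}")
    print("high-entropy regions in mixed file:", high_entropy_regions(mixed))
```

Entropy alone does not separate encryption from compression (a zip or jpeg also scores close to 8 bits per byte); the chi-square test helps because compressed formats keep recognisable headers and a skewed histogram, and a file-signature check (Section 3.3) removes the known compressed formats before the remainder is reported as opaque.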

3.2 Steganography

Steganography is a technique that involves the concealment of information, a message, or files behind other plain information, messages, or files; for example, an unnoticeable watermark buried within a document. The first documented use of steganography is found in Herodotus' Histories, which tells of Histiaeus, who sent a message to his vassal Aristagoras by tattooing it on the shaved head of one of his servants and waiting for the hair to grow back [28].

The technique is used with images, documents, and video/audio files. It gives an offender an easy way of hiding data, but it has drawbacks. Firstly, it is comparatively simple to break once investigators detect its use; Forensic Toolkit (FTK) is an example of a readily available tool that detects steganographic payloads. Secondly, the technique only applies to a limited amount of data, since the payload must fit within the redundant bits of the cover file. Finally, concealing a file within another file can degrade the quality of the cover, which investigators may notice; in practice, detection relies on statistical tests of the cover rather than on visible distortion. For steganography to be effective it is combined with encryption of the payload, so that even a detected payload cannot be read [1]. There are different classifications of steganography; this research covers image and text steganography.

Figure 3.2: Classification of digital steganography according to host file type
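As an added example (written for this page, not code from the thesis, OpenStego or any other tool discussed later), the block below implements the simplest image technique from the classification above, least-significant-bit (LSB) embedding, together with the two points made in the text: the payload is encrypted before embedding, and an examiner can detect the embedding statistically without seeing any visible distortion. The "image" is a constructed 8-bit grayscale bytearray, the keystream is a toy SHA-256 counter-mode construction standing in for real encryption, and the key and message are made up.

```python
import hashlib

WIDTH, HEIGHT = 256, 16  # constructed 8-bit grayscale "image", stored as a flat bytearray


def make_cover() -> bytearray:
    """Constructed cover image (not from the thesis): a smooth horizontal ramp whose value
    only changes every 16 pixels, so its least-significant-bit plane is highly regular."""
    return bytearray(((x // 16) & 0xFF) for _ in range(HEIGHT) for x in range(WIDTH))


def keystream(key: bytes, n: int) -> bytes:
    """Toy SHA-256 counter-mode keystream used to whiten the payload before embedding.
    It stands in for the 'encrypt before hiding' step; use a real AEAD in practice."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


def embed(cover: bytearray, payload: bytes, key: bytes) -> bytearray:
    """Sequential LSB embedding: a 4-byte length header followed by the payload, both
    XORed with the keystream, written one bit per pixel into the least-significant bit."""
    frame = len(payload).to_bytes(4, "big") + payload
    frame = bytes(a ^ b for a, b in zip(frame, keystream(key, len(frame))))
    bits = [(byte >> i) & 1 for byte in frame for i in range(7, -1, -1)]
    if len(bits) > len(cover):
        raise ValueError("payload does not fit in the cover's LSB plane")
    stego = bytearray(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit
    return stego


def extract(stego: bytearray, key: bytes) -> bytes:
    """Reverse of embed: read the LSBs back, un-whiten, honour the length header.
    A wrong key yields a garbage length, which is rejected rather than read past the image."""
    def read(offset: int, n: int) -> bytes:
        out = bytearray()
        for j in range(n):
            byte = 0
            for i in range(8):
                byte = (byte << 1) | (stego[(offset + j) * 8 + i] & 1)
            out.append(byte)
        return bytes(out)
    ks = keystream(key, 4)
    length = int.from_bytes(bytes(a ^ b for a, b in zip(read(0, 4), ks)), "big")
    if (4 + length) * 8 > len(stego):
        raise ValueError("no valid payload for this key")
    ks = keystream(key, 4 + length)[4:]
    return bytes(a ^ b for a, b in zip(read(4, length), ks))


def lsb_transition_rate(pixels: bytearray) -> float:
    """Fraction of adjacent pixel pairs whose least-significant bits differ. A smooth
    cover has long LSB runs (low rate); embedded ciphertext bits look random (about 0.5)."""
    if len(pixels) < 2:
        return 0.0
    flips = sum((pixels[i] ^ pixels[i + 1]) & 1 for i in range(len(pixels) - 1))
    return flips / (len(pixels) - 1)


def suspicious_blocks(pixels: bytearray, block: int = 256, threshold: float = 0.25):
    """Detection check an examiner can run: indices of blocks whose LSB plane is too random
    for the surrounding image. Sequential embedding shows up as a run of flagged blocks."""
    return [i for i in range(len(pixels) // block)
            if lsb_transition_rate(pixels[i * block:(i + 1) * block]) > threshold]


if __name__ == "__main__":
    key = b"demo-key-not-for-real-use"
    cover = make_cover()
    stego = embed(cover, b"Transfer the funds at 02:00 and wipe the second laptop.", key)
    print("recovered:", extract(stego, key))
    print("pixels changed by at most 1:", all(abs(a - b) <= 1 for a, b in zip(cover, stego)))
    print("suspicious blocks, cover:", suspicious_blocks(cover), "stego:", suspicious_blocks(stego))
```

No pixel changes by more than one grey level, which is why the embedding is invisible, yet the flagged blocks locate it exactly. Real photographs have a noisier LSB plane than this synthetic ramp, so practical steganalysis uses statistical tests of the same idea (chi-square on pairs of values, RS analysis) calibrated against the image, but the principle is the one shown here: the examiner looks at the statistics of the cover, not at the picture.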

3.3 Trail obfuscation

Trail obfuscation is the deployment of various tools and steps that muddy the trail of a computer crime [7]. The objective of this technique is to mislead or divert the investigator's line of investigation away from the offender's tracks; for example, by changing files' timestamps so that investigators look in the wrong time frame. Timestomp and Transmogrify, from the Metasploit Anti-Forensics Project, are two effective programs used in trail obfuscation. Timestomp allows a user to manipulate a file's timestamp attributes: its access, creation, and modification times [29]. With such tools, an offender can undermine the evidential value of a file in a legal setting. With Transmogrify, an offender can manipulate a file's header information to disguise its type; for example, making an image pass as a .doc file, so that an investigator scanning for images will skip the manipulated file. Note that merely renaming a file's extension is caught by signature-based file identification, which compares the first bytes of the file (its magic bytes) with its extension; Transmogrify rewrites the header itself, which defeats that check and leaves deeper parsing or entropy analysis as the investigator's remaining options.
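The following added example (written for this page; it is not code from Transmogrify, the Metasploit project or any tool the thesis evaluates) implements the signature check just described and shows both of its outcomes: a JPEG renamed to .doc is flagged as an extension/content mismatch, while a file whose header has been overwritten with a genuine OLE2 signature passes, which is exactly the gap Transmogrify exploits. The signature table and the sample headers are constructed for the example; a production table would be far longer and would also check signatures at non-zero offsets.

```python
import os

# Signature table: (type name, magic bytes at offset 0, extensions that legitimately carry it).
# Constructed for this example; a production table is far longer and also checks offsets > 0.
SIGNATURES = [
    ("JPEG image", b"\xff\xd8\xff", {".jpg", ".jpeg"}),
    ("PNG image", b"\x89PNG\r\n\x1a\n", {".png"}),
    ("GIF image", b"GIF8", {".gif"}),
    ("PDF document", b"%PDF-", {".pdf"}),
    ("ZIP container", b"PK\x03\x04", {".zip", ".docx", ".xlsx", ".pptx", ".jar", ".apk"}),
    ("OLE2 compound document", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", {".doc", ".xls", ".ppt", ".msg"}),
    ("Windows PE executable", b"MZ", {".exe", ".dll", ".sys", ".scr"}),
    ("ELF executable", b"\x7fELF", {".so", ".elf"}),
    ("7-Zip archive", b"7z\xbc\xaf\x27\x1c", {".7z"}),
    ("gzip data", b"\x1f\x8b", {".gz", ".tgz"}),
]


def identify(header: bytes):
    """Return (type name, allowed extensions) for the first matching signature, else None."""
    for name, magic, exts in SIGNATURES:
        if header[:len(magic)] == magic:
            return name, exts
    return None


def check(filename: str, header: bytes) -> dict:
    """Compare the claimed extension with the content signature. 'unknown' means no
    signature matched: plain text, an unlisted format, or encrypted/wiped content."""
    ext = os.path.splitext(filename)[1].lower()
    hit = identify(header)
    if hit is None:
        return {"file": filename, "detected": None, "extension": ext, "verdict": "unknown"}
    name, exts = hit
    return {"file": filename, "detected": name, "extension": ext,
            "verdict": "match" if ext in exts else "mismatch"}


def scan(files) -> list:
    """files: iterable of (filename, first bytes). Returns the mismatches an examiner should open."""
    return [r for r in (check(n, h) for n, h in files) if r["verdict"] == "mismatch"]


# Constructed headers (only the first bytes matter for this check).
JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8
SAMPLE_FILES = [
    ("holiday.doc", JPEG),                 # JPEG renamed to .doc: the case described above
    ("report.docx", b"PK\x03\x04" + b"\x00" * 12),
    ("notes.txt", b"meeting moved to Friday\n"),
    ("holiday2.doc", OLE2 + JPEG[8:]),     # header overwritten Transmogrify-style: passes this check
]

if __name__ == "__main__":
    for name, header in SAMPLE_FILES:
        print(check(name, header))
    print("to examine:", [r["file"] for r in scan(SAMPLE_FILES)])
```

Because a rewritten header survives this check, a mismatch scan is only the first filter: files that "match" but fail to parse as the claimed type (an OLE2 file with no sector table, a JPEG with no Huffman tables) are the next set to examine, and the entropy scan from Section 3.1 catches the case where the content behind the forged header is encrypted.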

Perklin [30] opines that trail obfuscation can disrupt a forensic investigation for about 15 hours. He describes various trail obfuscation techniques; file nesting, for example, involves the creation of a directory path loop that returns a recursion error when followed.

3.4 Tunneling

Tunneling uses encapsulation to relay private communications over public networks, so that the data flows on public networks where it looks less suspicious. Virtual Private Networks (VPNs), which also encrypt the tunneled data, are one such strategy and are widely used by attackers. Tunneling makes it difficult for forensic experts to determine the true network traffic [7]; the encryption of the tunnel also prevents analysis of the data packets, so the messages sent cannot be determined. Routing through intermediate hosts further increases the time forensic experts need to analyze network traffic.

3.5 Onion Routing

Onion routing was originally developed at the U.S. Naval Research Laboratory. It involves sending messages that are encrypted in layers. Each layer is encrypted for one onion router on the path and carries a header naming the next onion router's address [31]; a router decrypts only its own layer, learns the next hop, and forwards the remainder, so no single router sees both the source and the destination. The layered encryption ensures that the message reaches its destination anonymously. Forensic experts attempting to trace such traffic must reconstruct the path hop by hop (reverse routing), which is very time consuming; with limited resources, crucial evidence can be missed where reverse routing is not possible.
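The exchange described above, as an added example that is not part of the thesis and is not Tor's or any real onion router's code: a client wraps a message in one authenticated layer per relay, and the simulation records what each relay can see. Keys are pre-shared constants here (real onion routing negotiates a key per circuit, which is omitted), the layer cipher is a toy SHA-256 counter-mode stream with an HMAC tag standing in for a real AEAD, and the relay names, destination and message are made up.

```python
import hashlib
import hmac
import json
import os


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy counter-mode keystream from SHA-256 (demo only; use a real AEAD in practice)."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one layer: nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_layer(key: bytes, blob: bytes) -> bytes:
    """Verify and strip one layer; raises ValueError if the key is wrong or the blob was modified."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("layer authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def build_onion(route, destination: str, message: bytes) -> bytes:
    """route: list of (relay name, relay key) from entry to exit. Built from the exit inward:
    each layer tells one relay only the next hop and hands it an opaque inner blob; only the
    exit relay's layer names the real destination and carries the message."""
    inner = message
    next_hop = destination
    for name, key in reversed(route):
        layer = json.dumps({"next": next_hop, "inner": inner.hex()}).encode()
        inner = seal(key, layer)
        next_hop = name
    return inner


def peel(key: bytes, blob: bytes):
    """What a single relay does: decrypt its own layer and forward the rest unchanged."""
    layer = json.loads(open_layer(key, blob))
    return layer["next"], bytes.fromhex(layer["inner"])


def traverse(route, onion: bytes):
    """Simulate forwarding through every relay; return each relay's view and the delivered message."""
    views = []
    prev, blob = "client", onion
    for name, key in route:
        nxt, blob = peel(key, blob)
        views.append({"relay": name, "from": prev, "to": nxt})
        prev = name
    return views, blob


# Constructed circuit: three relays with pre-shared keys (the per-circuit key exchange
# that real onion routing performs is omitted here).
ROUTE = [("R1", b"key-of-relay-1"), ("R2", b"key-of-relay-2"), ("R3", b"key-of-relay-3")]

if __name__ == "__main__":
    onion = build_onion(ROUTE, "dropsite.example", b"upload complete")
    views, delivered = traverse(ROUTE, onion)
    for v in views:
        print(v)
    print("delivered to destination:", delivered)
```

The relay views are the whole point for the investigator: R1 knows the client and R2, R3 knows R2 and the destination, and nobody but R3 sees the plaintext, so "reverse routing" means obtaining records from every relay on the path in turn, and a single uncooperative relay breaks the chain.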

Figure 3.3: Onion routing

3.6 Spoofing

Spoofing involves disguising a communication so as to gain access to a system without the appropriate privileges, or to hide the communication's true origin. IP spoofing occurs when an attacker forges the source IP address of packets, using one or several addresses to conceal the actual address from which the malicious activity is executed. Attackers mostly employ IP spoofing when executing a Distributed Denial of Service (DDoS) attack. Another type of spoofing used by attackers is Media Access Control (MAC) address spoofing, where an attacker uses software to override the hard-coded address of their Network Interface Card (NIC). Spoofing makes it difficult for forensic experts to identify the actual attacker during an investigation.

3.7 Changing Metadata

Metadata refers to data that provides information about other data; alternatively, metadata can be defined as "data about data" [32]. Every file has a set of metadata associated with it, for example its title. Because of its descriptive nature, metadata is essential in understanding more about a file. Further examples of a file's metadata include its type, size, author, and creation/modification dates. Whenever a file's information is added to or modified, the record of that change becomes part of the file's metadata.

The creation of metadata can either be manual or automatic; manual creation involves the entry of metadata elements by a user, whereas automatic creation is an automated entry by software. Manual metadata can be richer, since a user can enter any data they deem relevant, but for the same reason it is also the easiest to falsify. Automated metadata is commonly limited to a few elements, such as a file's size and its Modified, Accessed, Created (MAC) times.

Figure 3.4 shows some metadata of an image file named “Metadata”. The metadata is Windows-generated.

Figure 3.4: File metadata

From the figure above, a file's MAC times are among the essential elements captured; therefore, it is possible to create a timeline of a user's activities on a specific file. Generally, there are three types of metadata: descriptive, administrative, and structural. Descriptive metadata is the information that describes a file; for example, a file's title, size, and publication/creation date. Administrative metadata provides technical information about an asset and generally describes intellectual property and usage rights; for example, an asset's author. Structural metadata describes how a digital asset is organized; for example, a digital book's structural metadata will indicate how pages are organized into chapters [32].


3.8 Wiping techniques/standards

Various techniques are used to wipe data; for example, the NSA/CSS 2017 policy manual [33] contains good guidelines on how to destroy data stored in different storage devices [8]. The manual recommends an automatic degausser for data stored in hard drives; the degausser works by destroying the magnetic domains on the drive's internal platters, which also leaves the drive unusable. For software-based wiping, two factors matter: the overwrite pattern the wiping software uses, and whether the storage device actually overwrites data in place. Magnetic hard drives do; solid-state drives remap writes through wear levelling, so overwriting from software does not reliably reach every cell, and the device's own secure-erase command should be used instead.

Data sanitization is the standard practice of safely, securely and permanently erasing data from storage devices so that the erased data cannot be recovered. Specific data wiping software adheres to sanitization standards; examples include Eraser, KillDisk, DBAN, HDDErase, MHDD and Disk Wipe [34].

Generally, some data wiping standards have proven to be very effective, and are commonly used and researched by practitioners in the forensic field; these include the following [35, 36]:

• DoD 5220.22-M: developed and maintained under the US National Industrial Security Program, it works by overwriting the data stored on a storage device. It exists in two main forms, a three-pass and a seven-pass series of steps. The three-pass form writes a zero and verifies the write; writes a one and verifies the write; then writes a random character and verifies the write.

• NCSC-TG-025: developed and supported by the US National Security Agency. The standard works and is implemented just like DoD 5220.22-M, but offers more overwrites.

• AFSSI-5020: developed and managed by the United States Air Force. It also works like DoD 5220.22-M and NCSC-TG-025, with a slight variation: there is only one general verification of all the overwrites, performed at the end.

• AR 380-19: developed and supported by the US Army. Unlike the previous standards, its process is: write a random character, write a typical character's complement, write a specified character, then verify the writes.

• NAVSO P-5239-26: developed and supported by the US Navy. It is implemented like AR 380-19, but its overwrites run from a specified character, to the typical character's complement, to a random character.

• Gutmann 35-pass: developed by Peter Gutmann. As the name suggests, the method involves 35 overwrite passes of specific and random patterns, each verified. With the evolution of storage device technology this technique is considered obsolete for modern drives, where a few passes of random data achieve the same result.

• Schneier method: developed by Bruce Schneier, this technique is implemented in 7 passes; the first two write ones and zeros respectively, and the last five write random characters.
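The pass schedules above are easy to confuse with the tools that implement them, so the following added example (written for this page; it is not the code of Eraser, DBAN or any other tool the thesis discusses) implements the two schedules the list describes most precisely, the DoD 5220.22-M three-pass and the Schneier seven-pass, as data driven overwrite-and-verify over a real file, with DoD-style verification after every pass or a single verification at the end in the AFSSI-5020 style. Random passes are regenerated from a per-pass seed so they can be verified without holding the data in memory. The secret written to the temporary file is constructed for the example.

```python
import os
import random
import tempfile

# Pass schedules as described above. Each pass is "zero", "one" or "random".
STANDARDS = {
    "DoD 5220.22-M (3-pass)": ["zero", "one", "random"],
    "Schneier (7-pass)": ["one", "zero", "random", "random", "random", "random", "random"],
}

SECRET = b"ACCOUNT 4521-0099 PIN 7788\n"  # constructed content for the demonstration file


def _pattern(kind: str, n: int, rng: random.Random) -> bytes:
    if kind == "zero":
        return b"\x00" * n
    if kind == "one":
        return b"\xff" * n
    if kind == "random":
        return rng.getrandbits(8 * n).to_bytes(n, "big")
    raise ValueError(f"unknown pass kind {kind!r}")


def wipe_file(path: str, passes, verify_each: bool = True, chunk: int = 65536) -> dict:
    """Overwrite every byte of the file once per pass, syncing to disk after each pass, and
    verify by re-reading. verify_each=True checks after every pass (DoD style); False performs
    one verification at the end (AFSSI-5020 style). The overwritten file is left in place so
    the caller can inspect it; unlink it afterwards."""
    size = os.path.getsize(path)
    report = {"size": size, "passes": 0, "verified": True}
    seeds = [random.SystemRandom().getrandbits(64) for _ in passes]

    def write_pass(i: int) -> None:
        rng = random.Random(seeds[i])
        with open(path, "r+b") as f:
            for off in range(0, size, chunk):
                f.write(_pattern(passes[i], min(chunk, size - off), rng))
            f.flush()
            os.fsync(f.fileno())

    def verify_pass(i: int) -> bool:
        rng = random.Random(seeds[i])  # same seed, same chunking: regenerates the same bytes
        with open(path, "rb") as f:
            for off in range(0, size, chunk):
                n = min(chunk, size - off)
                if f.read(n) != _pattern(passes[i], n, rng):
                    return False
        return True

    for i in range(len(passes)):
        write_pass(i)
        report["passes"] += 1
        if verify_each and not verify_pass(i):
            report["verified"] = False
    if not verify_each and not verify_pass(len(passes) - 1):
        report["verified"] = False
    return report


def demo_wipe(standard: str = "DoD 5220.22-M (3-pass)", verify_each: bool = True) -> dict:
    """Create a temporary file holding the constructed secret, wipe it with the named schedule,
    and report whether the secret can still be found in the file afterwards."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        with open(path, "wb") as f:
            f.write(SECRET * 4000)
        report = wipe_file(path, STANDARDS[standard], verify_each=verify_each)
        with open(path, "rb") as f:
            report["secret_recoverable"] = SECRET in f.read()
    finally:
        os.remove(path)
    return report


if __name__ == "__main__":
    for name in STANDARDS:
        print(name, demo_wipe(name, verify_each=(name.startswith("DoD"))))
```

Two caveats a practitioner attaches to any such tool: overwriting the file's current extent does not reach earlier copies of the content (journal entries, shadow copies, slack from a previous, larger version, or a compressed or sparse NTFS file whose allocation changed), and on a solid-state drive the overwrite may land in fresh flash pages while the old pages wait for garbage collection, so the device's own secure erase is the only reliable option there.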


4 Anti-forensics Tools

Anti-forensic tools can be classified by purpose into disk encryption, file encryption, data encryption, steganography, e-mail and network transport tools, together with the data wiping and metadata manipulation tools covered later in this chapter. The following are some common examples.

4.1 VeraCrypt

VeraCrypt, a successor to TrueCrypt, is free and works on all major operating systems: Windows, Linux and macOS. The tool supports a variety of encryption algorithms, including the Advanced Encryption Standard (AES), Serpent and Twofish, AES being the most widely used. In addition, VeraCrypt provides for the creation of hidden encrypted volumes within other encrypted volumes, which gives the owner plausible deniability: the outer volume's password can be surrendered while the existence of the hidden volume cannot be proven from the disk contents. VeraCrypt is open-source software, with its code open for review and study, and is under continuous development, with releases audited and tested to improve its effectiveness [24].

Figure 4.5: VeraCrypt

4.2 AxCrypt

AxCrypt is a file encryption tool for Windows. Despite being simple and easy to use, the tool is quite effective. It integrates with Windows Explorer, so a user can right-click a file and choose encrypt from the context menu. Among AxCrypt's features is what is referred to as "timed encryption": with this premium feature, a user can encrypt a file for a specified period of time, after which it decrypts automatically, or set a file in transit to decrypt automatically once it reaches the intended recipient. A file encrypted by AxCrypt can be decrypted when needed, or while in use, and re-encrypts itself after the user closes it. In addition, AxCrypt allows the selection and joint encryption of multiple files. Among its advantages: it supports both 128- and 256-bit AES encryption, offers protection against brute-force attacks, and is remarkably small (less than 1 MB). A premium subscription allows users to save their passwords in the cloud [37].

4.3 BitLocker

BitLocker is a full-disk encryption tool incorporated into Microsoft Windows from Windows Vista to Windows 10, and into Windows Server 2008 and later. It protects data by encrypting the whole storage volume. By default, BitLocker uses AES. While it primarily encrypts a whole disk, it can also encrypt individual partitions or virtual drives. The authentication modes the tool supports include a password or PIN, a USB startup key, and the Trusted Platform Module (TPM), a hardware chip that holds the volume key and releases it only if the boot configuration it measures matches the one present when the key was sealed. In TPM-only mode the volume therefore unlocks automatically at boot, so a seized machine that is powered on, or booted to the logon screen, has already released the key; for the investigator this makes acquisition of the running system far more valuable than an image of the powered-off disk. The incorporation of BitLocker into Windows, and its availability at no extra cost, makes it viable for many users [38]. Figure 4.6 shows a Windows hard disk being encrypted using BitLocker.

Figure 4.6: Bitlocker

4.4 Gnu Privacy Guard

GNU Privacy Guard (GnuPG) is a free, open-source implementation of the OpenPGP standard that originated with Pretty Good Privacy (PGP). It is a versatile encryption tool for e-mail and for individual files. GnuPG supports a variety of encryption mechanisms, among them asymmetric encryption, where users create and deploy a key pair (private and public), and symmetric encryption (for example, AES) for data protected by a passphrase; in an OpenPGP message the two are combined, with a random session key encrypting the data and the recipient's public key encrypting the session key. The tool runs on Windows, Linux and macOS [39]. Figure 4.7 shows a list of public keys managed in Kleopatra, a graphical front-end for GnuPG.


Figure 4.7: Kleopatra GUI for GnuPG

4.5 7-Zip

7-Zip is an open-source file archiver used to compress files for easier storage, and is well known to Windows users. Apart from compression, 7-Zip also offers encryption of archives. It supports 256-bit AES; and while it is officially available only for Windows, ports exist for Linux and macOS. The tool is free to use, including commercially, and its source code is generally under the GNU LGPL license. Archives encrypted with 7-Zip are easily transferable and can be packaged as self-extracting (SFX) executables that prompt the recipient for the password. The archive format matters forensically: in the 7z format the file names can be encrypted along with the contents, whereas an AES-encrypted ZIP archive reveals its file names, sizes and timestamps in clear. In Windows, the tool can be operated through a GUI or the command line. Through the GUI, a user right-clicks on a file and selects "7-Zip" from the context menu, as shown in Figure 4.8 [40].


Figure 4.8: 7-Zip

4.6 Eraser Software

With the increased sophistication of encryption technologies, attackers targeting sensitive data extend their attempts to residual data on magnetic storage and solid-state memory. Sanitizing, or destruction of remanent data, aims to destroy sensitive information by degaussing or overwriting, for institutional integrity and privacy protection. One of the most effective open-source wiping tools used to eradicate unwanted or sensitive data from a storage device such as a hard disk is Eraser. The program supports the Windows family of operating systems, including their service packs, namely Windows Server 2003, 2008, 2012 and 2016, and Windows 7, 8 and 10.

In ordinary circumstances, when a user deletes a file on a Windows-based device, they assume it is gone. It is not: deletion only removes the file system's reference to the file, and the file's data remains intact on disk until it is overwritten. Undelete utilities and recovery tools such as EaseUS recover data of exactly this kind. It has been claimed that even overwritten data can be retrieved with a magnetic field scanner on the disk platter surface [41]; this has not been demonstrated against modern high-density drives, and current sanitization guidance (NIST SP 800-88) treats a single overwrite pass as sufficient for magnetic media, while noting that overwriting does not reliably sanitize solid-state drives at all.

4.7 Free Wipe Wizard

Another effective tool that securely wipes sensitive data is Free Wipe Wizard. The procedure overwrites the file patterns so that recovery of the data is not possible after the wizard has been run on the disk media. Built on open-source cryptographic code, the freeware is distributed under the GNU General Public License. The application is compatible with several file systems including NTFS (versions 4 and 5), FAT12/16/32 and VFAT, and runs on Windows-based operating systems such as Windows Server 2003, 2008, 2012 and 2016 and Windows 7, 8 and 10. The program supports all disk media including hard disk drives, memory sticks, and many others [42].


4.8 Invisible Secret 4

Data encryption aims at securing sensitive data from unauthorized access, and Invisible Secrets 4 goes beyond that: it encrypts files and hides them from the normal Windows directory structure using steganography, embedding the data in pictures so that nobody suspects anything [43]. The software has other features such as a file shredder, a password manager and a program locker, and uses established encryption algorithms to protect user data.

Data breaches during storage or transfer over the internet are avoided through encryption, and confidential information is hidden in a location where prying eyes do not notice it. Besides its encryption capabilities, the application includes a password manager and a password generator that creates a fresh password for each use so that no password is repeated, and an e-mail encryption feature for data sent over the internet.

4.9 ManyTools

Manytools is an online repository of small web-based utilities for networking, CSS3, finance, hacking, imaging, browsers and social media, among others. The portal is a discontinued open-source project whose developers, until 2017, integrated tools aimed at automating repetitive tasks. For instance, its steganography tools enable one to encode text into images for onward transmission. The password generator creates up to 9999 passwords at a time, for use in wireless networks, and can output them hashed with bcrypt/Blowfish. Conversion of text and images to ASCII and ANSI art is also offered, although such encoding is not encryption and provides no confidentiality. Another offering is the online generation of printable, scannable barcodes in PNG and SVG formats for documents [44]. The resource is private and for non-commercial use, and its website appears to have been last updated in September 2017.

4.10 Timestomp GUI

A timestamp describes a point in time; on Unix systems it is a count of seconds (and fractions of a second) since the Unix epoch [45]. Timestamps in computer files record the exact time a particular file was created, modified or accessed; digital equipment like cameras and scanners also timestamp their output. Timestamps are kept in UTC so that records from different sources can be compared and events logged in order.

Computers store timestamps in their file system metadata; the format is specific to each operating system, but notably includes the last access time, last modification time and last status change time. File archivers and software tools likewise use timestamps to record when a file was accessed at different locations or on different devices. Timestomp GUI permits the manipulation of NTFS file timestamps: it can modify or blank the Modified (M), Accessed (A), Created (C) and Entry Modified (E) timestamps, the so-called MACE times [46]. Investigators counter this by comparing the $STANDARD_INFORMATION timestamps, which such tools alter, with the $FILE_NAME timestamps in the Master File Table, which they generally cannot, and by looking for timestamps whose sub-second part is exactly zero, a tell-tale sign of a value typed in by a user.
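The following added example (written for this page; it is not Timestomp's code and does not touch NTFS structures) reproduces what a timestomping tool does from user land on a POSIX system, setting a file's access and modification times to an arbitrary instant, and then applies the two indicators described above that survive it: the status-change time, which no user-land API can set and which therefore jumps to "now", and a modification time whose sub-second part is exactly zero. It also builds the per-file timeline that Section 3.7 mentions. The evidence file and the 2010 backdate are constructed for the example; the $STANDARD_INFORMATION versus $FILE_NAME comparison on NTFS is the analogue of the ctime check shown here.

```python
import os
import tempfile
import time
from datetime import datetime, timezone


def timeline(path: str) -> list:
    """The three POSIX timestamps of a file as (time, event) pairs, oldest first."""
    st = os.stat(path)
    events = [(st.st_atime, "accessed"), (st.st_mtime, "modified"), (st.st_ctime, "status changed")]
    return sorted(events)


def timestomp(path: str, when: datetime) -> None:
    """What a timestomping tool does from user land: set atime and mtime to an arbitrary
    instant. POSIX offers no API to set ctime, so it silently becomes 'now' (on NTFS the
    analogue is that $STANDARD_INFORMATION is rewritten while $FILE_NAME is not)."""
    t = when.timestamp()
    os.utime(path, (t, t))


def stomp_indicators(path: str, max_backdate: float = 86400.0) -> list:
    """Heuristics an examiner applies to a single file. Each string is one indicator found.
    Assumes Linux/macOS semantics for st_ctime (on Windows that field is the creation time)."""
    st = os.stat(path)
    found = []
    if st.st_ctime - st.st_mtime > max_backdate:
        found.append("mtime is far older than ctime (content 'modified' long before metadata last changed)")
    if st.st_mtime_ns % 1_000_000_000 == 0:
        found.append("mtime has a zero sub-second part (typical of a hand-entered value)")
    if st.st_mtime > time.time() + 60:
        found.append("mtime lies in the future")
    return found


def demo() -> dict:
    """Create a fresh file, record it, backdate it to 2010-01-01, record it again.
    Returns both observations so they can be compared."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        with open(path, "wb") as f:
            f.write(b"constructed evidence file\n")
        before = {"timeline": timeline(path), "indicators": stomp_indicators(path)}
        timestomp(path, datetime(2010, 1, 1, 0, 0, 0, tzinfo=timezone.utc))
        after = {"timeline": timeline(path), "indicators": stomp_indicators(path)}
    finally:
        os.remove(path)
    return {"before": before, "after": after}


if __name__ == "__main__":
    result = demo()
    for stage in ("before", "after"):
        print(stage)
        for t, event in result[stage]["timeline"]:
            print(f"  {datetime.fromtimestamp(t, timezone.utc).isoformat()}  {event}")
        print("  indicators:", result[stage]["indicators"] or "none")
```

The zero sub-second indicator is only a hint (file systems with one-second resolution produce it for every file, and a careful adversary copies nanoseconds from a neighbouring file), which is why the check that carries evidential weight is the one the tool cannot touch: ctime here, $FILE_NAME on NTFS.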


4.11 Attribute Manager

Within a Windows environment, Attribute Manager is an application that easily enables the user to change the characteristics governing access to files and folders. The settings that Attribute Manager modifies include the Read-Only, Hidden, Archive and System attributes. Other attributes that one can modify include the dates of file or folder creation, last access and last modification [47]. The program can work with an unlimited number of files and folders, and offers multilingual support in a user-friendly interface.

The directory structure of the computer system records many attributes that enable easy storage and retrieval of information. For instance, the dates a file was created and modified form an important part of a time-dependent view of the file structure. The range of file attributes is wide and each behaves differently when applied. Apart from the common attributes mentioned above, less commonly used attributes include Indexed, Compressed, Encrypted, Temporary, Offline and Sparse file, among others.

4.12 Bulk Extension Changer

The Bulk Extension Changer is a tool used to change file extensions in bulk. With just a few clicks, the tool changes the extension of many files at once. It is open-source and free to use [48]. Figure 4.9 shows .jpg extensions being replaced by .pdf. Because only the extension changes and the file content does not, signature-based file identification still recognizes the files as JPEG images.

Figure 4.9: Bulk Extension Changer

4.13 OpenStego and StegHide

OpenStego is a common steganographic application used to hide data within a cover file (for example, an image). In addition, the application can watermark files with invisible textual data. Different steganographic tools operate differently due to the varying embedding and, where used, encryption techniques. Figure 4.10 shows OpenStego in use.


Figure 4.10: Open Stego

4.14 Attribute Changer9

Attribute Changer 9 is a free Windows Explorer add-on used to alter the attributes, or rather properties, of a file or folder; especially a file's created, modified and accessed times. Figure 4.11 shows the MAC attributes of a file being modified using Attribute Changer 9.

Figure 4.11: Attribute Changer

4.15 Disk Wipe

Disk Wipe [49] is a portable Windows application for the permanent deletion of data stored in a volume. Normal disk formatting leaves the possibility of recovering the erased data, but with this tool one can overwrite data so that recovery by software means is not possible. Its thoroughness depends on which erasing pattern is selected; the patterns range from a single pass up to the 35-pass Gutmann scheme. Figure 4.12 shows the different erasing patterns Disk Wipe offers.


Figure 4.12: Disk Wipe available erasing patterns
