Hacking Exposed


by Aaron Philipp


  File Extension Renaming

  Of all the types of obscurity methods encountered today, the most common and easiest to detect is file extension renaming. This can entail either renaming the entire filename or only the file extension to obscure which program can access it. Although you can now detect file renaming using a variety of automated techniques, you should be aware of its impact on your investigation, especially if you do not have time to run these tools (though you should do so in any investigation). If you are conducting an investigation and are asked to review documents of only a certain type, renamed files could cause you to overlook evidence contained in them.

  File Signaturing

  File signaturing allows you to determine what application has been used to create a file without regard to the file extension or filename. File signaturing compares some unique aspect of the file, typically the file’s header and footer, to a database of signatures that relate to an extension. A signature in this case means a unique portion of data that exists in a certain file type that indicates which program can access it. For instance, a GIF image file always contains GIF8 in the file header. Several tools can be used to determine a file’s signature for you, and some of them are built into forensic tools.

  Renaming a filename or extension does not modify its contents, so file renaming or signaturing would not prevent a search from finding relevant data.

  File Command

  The UNIX file command returns the type of a file according to its database of signatures. The database that file uses is called magic and on Linux is typically found under /usr/share. The most appealing feature of file is that the database is a plaintext file with standard delimiters. This allows the investigator to create and customize file signatures for investigations; thus, the database grows as the investigator's cases do. To execute file, use the following:

  # file top.jpg

  top.jpg: JPEG image data, JFIF standard 1.02, aspect ratio, 100 x 100

  As you can see, running the file command on a JPEG image file returned information that not only tells you that the file is an image, but also provides the aspect ratio and the size of the image in pixels. Here, for example, we rename the file to nothing.here and rerun the file command, and the following occurs:

  # mv top.jpg nothing.here

  # file nothing.here

  nothing.here: JPEG image data, JFIF standard 1.02, aspect ratio, 100 x 100

  The name of the file had no bearing on the file command’s ability to detect its true type. The file command is also available for Windows as part of the Cygwin package, which is found at www.cygwin.com.
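  The following is an added example, not code from the book or from the file utility: a small Python signature checker that does for a handful of types what file does, identifying a file from its leading bytes and flagging a name whose extension disagrees with the content. The signature table is a constructed subset, and the sample files are constructed byte strings (the JPEG "image" is only a header plus filler).

```python
import os

# Added example: a minimal file-signature checker. The table below is a small
# constructed subset of well-known magic values; a real database (such as the
# "magic" file used by the UNIX file command) is far larger.
# Entries: (offset, magic bytes, type label, extensions normally used for the type)
SIGNATURES = [
    (0, b"\xff\xd8\xff", "JPEG image data", {".jpg", ".jpeg"}),
    (0, b"GIF87a", "GIF image data", {".gif"}),
    (0, b"GIF89a", "GIF image data", {".gif"}),
    (0, b"\x89PNG\r\n\x1a\n", "PNG image data", {".png"}),
    (0, b"%PDF-", "PDF document", {".pdf"}),
    (0, b"PK\x03\x04", "Zip archive data", {".zip", ".docx", ".xlsx", ".pptx", ".jar"}),
    (0, b"MZ", "MS-DOS/PE executable", {".exe", ".dll", ".sys"}),
    (0, b"\x1f\x8b", "gzip compressed data", {".gz", ".tgz"}),
]


def identify(data: bytes):
    """Return (type label, expected extensions) for the first matching signature, else None."""
    for offset, magic, label, exts in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return label, exts
    return None


def check_file(name: str, data: bytes) -> dict:
    """Compare the name's extension against what the content's signature says it is."""
    ext = os.path.splitext(name)[1].lower()
    match = identify(data)
    if match is None:
        # No known signature is not by itself suspicious: plain text has none.
        return {"name": name, "type": "unknown", "mismatch": False}
    label, exts = match
    return {"name": name, "type": label, "mismatch": ext not in exts}


def find_renamed(files: dict) -> list:
    """Return the names whose extension does not match their content signature."""
    return [name for name, data in files.items() if check_file(name, data)["mismatch"]]


# Constructed sample "image": a JPEG/JFIF header followed by filler, stored
# under several names, plus a plain-text file that has no signature at all.
JPEG_HEADER = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x02" + b"\x00" * 32
SAMPLE_FILES = {
    "top.jpg": JPEG_HEADER,        # extension agrees with content
    "nothing.here": JPEG_HEADER,   # renamed, as in the file example above
    "budget.xls": JPEG_HEADER,     # extension claims a spreadsheet
    "readme.txt": b"just some text\n",
}

if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        r = check_file(name, data)
        print(f"{name}: {r['type']}" + ("  <-- extension mismatch" if r["mismatch"] else ""))
```

Only the first bytes at the recorded offset are compared, which is exactly why renaming the file changes nothing: the header travels with the content, not with the name.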

  EnCase

  EnCase can detect file types and carry out file signature analysis to detect modified file types. After you load an image into EnCase, you can choose to validate the signatures on all of the files in the image when searching. To do so, click the search icon to open the Search dialog box, and then choose Verify File Signatures, as shown in Figure 9-1.

  Figure 9-1 Choosing Verify File Signatures in EnCase

  After the search is completed, the Signature column in the EnCase interface will be updated, as shown in Figure 9-2. If a file did not match its signature, this column would either read that it was mismatched or display the actual name of the file type, as shown in Figure 9-3.

  Encoding Methods

  Encoding means that a file's contents are changed in some way that can be easily reversed. Many times, a simple encoding mechanism called ROT13 is used. (ROT means rotational and 13 means the characters are rotated 13 times.) If someone were to run ROT13, the algorithm would take each character provided and replace it with the character 13 values in front of it. So, for example, an A would be replaced with an N. (B starts the count as element 1.) However, if you were to perform a search across encoded data, the search would not find the relevant data, because the search tool does not decode ROT13 unless instructed to do so.

  Figure 9-2 Viewing signatures in EnCase

  Figure 9-3 Viewing invalid signatures in EnCase

  Detecting Encoding

  To detect that some kind of encoding has been used, such as ROT13, you would need to rely on file signaturing if the original extension remained on the filename. However, ROT13 and similar algorithms do not leave behind any standard signature, and no simple tool exists to detect its presence automatically. This doesn't mean, however, that detecting encoding cannot be accomplished. If you run a statistical analysis of the data and compare its letter distribution against the distribution of the English language, the distribution should be shown to be uniformly off by 13 places. ROT13 is especially popular for obscuring data contained in Windows registry keys.

  You can find ROT13 decoders by searching for them on the Internet.

  We have found that if backslashes (\), colons (:), or any other nonalphabetic characters appear in a file, a ROT13 decoder can help sort it out. ROT13 rotates and replaces alphabetic characters only; spaces, slashes, colons, and any other nonalphabetic symbols remain as is in the file after decoding. Although this will not help you in automatically decoding the data while searching across a disk, once you've found such data, you can subsequently search it.

  Most people who are trying to hide data do not use ROT13; it is most commonly used to hide movie spoilers on Web pages and newsgroup postings. However, Microsoft has a long-standing “affair” with ROT13, so you should never assume that a ROT13 decoder won’t be of help.
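  As an added example covering both the ROT13 description above and the statistical detection just discussed (this is not code from the book or from any named decoder), here is a Python ROT13 decoder together with a letter-frequency test that reports which rotation makes a piece of text look most like English. The English frequency table is an approximate, constructed table; the sample note with its Windows-style path is constructed so the backslashes, colon and digits can be seen surviving encoding unchanged.

```python
from collections import Counter

# Added example: ROT13 decoding plus a frequency test that recognises
# ROT13-encoded English. The percentages are an approximate table of
# English letter frequencies (constructed approximation; only the shape matters).
ENGLISH_FREQ = {
    "a": 8.2, "b": 1.5, "c": 2.8, "d": 4.3, "e": 12.7, "f": 2.2, "g": 2.0,
    "h": 6.1, "i": 7.0, "j": 0.15, "k": 0.77, "l": 4.0, "m": 2.4, "n": 6.7,
    "o": 7.5, "p": 1.9, "q": 0.095, "r": 6.0, "s": 6.3, "t": 9.1, "u": 2.8,
    "v": 0.98, "w": 2.4, "x": 0.15, "y": 2.0, "z": 0.074,
}


def rot(text: str, shift: int) -> str:
    """Rotate ASCII letters by `shift` positions; everything else is left untouched,
    which is why paths, colons and digits survive ROT13 unchanged."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def rot13(text: str) -> str:
    """ROT13 is its own inverse: applying it twice returns the original."""
    return rot(text, 13)


def chi_squared(text: str) -> float:
    """Distance between the letter distribution of `text` and English;
    lower means more English-like. Non-letters are ignored."""
    letters = [c for c in text.lower() if "a" <= c <= "z"]
    n = len(letters)
    if n == 0:
        return float("inf")
    counts = Counter(letters)
    total = 0.0
    for ch, pct in ENGLISH_FREQ.items():
        expected = n * pct / 100.0
        total += (counts.get(ch, 0) - expected) ** 2 / expected
    return total


def best_shift(text: str) -> int:
    """The rotation (0..25) that, when undone, makes the text look most like English.
    0 means the text already reads as English; 13 means it is ROT13."""
    return min(range(26), key=lambda s: chi_squared(rot(text, -s)))


def looks_like_rot13(text: str) -> bool:
    return best_shift(text) == 13


# Constructed sample: an English note containing a Windows-style path, so the
# backslashes, colon and digits show up unchanged in the encoded form.
SAMPLE = (r"The quarterly report was moved to C:\Users\jdoe\Documents\archive.zip on "
          r"Monday afternoon; the original copy on the shared drive was deleted the "
          r"same day, and the backup tapes were rotated before anyone in the finance "
          r"department noticed that the figures had changed.")

if __name__ == "__main__":
    encoded = rot13(SAMPLE)
    print(encoded)
    print("looks like ROT13:", looks_like_rot13(encoded), "shift:", best_shift(encoded))
    print("round trip ok:", rot13(encoded) == SAMPLE)
```

The test needs a reasonable amount of text (a few hundred letters) to be reliable; on a single short registry value the distribution is too sparse, and simply running the decoder and reading the result is quicker.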

  Compression Methods

  Compression allows the content of a file to be reduced in size for storage and transmission. Compression algorithms analyze files to determine how the size of the file as it is stored can be reduced. This reduction is performed by analyzing the frequency of data in the file and applying an algorithm such as the Deflate algorithm used by gzip, PKZIP, and WinZip. It is not difficult to detect compressed files; however, most forensic tools do not permit direct access to compressed files during a search without some kind of prior interaction.

  Accessing Compressed Files

  Forensic tools provide a couple of options that can help you search within compressed data. You must handle compressed data differently from other data when searching and analyzing its contents. You cannot successfully search or analyze compressed data with a forensic tool until the data has been virtually uncompressed. The AccessData Forensic Toolkit (FTK) and EnCase both allow you to perform searches using this functionality. SMART and other systems require that you export these files out of the image, decompress them, and then search across them using separate tools.

  Accessing Compressed Files with FTK

  By default, the FTK opens and adds to its index the contents of any compressed files it finds on the image. In fact, if you are working with another forensic tool, such as SMART, which does not have the ability to virtually uncompress the files within the image, you can export that data for import into FTK, as it will allow you to perform searches.

  Accessing Compressed Files with EnCase

  Within EnCase, you can choose to mount a compressed file, as shown in Figure 9-4. Mounting here means that you are viewing the internal files within the compressed files. By mounting the compressed files, EnCase’s search function will be able to search the files normally.

  Figure 9-4 Mounting compressed files in EnCase
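  The following added example (not code from the book, FTK or EnCase) shows in Python why a keyword search over the stored bytes of an archive finds nothing, while the same search succeeds once each member is decompressed in memory, which is what "mounting" or "virtually uncompressing" amounts to. The archive and its two members are constructed in memory.

```python
import io
import zipfile

# Added example: keyword searches miss data inside an archive until the
# members are (virtually) decompressed. The archive and its members are constructed.


def build_sample_archive() -> bytes:
    """A small zip with two deflated text members, built entirely in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("memo.txt",
                    "Project Bluebird budget approved; transfer the funds on Friday.\n" * 20)
        zf.writestr("notes/todo.txt",
                    "call the accountant about the overseas invoice numbers\n" * 20)
    return buf.getvalue()


def raw_search(data: bytes, keyword: bytes) -> bool:
    """Search the stored bytes as a tool with no archive support would."""
    return keyword.lower() in data.lower()


def is_zip(data: bytes) -> bool:
    """Zip local-file-header signature, so the searcher knows to mount the file."""
    return data[:4] == b"PK\x03\x04"


def search_zip_members(data: bytes, keyword: bytes) -> list:
    """Decompress each member in memory and search its contents; returns member names hit."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if keyword.lower() in zf.read(info).lower():
                hits.append(info.filename)
    return hits


def search(data: bytes, keyword: bytes) -> dict:
    """Run both searches so the difference is visible side by side."""
    result = {"raw": raw_search(data, keyword), "members": []}
    if is_zip(data):
        result["members"] = search_zip_members(data, keyword)
    return result


ARCHIVE = build_sample_archive()

if __name__ == "__main__":
    for kw in (b"bluebird", b"accountant", b"memo.txt"):
        print(kw, search(ARCHIVE, kw))
```

Note that member names are stored in the clear in the zip headers, so a raw search for a filename still hits; only the member contents are hidden behind Deflate.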

  NTFS Alternate Data Streams

  A popular topic that people like to bring up at anti-forensic talks is the alternate data stream, a secondary set of data that is attached to a single file within an NTFS file system. An alternate data stream is invisible to someone viewing the file through a Windows interface, such as Windows Explorer.

  Searching Alternate Data Streams

  Most modern forensic tools can display alternate data streams. Specifically, FTK, EnCase, The Sleuth Kit, and SMART all detect alternate data streams and display them to the user when an NTFS image is provided. Even so, the presence of an alternate data stream does not prevent any tool that searches the physical disk from finding the data within the alternate data stream. An alternate data stream does, however, prevent you from detecting its existence on the disk without using a utility that can view its structure.

  Slack Space

  Slack space is a remnant of data that exists within a sector of data that has been overwritten. Specifically, slack space is the area of the sector that was not fully overwritten by a recent write to disk. Remember that sectors are fixed in their size, so, for example, if you wrote 3K of data to a 64K sector, the remaining 61K of data would not be reused. Instead, this unused sector space would still contain whatever data was written to it previously. Figure 9-5 shows a conceptual drawing of how slack space exists on the disk. While slack space is not a problem for any forensic tool that examines the physical disk itself, it is a problem if you are attempting to search a disk. If you were to search a disk using non-forensic utilities, you would miss all of the data in the slack space, while a forensic utility would allow you to see what is stored in the slack space and would even allow you to confine searches to it.

  Figure 9-5 What slack space looks like

  Searching Slack Space

  The answer to this dilemma is simply not to use standard search utilities in forensic investigations: do not attempt to search evidence using non-forensic tools and expect to re-create the data you would find using a forensic tool. All modern forensic tools examine the entire disk during searches and imaging and so always capture and review the slack space.
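  As an added illustration of the point made in the two sections above (this is a model written for this page, not code from the book or any forensic tool), the Python below simulates one sector that an old memo once filled, writes a shorter file over its front, and then runs the same keyword search three ways: over the file's logical bytes, over the slack area only, and over the whole physical sector. The sector size of 512 bytes and both documents are constructed.

```python
SECTOR_SIZE = 512   # constructed: a conventional 512-byte sector rather than the 64K figure above


def make_sector(old_content: bytes) -> bytearray:
    """A sector as it looked after an earlier file filled it completely."""
    if len(old_content) != SECTOR_SIZE:
        raise ValueError("old content must fill the whole sector")
    return bytearray(old_content)


def write_new_file(sector: bytearray, new_content: bytes) -> int:
    """Model a write that overwrites only the bytes the new, smaller file occupies.
    Returns the file's logical length; everything past it is slack."""
    if len(new_content) > len(sector):
        raise ValueError("new content does not fit in one sector")
    sector[:len(new_content)] = new_content
    return len(new_content)


def search_logical(sector: bytearray, length: int, keyword: bytes) -> bool:
    """What a normal file search sees: only the bytes the file system reports as the file."""
    return keyword in bytes(sector[:length])


def search_slack(sector: bytearray, length: int, keyword: bytes) -> bool:
    """A search confined to the slack area, as forensic tools allow."""
    return keyword in bytes(sector[length:])


def search_physical(sector: bytearray, keyword: bytes) -> bool:
    """A search over the raw sector, as a forensic tool examining the disk does."""
    return keyword in bytes(sector)


# Constructed sample: an old memo fills the sector, then a short note overwrites its front.
_MEMO_LINE = b"MEMO: the merger with Example Corp closes on the 14th; keep this confidential. "
OLD_MEMO = (_MEMO_LINE * (SECTOR_SIZE // len(_MEMO_LINE) + 1))[:SECTOR_SIZE]
NEW_NOTE = b"shopping list: milk, eggs, bread\n"


def demo(keyword: bytes = b"merger") -> dict:
    """Search for `keyword` in the logical file, in the slack, and in the whole sector."""
    sector = make_sector(OLD_MEMO)
    length = write_new_file(sector, NEW_NOTE)
    return {
        "logical": search_logical(sector, length, keyword),
        "slack": search_slack(sector, length, keyword),
        "physical": search_physical(sector, keyword),
        "slack_bytes": SECTOR_SIZE - length,
    }


if __name__ == "__main__":
    print(demo())           # "merger" survives only in the slack
    print(demo(b"milk"))    # the new note is found through the logical view
```

Real file systems allocate in clusters of several sectors, so the leftover region is usually larger than in this one-sector model, but the search behaviour is the same: the logical view never reaches it.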

  PRIVACY MEASURES

  Some of the recognized anti-forensic techniques are legitimate attempts to protect the privacy of the individual. Of course, this does not help us in our forensic examination of a system, so we need to be able to identify and access that protected information. In this section, we will address problems and solutions concerning privacy software, such as encryption, steganography, evidence eliminators, and disk wiping. We are not concerned here with spyware removers, pop-up blockers, or anti-spam tools, because these tools are meant to protect the privacy of information leaving a computer. We are interested in the privacy software that either protects or erases the data that exists on the disk.

  Encryption

  Only one true anti-forensic method will defeat forensic analysis of data other than wiping, and that is encryption. However, even encryption has its weaknesses depending on the type used. For data to be encrypted, it must first exist on the disk in its unencrypted form—normally. We say normally because it is possible for someone to download a document in memory and encrypt it in memory before the data even touches the disk, although this is very rare except in the case of e-mail. Instead, most people choose to encrypt a file that already exists on a disk. This means the data could still be stored at three locations: in the original file on the disk if it is still present, in the contents of the deleted file in the unallocated and slack space, and in the original file in the swap or pagefile.

  This section covers the two dominant types of encryption: symmetric and asymmetric. Note that technical detail on how encryption works and the methodologies behind it are beyond the scope of this book. What we will cover is how to identify the encrypted data and what tools you can use to break it.

  Symmetric Key Encryption

  Symmetric key encryption, in the most basic of terms, means that a symmetric key has been used to encrypt data: in other words, the same encryption key is used to encrypt and decrypt the data. Symmetric key encryption is only as strong as its key length and its ability to keep others from learning the key itself. If data is encrypted with a symmetric key, you will not be able to analyze or search its contents directly, and you will have to find some other method of identifying and accessing the data. In fact, you cannot determine whether data was encrypted with a symmetric algorithm unless you’ve identified it as such.

  Identifying and Accessing Symmetric Key Encryption

  You can identify symmetric key–encrypted files in two ways: either the file has an extension that is used by an encryption program to identify its files, or you will use a process known as entropy testing. Entropy testing is a process by which the randomness of the distribution of data within a file can be tested. The specific randomness can then be compared against a table of known algorithm randomness to identify whether a known algorithm has been used. This works well for all publicly known and documented encryption algorithms, because you can use them to document their randomness scale. However, if your suspect is using a new or nonpublic algorithm, an entropy test will not be able to identify the type of encryption used.
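  Here is an added example of the entropy test in its simplest form (not code from the book or from FTK, whose entropy test and algorithm table are not public): a Python Shannon-entropy measure applied to three constructed samples, English-like text, the same text compressed with zlib, and random bytes standing in for ciphertext. The 7.0 bits-per-byte cut-off is an assumption to be calibrated against known-good files, and the vocabulary used to build the text is constructed.

```python
import math
import os
import random
import zlib
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for a uniform spread."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


HIGH_ENTROPY = 7.0   # assumed cut-off; calibrate it against your own known-good files


def classify(data: bytes) -> str:
    """Flag data whose bytes are spread almost uniformly: a candidate for encryption
    (or for compression, which looks the same to this test and must be told apart
    by a signature check or by trying to decompress it)."""
    return "high" if shannon_entropy(data) >= HIGH_ENTROPY else "low"


def make_plain_text(n_words: int = 3000, seed: int = 1) -> bytes:
    """Constructed English-like text from a small vocabulary; seeded so it is repeatable."""
    vocab = ["the", "quarterly", "report", "was", "sent", "to", "finance", "on",
             "monday", "and", "nobody", "noticed", "that", "figures", "had", "changed",
             "before", "audit", "meeting", "with", "board", "members", "about", "budget",
             "shared", "drive", "copy", "deleted", "same", "afternoon", "backup", "tapes",
             "rotated", "after", "department", "review", "invoice", "numbers", "were", "lost"]
    rng = random.Random(seed)
    return " ".join(rng.choice(vocab) for _ in range(n_words)).encode()


PLAIN = make_plain_text()
COMPRESSED = zlib.compress(PLAIN, 9)   # compression also drives entropy up
RANDOM = os.urandom(4096)              # stands in for ciphertext: no structure left


def report(samples: dict) -> dict:
    """Entropy (rounded) and verdict for each named sample."""
    return {name: (round(shannon_entropy(d), 3), classify(d)) for name, d in samples.items()}


if __name__ == "__main__":
    results = report({"plain": PLAIN, "compressed": COMPRESSED, "random": RANDOM})
    for name, (e, verdict) in results.items():
        print(f"{name:10s} {e:.3f} bits/byte  -> {verdict}")
```

The measure says nothing about which algorithm was used; it only separates structured data from data with no visible structure, so a high score is a prompt to look for an encryption program's extension or header, not a verdict.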

  Identifying Symmetric Key Encryption with FTK

  When any data is brought into FTK, you can run an entropy test on the data to determine whether it could be encrypted with a known algorithm. The Entropy Test option on the Evidence Processing screen, as shown in Figure 9-6, is displayed when evidence is added to FTK. After FTK has completed its indexing and analysis, encrypted files may be identified for you.

  Accessing the Symmetric Key with the Password Recovery Toolkit

  Accessing the symmetric key–encrypted data requires a tool that not only supports the algorithm but also provides the ability to do brute-force searching for the key. Although the original tool could be scripted against a list of keys of your own creation, several tools are available today to help you crack these encrypted files, such as AccessData's Password Recovery Toolkit (PRTK). While this is not the only tool available, we have used it successfully.

  Figure 9-6 Selecting entropy testing in FTK

  Here’s how to crack a file with the PRTK:

  1. Load the application.

  2. From the main menu, choose Analyze | Select Files, as shown in Figure 9-7.

  3. Select the files that have passwords you want to crack.

  4. A Module Options screen, shown in Figure 9-8, appears, where you can select the password attacks that are available for the files you have selected. Some of these options have rather complicated instructions, but it is well worth your time to use as many attacks as possible to maximize your password cracking attempts. Click OK.

  5. On the Select Profile screen shown in Figure 9-9, select one of the password profiles that customizes the dictionaries used and their order of use. Depending on what you know about the person who encrypted the files, careful selection of a profile can significantly affect your decryption time. For a more thorough explanation of profiles and dictionary selection, refer to the documentation provided with PRTK. Click OK to go back to the main screen.

  Figure 9-7 Selecting the files to crack

  Figure 9-8 Viewing the status screen

  Figure 9-9 Selecting the profile for the cracking

  After the password has been discovered, you will be notified of the fact. Then click the Open File button; for some types of files, you will have to enter the password to view the file in its application. For most file types, PRTK can automatically decrypt the file and save it to a location of your choosing, as shown in Figure 9-10.

  Asymmetric Key Encryption

  Asymmetric key encryption, in the most basic of terms, means that asymmetric keys have been used to encrypt data—in other words, one encryption key was used to encrypt and another was used to decrypt the data. Asymmetric key encryption is stronger than symmetric encryption because not only does the length of the key protect it, but the private key that is used to decrypt the data must be found before the data can be accessed. Having the public key—the key that is used to encrypt the data—will not allow you to access the original data. If data is encrypted with an asymmetric key, you will not be able to analyze or search the data contents; instead, you will have to find some other method of identifying and accessing the data.

  Figure 9-10 Decrypting the cracked file

  Identifying and Accessing Asymmetric Key Encryption

  You can identify asymmetric key–encrypted files in two ways: either the filename will have an extension such as .pgp that is used by an encryption program to identify its files, or you will have to use entropy testing, as discussed previously.

  Identifying Asymmetric Key Encryption with FTK

  When any data is brought into FTK, you can run an entropy test on the data to determine whether it could be encrypted with a known algorithm. Once FTK has completed its indexing and analysis, files that may have been encrypted will be identified.

  Accessing the Asymmetric Key with the PRTK

  Accessing the asymmetric key–encrypted data requires a tool that not only supports the algorithm but also provides the ability to brute-force the key. Although the original tool could be scripted against a list of keys of your own creation, ready-made tools, such as AccessData’s PRTK, are available to help you. You should understand, though, that most asymmetric algorithms may require years of run time before the key can be determined. With a strong key, this can mean even hundreds of years. We can crack the passwords in the same way we did with symmetric encryption, except asymmetric keys take much, much longer to crack. AccessData’s documentation states that it may take as long as 254 days to crack an asymmetric key, so before you try this method, be sure that you cannot recover data in any other way.
