The recent terrorist attacks in Paris and California have brought to light an interesting (albeit frightening) cybersecurity phenomenon: the use of commercially available encryption by ISIS.

For security professionals, the reason these two incidents have become even more newsworthy is that the Western world's intelligence apparatus appears incapable of breaking that encryption. Although some in the intelligence and law enforcement communities blame Edward Snowden for tipping off terrorists to America's surveillance capabilities, the reality of the situation is even more ominous (Gallagher, 2015): terrorist and criminal organizations have been using encryption and other anti-forensic techniques for decades.

Since the late 1990s we have known that Al Qaeda used steganography and other obfuscation techniques to conceal electronic documents on CDs and USB drives. The latest evolution of this trend is ISIS' use of end-to-end encrypted messaging applications such as WhatsApp, Signal, and Telegram (in Telegram's case only its "secret chats" are end-to-end encrypted), which keep message content unreadable to anyone but the sender and the intended recipient. Note what end-to-end encryption does not do: it protects content, not metadata, so who messaged whom, and when, generally remains visible to the service provider.
In the spirit of depressing hopeful forensic analysts, let's take a look at what the good guys are up against. Anti-forensics is a broad category of tools and techniques that aim to make investigations of digital media more difficult, and therefore more expensive. Some of the more common approaches include (De Lucia, 2013):

– Data Hiding, Obfuscation and Encryption
Obviously, the great advantage of hiding data is that it remains available to its owner when needed. Regardless of the operating system, using the physical disk for data hiding is a widely used technique, and techniques tied to the OS or the file system in use are also common. Physical-disk hiding is feasible because of options implemented during manufacture that are intended to facilitate compatibility and adoption, while the other concealment methods exploit the data-management properties of the operating system and/or file system. At this stage we are attacking, as one might imagine, the first phase of an investigation: "Identification." If evidence cannot be found, it will be neither analyzed nor reported.
– Unused Space in MBR

Most hard drives have, at the beginning, some space reserved for the MBR (Master Boot Record). This contains the code needed to begin loading an OS as well as the partition table, which defines the location and size of each partition, up to a maximum of four primary partitions. The MBR itself only requires a single sector, LBA 0. With the classic DOS-style layout the first partition starts at sector 63 (the start of cylinder 1 in CHS terms), which leaves sectors 1 through 62 unused: 62 sectors, or 31 KiB, in which data can be hidden. Modern partitioning tools align the first partition to 1 MiB (LBA 2048) instead, which grows this gap to 2047 sectors. Although the amount of data that can be "hidden" here is limited, an expert investigator will definitely look at its contents for compromising material. Non-zero sectors in the gap are a lead rather than proof, though: BIOS boot loaders such as GRUB legitimately store their core image there.
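To make the gap concrete, here is an added Python example (mine, not De Lucia's or this page's code) that parses a DOS-style partition table, computes the gap between sector 0 and the first partition, and lists the gap sectors that contain anything other than zeros, which is the check an examiner runs first. The disk image, its single partition and the hidden payload are all constructed inside the code.

```python
import struct

SECTOR = 512
MBR_SIGNATURE = b"\x55\xaa"
# Partition entry: status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY_FMT = "<B3xB3xII"


def parse_mbr(mbr: bytes):
    """Return (type, start_lba, sector_count) for each used primary partition entry."""
    if len(mbr) < SECTOR or mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("no 0x55AA signature: not a DOS-style MBR")
    entries = []
    for i in range(4):
        _status, ptype, start_lba, count = struct.unpack_from(ENTRY_FMT, mbr, 446 + 16 * i)
        if ptype != 0:
            entries.append((ptype, start_lba, count))
    return entries


def mbr_gap(mbr: bytes):
    """LBAs between the MBR (sector 0) and the first partition: the hiding space described above."""
    starts = [start for _, start, _ in parse_mbr(mbr)]
    if not starts:
        return range(0)
    return range(1, min(starts))


def scan_gap(image: bytes):
    """Gap LBAs holding anything other than zeros.

    These are leads, not proof: BIOS boot loaders such as GRUB legitimately
    keep their core image in this gap.
    """
    gap = mbr_gap(image[:SECTOR])
    return [lba for lba in gap if any(image[lba * SECTOR:(lba + 1) * SECTOR])]


def build_image(first_lba=63, total_sectors=64, payload=b"", payload_lba=17):
    """Constructed test image (not a real disk): one Linux partition starting at
    first_lba, with an optional payload dropped into the gap."""
    if payload_lba * SECTOR + len(payload) > first_lba * SECTOR:
        raise ValueError("payload does not fit in the gap")
    image = bytearray(total_sectors * SECTOR)
    struct.pack_into(ENTRY_FMT, image, 446, 0x80, 0x83, first_lba, total_sectors - first_lba)
    image[510:512] = MBR_SIGNATURE
    image[payload_lba * SECTOR:payload_lba * SECTOR + len(payload)] = payload
    return bytes(image)


if __name__ == "__main__":
    img = build_image(payload=b"hidden note " * 50)  # 600 bytes: spans LBA 17 and 18
    print("partitions:", parse_mbr(img[:SECTOR]))     # [(131, 63, 1)]
    print("gap sectors:", len(mbr_gap(img[:SECTOR])))  # 62
    print("suspicious LBAs:", scan_gap(img))          # [17, 18]
```

Against a real device you would read the first few MiB with `dd` and feed them to `scan_gap`; on a 1 MiB-aligned disk the same code reports a 2047-sector gap.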
1.4 – Use of Slack Space

"Slack space," in a nutshell, is the unused space between the end of a stored file and the end of the data unit (cluster or block) that holds it. When a file is written to disk and does not occupy an entire cluster, the remaining space is called slack space, and it is easy to see that this space can be used to store secret information.

The use of this technique is quite widespread, and is more commonly known as "file slack." There are, however, many other places to hide data with the slack-space technique, such as the so-called "partition slack." A file system allocates data in clusters or blocks, as already mentioned, where a cluster is a run of consecutive sectors. If the total number of sectors in a partition is not a multiple of the cluster size, some sectors at the end of the partition can never be addressed by the file system, and they can be used to hide data. Another common technique is to mark fully usable sectors as "bad" so that the OS will no longer touch them. By manipulating the file system metadata that tracks bad blocks, such as $BadClus in NTFS, it is possible to obtain clusters that the file system will never allocate and that can hold hidden data. On modern drives the firmware remaps failing sectors before the OS ever sees them, so a populated $BadClus on a drive whose SMART data reports no reallocated sectors deserves a closer look.
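The following is an added Python example (my own, not code from De Lucia or this page) that models a cluster-allocated volume in memory and shows both forms of slack from the two sides of the table: the OS view, which stops at the file's logical size, and the examiner's view, which reads the raw byte ranges. The volume, cluster size and files are constructed in the code and do not correspond to any real file system on disk.

```python
SECTOR = 512
CLUSTER_SECTORS = 8
CLUSTER = CLUSTER_SECTORS * SECTOR   # 4 KiB, the usual NTFS default


def _clusters_for(size: int) -> int:
    return max(1, -(-size // CLUSTER))   # ceiling division; a tiny file still gets a cluster here


class ToyVolume:
    """Minimal cluster-allocated volume, constructed for illustration (not a real file system).

    Files are laid out back to back; 'files' maps name -> (first cluster, logical size),
    which is all the OS needs to read a file and all it ever exposes to applications."""

    def __init__(self, total_sectors: int):
        self.total_sectors = total_sectors
        self.data = bytearray(total_sectors * SECTOR)
        self.files = {}
        self._next_cluster = 0

    def write_file(self, name: str, content: bytes) -> None:
        start = self._next_cluster
        off = start * CLUSTER
        self.data[off:off + len(content)] = content
        self.files[name] = (start, len(content))
        self._next_cluster += _clusters_for(len(content))

    def read_file(self, name: str) -> bytes:
        """The OS view: exactly the logical size, never the slack."""
        start, size = self.files[name]
        return bytes(self.data[start * CLUSTER:start * CLUSTER + size])

    def file_slack(self, name: str):
        """Byte range [end of logical file, end of its last cluster)."""
        start, size = self.files[name]
        lo = start * CLUSTER + size
        hi = start * CLUSTER + _clusters_for(size) * CLUSTER
        return lo, hi

    def partition_slack(self):
        """Trailing sectors that cannot form a whole cluster; the file system never addresses them."""
        usable = (self.total_sectors // CLUSTER_SECTORS) * CLUSTER
        return usable, self.total_sectors * SECTOR

    def hide(self, rng, payload: bytes) -> None:
        lo, hi = rng
        if len(payload) > hi - lo:
            raise ValueError("payload larger than the slack range")
        self.data[lo:lo + len(payload)] = payload

    def carve(self, rng) -> bytes:
        """The examiner's view: read the raw range instead of going through the file."""
        lo, hi = rng
        return bytes(self.data[lo:hi]).rstrip(b"\x00")


def demo() -> dict:
    vol = ToyVolume(total_sectors=1003)          # 1003 is not a multiple of 8: partition slack exists
    vol.write_file("report.docx", b"R" * 1000)   # 1000 bytes inside a 4096-byte cluster
    vol.hide(vol.file_slack("report.docx"), b"meet at the old mill")
    vol.hide(vol.partition_slack(), b"second stash")
    fs_lo, fs_hi = vol.file_slack("report.docx")
    ps_lo, ps_hi = vol.partition_slack()
    return {
        "file_slack_bytes": fs_hi - fs_lo,                 # 3096
        "partition_slack_bytes": ps_hi - ps_lo,            # 1536
        "os_view": vol.read_file("report.docx"),           # 1000 x b"R", no trace of the stash
        "carved_file_slack": vol.carve((fs_lo, fs_hi)),    # b"meet at the old mill"
        "carved_partition_slack": vol.carve((ps_lo, ps_hi)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value[:40] if isinstance(value, bytes) else value)
```

Two details of real NTFS that the toy leaves out: very small files live resident inside their MFT record and have no cluster at all, and Windows zero-fills the tail of the last written sector, so on a live system only the sector-granular part of the slack keeps old or planted content.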
1.6 – Steganography / Background Noise

In information security, steganography is a form of security through obscurity. Steganographic algorithms, unlike cryptographic ones, aim to preserve the "plausible" appearance of the data they protect, so that no suspicion is raised about the presence of secret content. The most widespread steganographic technique today is Least Significant Bit (LSB) embedding. It relies on the fact that a high-resolution image does not visibly change if a few low-order bits are altered. For example, consider the 8-bit binary number 11111111 (one byte): the right-most bit is the least significant because changing it has the smallest effect on the value. Taking a carrier (cover) image, the idea is to break the message down into bits and write them into the LSBs of successive pixel samples. Steganography can obviously be used with many file formats, such as audio, video, binary and text. Other steganographic techniques worth mentioning are Bit-Plane Complexity Segmentation (BPCS), Chaos Based Spread Spectrum Image Steganography (CSSIS) and Permutation Steganography (PS). Plain LSB embedding is also the easiest to detect and the most fragile: it flattens the statistics of the LSB plane, which chi-square and sample-pair attacks pick up, and it does not survive lossy re-encoding such as saving the image as JPEG.
1.7 – Encryption

Encryption is one of the most effective techniques for frustrating forensic analysis; we refer to it as the nightmare of every analyst. Using strong cryptographic algorithms, for example AES-256, together with the techniques described above adds a further fundamental layer of anti-forensic protection for the data we want to hide. Moreover, the type and content of the protected information can never be compared to anything already known, because the ciphertext produced by a good cipher is computationally indistinguishable from a random data stream. That property is what makes "plausible deniability" possible: a hidden volume placed inside the free space of an outer encrypted volume cannot be told apart from the random filler that free space already contains. The most widely used tool for anti-forensic encryption has certainly been TrueCrypt, an open-source tool that creates and mounts virtual encrypted disks on Windows, Linux and OS X (TrueCrypt development ended in 2014; VeraCrypt is its maintained continuation). The flip side for the analyst is that "indistinguishable from random" is itself a signal: regions of a disk with near-maximal entropy and no recognizable file-system structure get flagged for closer attention, although compressed data looks exactly the same by this measure.
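The entropy check mentioned above, as an added Python example that is not part of the page or of De Lucia's article: it computes Shannon entropy per 4 KiB block and reports the blocks that sit near the 8-bit ceiling. The sample "disk" is constructed in the code from a text block, a block of seeded pseudo-random bytes (standing in for AES ciphertext, since the standard library has no AES and only the statistics matter here) and a block of zeros; the 7.8 threshold is my choice.

```python
import math
import random


def shannon_entropy(block: bytes) -> float:
    """Bits per byte; 8.0 is the ceiling, approached only by uniformly random data."""
    if not block:
        return 0.0
    counts = [0] * 256
    for b in block:
        counts[b] += 1
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def high_entropy_blocks(data: bytes, block_size: int = 4096, threshold: float = 7.8):
    """Offsets of blocks whose entropy is near the ceiling.

    Encrypted data lands here, but so does compressed data (zip, JPEG, video),
    so a hit is a lead for the examiner, not a verdict."""
    return [off for off in range(0, len(data) - block_size + 1, block_size)
            if shannon_entropy(data[off:off + block_size]) >= threshold]


def build_sample_image() -> bytes:
    """Constructed 12 KiB 'disk': text, a ciphertext stand-in, and wiped/unused space."""
    text = (b"Minutes of the meeting, 13 November 2015. Present: all members. " * 70)[:4096]
    rng = random.Random(2015)                       # seeded so the demo is reproducible
    ciphertext = bytes(rng.getrandbits(8) for _ in range(4096))   # stand-in, not real AES output
    zeros = bytes(4096)
    return text + ciphertext + zeros


if __name__ == "__main__":
    img = build_sample_image()
    for off in range(0, len(img), 4096):
        print(f"block @ {off:6d}: entropy {shannon_entropy(img[off:off + 4096]):.3f}")
    print("flagged offsets:", high_entropy_blocks(img))   # [4096]
```

On a real image the flagged offsets are mapped back to partitions and files; a large run of high-entropy blocks with no file-system header at its start is the classic signature of an encrypted container or hidden volume.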
2.3 – Timestamp Alterations / MACB Scrambling

In a few words, the purpose of these activities is to prevent a reliable reconstruction of the operations performed by a user, or by an intruder during the breach of a system. These events are usually reconstructed in a "timeline" built primarily from the file system's MACB timestamps, where MACB stands for "Modified, Accessed, Changed, Birth." It is important to note that not all file systems record the same information for these parameters, and not all operating systems take advantage of what the file system offers. When we want to change these attributes to confuse a forensic analyst, the tool that comes first to mind is "Timestomp." Its goal is to allow the deletion or modification of timestamp information on files. Completely deleting these attributes is not advisable, however, as that is itself evidence of tampering. Note that Timestomp can modify only the $STANDARD_INFORMATION (SI) MACE values of an NTFS file; after modification, a forensic analyst can still compare them with the $FILE_NAME (FN) MACE values to check the accuracy of what was found. Timestomp leaves a second trace as well: it writes whole-second values, so the 100-nanosecond fraction of the modified SI timestamps is zero, whereas timestamps set by Windows itself normally carry a non-zero fraction. The comparison with the FN MACE is the main check for timestamp manipulation on the file system itself (leaving aside other sources such as the NTFS $LogFile and $UsnJrnl journals, prefetch files, and logs held on external systems). This means that if we can modify the FN MACE attributes as well, we can profoundly confuse even an expert analyst.
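The SI-versus-FN comparison and the whole-second check, as an added Python example (mine; not Timestomp, not De Lucia's code, and not a parser for a real $MFT). Records are constructed in the code as dictionaries of FILETIME values, the 100 ns tick count since 1601 that NTFS stores; the field names are my own.

```python
from datetime import datetime, timedelta, timezone

TICKS_PER_SECOND = 10_000_000                 # NTFS FILETIME resolution is 100 ns
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
MACE = ("modified", "accessed", "mft_changed", "created")


def filetime(iso: str, sub_second_ticks: int = 0) -> int:
    """Build a FILETIME from an ISO timestamp (UTC) plus an explicit 100 ns fraction."""
    dt = datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)
    whole_seconds = (dt - FILETIME_EPOCH) // timedelta(seconds=1)
    return whole_seconds * TICKS_PER_SECOND + sub_second_ticks


def check_entry(entry: dict) -> list:
    """Flag the two artifacts that SI-only timestomping leaves behind.

    entry = {"name": str, "si": {mace: filetime}, "fn": {mace: filetime}}
    Whole-second SI values also occur for files copied from FAT media or unpacked
    from zip archives, so the first finding needs corroboration; the second does not
    happen in normal NTFS operation.
    """
    si, fn = entry["si"], entry["fn"]
    findings = []
    if all(si[k] % TICKS_PER_SECOND == 0 for k in MACE):
        findings.append("all four SI timestamps have a zero 100 ns fraction (whole-second values)")
    if si["created"] < fn["created"]:
        findings.append("SI created predates FN created")
    return findings


def sample_entries() -> list:
    """Constructed $MFT-like records: one untouched file, one whose SI times were set back."""
    born = filetime("2015-11-13T10:00:00", 1234567)
    untouched_fn = {k: born for k in MACE}
    return [
        {"name": "notes.txt",
         "si": {"created": born, "accessed": born,
                "modified": born + 5 * TICKS_PER_SECOND,
                "mft_changed": born + 5 * TICKS_PER_SECOND},
         "fn": dict(untouched_fn)},
        {"name": "plan.docx",
         "si": {k: filetime("2010-01-01T00:00:00") for k in MACE},   # what a timestomp run writes
         "fn": dict(untouched_fn)},
    ]


if __name__ == "__main__":
    for entry in sample_entries():
        print(entry["name"], "->", check_entry(entry) or "no findings")
```

Feeding real records through this means exporting $MFT with a parser that emits both attribute sets (analyzeMFT and MFTECmd both do) and mapping their columns onto the `si` and `fn` dictionaries.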
2.4 – Log Files

There is not much to say about log files. Every computer professional knows of their existence and the ease with which they can be altered. Against a forensic analysis, log files can be altered to insert dummy, misleading or malformed data, or they can simply be destroyed. The latter is not recommended, because a forensic analyst expects to find data when he looks in a specific place, and if he does not find it he will immediately suspect manipulation, which could then be demonstrated. The best way to deal with log files is to let the analyst find what he is looking for, while making sure that he sees what we want him to see. It is good to know that the first thing a forensic analyst will do if he suspects log alteration is to look for as many alternative sources as possible, both inside and outside the analyzed system; so pay attention to any replicated or redundant log files (backups?!). From the defender's side this is exactly why logs should be forwarded in real time to a collector the attacker cannot reach: a local log can be rewritten after the fact, but a copy that has already been shipped off the host cannot be unsent.
– Data Deletion

The first mission of a forensic examiner is to find as much information as possible (files) relating to the investigation at hand. To this end, he will do anything he can to recover as many files as possible from among those deleted or fragmented. There are, however, some practices that prevent or hinder this process very efficiently.
– Wiping

If you want to delete your data irreversibly, you should consider this technique. When we delete a file, the space it occupied is merely marked as free; its contents remain on the disk, and a forensic analyst can still recover them. "Disk wiping" overwrites that space with random data, or with a fixed pattern, sector by sector, so that the original data is no longer recoverable. To counter advanced recovery techniques, multiple passes per sector with specific overwrite patterns have traditionally been used, although for modern magnetic drives a single overwrite is now considered sufficient (NIST SP 800-88 no longer calls for multi-pass wiping). Data wiping can be performed in software, with dedicated programs that overwrite entire disks or the specific areas belonging to individual files. Two caveats matter in practice. On SSDs, wear leveling means that overwriting a logical block need not touch the physical flash page that held the old data, so the drive's own secure-erase command or TRIM-based sanitization is the right tool. On journaling or copy-on-write file systems, a file-level overwrite may land in freshly allocated blocks while the original blocks stay intact, so only a whole-device wipe gives real assurance.
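A file-level overwrite in the form described above, as an added Python example (my own code, not a tool from the page or from De Lucia): three passes over the file's logical extent (zeros, ones, random), each forced to the medium with fsync, then truncation and unlink. The demo creates and wipes a temporary file it constructs itself; everything else on disk is untouched. The caveats from the paragraph apply unchanged: on copy-on-write or journaling file systems and on SSDs this may never reach the original blocks, the file's slack and any MFT-resident copy are not covered, and the file name survives in directory metadata.

```python
import os
import tempfile

CHUNK = 1 << 16


def wipe_file(path: str, passes=(b"\x00", b"\xff", None)) -> int:
    """Overwrite a file's logical extent in place, pass by pass, then truncate and unlink.

    A None pattern means random bytes from os.urandom. Returns the total bytes written.
    Every pass is flushed and fsync'ed so the write leaves the page cache before the
    next pass begins; otherwise the kernel could merge the passes into one."""
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as f:
        for pattern in passes:
            f.seek(0)
            remaining = size
            while remaining:
                n = min(CHUNK, remaining)
                f.write(os.urandom(n) if pattern is None else pattern * n)
                written += n
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
        f.truncate(0)          # logical size to zero, so even the metadata stops pointing at data
        os.fsync(f.fileno())
    os.remove(path)
    return written


def demo() -> dict:
    """Create a throwaway file with constructed content, wipe it, and report what happened."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(b"quarterly numbers, do not distribute\n" * 3000)   # 111000 bytes
    size = os.path.getsize(path)
    written = wipe_file(path)
    return {"size": size, "written": written, "exists_after": os.path.exists(path)}


if __name__ == "__main__":
    print(demo())   # {'size': 111000, 'written': 333000, 'exists_after': False}
```

On Linux the same effect for a whole device is `shred` or `blkdiscard`; for an SSD prefer `hdparm --security-erase` or `nvme format` so the controller erases the flash it actually used.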
– Physical Destruction

The technique of physical destruction of media is certainly self-explanatory. We should, however, focus on the most effective and cleanest of these: disk degaussing. "Degaussing" refers to the process of reducing or eliminating a magnetic field. For hard drives, floppy disks or magnetic tape, this means total cancellation of the data they contain. Although very effective, degaussing is rarely used because of the high cost of the equipment required. On modern magnetic media the technique also makes the drive unusable for future writes, because the servo tracks written at the factory are erased along with the data. (De Lucia, 2013) Note that degaussing does nothing to flash storage: SSDs, USB sticks and memory cards hold data as electrical charge rather than magnetization, and need shredding, the drive's secure-erase command, or encryption with key destruction instead.
I'd like to report that there is some good news for the agencies hoping to thwart evildoers, but it only gets worse. Agencies like the NSA no longer receive backdoors into these tools from their developers. Moreover, "even if the US government were to press forward a demand for companies such as Apple, Facebook, and Google to provide a way to tap into message traffic, that would do little to prevent the use of existing peer-to-peer encryption and other encrypted social media tools by terror organizations" (Gallagher, 2015). Long story short: cybersecurity professionals need to stay vigilant, and the best tool we have moving forward is staying current on trends and techniques. See you at the next DEF CON or DerbyCon.
References

De Lucia, E. (2013). Anti-forensics: Part 0x01. InfoSec Institute. Retrieved from http://resources.infosecinstitute.com/anti-forensics-part-1/

Gallagher, S. (2015). ISIS using encrypted apps for communications; former intel officials blame Snowden. Ars Technica. Retrieved from http://arstechnica.com/information-technology/2015/11/isis-encrypted-communications-with-paris-attackers-french-officials-say/