
Anti-forensics


PaulyD


I have to run Windows on a few boxes (one of them an always-on server) and am looking for some anti-forensics ideas similar to what int0x80 discussed in his talk at the Louise and his bash scripts on GitHub. Right now I've got CCleaner, Bleachbit, Clean After Me, and USB Oblivion kicking off as scheduled tasks. Each one runs 6 hours after the other. I've also got BCWipe v5 running Transparent Wiping (any user or system delete calls go through its driver and receive a one-pass pseudo-random wipe) and an encrypted swap. I'd love to get a few more ideas from any Windows users... especially for attacking unknown USB devices and generating thousands of dummy files of varying sizes (encrypted).

Thanks.

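For the "thousands of dummy files of varying sizes" part of the original post, here is an added example (not from the thread and not one of int0x80's scripts) of a chaff generator. It draws file contents from os.urandom, which is already indistinguishable from ciphertext, so no separate encryption step is needed; names, extensions, sizes and timestamps are randomised too. The extension list is a constructed sample.

```python
"""Chaff generator: fill a directory with dummy files of varying sizes."""
import math
import os
import random
import time
from pathlib import Path

# Constructed sample of extensions so the chaff resembles ordinary documents.
EXTENSIONS = [".docx", ".xlsx", ".pdf", ".jpg", ".zip", ".bin"]


def random_size(rng, min_size, max_size):
    """Log-uniform size: small files are common, large ones rare."""
    lo, hi = math.log(min_size), math.log(max_size)
    return int(math.exp(rng.uniform(lo, hi)))


def write_chaff(target_dir, count, min_size=1024, max_size=1 << 20,
                seed=None, chunk=1 << 16):
    """Write `count` dummy files under target_dir.

    Returns a list of (path, size) tuples. `seed` only fixes names, sizes
    and timestamps for reproducibility; contents always come from os.urandom.
    """
    rng = random.Random(seed)
    target = Path(target_dir)
    target.mkdir(parents=True, exist_ok=True)
    now = time.time()
    written = []
    for _ in range(count):
        size = random_size(rng, min_size, max_size)
        name = "%08x%s" % (rng.getrandbits(32), rng.choice(EXTENSIONS))
        path = target / name
        remaining = size
        with open(path, "wb") as fh:
            while remaining > 0:            # stream in chunks; large files OK
                n = min(chunk, remaining)
                fh.write(os.urandom(n))     # CSPRNG output looks like ciphertext
                remaining -= n
        # Back-date atime/mtime by up to a year so the set doesn't share one stamp.
        stamp = now - rng.uniform(0, 365 * 86400)
        os.utime(path, (stamp, stamp))
        written.append((str(path), size))
    return written


if __name__ == "__main__":
    for p, s in write_chaff("chaff", 20, seed=42):
        print(s, p)
```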

Unless you're managing C.I.A. computers you really shouldn't resort to such measures, unless, like Mr. Protocol said, you plan on replacing hard drives often.


To me it does sound like you are doing something illegal and are trying to cover up your tracks.

As most mentioned, encryption should be enough, just remember to set a complex password.


Nope, nothing illegal, just a privacy advocate. CISPA passed the US House, and it will only get worse. Full disk crypto is useless on an always-on server. I've seen int0x80 post here occasionally, so maybe he'll see this.

Thanks.


Full disk encryption + power kill switch for the server if touched/moved/opened. I am a computer forensics and data recovery major :P. I really hope int0x80 is at DerbyCon to chat it up.

If they don't know about the kill switch, they will have roughly 10 minutes to react to have a chance to get your password/encryption keys via cold boot or quickly booting and dumping RAM onto USB before it dissipates.


Thanks for the reply. The server has USB access for a number of things. DumpIt (among other things) could be run, unfortunately. I'd love to JB Weld all the USB ports, but can't :)

DumpIt

That's why int0x80's USB Attack Code was interesting.

Edited by PaulyD

I'm curious if there is a limitation to this, such as having a PC with 16GB of RAM, and how that affects the tool's functionality and ability to dump it all.


Some are made in 32 bit and support only 4 GB. I would assume by now there would be newer scripts/applications to break the 4 GB barrier.


I haven't done much Windows anti-forensics research, in fact, you've given me some things to look up. One option you could consider is porting my scripts over and running them via cygwin or gnuwin32. If you've got FDE and you're running these wipes in cycles, you should be pretty well set. I haven't seen any Windows stuff that attacks inserted USB devices, but it would be a surprise if such software didn't already exist. Sorry to not be of much help on this one.


Encryption is all you really need, although it will not do you much good if the system is vulnerable to attack. Firewire has direct access to RAM...

Not a big fan of disk encryption. I saw a talk at a conference on the topic of rubber-hose or Gitmo decryption, which is basically: if you have something on your encrypted disk that I want, I may decide to take you out back and extract the key the painful way, if you get my drift.


When I come back into the country, I generally rsync/ssh my data onto a server state-side, then zero the drive on the laptop. That way there is no confusion regarding disk contents.

For good measure I give it a little:

echo -n "Just us zeroes :]" | dd of=/dev/sda seek=$RANDOM

Reference (NSFW) http://pt.reddit.com/r/AskReddit/comments/ndpe1/whats_your_best_it_was_the_most_inappropriate/c38bptk


HAHAHA NICE! If I do some international travel, I will be doing that.


Awesome, thanks for weighing in on this. Looking forward to what you come up with when you find the time.

Pauly
