Anti-forensics: Obfuscating the path to forensic examination

What can a user do to obscure the path to analysis of a computer system so that minimal or no digital information remains to be examined in a forensically sound manner? What are the tools and methods for creating a system that a traitor to an organization could use to communicate virtually without being traced? These are the questions we are going to answer in general terms. From a forensic standpoint we are not going to attempt to handle fingerprints or other physical evidence of use. Our discussion will center on the aspects of a digital investigation. It is incredibly important for first responders and researchers to understand where the gaps in the investigative process exist. I hope to provide a few well-founded examples to show where the gap between scientific method and a tools-based discipline has grown to the point that the conclusion is obvious.

Encrypting the home directory is the quickest way to obscure the machine's use and what data it has accessed. Unfortunately data can still reside in routing tables, temp directories, and other areas outside the user's home directory. Standard hard drive analysis tools using the “pull the plug” method of forensic analysis will expose the pattern of usage on the machine. Encrypted file systems also do not necessarily hide all data. As mentioned, file system temp directories, caches of network history, the Windows registry and Linux application databases are still exposed. Though home directory encryption or obstruction is a good first point of protection, it is hardly going to be a complete solution. There are commercial and open source applications that use certificates and passwords to encrypt the entire hard drive, but those are outside the scope of this discussion. With laws being changed in Europe to force a user to provide the key, it is hardly a tool to be trusted for widespread adoption.

Using a virtual machine that is encrypted while on the host provides a better example, one that could possibly be wiped off the machine in total using secure file delete tools. It would still be hard to wipe all vestiges of the virtual machine application off the hard drive. This method has the added benefit of moving all application data, temporary file storage, and the other previously mentioned issues into a virtual machine environment that is represented to the file system as a single large file. Unfortunately configuration data and even traces of files can be examined on the hard drive of the host computer. Also, even though the virtual machine is running as a guest on the host, the network connectivity and all of the normal host based tracking methods still apply. It would still be possible to pick up evidence of communication from a computer configured in this manner by examining the routing tables of the host computer.

Using a virtual machine running from a CD ROM with an encrypted file system, on a machine with the hard drive disconnected, leaves little in the way of resilient computer forensic evidence on the host machine. The CD ROM can lead to supposition that the user has implemented it in a particular way, but it is still static evidence. Providing proof of some type of activity on the computer is going to be difficult. All of the issues of connecting to the computer network remain. Standard processes such as pulling the plug on the computer on arrival would result in any dynamic host based information being lost. Even then, what evidence remains is likely in the RAM of the computer. With substantial argument over the realities of dynamic [1] versus static [2] computer forensics, the discipline has fallen behind the technology curve. If the memory space is encrypted, a cold boot attack is also likely to fail. The path of tool development has not kept pace with the requisite needs of the investigator. With this example the investigator is going to be left with only the dynamic evidence that may still be in the machine's RAM. Getting it out, though, is difficult and therefore largely ignored, with a few counterexamples.

Using a virtual machine booting off of an encrypted, write blocked Universal Serial Bus (USB) device, blocking the use of the hard drive, and accessing the Internet through the onion router (TOR) network is the final example. Take as an example the SwitchBlade Project. It is possible to build a write blocked USB drive that contains all of the files necessary to implement a virtual machine and host it in the computer's memory. With two layers of encryption it becomes much harder to break into the computer. Since the encryption is dynamic and the utilization of the system is also dynamic, there are several fail safes in place. Writing a software write blocker for most hard disk based user computer systems has been done as part of the forensic discipline. Such software turns a normal computer into a diskless computer. Carrying ourselves on the back of other technologies, it is possible to use the TOR network to obscure the traffic path (we assume simple text will suffice and performance issues are not a problem). Using a virtual private network through the TOR network will also encrypt the communication, thus keeping it from prying eyes.
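The point made above, that host based network tracking still applies to an encrypted guest and that a TOR path is visible from the host, is the kind of volatile evidence a live-response triage keeps and a pulled plug loses. The following is an added example, not code from the post: it parses constructed `netstat -ano` style rows against a constructed process table and flags a local Tor SOCKS listener, connections to Tor relay ports, and connections owned by a hypervisor worker process. The port numbers and process names are assumptions based on stock defaults, not something the post states.

```python
"""Live-response triage of volatile host network state (added example; constructed samples)."""
import re
from typing import NamedTuple

TOR_SOCKS_PORTS = {9050, 9150}        # assumption: stock Tor SocksPort defaults
TOR_RELAY_PORTS = {9001, 9030}        # assumption: stock ORPort / DirPort defaults
VM_PROCESSES = {"vmware-vmx.exe", "virtualboxvm.exe"}  # assumption: hypervisor workers

class Conn(NamedTuple):
    proto: str
    local_port: int
    remote_ip: str
    remote_port: int
    state: str
    pid: int

# Proto, local addr:port, foreign addr:port (or *:*), optional state, owning PID
_LINE = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\d+)\s+(\S+):(\d+|\*)(?:\s+([A-Z_]+))?\s+(\d+)\s*$")

def parse_netstat(text: str) -> list[Conn]:
    """Parse netstat -ano style rows; the header and malformed rows are skipped."""
    out = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            proto, lport, rip, rport, state, pid = m.groups()
            out.append(Conn(proto, int(lport), rip,
                            0 if rport == "*" else int(rport), state or "", int(pid)))
    return out

def triage(conns: list[Conn], procs: dict[int, str]) -> dict[str, list[str]]:
    """Flag host-side indicators that survive guest-side encryption but not a pulled plug."""
    f = {"tor_socks_listener": [], "tor_relay_conn": [], "vm_owned_conn": []}
    for c in conns:
        owner = procs.get(c.pid, "?").lower()
        if c.state == "LISTENING" and c.local_port in TOR_SOCKS_PORTS:
            f["tor_socks_listener"].append(f"{c.local_port} {owner}")
        if c.state == "ESTABLISHED" and c.remote_port in TOR_RELAY_PORTS:
            f["tor_relay_conn"].append(f"{c.remote_ip}:{c.remote_port} {owner}")
        if c.state == "ESTABLISHED" and owner in VM_PROCESSES:
            f["vm_owned_conn"].append(f"{c.remote_ip}:{c.remote_port} {owner}")
    return f

# Constructed sample output (documentation address ranges, fabricated PIDs).
SAMPLE_NETSTAT = """  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:9050         0.0.0.0:0              LISTENING       4120
  TCP    192.0.2.10:51342       198.51.100.7:9001      ESTABLISHED     4120
  TCP    192.0.2.10:51350       203.0.113.9:443        ESTABLISHED     2210
  UDP    0.0.0.0:5353           *:*                                    1530"""
SAMPLE_PROCS = {4120: "tor.exe", 2210: "vmware-vmx.exe", 1530: "svchost.exe"}
```

Running `triage(parse_netstat(SAMPLE_NETSTAT), SAMPLE_PROCS)` attributes the relay connection to the Tor process and the HTTPS connection to the hypervisor worker, which is exactly what is gone once the machine is powered off.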

This last method of foiling computer forensics, when broken down against the OSI 7-Layer Communications Model, encrypts, obscures, or fails to provide evidence at all layers of the model, providing little or no evidence even when the machine is found on in the suspect's possession. Such methods are clearly not going to be obvious to the casual user, but each of the tools discussed exists as an open source implementation, with some groups providing them, along with training, to political dissidents. This particular scenario has the added bonus that the USB key can be password protected, and delete routines (software and external hardware switches) can be installed in the USB key to render it useless for an investigation instantaneously.

Computer forensics as a discipline is utilized heavily for tracking white-collar crime, and is especially useful in providing high value evidence in child pornography cases. This is interesting, but an area that is missing is actual traitor tracing. Traitor tracing is often considered part of multimedia digital rights management, and secondarily uses the tools of disinformation or technical tools like watermarking to find where information was leaked. Those are excellent areas to consider, but finding a traitor (internal adversary) is much more difficult when the normal investigatory tools are not useful or relevant. With the advent of random access memory (RAM) hard drives this type of forensics will only get harder.

In considering the act of traitor tracing (beyond multimedia digital rights management and watermarking of digital documents), the investigator must have a broad set of tools and analyze the suspect, the environment, and the criminal events being investigated. Computer investigations have left the era of point and click investigations, if it ever existed. There may be a need to evaluate and communicate new training to first responders and criminal investigators when dealing with computers that are secondary to the crime but possible evidence that a crime occurred.

The practitioners of computer forensics need to understand that the research agenda must include tools outside of hard drive analysis. The discipline should understand that to become a science, the corollary theories and laws of the science must be generalizable to the point that a paradigm can be agreed upon that is inclusive of the problem sets. The inability of the current set of tools to provide meaningful analysis or forensic evidence is an example of the discipline lacking a scientific background due to its reliance on tools rather than scientific method. Forensic science needs at some point to provide a screed that is above the level of the first responder and create a simple set of rules that are indicative of the totality of the science.

[1] F. Adelstein, “Live Forensics: Diagnosing your system without killing it first,” ACM, vol. 49, p. 63, February 2006.

[2] B. Carrier and E. H. Spafford, “Getting Physical with the Digital Investigation Process,” International Journal of Digital Evidence, vol. 2, 2003.
