🕶️ Anti-Forensics

Anti-Forensics Techniques

This article is an overview of possible anti-forensics.

Hiding Processes

Malware is not going to just sit there and sing 🎶: it hides its processes. The techniques below are the common ones; a more detailed explanation is in the anti-forensics section.

Forged Image Detection

https://29a.ch/photo-forensics/#forensic-magnifier

Images can be forged or cloned, and regions within them can be manipulated; this is hard to detect with the naked eye. ❗ Social media strips metadata from uploaded images, which makes tracking the origin of an image difficult.

The main goals are to detect whether the image was cloned and to track the source of the image. Forensically and JPEGSnoop are open-source tools that detect tampering.

  1. Magnification. Autocontrast does not disturb the colors much; autocontrast by channel does.
  2. Clone detection. The most important check. Minimal similarity ~ 0.5. Minimal detail ~ 0.1. Minimal cluster size (the number of blocks that two regions need to share in order to be considered clones) ~ 14.
  3. Error-level analysis. Shows that parts of an image have been compressed a different number of times. For example, when you paste one image onto another and save, there are several compressions in place: one for the original image and one for the pasted region. Noise is used to find this: the artifacts implanted by compressing an area multiple times mean those parts cannot be compressed much further.
  4. Noise analysis. Self-explanatory.
  5. JPEG analysis. Reads the quantization table, which specifies how the image was compressed; each cell is 0-255. To compress an image, the software shifts the pixel intensities into the range -128 to 127 and a new quantization table is calculated. The standard value is 95, which is the automatic value when the image has not been processed; Adobe (Photoshop quality) uses 85. The order of the different sections also matters: SOI is the start of image, EOI the end of image. Multiple SOI and EOI markers indicate that other images have been pasted in. Application segments: APP0 (JPEG version, screen and printing resolution), APP1 (date/time, focal length, aperture), APP13 (present if processed with Adobe Photoshop). SOS (start of scan) marks the compressed image data.
  6. Structural and string analysis. Useful when there is no EXIF. A string beginning FBMD01000a9... indicates a web upload (Facebook).
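The structural checks in points 5 and 6 (marker order, repeated SOI/EOI, which APPn segments are present, the quantization table and the quality it implies) can be scripted without a decoder, by walking the JPEG marker segments. The following is an added example in Python, not code from the page or from Forensically/JPEGSnoop; the quality estimate inverts the IJG scaling formula from the luminance table sum, which is an approximation, and the sample byte stream is constructed here (valid marker structure, not a viewable picture) so the block runs offline.

```python
"""Structural JPEG inspection: walk marker segments, count SOI/EOI, list APPn
segments, decode DQT tables and estimate the IJG quality factor.
Added example; not part of the original page or of any tool it names."""
import struct

SOI, EOI, SOS, DQT, SOF0 = 0xD8, 0xD9, 0xDA, 0xDB, 0xC0
STANDALONE = {0xD8, 0xD9, 0x01} | set(range(0xD0, 0xD8))   # SOI, EOI, TEM, RST0-7

# IJG standard luminance quantization table (natural order; only sums are used)
STD_LUMA = [
    16, 11, 10, 16, 24, 40, 51, 61, 12, 12, 14, 19, 26, 58, 60, 55,
    14, 13, 16, 24, 40, 57, 69, 56, 14, 17, 22, 29, 51, 87, 80, 62,
    18, 22, 37, 56, 68, 109, 103, 77, 24, 35, 55, 64, 81, 104, 113, 92,
    49, 64, 78, 87, 103, 121, 120, 101, 72, 92, 95, 98, 112, 100, 103, 99,
]

def marker_name(m):
    if 0xE0 <= m <= 0xEF:
        return f"APP{m - 0xE0}"
    return {SOI: "SOI", EOI: "EOI", SOS: "SOS", DQT: "DQT", SOF0: "SOF0",
            0xC4: "DHT", 0xFE: "COM"}.get(m, f"0x{m:02X}")

def iter_segments(data):
    """Yield (marker, offset, payload); entropy-coded bytes after SOS are skipped."""
    i, n = 0, len(data)
    while i + 1 < n:
        if data[i] != 0xFF or data[i + 1] in (0x00, 0xFF):
            i += 1                       # stray byte, stuffed FF00 or FF fill
            continue
        marker, off = data[i + 1], i
        if marker in STANDALONE:
            yield marker, off, b""
            i += 2
            continue
        if i + 4 > n:                    # truncated segment header
            break
        length = struct.unpack(">H", data[i + 2:i + 4])[0]
        yield marker, off, data[i + 4:i + 2 + length]
        i += 2 + length
        if marker == SOS:                # skip scan data up to the next real marker
            while i + 1 < n and not (data[i] == 0xFF and data[i + 1] not in (0x00, 0xFF)
                                     and not 0xD0 <= data[i + 1] <= 0xD7):
                i += 1

def parse_dqt(payload):
    """Return {table_id: [64 values]} from a DQT payload (8- or 16-bit entries)."""
    tables, i = {}, 0
    while i < len(payload):
        pq, tq = payload[i] >> 4, payload[i] & 0x0F
        width = 2 if pq else 1
        i += 1
        tables[tq] = [int.from_bytes(payload[i + k * width:i + (k + 1) * width], "big")
                      for k in range(64)]
        i += 64 * width
    return tables

def scaled_table(quality, base=STD_LUMA):
    """IJG scaling of a base table for a quality factor (used to build the sample)."""
    scale = 5000 // quality if quality < 50 else 200 - 2 * quality
    return [min(255, max(1, (q * scale + 50) // 100)) for q in base]

def estimate_quality(table, base=STD_LUMA):
    """Invert the IJG scaling from the table sum; an estimate, not an exact readback."""
    scale = 100.0 * sum(table) / sum(base)
    return round(5000.0 / scale) if scale > 100 else round((200.0 - scale) / 2)

def analyze(data):
    """Marker inventory plus the flags a reviewer would raise from structure alone."""
    segs = list(iter_segments(data))
    names = [marker_name(m) for m, _, _ in segs]
    report = {"markers": names, "soi_count": names.count("SOI"),
              "eoi_count": names.count("EOI"),
              "app_segments": sorted({x for x in names if x.startswith("APP")}),
              "quant_tables": {}, "flags": []}
    for m, _, payload in segs:
        if m == DQT:
            report["quant_tables"].update(parse_dqt(payload))
    if 0 in report["quant_tables"]:
        report["estimated_quality"] = estimate_quality(report["quant_tables"][0])
    if report["soi_count"] > 1 or report["eoi_count"] > 1:
        report["flags"].append("multiple SOI/EOI: embedded or appended image data")
    if data[:2] != b"\xFF\xD8":
        report["flags"].append("file does not start with SOI")
    return report

def _segment(marker, payload):
    return b"\xFF" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

def build_sample(quality=85, trailing_image=True):
    """Constructed marker stream (not a decodable picture) that exercises the parser."""
    jfif = b"JFIF\x00\x01\x01\x01\x00\x48\x00\x48\x00\x00"
    dqt = bytes([0x00]) + bytes(scaled_table(quality))          # 8-bit table 0
    sof0 = b"\x08\x00\x10\x00\x10\x01\x01\x11\x00"               # 8-bit, 16x16, 1 comp
    sos = b"\x01\x01\x00\x00\x3F\x00"
    scan = b"\x12\xFF\x00\x34\xFF\xD0\x56\x78"                   # stuffed FF00 and RST0
    img = (b"\xFF\xD8" + _segment(0xE0, jfif) + _segment(DQT, dqt)
           + _segment(SOF0, sof0) + _segment(SOS, sos) + scan + b"\xFF\xD9")
    if trailing_image:   # a second image appended after EOI, as pasting tools leave
        img += (b"\xFF\xD8" + _segment(0xE1, b"Exif\x00\x00")
                + _segment(SOS, sos) + b"\x9A" + b"\xFF\xD9")
    return img

if __name__ == "__main__":
    print(analyze(build_sample()))
```

Run it against a real file with analyze(open(path, "rb").read()): the marker list gives the section order, app_segments shows whether APP1/APP13 are present, and a quality estimate far from the camera default alongside an APP13 segment is the kind of inconsistency the text describes.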


Evading Antivirus

Windows

https://tyeyeah.github.io/2021/08/02/2021-08-02-Bypass-Anti-Virus/

macOS

Linux

Hiding Data

Alternative data stream

Alternate data streams are specific to Windows (NTFS). See more here. Are there such streams for other OS? If yes, how to make them and discover them?

They were introduced to ensure compatibility between NTFS and HFS, and they allow hiding files.

rem copy mal.exe into a named stream of an innocuous text file
type C:\mal.exe > C:\readme.txt:naughty.exe
start readme.txt:naughty.exe
rem or give the stream a plain-looking name via a symbolic link
mklink innocent.exe readme.txt:naughty.exe

rem to run
innocent.exe

But dir /r will display all streams, and LNS and Sfind will hunt down such files. Also, when you copy files from and to a FAT partition, the alternate streams are dropped, since FAT does not support them.
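The dir /r listing mentioned above is easy to triage automatically. The following is an added example in Python, not code from the page or from the LNS/Sfind tools it names: it parses the stream lines that dir /r prints beneath each file, separates the routine Zone.Identifier stream from anything else, and also picks out symbolic links whose target is a stream rather than a plain file. The listing it runs on is constructed here (real output varies by locale and Windows version), and the benign-name set is an assumption to extend for your environment.

```python
"""Triage `dir /r` output for alternate data streams.
Added example; not part of the original page or of the tools it names."""
import re

# Lines dir /r prints beneath a file, one per named stream: "<size> <file>:<stream>:$DATA"
STREAM_RE = re.compile(r"^\s+([\d,]+)\s+(.+):([^:\\]+):\$DATA\s*$")
# Symbolic link entries: "<SYMLINK> <name> [<target>]"
SYMLINK_RE = re.compile(r"<SYMLINK>\s+(\S+)\s+\[(.+)\]\s*$")
# Stream names routine on a Windows box; assumption: extend to taste
BENIGN_STREAMS = {"Zone.Identifier"}

# Constructed sample listing (the format of a real dir /r differs by locale/version)
SAMPLE_DIR_R = """\
 Volume in drive C has no label.
 Directory of C:\\Users\\lab\\Desktop

01/15/2024  09:10 AM                23 readme.txt
                                51,200 readme.txt:naughty.exe:$DATA
01/15/2024  09:11 AM         1,048,576 setup.exe
                                    26 setup.exe:Zone.Identifier:$DATA
01/15/2024  09:12 AM    <SYMLINK>      innocent.exe [readme.txt:naughty.exe]
               3 File(s)      1,099,799 bytes
"""

def find_streams(listing):
    """Return [(host_file, stream_name, size_bytes)] for every named stream listed."""
    found = []
    for line in listing.splitlines():
        m = STREAM_RE.match(line)
        if m:
            size, host, stream = m.groups()
            found.append((host, stream, int(size.replace(",", ""))))
    return found

def find_stream_symlinks(listing):
    """Return [(link_name, target)] for symlinks whose target names a stream."""
    hits = []
    for line in listing.splitlines():
        m = SYMLINK_RE.search(line)
        if m and ":" in m.group(2):      # a ':' in the target means file:stream
            hits.append((m.group(1), m.group(2)))
    return hits

def triage(listing):
    """Streams worth a look (benign names removed) plus stream-backed symlinks."""
    streams = [(h, s, n) for h, s, n in find_streams(listing) if s not in BENIGN_STREAMS]
    return {"streams": streams, "stream_symlinks": find_stream_symlinks(listing)}

if __name__ == "__main__":
    for host, stream, size in find_streams(SAMPLE_DIR_R):
        print(f"{host}:{stream}  ({size} bytes)")
    print(triage(SAMPLE_DIR_R))
```

Feed it the saved output of dir /r /s from the directory under review; a large executable-sized stream on a small text file, or a symlink resolving into a stream, is what to follow up on first.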

Turning Off Logging

macOS

From Apple’s official documentation:

In some cases, the contents of a volume are sufficiently secret that it is not appropriate to log them. To disable logging on a per-volume basis (for creating a backup volume, for example), you must do the following:

  • Create a .fseventsd directory at the top level of the volume.
  • Create an empty no_log file in that directory.

So if your volume is mounted at /Volumes/MyDisk, you would create an empty file called /Volumes/MyDisk/.fseventsd/no_log.

USBKill Switch

USBKill is software that can be used for anti-forensics. By default its config lives in /etc and is named usbkill.ini. The default behaviour is to shut the system down. It keeps a whitelist of allowed USB devices, and can also prevent malware from getting onto the PC from a USB drive.

Analogues: BusKill (a udev rule triggered when the USB drive is removed: lock, shutdown or self-destruct) and Silk Guardian (a Linux kernel-mode kill switch that waits for a change, deletes files on events and shuts the system down).