Anti-Forensics Techniques

Created: 12.07.2023

This article is an overview of possible anti-forensics techniques.

Timestomping

On NTFS, discrepancies between $STANDARD_INFORMATION and one or two $FILE_NAME attributes’ MACB timestamps could indicate timestomping.

🤔 How to detect timestomping techniques?

Compare $FILE_NAME ⏰ against $STANDARD_INFORMATION ⏰. Discrepancies can be detected with 🛠️ MFTECmd, 🛠️ fls, 🛠️ istat and 🛠️ FTK Imager.

NTFS timestamps are very precise and carry fractional seconds as well. Typically, you’d expect the fraction to be something other than all zeroes, so an all-zero fraction is worth a second look. Check with 🛠️ MFTECmd and 🛠️ istat.

If the 🏺 ShimCache timestamp is newer than the $STANDARD_INFORMATION modified timestamp, the modified time was likely moved back. Use 🛠️ MFTECmd, 🛠️ fls, 🛠️ istat or 🛠️ FTK Imager for $STANDARD_INFORMATION, and 🛠️ ShimCacheParser.py or 🛠️ AppCompatCacheParser.py for ShimCache.

Check whether the PE compile time ⏰ is later than the $STANDARD_INFORMATION timestamps. 🛠️ sigcheck and 🛠️ ExifTool.

Check the $I30 index attribute as well.

Check the MFT for records with similar entry numbers: NTFS tends to assign consecutive MFT records to files created within a short period of time.

🤔 Imagine you have several files, and one of them has likely been tampered with. How do you decide which one? Look at groups of files created at roughly the same time and compare their MFT entry numbers. If one differs greatly from the rest, it’s something to look into further. For example, a file has timestamps like most of the files created at the same time, but its MFT number is very low. Also, $STANDARD_INFORMATION and $FILE_NAME timestamps (NTFS) usually match, and the milliseconds fraction should not be all zeroes.
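The checks above combined into one script, as an added example that is not part of the original article: it runs the $SI/$FN, fractional-second, ShimCache and compile-time comparisons per record and flags MFT entry numbers that do not fit their creation-time neighbours. It works on constructed sample records rather than a real MFTECmd or istat export; the Entry fields, the 120-second window and the 1000-entry spread are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

@dataclass
class Entry:  # one $MFT record, as MFTECmd or istat would report it (assumed layout)
    mft: int                                   # MFT entry number
    name: str
    si_created: datetime                       # $STANDARD_INFORMATION created
    si_modified: datetime                      # $STANDARD_INFORMATION modified
    fn_created: datetime                       # $FILE_NAME created
    shimcache_mod: Optional[datetime] = None   # last-modified time stored in ShimCache
    compile_time: Optional[datetime] = None    # PE compile time from sigcheck/ExifTool

def ts(s: str) -> datetime:  # ISO string -> timezone-aware UTC datetime
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

def indicators(e: Entry) -> List[str]:
    """Per-record timestomping heuristics from the section above."""
    checks = [
        (e.si_created != e.fn_created, "SI/FN created mismatch"),
        (e.si_created.microsecond == 0 and e.si_modified.microsecond == 0, "zero fractional seconds"),
        (e.shimcache_mod is not None and e.shimcache_mod > e.si_modified, "ShimCache newer than SI modified"),
        (e.compile_time is not None and e.compile_time > e.si_created, "compile time newer than SI created"),
    ]
    return [label for hit, label in checks if hit]

def mft_outliers(entries: List[Entry], window_s: int = 120, spread: int = 1000) -> List[str]:
    """Names of files whose MFT number is far from those of files created in the same window."""
    groups = defaultdict(list)
    for e in entries:
        groups[int(e.si_created.timestamp()) // window_s].append(e)
    flagged = []
    for grp in groups.values():
        if len(grp) < 3:
            continue                      # too few neighbours to judge
        nums = sorted(x.mft for x in grp)
        median = nums[len(nums) // 2]
        flagged += [x.name for x in grp if abs(x.mft - median) > spread]
    return flagged

# Constructed sample: three ordinary files and one whose $SI timestamps were backdated
SAMPLE = [
    Entry(41200, "setup.log", ts("2023-07-01 10:00:01.123456"), ts("2023-07-01 10:00:05.654321"), ts("2023-07-01 10:00:01.123456")),
    Entry(41201, "config.xml", ts("2023-07-01 10:00:02.222222"), ts("2023-07-01 10:00:02.222222"), ts("2023-07-01 10:00:02.222222")),
    Entry(41203, "readme.txt", ts("2023-07-01 10:00:03.333333"), ts("2023-07-01 10:00:03.333333"), ts("2023-07-01 10:00:03.333333")),
    Entry(1500, "tool.exe", ts("2023-07-01 10:00:04"), ts("2023-07-01 10:00:04"), ts("2023-07-03 22:15:09.987654"),
          shimcache_mod=ts("2023-07-03 22:15:09.987654"), compile_time=ts("2023-07-02 08:00:00")),
]
```

Running `indicators` over each entry and `mft_outliers(SAMPLE)` singles out tool.exe on all five heuristics at once; on real data each hit is only a lead, and one check alone (a zero fraction, say) is common enough that it needs the others to corroborate it.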

File Delete/Wiping

πŸ› οΈ sdelete (more about the forensic footprint of the tool here). Wipes files, directories and free space. This is what this tool’s activity looks like:

[image omitted]

As you can see, files are first renamed with a peculiar pattern: each subsequent file is renamed to the next letter, so the first file is renamed with As, the second with Bs, etc.
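One way to turn that rename pattern into a check, as an added example that is not part of the original article: walk $UsnJrnl:$J rename records, pair each RENAME_OLD_NAME with the repeated-letter RENAME_NEW_NAME that follows for the same file reference, and recover the original names of the files that were wiped. The records are constructed, and the tuple layout is an assumption about what a journal parser would emit; the reason-flag values are the documented USN_RECORD ones.

```python
import re
from typing import Dict, List, Tuple

# USN_RECORD reason flags (only the two needed here)
USN_REASON_RENAME_OLD_NAME = 0x00001000
USN_REASON_RENAME_NEW_NAME = 0x00002000

# Wiper alias: one letter repeated at least three times, optionally a same-letter extension
WIPE_NAME = re.compile(r"^([A-Za-z])\1{2,}(\.\1+)?$")

# Constructed $UsnJrnl:$J rename records: (usn, file reference, reason flags, file name)
RECORDS: List[Tuple[int, int, int, str]] = [
    (1000, 0x1A3, USN_REASON_RENAME_OLD_NAME, "payroll_2023.xlsx"),
    (1001, 0x1A3, USN_REASON_RENAME_NEW_NAME, "AAAAAAAAAAAAAAAAA.AAAA"),
    (1002, 0x1A4, USN_REASON_RENAME_OLD_NAME, "notes.txt"),
    (1003, 0x1A4, USN_REASON_RENAME_NEW_NAME, "BBBBBBBBB.BBB"),
    (1004, 0x1A5, USN_REASON_RENAME_OLD_NAME, "draft.docx"),
    (1005, 0x1A5, USN_REASON_RENAME_NEW_NAME, "draft_v2.docx"),   # ordinary rename, not flagged
]

def wiper_renames(records: List[Tuple[int, int, int, str]]) -> Dict[str, List[str]]:
    """Map each original file name to the repeated-letter aliases it was renamed to."""
    pending: Dict[int, str] = {}        # file reference -> last RENAME_OLD_NAME seen for it
    found: Dict[str, List[str]] = {}
    for _usn, ref, reason, name in sorted(records):   # journal order = USN order
        if reason & USN_REASON_RENAME_OLD_NAME:
            pending[ref] = name
        elif reason & USN_REASON_RENAME_NEW_NAME and WIPE_NAME.match(name):
            original = pending.pop(ref, None)
            if original:
                found.setdefault(original, []).append(name)
    return found
```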

πŸ› οΈ bcwipe πŸ’° (commercial). Clears $I30 slack and MFT records. Renames files once with a random name equal in size to the original. Check $UsnJrnl, $LogFile, and 🏺 execution artefacts. πŸ“‚ C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex contains 🏺 .gthr gather log that’s used to index files for better search performance (used by Windows Search index). Windows Search index uses $UsrJrnl to track changes made to the system. Even when files were deleted and wiped, .gthr log, $UsrJrnl, $I30 can be used to confirm, at least, that the file existed and even recover some data from it. Also, 🏺 Prefetch file for sdelete or any other wiping tool could indicate that some wiping occurred.

πŸ› οΈ Eraser (open-source). Renamed MFT records (with ADS, if present), $130 slack, $UsnJrnl, $LogFile, and β€œEvidence of Execution” artefacts persist

πŸ› οΈ Cipher (built-in on Windows). Includes a feature to overwrite free space (not individual files). ❗️Creates a persistent directory named EFSTMPWP at the volume root and adds temp files to fill free space. Also, LOL.bin is sometimes used for cleanup.

📘 cipher.exe /w:<drive>

πŸ› οΈ CCleaner

For Windows Registry recovery, use 🛠️ Registry Explorer. It can process unallocated space for deleted keys. It can also spot anomalies that point to fileless malware hiding in the registry: it detects both unusually large values and base64-encoded strings.

One can also use carving to look for specific data across various artefacts. It’s useful when the metadata has been reused and no longer exists for the file.

📘 icat -r image inode # recover with the metadata method
📘 tsk_recover image outputdir

# Carving methods
📘 photorec # win, lin, mac, 300+ file signatures. Uses metadata from the carved files.

You can also utilise Volume Shadow Copies to restore deleted files. 🛠️ vss_carver.py can be used for that.

📘 vss_carver -t RAW -i /mnt/ewf_mount/ewf1 -o 0 -c ~/vsscarve-basefile/catalog -s ~/vsscarve-basefile/store

📘 vss_catalog_manipulator list ~/vsscarve-basefile/catalog

📘 vshadowmount -o 0 -c ~/vsscarve-basefile/catalog -s ~/vsscarve-basefile/store

📘 cd /mnt/vsscarve-basefile/
📘 for i in vss*; do mountwin $i /mnt/shadowcarve-basefile/$i; done

Yet another way to recover files is to use 🛠️ bulk_extractor-rec to carve for Event logs and NTFS structures:

  • evtx - EVTX file and EVTX chunks (with generated file header)
  • ntfsindx - INDX records of the $INDEX_ALLOCATION attribute
  • ntfslogfile - RSTR/RCRD records of $LogFile
  • ntfsmft - FILE records of $MFT
  • ntfsusn - USN_RECORD structures of $UsnJrnl:$J
  • utmp - utmp structure records

To extract unallocated space for carving:

📘 blkls [options] image > image.unallocated

The last resort for carving: strings, bstrings (Windows) and grep.

Encryption

Fileless Malware

Malware of that type is still not 100% fileless. What it means is that the main code is not written to disk, but the loader still needs to be present on the disk. Most often it’s a PowerShell script or WMI on Windows machines.

Registry/Config

Keys can be deleted or wiped. Also, the registry might be utilised to hide scripts.

Logs Tampering and Deletion

With Event logs on Windows, one can even insert bogus events using the WinAPI.

Process evasion (injections and hooking)

References
