Hey everyone.
I'm writing an anti-forensics tool in Python that would be uploaded/executed on a target machine to keep the attacker's identity safe. I'm reading up on anti-forensics and doing all my research, but I would like to have some suggestions on some techniques or data I should be looking out for. This can apply to any OS since I'm writing the script to identify the OS and go from there. Right now I'm thinking of ways to systematically delete directories and files for when the attacker wants to wipe most data on the target's system, so that it will delete (or encrypt) everything without deleting (or encrypting) the files it actually needs to do so. Then in the end delete a file that corrupts the system - if the attacker wants that to happen. The encryption would be done with AES CBC mode with a 256-bit key.
Now in order to completely wipe the drive I would probably have to create a partition, then boot off of something that could run the code on the other partition without any interruption, because it doesn't depend on the other to function. That would probably have to be written in and require deep knowledge of C, which I'm still learning, and I doubt I could do something like that, but it would make the tool much better so I might try to learn to do so.
If you didn't catch the question in that mess, here it is:
Do you guys have any suggestions on some techniques or data I should look out for to keep the attacker's identity safe?
Thank you.
-WireWise
9 Responses
Well, are you trying to completely format a drive or delete certain files in the OS to erase certain traces? I recently was involved in a forensics case, and some files you have to get yourself familiar with are shellbags, link files, prefetch files, event logs, startup items, etc. A lot of information is stored in the registry for Windows systems.
However, if you just want to format everything, then knowing all that isn't much use as hopefully it will be overwritten.
Both, really; the program is going to have many arguments which will hopefully do both. I would like to focus more on deleting certain files in the OS to erase certain traces, but having an option to format the drive wouldn't hurt. Do you know where I should go to learn which files to delete to erase certain traces?
So basically, you're wanting to create some sort of rootkit? Also, if you wanted to you can probably delete the MBR; it's just a matter of setting some bytes on disk to 0 and would probably take less than 20 lines of code. Of course, the files would still be intact if you didn't touch them and they recover the MBR.
If you're wanting to know more about traces left by attackers, it's recommended that you look at how forensics works before doing anti-forensics.
Thanks, will do.
Pretty cool project you're working on there, WireWise. Will be interesting to see what you come up with. Good luck.
You have to make sure the files with evidence are gone and not just removed from the MBR/GPT.
One interesting and useful function would be when you could open/change/copy/etc. files and the MAC timestamps get changed back to the values they had before you accessed them, after you've done your evil shit ;). This would kill a critical point in forensics.
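From the investigator's side, the timestamp resetting described in the reply above is usually called timestomping, and it leaves its own traces on NTFS. The example below is an added one (not code from the thread) showing two widely used heuristics over constructed $MFT-style records: user-mode timestamp APIs tend to write whole seconds, leaving zero sub-second precision, and the $FILE_NAME attribute timestamps are set by the kernel and cannot be changed through the normal file-time API, so a $STANDARD_INFORMATION creation time earlier than the $FILE_NAME creation time is a red flag. The record layout and sample values are constructed for illustration.

```python
"""Timestomping heuristics over constructed NTFS-style timestamp records (illustrative only)."""
from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc


@dataclass
class MftRecord:
    """Minimal stand-in for an $MFT entry: path plus the timestamps an analyst compares."""
    path: str
    si_created: datetime    # $STANDARD_INFORMATION creation time (changeable via SetFileTime)
    si_modified: datetime   # $STANDARD_INFORMATION last-modified time
    fn_created: datetime    # $FILE_NAME creation time (kernel-managed, not reachable via SetFileTime)


def timestomp_indicators(rec: MftRecord) -> list:
    """Return the list of heuristics that fire for one record (empty list means nothing suspicious)."""
    reasons = []
    # Heuristic 1: NTFS stores 100 ns resolution; timestamps that are exactly whole seconds on
    # both $SI fields are typical of values written by a user-mode tool rather than by the kernel.
    if rec.si_created.microsecond == 0 and rec.si_modified.microsecond == 0:
        reasons.append("zero sub-second precision on $STANDARD_INFORMATION timestamps")
    # Heuristic 2: $FN creation time is set when the file is created on this volume; an $SI creation
    # time earlier than it means the file claims to predate its own creation.
    if rec.si_created < rec.fn_created:
        reasons.append("$STANDARD_INFORMATION created predates $FILE_NAME created")
    # Heuristic 3: a file cannot be modified before it exists.
    if rec.si_modified < rec.si_created:
        reasons.append("modified time earlier than creation time")
    return reasons


def scan(records) -> dict:
    """Map each path with at least one indicator to its list of reasons."""
    return {r.path: hits for r in records if (hits := timestomp_indicators(r))}


# Constructed sample records: one ordinary system binary and one backdated dropped file.
SAMPLE = [
    MftRecord(r"C:\Windows\System32\notepad.exe",
              datetime(2021, 3, 4, 10, 15, 22, 481233, UTC),
              datetime(2021, 3, 4, 10, 15, 22, 481233, UTC),
              datetime(2021, 3, 4, 10, 15, 22, 481233, UTC)),
    MftRecord(r"C:\Users\Public\svc.exe",
              datetime(2019, 1, 1, 0, 0, 0, 0, UTC),        # backdated, whole seconds
              datetime(2019, 1, 1, 0, 0, 0, 0, UTC),
              datetime(2021, 3, 4, 11, 2, 7, 934512, UTC)),  # $FN still holds the real creation time
]

if __name__ == "__main__":
    for path, reasons in scan(SAMPLE).items():
        print(path)
        for r in reasons:
            print("  -", r)
```

Real $MFT parsing (for example with an MFT parser that exposes both attribute sets) slots into `MftRecord` without changing the heuristics; the $FILE_NAME comparison is the stronger signal, since the sub-second check can also fire on files copied from FAT volumes.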
@echo off
rem Elevation check: bcdedit prints "Access is denied." when not run as administrator
FOR /F "tokens=1,2*" %%V IN ('bcdedit') DO SET adminTest=%%V
IF (%adminTest%)==(Access) goto noAdmin
rem Enumerate every event log channel and hand each one to :doclear
for /F "tokens=*" %%G in ('wevtutil.exe el') DO (call :doclear "%%G")
echo.
goto theEnd
:doclear
echo clearing %1
wevtutil.exe cl %1
goto :eof
:noAdmin
:theEnd
exit
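The script above is exactly the kind of activity a blue team watches for, because clearing a Windows event log is itself logged: the Security channel records Event ID 1102 ("The audit log was cleared") and the System channel records Event ID 104 when any other log is cleared, both from the Microsoft-Windows-Eventlog provider, and with command-line auditing enabled the `wevtutil cl` process start shows up as a 4688 event. The example below is added here (not code from the thread) and runs a simple detector over constructed JSON-lines event records; the field names mirror the common exported-event layout but are an assumption for this example.

```python
"""Flag event-log clearing in a stream of constructed JSON-lines Windows event records."""
import json

# (provider, event id) pairs that directly record a log being cleared
LOG_CLEARED_EVENTS = {
    ("Microsoft-Windows-Eventlog", 1102): "Security log cleared (1102)",
    ("Microsoft-Windows-Eventlog", 104): "event log cleared, recorded in System channel (104)",
}


def classify(event: dict):
    """Return a description of the suspicious activity in one event, or None if it is benign."""
    event_id = int(event.get("EventID", 0))
    if (event.get("Provider"), event_id) in LOG_CLEARED_EVENTS:
        return LOG_CLEARED_EVENTS[(event.get("Provider"), event_id)]
    # 4688 (process creation) with the command line captured: look for wevtutil's clear-log verb
    cmd = f" {(event.get('CommandLine') or '').lower()} "
    if event_id == 4688 and "wevtutil" in cmd and " cl " in cmd:
        return "wevtutil clear-log invocation (4688)"
    return None


def find_log_clearing(lines):
    """Parse JSON-lines records and return (time, user, reason) tuples for every hit."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        reason = classify(ev)
        if reason:
            alerts.append((ev.get("TimeCreated"), ev.get("SubjectUserName"), reason))
    return alerts


# Constructed sample records: one normal logon, then the three traces a log wipe leaves behind.
SAMPLE_EVENTS = [
    json.dumps({"TimeCreated": "2021-03-04T11:01:50Z", "Channel": "Security", "EventID": 4624,
                "Provider": "Microsoft-Windows-Security-Auditing", "SubjectUserName": "alice"}),
    json.dumps({"TimeCreated": "2021-03-04T11:02:07Z", "Channel": "Security", "EventID": 4688,
                "Provider": "Microsoft-Windows-Security-Auditing", "SubjectUserName": "alice",
                "CommandLine": "wevtutil.exe cl Security"}),
    json.dumps({"TimeCreated": "2021-03-04T11:02:08Z", "Channel": "Security", "EventID": 1102,
                "Provider": "Microsoft-Windows-Eventlog", "SubjectUserName": "alice"}),
    json.dumps({"TimeCreated": "2021-03-04T11:02:09Z", "Channel": "System", "EventID": 104,
                "Provider": "Microsoft-Windows-Eventlog", "SubjectUserName": "alice"}),
]

if __name__ == "__main__":
    for when, who, why in find_log_clearing(SAMPLE_EVENTS):
        print(when, who, why)
```

The 1102/104 records survive because the clear operation writes them into the freshly emptied log; shipping events to a remote collector as they occur is what turns the earlier records into something the local wipe cannot remove.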
Hi WireWise,
Probably you are already aware, but note that deleting a file or formatting a drive will not, in general, really delete the information. You really need to destroy the data. And that is a very interesting topic...
A good starting point to learn about some of the issues with that is the shred tool. Type info shred and start reading. Also check this wiki page and go to the standards section to get an idea of what you will have to do.
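To make the point in the reply above concrete: a delete normally removes the directory entry and frees the blocks, while the bytes stay on disk until something overwrites them, which is why file carving recovers "deleted" data and why shred overwrites the content before unlinking. The example below is added here (not code from the thread) and simulates this on a constructed in-memory volume: a toy directory table over a byte array, a plain unlink, a shred-style overwrite, and a carver that searches the raw image for a marker.

```python
"""Toy volume showing why unlinking does not destroy data but overwriting does (constructed example)."""
import os

BLOCK = 512


class ToyVolume:
    """Constructed in-memory volume: raw image bytes plus a directory of name -> (offset, length)."""

    def __init__(self, blocks: int = 64):
        self.image = bytearray(blocks * BLOCK)
        self.directory = {}
        self._next_free = 0

    def write_file(self, name: str, data: bytes) -> None:
        off = self._next_free
        self.image[off:off + len(data)] = data
        self.directory[name] = (off, len(data))
        self._next_free += -(-len(data) // BLOCK) * BLOCK   # round up to whole blocks

    def unlink(self, name: str) -> None:
        """Plain delete: only the directory entry disappears; the blocks are untouched."""
        del self.directory[name]

    def shred(self, name: str, passes: int = 3) -> None:
        """Overwrite the file's blocks (random passes, then zeros) before unlinking, like shred -z."""
        off, length = self.directory[name]
        for _ in range(passes):
            self.image[off:off + length] = os.urandom(length)
        self.image[off:off + length] = bytes(length)
        self.unlink(name)


def carve(image: bytearray, marker: bytes) -> list:
    """Return every offset in the raw image where the marker occurs, ignoring the directory."""
    hits, start = [], 0
    while (i := image.find(marker, start)) != -1:
        hits.append(i)
        start = i + 1
    return hits


MARKER = b"SECRET-NOTE:"   # constructed content signature for the carver


def demo_unlink() -> list:
    """Write, unlink, then carve: the data is still there."""
    vol = ToyVolume()
    vol.write_file("notes.txt", MARKER + b" meeting at dawn")
    vol.unlink("notes.txt")
    return carve(vol.image, MARKER)


def demo_shred() -> list:
    """Write, shred, then carve: nothing to find."""
    vol = ToyVolume()
    vol.write_file("notes.txt", MARKER + b" meeting at dawn")
    vol.shred("notes.txt")
    return carve(vol.image, MARKER)


if __name__ == "__main__":
    print("after unlink, carver finds marker at offsets:", demo_unlink())
    print("after shred, carver finds marker at offsets:", demo_shred())
```

Real filesystems add complications the toy skips (journals, copy-on-write, snapshots, SSD wear levelling and remapping), which is exactly what the shred documentation and the standards section referenced above warn about: an overwrite of the logical file is not always an overwrite of the physical blocks.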