Welcome back, my tenderfoot hackers!
So many readers in the Null Byte community have been asking me questions about evading detection and hacking undetected that I decided to start a new series on digital forensics.
I applaud each of you for your concern, as the last thing I want to see is one of you getting caught and spending years locked up in an 8 x 8 concrete room with a violent and lascivious cellmate. You can never be too cautious in this field of endeavor.
The best way to evade detection is to understand what the other side is doing and using. So, this series will focus on the tools and techniques that law enforcement and the security engineers are using to detect and prosecute hackers around the world.
What Is Digital Forensics?
Digital forensics is the field of determining who was responsible for a digital intrusion or other computer crime. It uses a wide range of techniques to attribute the act to its perpetrator.
It relies upon the fundamental concept that whenever a digital intrusion or crime is committed, the perpetrator inadvertently leaves a bit of themselves behind for the investigator to find. These "bits" could be entries in log files, changes to the registry, hacking software, malware, remnants of deleted files, etc. All of these can provide clues and evidence to determine their identity and lead to the capture and arrest of the hacker.
As a hacker, the more you know and understand about digital forensics, the better you can evade the standard forensic techniques and even implement anti-forensic measures to throw off the investigator.
The Digital Forensic Tools
Just like in hacking, there are a number of software tools for doing digital forensics. For the hacker, becoming familiar with these tools and how they work is crucial to evading them. Most digital forensic investigators rely upon three major commercial digital forensic suites.
- Guidance Software's EnCase Forensic
- AccessData's Forensic Toolkit (FTK)
- ProDiscover
These three suites are made up of multiple tools and reporting features and can be fairly expensive. While they are widely used by law enforcement, they use the same or similar techniques as the free, open-source suites, without the fancy interfaces.
By using the open source and free suites, we can come to understand how such tools as EnCase work without the expense. EnCase is the most widely used tool by law enforcement, but not necessarily the most effective and sophisticated. These tools are designed for user-friendliness, efficiency, certification, good training, and reporting.
There are a number of free, open-source forensic suites, including the following three.
- The Sleuth Kit (TSK)
- Helix
- Knoppix
We will look at each of these suites to better understand what digital forensic investigators can see and find about an intrusion and the perpetrator.
The Forensic Tools Available in BackTrack
In addition, there are a large number of individual tools that are available for digital forensics, some of which are available in our BackTrack and Kali distributions.
Some of the better tools in BackTrack include the following, among many others.
- sleuthkit
- truecrypt
- hexedit
- autopsy
- iphoneanalyzer
- rifiuti2
- ptk
- exiftool
- evtparse.pl
- fatback
- scalpel
- dc3dd
- driftnet
- timestomp
What Can Digital Forensics Do?
Digital forensics can do many things, all of which the aspiring hacker should be aware of. Below is a list of just some of the things.
- Recovering deleted files, including emails
- Determine what computer, device, and/or software created the malicious file, software, and/or attack
- Trace the source IP and/or MAC address of the attack
- Track the source of malware by its signature and components
- Determine the time, place, and device that took a picture
- Track the location of a cell phone enabled device (with or without GPS enabled)
- Determine the time a file was modified, accessed or created (MAC)
- Crack passwords on encrypted hard drives, files, or communication
- Determine which websites the perpetrator visited and what files he downloaded
- Determine what commands and software the suspect has utilized
- Extract critical information from volatile memory
- Determine who hacked the wireless network and who the unauthorized users are
And that's just some of the things you can do with digital forensics!
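To make "recovering deleted files" concrete, here is a small signature-based file carver in the spirit of scalpel from the BackTrack list above. It is an added example written for this article, not code from scalpel, foremost or any other tool; the "disk image" it scans is a constructed byte string, not a real capture.

```python
from typing import List, Tuple

# Header/footer signatures and a size ceiling per type, the same idea scalpel and
# foremost use. Carving works on raw bytes, so a file whose directory entry and
# inode are gone can still be found as long as its blocks were not overwritten.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 10 * 1024 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 10 * 1024 * 1024),
    "pdf": (b"%PDF-", b"%%EOF", 20 * 1024 * 1024),
}


def carve(image: bytes) -> List[Tuple[str, int, int]]:
    """Return (type, offset, length) for every header with a matching footer."""
    found = []
    for ftype, (header, footer, max_len) in SIGNATURES.items():
        start = image.find(header)
        while start != -1:
            # Look for the footer only inside the size ceiling so that a file
            # whose tail was overwritten does not swallow the rest of the image.
            limit = min(len(image), start + max_len)
            end = image.find(footer, start + len(header), limit)
            if end != -1:
                found.append((ftype, start, end + len(footer) - start))
            start = image.find(header, start + 1)
    return sorted(found, key=lambda hit: hit[1])


def carve_files(image: bytes) -> List[Tuple[str, bytes]]:
    """Slice the carved regions out of the image, as a carver would write them to disk."""
    return [(ftype, image[off:off + n]) for ftype, off, n in carve(image)]


# Constructed sample "image": zero filler with a PNG and a JPEG lingering in it,
# the way deleted file contents linger in unallocated space. Not a real capture.
PNG_BLOB = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16 + b"IEND\xaeB`\x82"
JPG_BLOB = b"\xff\xd8\xff\xe0" + b"J" * 40 + b"\xff\xd9"
SAMPLE_IMAGE = b"\x00" * 64 + PNG_BLOB + b"\x00" * 32 + JPG_BLOB + b"\x00" * 16

if __name__ == "__main__":
    for ftype, off, n in carve(SAMPLE_IMAGE):
        print(f"{ftype} at offset {off}, {n} bytes")
```

A JPEG with an embedded thumbnail carries a second header, so this simple carver also emits an overlapping inner hit that ends at the first footer; real carvers handle that case with format-aware parsing.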
What Is Anti-Forensics?
Anti-forensics refers to techniques used to obfuscate information and evade the tools and techniques of the forensic investigator. Some of these techniques include the following.
- Hiding data: Hiding data can include such things as encryption and steganography.
- Artifact wiping: Every attack leaves a signature or artifact behind. Sometimes it's wise to attempt to wipe these artifacts from the victim machine so as to leave no tell-tale trail for the investigator.
- Trail obfuscation: A decent forensic investigator can trace nearly any remote attack to an IP address and/or MAC address. Trail obfuscation is a technique that leads them to a source other than the actual origin of the attack.
- Changing the timestamp: Change the file timestamps (modify, access, and change) to evade detection by forensic tools.
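Changing timestamps is also one of the easier anti-forensic tricks for an investigator to spot, because on NTFS only the $STANDARD_INFORMATION ($SI) times can be set from user mode while the $FILE_NAME ($FN) times are maintained by the kernel. The following is an added example of mine, not code from timestomp or from any forensic suite: it checks one parsed MFT record for the two classic $SI/$FN inconsistencies. The records are constructed samples, and the MftTimes layout is an assumption about how you would hold the times a tool such as TSK's istat prints for an entry.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List


@dataclass
class MftTimes:
    """Timestamps from one NTFS MFT entry (hypothetical layout, all UTC)."""
    si_created: datetime    # $STANDARD_INFORMATION: settable from user mode
    si_modified: datetime
    si_accessed: datetime
    fn_created: datetime    # $FILE_NAME: written by the kernel on create/rename
    fn_modified: datetime


def timestomp_indicators(t: MftTimes) -> List[str]:
    """Return the names of the inconsistencies found; an empty list means clean."""
    flags = []
    # 1. $SI says the file was created before $FN says it existed. $FN created is
    #    set at creation and ordinary APIs cannot push it back, so $SI should never
    #    be older than it.
    if t.si_created < t.fn_created:
        flags.append("si_created_before_fn_created")
    # 2. All $SI values sit on whole seconds while $FN keeps sub-second precision.
    #    Tools that set times through second-granularity APIs leave this pattern;
    #    a kernel-written timestamp almost never has a zero fraction by chance.
    si_values = (t.si_created, t.si_modified, t.si_accessed)
    if all(v.microsecond == 0 for v in si_values) and t.fn_created.microsecond != 0:
        flags.append("si_whole_seconds_only")
    return flags


def ts(iso: str) -> datetime:
    """Parse a constructed ISO-8601 sample timestamp as UTC."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


# Constructed sample records, not real evidence. In the untouched file the $SI and
# $FN creation times agree; in the altered file $SI has been pushed back five years.
UNTOUCHED = MftTimes(ts("2014-03-02T10:15:30.123456"), ts("2014-03-05T08:00:01.250000"),
                     ts("2014-03-05T08:00:01.250000"), ts("2014-03-02T10:15:30.123456"),
                     ts("2014-03-02T10:15:30.123456"))
STOMPED = MftTimes(ts("2009-01-01T00:00:00"), ts("2009-01-01T00:00:00"),
                   ts("2009-01-01T00:00:00"), ts("2014-03-02T10:15:30.123456"),
                   ts("2014-03-02T10:15:30.123456"))

if __name__ == "__main__":
    print("untouched:", timestomp_indicators(UNTOUCHED))
    print("stomped:  ", timestomp_indicators(STOMPED))
```

A file that was simply copied shows a modified time older than its creation time, which is benign, so that comparison is deliberately not a rule here; and because a rename refreshes $FN from the current $SI values, a file altered and then renamed can pass both checks.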
Stay Tuned for More on Digital Forensics
I will spend some of my future Null Byte tutorials looking at the most widely used techniques in digital forensics, using both commercial and open-source tools, and then advance to anti-forensics, or ways to evade detection by these tools and the forensic investigator.
So, to learn the techniques law enforcement and security engineers are using to track hackers, along with how to avoid and evade, keep coming back here!
11 Comments
Is it possible to use forensics to trace where like a message on facebook came from, or even my comment here, or an anonymous message on like ask.fm? If so, would that be an advanced forensic technique or would it be easy to pick up?
Eight:
The answer is yes, but it wouldn't be easy. You can trace the IP address of where the message came from, but then I'd have to ask your ISP who was assigned that IP address.
OTW
I am waiting for Part 2...
A very great website. This is my first visit...
Muhammad:
Thanks for the compliment. I'm glad you found us here at Null Byte. Part 2 should be out this week.
OTW
Is it fair to assume that forensics will take the trouble to track the source of an attack only if the target happens to be high profile? I.e., if you fly under the radar you will be lost in all the noise?
Zero:
That is a fair assumption. Thousands of attacks take place every day and no one has the time to track them.
OTW
Nice post, keep it coming.
Thanks for that Master OTW.
Are there any books that you recommend for a beginner in the subject? Last question: if, as a beginner, I want to focus on data recovery as a primary means of forensics, what books, videos or courses (if free) would you recommend to truly master the subject (the who, what, when, where and why of data recovery)?
Great article OCCUPYTHEWEB. Hope I'm not too late to the party but do you have plans to expand further on the open-source forensics tools you have introduced in this chapter? Alternatively, can you refer some good sources of tutorials to get familiarised with those tools?
Good stuff!
Would it be possible to track a hacker who would use a public wifi connection to exploit a target? The IP would be useless. The MAC address would be left in the network's logs, but that is a dead end, too.