8/6/2017 Countering Anti-Forensic Efforts - Part 2

Digital Forensics

Countering Anti-Forensic Efforts - Part 2
Wed, 09/16/2015 - 11:44am by Oleg Afonin, Danil Nikolaev and Yuri Gubanov

In the first part of this paper, we talked about the most common and also some of the simplest ways suspects can try to cover their tracks in an attempt to slow down an investigation. This part of the article is dedicated to some of the more advanced techniques that can, at times, be very challenging to deal with. Let's take a look at some of the possible workarounds when the data we are looking for was deleted or encrypted.

Destroying Evidence by Formatting, Sanitizing or Wiping
Attempting to securely wipe or otherwise destroy evidence stored on hard drives and other media can be a plan of last resort. If done properly, a secure erase will irreversibly destroy evidence without giving investigators the slightest chance of recovery. However, computer users with average literacy can make mistakes that result in incomplete destruction. The following are some of the things suspects do in their unsuccessful attempts to erase hard drives.

Formatting the Disk

Disk formatting is one of the most popular methods of destroying information, and one of the least reliable ones. Sometimes, users have no understanding of what formatting does and use Quick Format to clear the content of the device. A quick format only rewrites the file system metadata; the data areas of quick-formatted media such as hard drives and USB sticks are untouched, and the files can be nearly fully recovered by carving. One notable exception is SSDs: when formatting a TRIM-capable SSD, Windows tells the drive that the whole volume is free, and the controller may (or may not) erase the underlying flash blocks in the background shortly afterwards, even after a Quick Format.

Even after a full format, information is not always destroyed. In Windows XP and earlier versions of Windows, the format command does not write zeros to the whole disk when a full format is performed. Instead, the command only checks for bad blocks by reading sectors. This behavior changed with the release of Windows Vista: by default in Windows Vista and later (Windows 7, 8, 8.1, 10), the format command writes zeros to the whole disk when a full format is performed.

Data Wipe and Secure Erase Tools

Securely erasing information is a complex topic. Some storage devices (self-encrypting drives) always encrypt data on the media with a key held inside the drive, making a secure erase as easy (and as fast) as destroying that key with the drive's crypto-erase command. Note that the drive's locking feature, which is what actually keeps an attacker out of the data, still has to be activated by either the user or the OS, which is not a given. An average computer user may not know such a thing is possible.

A typical secure wipe tool overwrites the content of a file (or the entire disk volume) with one or more passes of random data. One pass is enough to permanently overwrite information stored on magnetic hard drives and, to a large extent, on USB flash drives. However, some users set an unnecessarily large number of wipe cycles, overwriting the data several times. Needless to say, this is a much slower wipe that may give law enforcement a chance to stop the process mid-way, leaving part of the data intact.
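The two points made above, that a quick format leaves the file data carvable and that a single overwrite pass is what actually defeats carving, can be shown on a constructed toy volume. The following Python is an added example, not code from the article or from Belkasoft: the volume layout, the make_volume/quick_format/wipe helpers and the minimal JPEG blob are assumptions made up for the demonstration; only the JPEG SOI/EOI markers the carver keys on are real.

```python
import os

SECTOR = 512
JPEG_SOI = b"\xff\xd8\xff"   # Start Of Image marker, always followed by another marker byte
JPEG_EOI = b"\xff\xd9"       # End Of Image marker

# Constructed minimal JPEG-shaped blob (SOI, APP0/JFIF header, filler, EOI); it is
# not a decodable picture, it only carries the markers a carver keys on.
SAMPLE_JPEG = (bytes.fromhex("ffd8ffe00010") + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
               + bytes(range(64)) + JPEG_EOI)


def carve_jpegs(image, max_size=16 * 1024 * 1024):
    """Header/footer carving: return (offset, data) for every SOI..EOI span.

    Reads no file system metadata at all, so it works equally on a quick-formatted
    volume, a pagefile or a RAM dump. Caveat: EXIF thumbnails embed their own
    SOI/EOI pair, so stopping at the first EOI can truncate a real photo; a
    production carver walks the JPEG segment structure instead.
    """
    found, pos = [], 0
    while (start := image.find(JPEG_SOI, pos)) != -1:
        end = image.find(JPEG_EOI, start + len(JPEG_SOI))
        if end == -1:
            break
        end += len(JPEG_EOI)
        if end - start <= max_size:
            found.append((start, bytes(image[start:end])))
        pos = end
    return found


def make_volume(files, n_sectors=64, data_start=8):
    """Constructed toy volume (assumption, not a real file system): sectors 0..7 hold
    a text 'directory' of name:sector:size entries, file data starts at sector 8.
    It stands in for the metadata-plus-data layout of FAT or NTFS."""
    disk = bytearray(SECTOR * n_sectors)
    entries, sector = [], data_start
    for name, data in files:
        disk[sector * SECTOR:sector * SECTOR + len(data)] = data
        entries.append(f"{name}:{sector}:{len(data)}")
        sector += -(-len(data) // SECTOR)          # round up to whole sectors
    directory = "\n".join(entries).encode()
    disk[:len(directory)] = directory
    return disk


def quick_format(disk, data_start=8):
    """Quick format: only the metadata area is rewritten; every data sector survives."""
    disk[:data_start * SECTOR] = bytes(data_start * SECTOR)


def wipe(disk, start, length, passes=1):
    """Overwrite a byte range with fresh random data. One pass already defeats
    carving on magnetic media; extra passes only make the wipe slower (and more
    likely to be interrupted). On an SSD the controller decides where these
    bytes land, so the same call gives no guarantee there."""
    for _ in range(passes):
        disk[start:start + length] = os.urandom(length)


if __name__ == "__main__":
    vol = make_volume([("holiday.jpg", SAMPLE_JPEG), ("notes.txt", b"meet at 9")])
    quick_format(vol)
    print("after quick format:", [(off, len(d)) for off, d in carve_jpegs(vol)])
    wipe(vol, 8 * SECTOR, 2 * SECTOR)
    print("after one wipe pass:", carve_jpegs(vol))
```

Run as a script, it shows the carver recovering the picture from the quick-formatted volume and coming up empty after a single random pass. On a suspect's image the same job is done by a real carver such as PhotoRec or scalpel; record which tool and signature set was used, since different carvers disagree on where a JPEG ends.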

In order to successfully counter anti-forensic efforts, an investigator must have a clear understanding of the types of data that are usually the first to get securely erased. When using automated "cleaners" and "privacy protection" tools, the usual targets are chat histories in popular messengers such as Skype; documents; pictures and video files; and web browsing history. Removing these types of artifacts without proper consideration leaves many traces. Some of these traces may include:

- Fragments: while a file could be securely erased and overwritten, parts of the file (or one of its previous versions, if we're talking about a document or spreadsheet) might still be available on the disk due to file system fragmentation and defragmentation. When a defragmenter moves a file, the blocks it previously occupied keep a copy; if those blocks have not yet been overwritten with new data, it is possible to carve the file or its parts.
- Multiple copies: several copies of some types of files often exist. This includes temporary saved copies of working documents and files that were copied, compressed/decompressed or moved around. The user might not know about those other copies (or forget to securely erase them) and apply secure destruction to just the current copy of the file.
- Recent events: chats, browser histories, pictures and documents can still be available in the hibernation file (hiberfil.sys) or the pagefile (pagefile.sys).
- Volatile evidence: if a computer or laptop was seized while it was powered on, some recent data can be found in the live RAM contents (see the section below).
- Volume Shadow Copy: older versions of the file might be found in a Volume Shadow Copy.
- Duplicate data: some information is duplicated in a number of different files, which the user might not be aware of. For example, deleting just the Skype database will not clear the history, because the chatsync folder may contain the same (or even greater) amount of chats, calls and file transfers compared to the history file. Information in the registry is sometimes duplicated (or complemented) by information in the System Event Log (for example, information on plugged-in USB devices). See more in our previous article.
- Traces: some information, while not exactly duplicated, can be stored in another way, giving implicit evidence of its prior existence. For example, deleting a picture or photo sometimes does not help, because a thumbnail is stored in the Windows Thumbnail Cache, and it might be possible to link the original photo to its smaller preview image. Opening a document leaves a trace in the system's jump list files. See more in our previous article.

Secure Erase and SSDs

SSDs are based on different principles than magnetic hard drives. Overwriting data on an SSD does not do much good, since there is no guarantee that the drive will overwrite the physical NAND flash pages that hold it. Why is that?

NAND flash is much slower to erase than to read or write, and it is erased in whole blocks (many pages at a time), yet a page MUST be erased before it can accept new data. For this reason, the SSD controller does not overwrite in place: it writes the new data into an already erased, empty page, repoints the logical address at that page, and marks the page holding the old data as stale, to be erased later by background garbage collection (or keeps it in the over-provisioned area). This means that traditional secure wipe applications will NOT wipe the physical copy the user intends to erase. Depending on the particular SSD model and on several other factors (such as the file system being used and whether the SSD is an external or internal drive), the drive may or may not have erased the stale data by the time it is imaged. A full explanation is out of scope of this paper; however, it is certain that traditional data wipe tools are far less effective on SSDs than they are on magnetic hard drives.

An SSD can be wiped quickly with manufacturer-supplied initialization tools (which typically issue the ATA Secure Erase command). These tools can TRIM the whole content of the drive in a matter of seconds, even if the actual data is still present in the flash. Modern SSDs implement DRAT (Deterministic Read After TRIM) or DZAT (Deterministic Read Zero After TRIM): the controller returns the same fixed data (DRAT) or all zeroes (DZAT) for a trimmed block instead of the information still stored in it. Unfortunately, in this case there is no workaround other than performing a chip-off (reading the NAND chips directly, bypassing the controller), which can be an extremely time- and effort-consuming procedure, and on many modern controllers the NAND contents are scrambled or encrypted, so even a chip-off may yield nothing usable.
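To make the remapping concrete, here is a toy flash translation layer in Python. It is an added teaching model, not code from the article or any vendor's firmware: the page size, page count, the ToySSD class and its methods, and the "one page per LBA, no wear levelling, garbage collection on demand" simplifications are all assumptions. What it reproduces is the behaviour the text describes: a host overwrite lands in a fresh page, TRIM changes what the host reads without touching the flash, and only the drive's own erase destroys the bytes.

```python
import os

PAGE = 16                 # bytes per flash page in this toy (real pages are 4-16 KiB)
ERASED = b"\xff" * PAGE   # erased NAND reads as all ones


class ToySSD:
    """Minimal flash translation layer (FTL) with out-of-place writes.

    Assumed simplifications (teaching model, not any real controller): one page
    per LBA, no wear levelling, and garbage collection that runs only when
    called, standing in for the unpredictable background activity of a real drive.
    """

    def __init__(self, n_pages=8, trimmed_read=bytes(PAGE)):
        self.pages = [ERASED] * n_pages     # raw NAND contents
        self.free = list(range(n_pages))    # erased pages available for writing
        self.stale = []                     # pages holding superseded data, not yet erased
        self.l2p = {}                       # logical block -> physical page
        self.trimmed_read = trimmed_read    # DZAT: zeros; a DRAT-only drive returns another fixed pattern

    def write(self, lba, data):
        """Host write. Never overwrites in place: the old physical copy is only marked stale."""
        data = data[:PAGE].ljust(PAGE, b"\x00")
        if lba in self.l2p:
            self.stale.append(self.l2p[lba])
        if not self.free:
            self.garbage_collect()
        page = self.free.pop(0)
        self.pages[page] = data
        self.l2p[lba] = page
        return page

    def read(self, lba):
        """Host read: what every software wipe tool and every imager on the SATA/NVMe side sees."""
        if lba not in self.l2p:
            return self.trimmed_read
        return self.pages[self.l2p[lba]]

    def trim(self, lba):
        """TRIM/discard: the host declares the LBA unused; reads now return the deterministic pattern."""
        if lba in self.l2p:
            self.stale.append(self.l2p.pop(lba))

    def garbage_collect(self):
        """Erase stale pages. This, not the host's overwrite, is what actually destroys data."""
        for page in self.stale:
            self.pages[page] = ERASED
        self.free.extend(self.stale)
        self.stale = []

    def chip_off(self):
        """Raw NAND image as obtained by reading the flash chips directly, bypassing the FTL."""
        return list(self.pages)


def overwrite_survives(ssd, lba, secret):
    """Run a one-pass 'secure wipe' of an LBA and report whether the original bytes are still in the flash."""
    ssd.write(lba, secret)
    ssd.write(lba, os.urandom(PAGE))
    return secret[:PAGE].ljust(PAGE, b"\x00") in ssd.chip_off()


if __name__ == "__main__":
    ssd = ToySSD()
    print("secret still in NAND after overwrite:", overwrite_survives(ssd, 5, b"skype chat log!!"))
    ssd.trim(5)
    print("host read after TRIM:", ssd.read(5))
    print("secret still in NAND after TRIM:", b"skype chat log!!" in ssd.chip_off())
    ssd.garbage_collect()
    print("secret in NAND after garbage collection:", b"skype chat log!!" in ssd.chip_off())
```

On a real drive, hdparm -I /dev/sdX reports whether the device advertises "Deterministic read data after TRIM" or "Deterministic read ZEROs after TRIM", which tells you whether a logical image taken after a trim can contain the data at all. The interval between the trim and the drive's own garbage collection, modelled here by the explicit garbage_collect() call, is the unpredictable part that decides whether a chip-off still finds anything.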

Data Encryption

Full-disk encryption is sometimes used by criminals who want to hide their data from investigators. If a reasonably long, complex password is used to protect the volume (where applicable, e.g., TrueCrypt), a brute-force attack may not be effective. Even if brute-forcing the password is possible, the process would take a long time, allowing the suspect to achieve the goal of delaying the investigation.

When dealing with full-disk encryption, there are two workarounds to consider: obtaining the binary decryption key from a memory dump (which must be captured while the encrypted volume is mounted) and getting hold of an escrow key.

TrueCrypt, PGP, BitLocker: Extracting the Decryption Key from a Live RAM Dump

Full-disk encryption tools such as TrueCrypt and PGP can be extremely secure and pretty much impossible to break if used properly. The encryption key itself (an AES-256 key, for example) is far too large to be guessed, and the password-to-key derivation is deliberately slow (many thousands of hash iterations), so attacking the password by brute force is possible in principle but extremely slow.

If there is a reasonable chance that the suspect used full-disk encryption, one must capture a memory dump from the live, running system before turning it off and taking the disk out: the volume key is present in RAM only while the volume is mounted. Various tools can extract the decryption keys from the RAM dump and use them to decrypt and mount the protected volumes; the hibernation file (hiberfil.sys) may contain the same keys if the machine was hibernated with the volume mounted.
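Extracting keys from a memory dump works because software AES keeps the expanded key schedule in RAM, and a schedule is self-consistent: every round key is derived from the previous one. The Python below is an added example, not the article's method or any vendor's tool: it implements the FIPS-197 AES-128 key expansion and scans a constructed dump for 176-byte regions that are valid schedules, the technique published by Halderman et al. (2008) and used by aeskeyfind. AES-256 (TrueCrypt's default) and XTS tweak keys only change the expansion constants and key length; the make_sample_dump filler and the planted offset are assumptions made for the demonstration.

```python
import random

RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def _rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF


def _build_sbox():
    """Generate the AES S-box from its definition (inverse in GF(2^8) followed by
    the affine map) so the 256-entry table need not be typed in by hand."""
    sbox = [0] * 256
    p = q = 1                                   # invariant: p * q == 1 in GF(2^8)
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3
        q = (q ^ (q << 1)) & 0xFF                                # q /= 3 (q *= 0xf6)
        q = (q ^ (q << 2)) & 0xFF
        q = (q ^ (q << 4)) & 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63                              # 0 has no inverse; affine constant only
    return sbox


SBOX = _build_sbox()


def expand_key_128(key):
    """FIPS-197 key expansion: 16-byte key -> 176-byte schedule (11 round keys)."""
    w = [bytes(key[i:i + 4]) for i in range(0, 16, 4)]
    for i in range(4, 44):
        t = bytearray(w[i - 1])
        if i % 4 == 0:
            t = t[1:] + t[:1]                   # RotWord
            t = bytearray(SBOX[b] for b in t)   # SubWord
            t[0] ^= RCON[i // 4 - 1]
        w.append(bytes(a ^ b for a, b in zip(w[i - 4], t)))
    return b"".join(w)


def find_aes128_keys(dump):
    """Scan a memory image for AES-128 key schedules.

    A 16-byte window is a key whenever the 160 bytes after it equal its own
    expansion. A 4-byte check on the first derived word (w[4]) rejects nearly
    every offset before the full expansion is computed.
    """
    hits = []
    for i in range(len(dump) - 176 + 1):
        cand = dump[i:i + 16]
        if cand == bytes(16):                   # an all-zero window cannot be a real key
            continue
        w3 = cand[12:16]
        t = (SBOX[w3[1]] ^ RCON[0], SBOX[w3[2]], SBOX[w3[3]], SBOX[w3[0]])
        if bytes(a ^ b for a, b in zip(cand[:4], t)) != dump[i + 16:i + 20]:
            continue
        if dump[i:i + 176] == expand_key_128(cand):
            hits.append((i, cand.hex()))
    return hits


def make_sample_dump(key, offset=1000, size=8192, seed=7):
    """Constructed stand-in for a RAM dump (assumption): pseudo-random filler with
    one expanded schedule planted at `offset`, as an encryption driver would hold it."""
    rng = random.Random(seed)
    buf = bytearray(rng.getrandbits(8) for _ in range(size))
    buf[offset:offset + 176] = expand_key_128(key)
    return bytes(buf)


if __name__ == "__main__":
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 Appendix A.1 test key
    print(find_aes128_keys(make_sample_dump(key)))
```

Real dumps run to gigabytes, so the cheap pre-check in find_aes128_keys matters. A key the scan returns is still only a candidate until it actually decrypts the volume header, and the same scan applies to hiberfil.sys once it has been decompressed.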

BitLocker: Escrow Keys May Be Available

Windows 7, 8, 8.1, all versions of Windows RT and Windows 10 are capable of using BitLocker to enable full-disk encryption (in the editions that include it, such as Pro, Enterprise and Windows 7 Ultimate). Starting with Windows 8.1 (and on Windows RT), device encryption, a BitLocker variant, is activated automatically on the system volume if all of the following conditions are met:

- Device is equipped with a TPM (Trusted Platform Module)
- Device supports Connected Standby (InstantGo)
- Non-removable (soldered) RAM
- Administrative user logs in with a Microsoft Account (as opposed to using a local Windows account)

Even if some of these conditions are not met, it is usually possible to manually activate BitLocker protection on a given volume.


Once encrypted, the volume remains encrypted unless you were able to capture a live RAM dump and extract the binary decryption key. However, in addition to this method, an alternative vector of attack is available.

When encrypting the disk with BitLocker, Windows creates an escrow key (the BitLocker Recovery Key, a 48-digit recovery password in eight groups of six digits) that can be used to decrypt the volume if the disk is removed from the original device (and its TPM). A Recovery Key looks like this:

394853-139583-506726-395820-621405-354512-066290-589293

In order to unlock the encrypted volume, you'll need that volume's Recovery Key. If the administrative user logs in with their Microsoft Account, the Recovery Key of an automatically encrypted device is uploaded to their OneDrive account. On a domain-joined machine it may instead be escrowed in Active Directory, and a user who turned BitLocker on manually was asked to print the key, save it to a file or save it to a USB stick, so it may also sit in a document on another drive.

In order to retrieve the Recovery Key from the Microsoft Account, you will need the user's login and password, if available. Alternatively, Microsoft can disclose the suspect's Recovery Keys with a court order.
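Recovery passwords have internal check digits, which is worth knowing both when a key turns up in a suspect's notes and when one is typed into a recovery prompt. The Python below is an added example, not code from the article or from Microsoft: the structure it enforces (eight six-digit groups, each divisible by 11 and below 720896, each yielding a 16-bit word) is the one documented in Microsoft's BitLocker recovery guide and in the libbde format notes; the SAMPLE_NOTES text and the second, valid-looking key in it are constructed for the demonstration. The article's own sample key above is illustrative and does not pass the check.

```python
import re

GROUPS = 8
GROUP_LIMIT = 11 * 65536        # 720896: (group / 11) must fit in 16 bits
_PASSWORD_SHAPE = re.compile(r"(?<!\d)(?:\d{6}-){7}\d{6}(?!\d)")


def parse_recovery_password(text):
    """Validate a 48-digit BitLocker recovery password and return its eight 16-bit values.

    Structure assumed (Microsoft's BitLocker recovery guide / libbde format notes):
    eight groups of six decimal digits, each divisible by 11 and below 720896.
    Dividing each group by 11 yields a 16-bit word; the eight words form the
    128-bit value BitLocker stretches into the key that unwraps the volume master
    key. Raises ValueError naming the failing group.
    """
    digits = re.sub(r"[\s-]", "", text)
    if not re.fullmatch(r"\d{48}", digits):
        raise ValueError("expected 48 decimal digits in 8 groups of 6")
    words = []
    for n in range(GROUPS):
        group = int(digits[n * 6:(n + 1) * 6])
        if group % 11:
            raise ValueError(f"group {n + 1} ({group:06d}) fails the mod-11 check digit")
        if group >= GROUP_LIMIT:
            raise ValueError(f"group {n + 1} ({group:06d}) exceeds 720895")
        words.append(group // 11)
    return words


def recovery_password_bytes(text):
    """The 16-byte little-endian form of the eight words (the input to key stretching)."""
    return b"".join(w.to_bytes(2, "little") for w in parse_recovery_password(text))


def is_plausible_recovery_password(text):
    try:
        parse_recovery_password(text)
        return True
    except ValueError:
        return False


def find_recovery_passwords(text):
    """Pull recovery-password-shaped strings out of notes, e-mail or exported account
    data and keep only the structurally valid ones, so triage time is not spent on
    typos, redacted samples or unrelated serial numbers."""
    return [m.group(0) for m in _PASSWORD_SHAPE.finditer(text)
            if is_plausible_recovery_password(m.group(0))]


# Constructed sample text: the article's illustrative key next to one that satisfies the checks.
SAMPLE_NOTES = """
Old laptop key? 394853-139583-506726-395820-621405-354512-066290-589293
Surface recovery: 135795-000011-720885-550000-333333-100001-660000-222222
Serial 123456-654321
"""

if __name__ == "__main__":
    for pw in find_recovery_passwords(SAMPLE_NOTES):
        print(pw, "->", recovery_password_bytes(pw).hex())
```

On a live, unlocked Windows system, manage-bde -protectors -get C: lists the volume's key protectors, including the ID of any recovery password, which is also how the OneDrive and Active Directory escrow entries are indexed. A structurally valid password from the parser is still only a candidate until that protector ID, or a successful manage-bde -unlock, confirms it belongs to the volume in hand.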

Encrypted File Systems

In Windows, users have an option to transparently encrypt the contents of individual files and folders by setting the encrypted attribute (EFS, the Encrypting File System on NTFS).

Not to be confused with full-disk encryption provided by BitLocker and similar tools, NTFS file encryption complements BitLocker by adding user-level protection of files and folders. BitLocker encryption protects the entire volume against offline attacks. Once the volume is unlocked by any user of a computer, all users (or at least all users with administrative privileges) have full access to all files stored on that volume. NTFS encryption is designed to protect sensitive information between multiple user accounts on the same PC. Users logged in under one account cannot access the EFS-encrypted files of other accounts: the per-user EFS private key is itself protected (via DPAPI) with a key derived from the account password. If an administrator resets someone's password (as opposed to the user changing it), the DPAPI-protected keys can no longer be unlocked, and all EFS-encrypted files of that account become inaccessible unless the old password is recovered or a Data Recovery Agent has been configured, which may be the case on domain-joined machines.

NTFS encryption is poorly understood by average computer users. As a result, investigators who can log into a PC with a suspect's credentials have full, unrestricted access to NTFS-encrypted files. However, if a suspect's password is not known, experts will have to brute-force the password in order to access the EFS-encrypted files on that account. Simply resetting the password will render the encrypted files useless.

Live System Analysis: Anti-Debugging Protection

Anti-debugging techniques are used extensively by game manufacturers to enforce licensing and prevent cheating. Many well-known products such as AutoCAD and certain forensic tools use anti-debugging code in their license validation routines. Sometimes, suspects use a dedicated anti-debugging tool to protect access to their system's volatile memory.

Active anti-debugging protection may effectively block non-forensic memory dumping tools (and even some forensic utilities) from accessing the areas of RAM it protects.

Examining a live system is always a challenge. You can significantly increase your chances of successfully acquiring a complete and unaltered RAM image by using memory dumping tools that operate in kernel mode. Make sure you know and understand your tools and their limitations. While some manufacturers don't disclose which API and methodology they use to obtain memory dumps, others do. Tools operating in kernel mode can often produce better results than user-mode ones: user-mode tools may fail to correctly capture parts of the computer's RAM due to active anti-debugging protection. Whatever tool you use, remember that loading it on the live system alters the memory it is about to capture, so document the tool and its version in the acquisition notes.

A memory dump by itself is just a file; extracting and examining the contents of volatile memory requires a forensic product that supports live RAM analysis. Belkasoft Evidence Center allows you to analyze the contents of RAM using a powerful carving algorithm, making it possible to find crucial evidence: social network chats, in-private browsing histories, full-size pictures and thumbnails, deleted and damaged registry files, documents, and tons of other data that would otherwise be lost completely.
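For the pagefile and hibernation file entries in the list of traces above and for the RAM carving just described, the basic tool is a string carver that understands Windows' UTF-16LE, where every character is followed by a NUL byte and the classic strings ASCII scan sees nothing. The Python below is an added example, not Belkasoft's algorithm or code from the article: the URL pattern, the minimum run lengths and the make_sample_dump blob are assumptions made for the demonstration.

```python
import re

_ASCII_RUN = rb"[\x20-\x7e]{%d,}"
_WIDE_RUN = rb"(?:[\x20-\x7e]\x00){%d,}"
_URL = re.compile(r"https?://[^\s\"'<>]+")


def carve_strings(blob, min_len=6):
    """Printable runs in both ASCII and UTF-16LE, each with its byte offset.

    Equivalent in spirit to running `strings -a` and `strings -el` together:
    Windows keeps most browser, chat and shell artifacts as UTF-16LE, where each
    ASCII character is followed by a NUL, so an ASCII-only scan silently misses them.
    (Non-ASCII UTF-16 text is out of scope of this toy.)
    """
    out = []
    for m in re.finditer(_ASCII_RUN % min_len, blob):
        out.append((m.start(), "ascii", m.group(0).decode("ascii")))
    for m in re.finditer(_WIDE_RUN % min_len, blob):
        out.append((m.start(), "utf-16le", m.group(0).decode("utf-16-le")))
    return sorted(out)


def carve_urls(blob, min_len=8):
    """URLs found in either encoding, as (offset, encoding, url)."""
    return [(off, enc, url)
            for off, enc, s in carve_strings(blob, min_len)
            for url in _URL.findall(s)]


def make_sample_dump():
    """Constructed stand-in (assumption) for a pagefile or RAM slice: non-printable
    filler around one ASCII artifact and one UTF-16LE artifact."""
    noise = bytes([0x00, 0x01, 0x02, 0x80, 0xFE, 0xFF]) * 40
    return (noise
            + b"https://example.org/login?user=bob"
            + noise
            + "https://chat.example.net/room/42".encode("utf-16-le")
            + noise)


if __name__ == "__main__":
    for off, enc, url in carve_urls(make_sample_dump()):
        print(f"0x{off:08x} {enc:8s} {url}")
```

Offsets are reported against the original image so that a hit can be mapped back to a process or a file. Two caveats when applying this to the real artifacts: hiberfil.sys is compressed and must be decompressed before any string carving finds anything in it, and a hit in the pagefile carries no timestamp of its own, so it proves the data existed but not when.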
Read more about Live RAM forensics.

Conclusion

Many types of anti-forensic efforts can be countered with advanced forensic methods. While in certain cases (such as jump lists, thumbnails and the Skype chatsync database) the use of dedicated forensic tools is not strictly required, manually searching the disk for all available traces can be a time-consuming operation requiring a qualified expert to spend hours on low-level analysis. The overwhelming diversity of applications, file formats, web browsers, crypto containers, and image and document formats means there can be a huge number of places containing hidden evidence. Even the most qualified investigator may not be able to discover every little bit of information there is, and time constraints may not allow a thorough analysis of all but the most important cases.

Specialized forensic tools look for all known artifacts and traces automatically, greatly simplifying digital investigations and making them faster and easier. Forensic tools help you find more evidence faster, saving a lot of time and effort.

Using forensic tools often requires no special training or qualification, enabling in-house discovery of digital evidence. Finally and most importantly, the use of forensic tools allows you to find destroyed and hidden evidence, something that is impractical to do by hand.

Be sure to read Part 1.

Oleg Afonin is a Belkasoft sales and marketing manager. He is an author, expert, and consultant in computer forensics.

Danil Nikolaev is a Belkasoft sales and marketing manager, co-author, and content manager.

Yuri Gubanov is a renowned digital forensics expert. He is a frequent speaker at industry-known conferences such as CEIC, HTCIA, TechnoSecurity, FT-Day, DE-Day and others. Yuri is the Founder and CEO of Belkasoft, the manufacturer of digital forensic software empowering police departments in about 70 countries. With years of experience in the digital forensics and security domain, Yuri has led forensic training courses for multiple law enforcement departments in several countries. You can add Yuri Gubanov to your LinkedIn network at http://linkedin.com/in/yurigubanov.

You can contact the authors via email: research@belkasoft.com
Follow Belkasoft on Twitter: https://twitter.com/Belkasoft
Subscribe to the blog: https://belkasoft.wordpress.com
