Counter forensics (anti-computer forensics)
In this section we will look at the measures to counter forensic analysis. More specifically, this chapter provides a bird’s-eye view of the tasks and solutions.
There are three main ways to counter forensic analysis:
- Protection (encryption)
- Hiding (steganography)
- Erasure (emergency data destruction)
We cover encryption and steganography in separate chapters, and before you start learning about counter-forensics techniques you should already know how to encrypt your hard drive, how to create encrypted file-hosted volumes, what methods exist for defeating them and, of course, the techniques for disguising encrypted file containers. Even better if you also know the methods of creating strong passwords, specifically the part where we give recommendations on how to protect yourself from forensic analysis.
Overall, encryption is a reliable method, provided you encrypt the system, use encrypted file-hosted volumes inside it and follow these recommendations. But sometimes the use of encrypted file-hosted volumes can lead to legal issues. We have already mentioned a few such cases in this course, and just recently we heard about another precedent related to a user’s refusal to give up the password to his phone.
A Florida man, William Montanez, was on the road and pulled over by the local police for failing to yield properly. Traffic stops happen to everyone, but during the search the police also found 4.5 grams of weed, THC oil and a concealed handgun.
But it’s not the police, guns and drugs that put Montanez in the media spotlight; it was the two iPhones found in his car. After the police saw a text message reading “OMG did they find it” on the screen, they asked Montanez to unlock his phone, a request he refused because he had suddenly forgotten his passcode, as many of us would have if we found ourselves in his shoes.
Though Montanez’s decision is justified considering the situation he was in, the judge thought otherwise. The court ordered him to unlock his phone, and when Montanez refused, the judge found him in civil contempt and threw him in jail. Allegedly, Montanez is hiding evidence on his phone that may lead to drug trafficking charges. Allegedly…
After hearing such stories, you may start thinking that forensic analysis only threatens drug dealers and criminals. But remember that your laptops and phones are often searched when you cross the borders of different countries, and your refusal to comply with such requests will lead to serious problems for you.
So far it is the Chinese authorities that have taken the most disturbing measures when it comes to forensic analysis. There the police can perform a forensic analysis of a mobile phone right in the street. You may be taking a stroll and suddenly get stopped, and your phone is taken away to be subjected to a forensic analysis. If you are asking yourself how the police will know your password: you will be more than willing to give it up of your own accord (it’s China, right?).
Then your phone is connected to a laptop, all its contents are uploaded and analyzed with the help of forensic software. The police would be especially interested in correspondence, videos, photos, user activity on social networks, call and text message history and downloaded applications. As you can see, the threat of forensic analysis is much closer than you might imagine.
If there’s one takeaway from the William Montanez story, it is this: you need to use steganography and erasure. Now let’s move on to steganography: when it comes to counter-forensics, we should mainly focus on hidden operating systems and hidden compartments.
A hidden operating system is a second system whose existence is impossible to prove directly: if you enter one password, one system boots; if you enter another password, a different operating system boots. A hidden compartment in an encrypted file-hosted volume is a secret section of your file container whose existence is likewise impossible to prove: enter one password and you get an ordinary encrypted file-hosted volume; enter a different password and the secret compartment is unlocked. You can learn how to create a hidden operating system and encrypted file-hosted volumes with a hidden compartment using TrueCrypt and VeraCrypt in our course.
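To make the "impossible to prove" property concrete, here is an added example (my own toy construction, not the TrueCrypt/VeraCrypt on-disk format and not code from this course): a container filled with random bytes, where each password unlocks a different header slot, and a slot or data region that fails to verify is indistinguishable from unused space. The keystream and layout constants are assumptions made for illustration only.

```python
import hashlib, hmac, os, struct

# Toy container layout (constructed for this example, NOT a real volume format):
#   [0:16]   PBKDF2 salt
#   [16:80]  header slot 0 (outer volume)  = nonce(16) || enc(offset, length, pad)(16) || tag(32)
#   [80:144] header slot 1 (hidden volume) same shape, present whether or not it is used
#   [144:]   data area, pre-filled with random bytes; hidden data sits at the end of the "free" space
# Anything that does not verify under the supplied key looks exactly like the random fill,
# so an examiner cannot tell a hidden volume from unused space.
SALT, HDR, DATA = 16, 64, 16 + 2 * 64
OVERHEAD = 48                                      # nonce + tag that _seal adds

def _key(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def _stream(key, nonce, n):                        # toy keystream: HMAC-SHA256 in counter mode
    blocks = (hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def _seal(key, pt):                                # encrypt-then-MAC with a fresh nonce
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def _open(key, blob):                              # None unless blob was sealed under key
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

def create_container(size, outer_pw, outer_data, hidden_pw, hidden_data):
    buf = bytearray(os.urandom(size))              # every byte starts out random
    salt = bytes(buf[:SALT])
    hidden_off = size - len(hidden_data) - OVERHEAD
    if DATA + len(outer_data) + OVERHEAD > hidden_off:
        raise ValueError("outer data would overwrite the hidden volume")
    for slot, pw, off, data in ((0, outer_pw, DATA, outer_data), (1, hidden_pw, hidden_off, hidden_data)):
        k = _key(pw, salt)
        buf[SALT + slot * HDR: SALT + (slot + 1) * HDR] = _seal(k, struct.pack(">II8x", off, len(data)))
        buf[off: off + len(data) + OVERHEAD] = _seal(k, data)
    return bytes(buf)

def open_container(blob, password):
    """Return (volume_name, data) for whichever volume the password unlocks, else None."""
    k = _key(password, blob[:SALT])
    for slot, name in ((0, "outer"), (1, "hidden")):
        hdr = _open(k, blob[SALT + slot * HDR: SALT + (slot + 1) * HDR])
        if hdr is not None:
            off, length = struct.unpack(">II8x", hdr)
            return name, _open(k, blob[off: off + length + OVERHEAD])
    return None
```

Real tools add what this toy omits: when you mount the outer volume for writing, you must also supply the hidden password so the software can keep outer-volume writes from clobbering the hidden region, otherwise the hidden data is silently destroyed.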
You may become interested in all kinds of ways of covering up files and encrypted file-hosted volumes, like hiding a document inside a picture or creating a hidden folder, but while these methods can protect you from a curious wife, a forensic expert will have no trouble locating such files or folders. He will show even more dedication once he finds out you keep steganography software on your computer.
One of the goals of anti-computer forensics is to prevent the forensic analysis of a device and the subsequent retrieval of sensitive information. Even if your device is encrypted, forensic experts have methods of gaining access to it, for instance through a DMA attack. If a forensic expert obtains a device that is turned on but locked, there is a chance he will be able to retrieve the decryption keys from RAM. He will then use them to decrypt the information on the device’s encrypted hard drive.
The encryption and decryption keys are held in the device’s RAM from the moment you enter the password at boot and, as a rule, until you switch the device off. This lets data be encrypted and decrypted on the fly, so you can even forget you are working with an encrypted hard drive. We will reveal more about this in this section and recommend some effective protection measures.
Analogously, RAM holds the decryption keys of encrypted file-hosted volumes while they are mounted. Forensic experts would probably add that RAM stores not quite the keys per se, and that would be a valuable correction. However, this doesn’t make much practical difference, and I don’t want to confuse users who lack deep knowledge of encryption internals.
You are especially unprotected if you have older computers that are vulnerable to DMA attacks and the so-called side-channel attacks, for instance an attack over the FireWire port or a cold boot attack. In a cold boot attack, the RAM modules are frozen in liquid nitrogen, pulled out of the case and their contents recovered. While this is a truly ingenious technique, an attack through the FireWire port is far more dangerous: the attacker doesn’t have to remove or freeze anything, he just connects a cable and gains direct access to the contents of RAM.
In this chapter you will learn how to check whether your devices can withstand attacks over the FireWire port and cold boot attacks, as well as other direct memory access and side-channel attacks.
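As an added example (my own script, not part of the course), here is a Python check of the indicators a Linux system exposes for the DMA exposure discussed above: whether an IOMMU is actually grouping devices, whether it was switched off on the kernel command line, what security level each Thunderbolt/USB4 domain enforces, and whether a FireWire controller is present. It assumes the standard sysfs/procfs paths, and the verdict thresholds in `assess` are my own.

```python
import os, re

# Exposure implied by the Thunderbolt/USB4 domain "security" attribute: "none" tunnels PCIe
# for any device that is plugged in, "user"/"secure" require authorisation first, and
# "dponly"/"usbonly"/"nopcie" never tunnel PCIe, so no DMA path exists over that port.
TB_EXPOSURE = {"none": "high", "user": "medium", "secure": "medium",
               "dponly": "low", "usbonly": "low", "nopcie": "low"}

def _read(path):
    try:
        with open(path) as f:
            return f.read().strip()
    except OSError:
        return ""

def collect(root="/"):
    """Gather raw indicators from sysfs/procfs under `root` (a fake tree works for testing)."""
    groups = os.path.join(root, "sys/kernel/iommu_groups")
    n_groups = len(os.listdir(groups)) if os.path.isdir(groups) else 0
    tb = os.path.join(root, "sys/bus/thunderbolt/devices")
    levels = [_read(os.path.join(tb, d, "security")) for d in
              (os.listdir(tb) if os.path.isdir(tb) else []) if d.startswith("domain")]
    fw = os.path.join(root, "sys/bus/firewire/devices")
    has_firewire = os.path.isdir(fw) and bool(os.listdir(fw))
    return n_groups, _read(os.path.join(root, "proc/cmdline")), levels, has_firewire

def assess(n_groups, cmdline, tb_levels, has_firewire):
    """Pure verdict logic so it can be checked on constructed inputs; returns (verdict, findings)."""
    findings = []
    if n_groups == 0:
        findings.append("no IOMMU groups: DMA-capable ports can address RAM directly")
    else:
        findings.append(f"IOMMU active with {n_groups} groups")
    if re.search(r"\b(intel_iommu|amd_iommu|iommu)=off\b", cmdline):
        findings.append("IOMMU explicitly disabled on the kernel command line")
    for lvl in tb_levels:
        findings.append(f"Thunderbolt security level '{lvl}': {TB_EXPOSURE.get(lvl, 'unknown')} exposure")
    if has_firewire:
        findings.append("FireWire controller present: a classic physical-DMA port")
    unauthenticated_port = "none" in tb_levels or has_firewire
    if n_groups == 0 and unauthenticated_port:
        verdict = "exposed"            # a DMA port with nothing between it and RAM
    elif n_groups == 0 or unauthenticated_port:
        verdict = "at risk"            # one layer missing: no IOMMU, or a port that accepts anything
    else:
        verdict = "protected"
    return verdict, findings

if __name__ == "__main__":
    verdict, findings = assess(*collect())
    print(verdict, *("  - " + f for f in findings), sep="\n")
```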
We mention emergency data destruction in different parts of this course; for instance, in this chapter we discuss emergency data erasure techniques for encrypted file-hosted volumes. This section provides an overview of all the practices and, in addition to Panic Button, looks at various emergency data erasure systems, from USB Killer to ultrasound hard drive wiping.
A significant part of the section reveals how forensic analysis is performed. For instance, you are going to learn where the system stores the thumbnails of all the images you’ve opened, as well as information about opened documents and launched applications. Toward the end of the section, we will tell you about forensic software and devices so that you get an idea of the capabilities and solutions computer forensics experts have at their disposal.