Digital forensics is the discipline of identifying, preserving, recovering and analyzing digital evidence in order to reconstruct what happened during an intrusion or other computer crime and, where possible, to attribute it to the perpetrator. It draws on a wide range of techniques to build that attribution.
It relies upon a fundamental principle (Locard's exchange principle applied to computers): whenever a digital intrusion or crime is committed, the perpetrator inadvertently leaves a bit of themselves behind for the investigator to find. These "bits" could be entries in log files, changes to the registry, hacking software, malware, remnants of deleted files, and so on. All of these can provide clues and evidence that establish the perpetrator's identity and lead to their capture and arrest.
As a hacker, the more you know and understand about digital forensics, the better you can evade standard forensic techniques and even implement anti-forensic measures to mislead the investigator.
The Digital Forensic Tools
Just as in hacking, there are a number of software tools for doing digital forensics. For the hacker, becoming familiar with these tools and how they work is crucial to evading them. Most digital forensic investigators rely upon a handful of major commercial digital forensic suites, including the following.
- Guidance Software's EnCase Forensic
- Access Data's Forensic Tool Kit (FTK)
These suites are made up of multiple tools and reporting features and can be fairly expensive. While they are widely used by law enforcement, they use the same or similar techniques as the free, open-source suites, just without the polished interfaces.
By using the free and open-source suites, we can come to understand how tools such as EnCase work without the expense. EnCase is the tool most widely used by law enforcement, but it is not necessarily the most effective or sophisticated; the commercial suites are chosen for user-friendliness, efficiency, certification, vendor training, and reporting.
There are a number of free, open-source forensic suites, including the following.
- The Sleuth Kit (TSK)
We will look at each of these suites to better understand what digital forensic investigators can see and find about an intrusion and the perpetrator.
Some of the better tools in BackTrack include the following, among many others.
Digital forensics can accomplish many things, all of which the aspiring hacker should be aware of. Below is a list of just some of them.
- Recover deleted files, including emails
- Determine which computer, device, and/or software created a malicious file or launched an attack
- Trace the source IP address and/or MAC address of an attack
- Track the source of malware by its signature and components
- Determine the time, place, and device that took a photograph (typically from its EXIF metadata)
- Track the location of a cellular-enabled device (with or without GPS enabled)
- Determine when a file was modified, accessed, or created (its MAC times)
- Crack passwords on encrypted hard drives, files, or communications
- Determine which websites the perpetrator visited and what files they downloaded
- Determine which commands and software the suspect used
- Extract critical information from volatile memory
- Determine who hacked a wireless network and which of its users are unauthorized
- And that's just some of what you can do with digital forensics!
Anti-forensics are techniques used to obfuscate information and evade the tools and techniques of the forensic investigator. Some of these techniques include the following.
- Hiding data: Hiding data can include such things as encryption and steganography.
- Artifact wiping: Every attack leaves a signature or artifact behind. Sometimes it is wise to wipe these artifacts from the victim machine so as to leave no tell-tale trail for the investigator. Bear in mind that the wiping itself can become an artifact: a gap in a log, or the absence of a file the investigator expects to find, is a red flag of its own.
- Trail obfuscation: A competent forensic investigator can trace nearly any remote attack back to a source IP address (and, on the local network segment, a MAC address). Trail obfuscation is any technique that leads the investigator to a different apparent source of the attack, rather than the actual one.
- Changing timestamps (timestomping): Alter a file's timestamps (modified, accessed, and changed) so that it does not stand out in a forensic timeline. Note that on POSIX systems the "changed" (ctime) timestamp cannot be set from user space, so a back-dated file often still betrays itself.
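The two timestamp points above (reading a file's MAC times during an investigation, and changing them as an anti-forensic measure) are easiest to understand side by side. The following is an added example, not code from the original article: it creates a constructed sample file, reads its MAC times the way an investigator would, back-dates it with `utime()` the way a timestomping tool would, and then runs the checks an investigator uses to spot the tampering. The file path and the two-year back-date are assumptions chosen for the demo; the detection rules are heuristics, not proof, since legitimate operations (a `chmod`, a copy, a filesystem with whole-second timestamps) can trip them too.

```python
"""Added example: timestomp a file, then detect the tell-tale inconsistencies.

Not part of the original article. Sample file and dates are constructed.
"""
import os
import tempfile
import time


def read_mac_times(path):
    """Read the MAC times an investigator looks at for one file."""
    st = os.stat(path)
    times = {
        "mtime": st.st_mtime,        # last content modification
        "atime": st.st_atime,        # last access (often lazily updated: relatime/noatime)
        "ctime": st.st_ctime,        # inode change time on POSIX; creation time on older Windows Pythons
        "mtime_ns": st.st_mtime_ns,  # nanosecond mtime, used for the whole-second heuristic below
    }
    # Creation ("birth") time where the platform exposes it (BSD/macOS, Python 3.12+ on Windows).
    birth = getattr(st, "st_birthtime", None)
    if birth is not None:
        times["btime"] = birth
    return times


def timestomp(path, when):
    """Anti-forensic step: set mtime and atime to `when` (epoch seconds).

    utime(2) can only set mtime and atime; the kernel sets ctime to *now*
    on the same call, which is exactly the inconsistency detected below.
    """
    os.utime(path, (when, when))


def timestomp_indicators(times, tolerance=2.0):
    """Return a list of reasons the timestamps look tampered with (heuristics)."""
    findings = []
    # 1. ctime newer than mtime: content was last "modified" before its inode was last changed.
    #    Legitimate causes exist (chmod, rename, copy), but a gap of years is suspicious.
    if times["ctime"] - times["mtime"] > tolerance:
        findings.append("ctime is newer than mtime by %.0f seconds" % (times["ctime"] - times["mtime"]))
    # 2. Exactly zero sub-second part: many stomping tools write whole seconds, while
    #    normal writes on ns-resolution filesystems almost never land on .000000000.
    if times["mtime_ns"] % 1_000_000_000 == 0:
        findings.append("mtime has a whole-second value (no nanosecond fraction)")
    # 3. Modified before it was created: impossible for an untouched file.
    if "btime" in times and times["mtime"] < times["btime"] - tolerance:
        findings.append("mtime predates the file's creation time")
    return findings


def demo():
    """Create a file, stomp it, and return (before, after, findings) for inspection."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "evidence.txt")       # assumed name, constructed content
        with open(path, "w") as f:
            f.write("constructed sample content\n")
        before = read_mac_times(path)
        # Back-date by roughly two years, as whole seconds, the way a stomping tool typically does.
        two_years_ago = int(time.time()) - 2 * 365 * 86400
        timestomp(path, two_years_ago)
        after = read_mac_times(path)
        return before, after, timestomp_indicators(after)


if __name__ == "__main__":
    before, after, findings = demo()
    for label, t in (("before", before), ("after", after)):
        print(label, {k: (time.ctime(v) if k in ("mtime", "atime", "ctime", "btime") else v) for k, v in t.items()})
    for reason in findings:
        print("indicator:", reason)
```

Run it and compare the two rows: mtime and atime jump back two years, but ctime stays at the present, which is why a timeline built from the Sleuth Kit's `fls`/`mactime` or from an `$MFT` export still orders the file correctly. Defeating that check requires touching the inode directly (raw disk writes, or changing the system clock before the write), which leaves other artifacts of its own.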