Update anti-forensic-techniques.md

Taleb Qasem 2022-09-09 22:19:02 +06:00 committed by GitHub
parent 045a219ca8
commit bc2fb31290
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 12 additions and 12 deletions


@ -32,8 +32,8 @@ This tool **modifies** the timestamp information inside **`$STANDARD_INFORMATION
## Usnjrnl
The **USN Journal** (Update Sequence Number Journal), or Change Journal, is a feature of the Windows NT file system (NTFS) which **maintains a record of changes made to the volume**.\
It's possible to use the tool [**UsnJrnl2Csv**](https://github.com/jschicht/UsnJrnl2Csv) to search for modifications of this record.
The **USN Journal** (Update Sequence Number Journal), or Change Journal, is a feature of the Windows NT file system (NTFS) that **maintains a record of changes made to the volume**.\
It's possible to use the tool [**UsnJrnl2Csv**](https://github.com/jschicht/UsnJrnl2Csv) to search for modifications to this record.
![](<../../.gitbook/assets/image (449).png>)
@ -55,12 +55,12 @@ Using the same tool it's possible to identify to **which time the timestamps wer
* CTIME: File's creation time
* ATIME: File's modification time
* MTIME: File's MFT registry modifiction
* MTIME: File's MFT registry modification
* RTIME: File's access time
## `$STANDARD_INFORMATION` and `$FILE_NAME` comparison
Another way to identify suspicions modified files would be to compare the time on both attributes looking for **mismatches**.
Another way to identify suspicious modified files would be to compare the time on both attributes looking for **mismatches**.
## Nanoseconds
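Review bot: the second changed line in this hunk still reads awkwardly; "suspicious modified files" should be "suspiciously modified files" (or "files with suspicious modifications"), and "compare the time on both attributes" is clearer as "compare the timestamps in both attributes". Separately, the list the typo fix sits in labels ATIME as the modification time and RTIME as the access time, which is the reverse of the usual atime/mtime meaning; worth confirming the mapping against the tool's output before merging so the fix does not cement a swapped table.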
@ -68,21 +68,21 @@ Another way to identify suspicions modified files would be to compare the time o
## SetMace - Anti-forensic Tool
This tool can modify both attributes `$STARNDAR_INFORMATION` and `$FILE_NAME` . However, from Windows Vista it's necessary a live OS to modify this information.
This tool can modify both attributes `$STARNDAR_INFORMATION` and `$FILE_NAME`. However, from Windows Vista, it's necessary for a live OS to modify this information.
# Data Hiding
NFTS uses a cluster and the minimum information size. That means that if a file occupies uses and cluster and a half, the **reminding half is never going to be used** until the files is deleted. Then, it's possible to **hide data in this slack space**.
NFTS uses a cluster and the minimum information size. That means that if a file occupies uses and cluster and a half, the **reminding half is never going to be used** until the file is deleted. Then, it's possible to **hide data in this slack space**.
There are tools like slacker that allows to hide data in this "hidden" space. However, an analysis of the `$logfile` and `$usnjrnl` can show that some data was added:
There are tools like slacker that allow hiding data in this "hidden" space. However, an analysis of the `$logfile` and `$usnjrnl` can show that some data was added:
![](<../../.gitbook/assets/image (452).png>)
Then, it's possible to retrieve the slack space using tools like FTK Imager. Note that this can of tools can save the content obfuscated or even encrypted.
Then, it's possible to retrieve the slack space using tools like FTK Imager. Note that this kind of tool can save the content obfuscated or even encrypted.
# UsbKill
This is a tool that will **turn off the computer is any change in the USB** ports is detected.\
This is a tool that will **turn off the computer if any change in the USB** ports is detected.\
A way to discover this would be to inspect the running processes and **review each python script running**.
# Live Linux Distributions
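Review bot: the rewritten lines carry over several errors that should be fixed in the same pass. `$STARNDAR_INFORMATION` is `$STANDARD_INFORMATION` (the spelling used in the first hunk and in the comparison heading); "NFTS" is "NTFS"; "if a file occupies uses and cluster and a half, the **reminding half**" should read "if a file occupies a cluster and a half, the **remaining half**"; and "it's necessary for a live OS to modify this information" changes the sentence's meaning, the intent being "a live OS is required to modify this information".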
@ -110,7 +110,7 @@ Disabling UserAssist requires two steps:
This will save information about the applications executed with the goal of improving the performance of the Windows system. However, this can also be useful for forensics practices.
* Rexecute `regedit`
* Execute `regedit`
* Select the file path `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SessionManager\Memory Management\PrefetchParameters`
* Right-click on both `EnablePrefetcher` and `EnableSuperfetch`
* Select Modify on each of these to change the value from 1 (or 3) to 0
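Review bot: the registry path in the context line under the fixed bullet, `...\Control\SessionManager\Memory Management\PrefetchParameters`, is missing the space in `Session Manager`; as written the key will not be found in regedit. Since the step list is being touched in this commit, suggest correcting the path here as well.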
@ -127,7 +127,7 @@ Whenever a folder is opened from an NTFS volume on a Windows NT server, the syst
## Delete USB History
All the **USB Device Entries** are stored in Windows Registry Under **USBSTOR** registry key that contains sub keys which are created whenever you plug a USB Device in your PC or Laptop. You can find this key here H`KEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR`. **Deleting this** you will delete the USB history.\
All the **USB Device Entries** are stored in Windows Registry Under the **USBSTOR** registry key that contains sub keys which are created whenever you plug a USB Device into your PC or Laptop. You can find this key here H`KEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR`. **Deleting this** you will delete the USB history.\
You may also use the tool [**USBDeview**](https://www.nirsoft.net/utils/usb\_devices\_view.html) to be sure you have deleted them (and to delete them).
Another file that saves information about the USBs is the file `setupapi.dev.log` inside `C:\Windows\INF`. This should also be deleted.
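Review bot: the backtick in the registry key is misplaced, so the leading H renders outside the code span; the span should start before the H and read `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR`. Also "stored in Windows Registry Under the" should be "stored in the Windows Registry under the", and "**Deleting this** you will delete the USB history" reads better as "**Deleting this key** deletes the USB history".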
@ -142,7 +142,7 @@ You can also delete them via GUI following the steps proposed in [https://www.ub
To disable shadow copies:
1. Go to the Windows start button and type "services" into the text search box; open the Services program.
2. Locate "Volume Shadow Copy" from the list, highlight it, and then and the right-click > Properties.
2. Locate "Volume Shadow Copy" from the list, highlight it, and then right-click > Properties.
3. From the "Startup type" drop-down menu, select Disabled, and then click Apply and OK.
![](<../../.gitbook/assets/image (453).png>)