Techniques used by Cybercriminals to Conceal their Digital Footprint During Forensics and How to Defeat.

Anti-forensics is like a way to play hide and seek with computer investigators. Cybercriminals hide information in many clever ways. Cybercriminals can even change the name of a file to make it look like something else. For example, they might change a file's name from .jpg to .mp3 to trick people into thinking it's a music file. This makes it hard for investigators to find any clues sometimes.

Anti-forensic techniques are used to:

• Delete evidence of their cybercrimes.
• Delete or modify the log records to tamper with evidence.
• Data removal, covering tracks and evading detection.
• Mislead investigators.
• Erase digital footprints and conceal actions.
• Obstruct forensic analysis and destroy evidence.

Techniques Include:

1. File Deletion

File deletion is a critical element in anti-forensics, especially within the Windows operating system. To understand the mechanics of file deletion in anti-forensics, it's essential to understand the roles of the FAT (File Allocation Table) and NTFS (New Technology File System) file systems, as well as the Recycle Bin, along with the specific tools used in this context.

FAT File System:

1. Simplified Record-Keeping: In the FAT file system, a basic table called the File Allocation Table manages the locations of data on the disk.
2. Deleting a File: When a user deletes a file, the FAT merely marks the space as available, but the file's data persists on the disk until it's overwritten.
3. File Recovery: This feature can be exploited in anti-forensics. Even after deletion, the file's data might remain on the disk, and it could be potentially retrieved using tools such as Recuva or TestDisk.

NTFS File System:

1. More Complex Structure: NTFS is a more modern and advanced file system used in newer versions of Windows. It offers features like file encryption and access control.
2. Recycle Bin: NTFS employs a "Recycle Bin" to temporarily store deleted files before permanent removal. This plays a pivotal role in anti-forensics.

Recycle Bin:

1. Temporary Storage: Deleted files in Windows typically find their way into the Recycle Bin, allowing users to recover them conveniently.

2. Anti-Forensic Potential: The Recycle Bin can be harnessed for anti-forensic purposes. Cybercriminals might delete files, sending them to the Recycle Bin, and then empty the Recycle Bin to eliminate them.

3. File Recovery: However, files aren't immediately gone even after "emptying" the Recycle Bin. Their data persists on the disk until overwritten. This allows forensic investigators to potentially recover deleted files using tools such as Autopsy, EnCase, or Forensic Toolkit (FTK).

Anti-Forensic Implications:

In anti-forensics, cybercriminals may leverage the characteristics of the FAT and NTFS file systems and the Recycle Bin to conceal their activities. They sometimes intentionally delete incriminating files, thinking they're gone for good. Yet, traces of these files may linger on the disk.

Defending Against Anti-Forensic File Deletion:

• ?To counter these anti-forensic tactics, forensic experts employ specialized tools such as Recuva, TestDisk, Autopsy, EnCase, or FTK to recover deleted files, even if they've been removed from the Recycle Bin.
• Regularly overwriting free disk space using tools like Eraser can thwart attempts to recover deleted data.

Tool of Recovery and How to Use:

Recovering Deleted Files Using Recuva (for FAT and NTFS File Systems)

Step 1: Installation

• Download and install Recuva on your computer.

Step 2: Scanning for Deleted Files

• Launch Recuva and select the type of files you want to recover (e.g., Documents, Pictures).
• Choose the location where the deleted files were stored.

Step 3: Scanning Process

• Click the "Start" button to begin the scanning process. Recuva will search for deleted files on the selected drive.

Step 4: File Recovery

• Once the scan is complete, Recuva will display a list of recoverable files. Select the files you want to recover and click "Recover."

Step 5: Choose a Recovery Location

• Choose a different location to save the recovered files to, so they don't overwrite any remaining traces of the deleted data.

Recovering Deleted Files Using TestDisk (for FAT and NTFS File Systems):

Step 1: Installation

• Download and install TestDisk on your computer.

Step 2: Launching TestDisk

• Open TestDisk and select the disk you want to recover files from.

Step 3: Analyzing the Disk

• Choose the "Analyse" option to scan the disk for deleted partitions and files.

Step 4: File Selection

• TestDisk will display a list of deleted files and partitions found during the analysis. Select the files you want to recover.

Step 5: Recovering Files

• Follow the on-screen prompts to recover the selected files. You can choose a destination where the recovered files will be saved.

Recovering Deleted Files Using Autopsy (for NTFS File System):

Step 1: Installation

Download and install Autopsy on your computer.

Step 2: Creating a New Case

• Start Autopsy and create a new case. Specify the case details and the location of the disk image.

Step 3: Adding the Disk Image

• Add the disk image containing the deleted files to the case.

Step 4: File Analysis

• Autopsy will analyze the disk image for file artifacts, including deleted files. You can explore the recovered files within Autopsy's interface.

Step 5: Recovering Files

• To recover a file, right-click on it in Autopsy and choose the "Export" option. Select the destination for the recovered file.

Recovering Deleted Files Using EnCase (for NTFS File System):

Step 1: Installation

• Download and install EnCase on your computer.

Step 2: Creating a New Case

Launch EnCase and create a new case. Specify the case details and the location of the disk image.

Step 3: Adding the Disk Image

• Add the NTFS disk image that contains the deleted files to the case.

Step 4: File Recovery

• EnCase will examine the disk image for file artifacts, including deleted files. You can browse the recovered files within the EnCase interface.

Step 5: Recovering Files

• To recover a file, right-click on it in EnCase and select the "Recover" option. Specify the destination where the recovered file will be saved.

These tools work by scanning the disk for remnants of deleted files and presenting them to the user for recovery. They are effective in recovering files that have been marked as deleted but not yet overwritten by new data. However, using them responsibly and legally is essential, respecting privacy and data protection laws.

2. Steganography: Hiding data in plain sight.

This crafty technique involves hiding data within other data, like concealing a message within an image. It's a sneaky way to share information without attracting attention.

How CyberCriminals use OpenStego to hide a file

Step 1: Selection of Cover File

• Cybercriminals select a cover file, such as an image or audio file, that will hide the secret data. This carrier file is typically something that won't raise suspicion.

Step 2: Embedding the Secret Data

• Using steganography software, the cybercriminal embeds the secret data within the carrier file. This process involves altering the least significant bits of the carrier file's data, making the changes imperceptible to the human eye or ear.

Step 3: Encryption (Optional)

• In some cases, the hidden data is encrypted to add an extra layer of security. A password is used to encrypt and decrypt the data.

Step 4: Distribution

• Cybercriminals can now distribute the carrier file through various channels, including email, social media, or file-sharing platforms. The hidden data remains concealed within the file.

Detection and Uncovering Hidden Files

Investigators employ specialized tools and techniques to detect and reveal hidden information to counteract the deceptive tactics of cybercriminals using steganography. One such tool is OpenStego, an open-source steganography application that aids in detecting and extracting concealed data. Below are the steps on how to use OpenStego:

Using OpenStego for Detection and Extraction

Step 1: Installation

• Download and install OpenStego on your computer. It is available for various operating systems, making it accessible to many users.

Step 2: Opening Files

• Launch the OpenStego application and select "Open a Steganography File" to choose the suspected file containing hidden data.

Step 3: Password (Optional)

• If a password was used to encrypt the hidden data, enter it in the "Passphrase" field. This step is crucial for decrypting the concealed information.

Step 4: Extraction

• Click on the "Extract Data" button. OpenStego will analyze the file and attempt to reveal the concealed content.

Step 5: Saving Extracted Data

• OpenStego will prompt you to save the extracted data to your local storage if successful. This data can then be analyzed for evidence.

Step 6: Data Analysis

• Investigators can analyze the extracted data to understand its significance and potential impact on the investigation.

Step 7: Reporting

• The findings and any relevant evidence are compiled into a detailed report, which can be used for legal proceedings or further action.

3. Encryption in the Hands of Cybercriminals:

Cybercriminals often employ encryption to obfuscate their activities and protect sensitive information from forensic investigators. This technique involves converting plaintext data into unreadable ciphertext, rendering it indecipherable without the corresponding decryption key.

Countering Encryption with Password Cracking:

One effective method to defeat encryption is password cracking. Cybersecurity professionals use specialized tools to attempt various combinations of passwords until the correct one is found. Here's a basic step-by-step guide on using a password-cracking tool to brute force a PDF:

1. Choose a Password Cracking Tool:

• Select a reliable password-cracking tool such as John the Ripper or Hashcat.

2. Input the Encrypted File:

• Feed the encrypted PDF file into the password-cracking tool.

3. Select Attack Mode:

• Choose the appropriate attack mode, such as dictionary attack or brute force, depending on the information about the password.

4. Run the Tool:

• Initiate the password-cracking process and allow the tool to test different password combinations systematically.

5. Review Results:

• Once complete, review the results to identify the cracked password.

Rainbow Table Attack: An Alternative Approach:

Another method to counter encryption is the use of rainbow tables. These precomputed tables store hashes and their corresponding plaintext passwords, expediting the decryption process.

Rainbow Table Attack on a File:

1. Generate or Obtain Rainbow Tables:

• Create or acquire rainbow tables suitable for the encryption algorithm used in the file.

2. Import Tables into a Tool:

• Use a tool like RainbowCrack to import the rainbow tables.

3. Select Target File:

• Specify the target encrypted file for decryption.

4. Initiate the Attack:

• Launch the rainbow table attack, allowing the tool to match the hash of the encrypted file with entries in the tables.

5. Retrieve Results:

• Once a match is found, you can just go ahead and retrieve the decrypted password.

Beyond encryption, cybercriminals employ various tactics such as program packing, overwriting data, and onion routing to conceal their tracks. Program packing involves compressing or encrypting malicious code to evade detection by security tools, while overwriting data aims to erase traces of illicit activities. Onion routing, on the other hand, leverages layers of encryption to anonymize internet traffic.?

Which one of this, have you come across?