CEIC 2012 - Anti Anti Forensics

CEIC 2012 - Anti Anti Forensics

Hello possible CEIC attendee reader,
                                                            My class 'anti-anti forensics' will be tuesday at 2:00pm and is apperantly full from what I saw in the regestration page. For those of you who wanted to attend it but didn't get to sign up they normally allow people to queue up at the door to take vacant spots/empty space.

So why would you want to queue up? I'm happy you asked! In this class I plan to preview some research we've been doing on the NTFS $logfile. While I'm not ready to give a presentation dedicated to that, I've submitted to blackhat for that (please pick me blackhat reviewers), I will be showing what I consider to be amazing new tricks to defeat anti forensic tools using the NTFS $logfile.

As in prior presentations I will make my slides available on the blog afterwords for anyones review, but I don't feel that they really ever capture everything that I talk about. I'm much more of a talker than a slide writer so my slides typically just cover major topics and points rather than the details that I would hope you want to hear.

See you there!


  1. It was a great session and a great presentation. I wanted to ask you what triggered this research project and why you did not include the parallel between the $LogFile and the USN_Journal?

  2. Research was triggered after two events:
    1. One of my employees did a research paper for their idependent study at UT Austin on system cleaners and noticed that the original names of files remained in the $logfile.
    2. We had a case where a file was deleted and there was record of the file existing other than the $logfile
    With two data points pointing towards the one unknwon source we decided to invest the time to find out what was going on.

    USN_Journal is quite nice and compliments the $logfile analysis, but is a format that is fully understood/known. If it exists it should be fully exploited but I haven't found an image with it enabled yet.

    1. Thanks for the reply. FYI - I did a study on the USN_Journal file recently and I was puzzled why FTK Imager failed to showed the $J ADS for the $UsnJrnl. I had to look at the MFT record for the $Extend folder to see if it existed. Then, locate the MFT record of the $UsnJrnl manually to find the Data run for the $J. It is a great exercise to keep your mind sharp, but finally FTK Imager 3.1 displays $USNJrnl correctly. After playing with it, my conclusions were "old school"- Validate your tools and double check even if a tool can not locate what should be there. Knowing the expected outcome beforehand should bring this field closer to science than just IT. Hexviewer is your best friend, no matter how great our automated tools are. USN_Journal is not enabled on USB drives by default, thus I would recommend corporations to force it manually ( fsutil usn createjournal m=MaxSize a=AllocationDelta VolumePath )

      Would you agree?

    2. Interesting, I think in general more tools need independent testing. I know NIST was working on that project but I haven't seen anything from them in the last 2 years.