Hello Reader,
Another week , another winning answer by Adam Harrison! The CTF is ending in an hour and I look forward to seeing how this all shakes out.
The Challenge:
Name all of the Windows and OSX artifacts you would examine to determine if Anti Forensics tools have been executed.
The Winning Answer:
The majority of Anti-Forensic tools are just programs like any
other, often executed within the host OS. Additionally, the question
specifically asks about proving execution of of Anti-Forensic tools. As
such the first thing I will concern myself with is evidence of program
execution.
Noting that different anti-forensics tools may miss certain
evidence sources (especially if run with basic user privileges) it is important
to be broad in the areas you look as one of the lesser known or used artifacts
may have been left untouched by the tools. Additionally in cases of suspected
anti-forensic efforts I would be interested in the content of all
of these artifacts, including whether they are empty, as this may be
an indication of anti-forensics tool use in and of itself.
Evidence of Tool Execution
Windows
Prefetch
Jump Lists
AppCompatCache
MUICache
UserAssist
RunMRU
LastVisitedMRU
Log Files (tools may be deployed as services or with a scheduled
element, process creation events associated with Audit Process Creation)
Third party application execution monitoring (e.g. AV, DLP,
etc)
WSL (If WSL is in use then this opens a whole other kettle of
fish, .bashhistory, evidence of tool installation etc.)
Evidence of process artifacts in RAM
Command history in RAM
MacOSX
knowledgeC.db database (application usage data)
.bashhistory (if tools used or executed from command line)
FSEvents (evidence of filesystem events including creation of
software files and also deletion and renaming associated with tool use)
com.apple.finder.plist (evidence of finder searches for software)
RecentApplications.sfl
Spotlight Shortcuts plist
.bashhistory in ram
Evidence of process artifacts in RAM
Evidence of Tool Use
In addition, the use of anti-forensics tools can leave their own artifacts
behind. In the case of CCleaner the presence of deleted but recoverable
“ZZZ” files and folders is a classic indicator of use. Other similar unique
fingerprints are associated with different anti-forensic tools. One other such
tell tail sign is recoverable files with random filenames and high
entropy content consistent with being overwritten with pseudo random data,
entropy analysis of recovered deleted files can highlight
these.
Evidence of research/download/installation
Proving the intent of a user can also be useful, whether evidence
of the use of anti-forensic tools is actually identified. Evidencing that tools
were sought, downloaded and installed during an in-scope time frame (such as
just after an employee was notified of an HR interview etc). Additionally
evidence that research was performed into hiding evidence can be helpful
in painting a picture as to a users intentions and help to combat the "My
computer was running slow so I used CCleaner" defense.
Windows
Registry artifacts (installed applications, application specific
entries etc)
OSX
/Library/Receipts/InstallHistory.plist
/Library/Preferences/com.apple.SoftwareUpdate.plist
/Library/LaunchAgents
Both
The disk… (Look for executables for anti-forensics tools on disk
e.g. ‘Program Files’ Directories, ‘Applications’ directories, ‘Downloads’
directories)
Browser History/Cache/Cookies for evidence of search history and
websites visited (location dependant on OS and installed browser(s))
Proxy/ web filtering logs (evidence of browsing to sites
concerning anti-forensics and downloading of tools)
AV Logs (scanning of downloaded executable)
Wildcard
You never know where you might find that smoking gun which
demonstrates the intention to circumvent forensic analysis. In one notable
case, a colleague of mine stumbled across an iOS note which was stored within a
backup on the suspects computer. Within it the suspect had detailed a proposed
methodology to steal data from his employer which would be “undetectable”.
Using throwaway virtual machines (which would then be wiped from disk) he
proposed to collate and extract data from the organisation and transmit it to a
cloud service connected to via the VM. The actions performed left almost no
trace of the IP theft, but what evidence of the existence of a now deleted VM
coupled with the note made compelling reading in court.
---
.png)
