[BoB] Indicators of Anti-Forensics Investigator Survey (Korean)

The following survey results are from Korean Digital Forensic Investigators concerning the use of anti-forensics observed in their investigations. This survey has been conducted by the KITRI Best of the Best (BoB) ‘Indicators of Anti-forensics’ project group.

1. How long have you been doing forensic analysis work?
2. On average, how much time does forensic analysis take per item of evidence or per disk?
3. Have you heard of anti-forensic detection tools?
4. During forensic analysis, have you ever analyzed a system on which an anti-forensic tool had been used?
5. If you have analyzed a system on which an anti-forensic tool was used, how much more time did it take than analyzing a system without one?
6. Have you ever felt a need for an anti-forensic detection tool?
7. Do you think being able to detect anti-forensic activity before analysis would make the analysis easier?
8. What features would you want in an anti-forensic detection tool?
9. Which anti-forensic tool have you seen most often during analysis?


<table border="0" cellspacing="0" cols="9">
<tbody>
<tr> <th>1. Experience</th> <th>2. Avg. time per evidence item / disk</th> <th>3. Heard of anti-forensic detection tools?</th> <th>4. Analyzed a system with anti-forensic tools?</th> <th>5. Extra time vs. a normal system</th> <th>6. Felt a need for a detection tool?</th> <th>7. Easier if detected before analysis?</th> <th>8. Desired features</th> <th>9. Most often seen tool</th> </tr>
<tr> <td>3+ years</td> <td>4-5 days</td> <td>Yes</td> <td>Yes</td> <td>Cannot estimate</td> <td>Yes</td> <td>Easier</td> <td>Not sure what the scope of anti-forensics is. A clear definition seems necessary of whether it is assumed to cover everything from the use of encryption programs to secure-deletion programs or even steganography. It would probably be best to build anti-forensic detection tools separately for each purpose and integrate them at the end.</td> <td>Password-protected encryption</td> </tr>
<tr> <td>1-3 years</td> <td>10</td> <td>No</td> <td>Yes</td> <td>48</td> <td>Yes</td> <td>Easier</td> <td>The method used, its installation or execution date, and guidance on the scope affected by that method</td> <td>Rooting tools</td> </tr>
<tr> <td>1-3 years</td> <td>24~48</td> <td>Yes</td> <td>Yes</td> <td>More than 24 hours</td> <td>Yes</td> <td>Easier</td> <td>- Information on previously deleted files (name, time, etc.) - Information on the anti-forensic tool</td> <td>spaceEraser</td> </tr>
<tr> <td>3+ years</td> <td>4 hours per 500 GB</td> <td>Yes</td> <td>No</td> <td>About 1-2 hours</td> <td>Yes</td> <td>Easier</td> <td></td> <td></td> </tr>
<tr> <td>3+ years</td> <td>24</td> <td>Yes</td> <td>Yes</td> <td>10</td> <td>Yes</td> <td>Easier</td> <td>Whether it was installed, whether it was run as a portable executable, total run count, identification of wiped areas, etc.</td> <td>CCleaner</td> </tr>
<tr> <td>3+ years</td> <td>24</td> <td>Yes</td> <td>No</td> <td>-</td> <td>Yes</td> <td>Easier</td> <td>Memory hacking detection, Tor network detection</td> <td>timestomp</td> </tr>
<tr> <td>3+ years</td> <td>6</td> <td>Yes</td> <td>Yes</td> <td>6</td> <td>Yes</td> <td>Easier</td> <td>Timeline modification</td> <td>final eraser</td> </tr>
<tr> <td>6 months or less</td> <td>6</td> <td>Yes</td> <td>No</td> <td>3</td> <td>Yes</td> <td>Easier</td> <td>The features will differ depending on whether the tool is meant to detect an anti-forensic tool being executed or to detect traces of it having been executed, but taking the former as the basis, it would be good to have a quick search that detects by inspecting the processes currently running on a live system, and a detailed scan that checks the programs installed on the disk.</td> <td>Common cleaners, Wipe</td> </tr>
<tr> <td>1-3 years</td> <td>72</td> <td>Yes</td> <td>Yes</td> <td>Depends on the situation</td> <td>Yes</td> <td>Easier</td> <td></td> <td>ccleaner</td> </tr>
<tr> <td>6 months to 1 year</td> <td>80</td> <td>Yes</td> <td>No</td> <td>0</td> <td>Yes</td> <td>Easier</td> <td></td> <td></td> </tr>
<tr> <td>1-3 years</td> <td>120</td> <td>No</td> <td>Never noticed one</td> <td>About 1.3x</td> <td>Yes</td> <td>Easier</td> <td>Secure-deletion detection, registry information and traces of deleted internet history</td> <td>GoClean (고클린)</td> </tr>
</tbody></table>


[Survey] Investigation Prioritization of Crimes Involving Digital Evidence

The following survey is being conducted by Joshua James of the Digital Forensic Investigation Research Laboratory (DigitalFIRE) to assess public opinion on the investigation prioritization of crimes involving digital evidence.

This survey consists of 10 questions, which will take approximately 5 minutes to complete.

English version: http://goo.gl/qbpo77
Korean version: http://goo.gl/AKIhV1

Please share!



[CFP] DFRWS EU 2014

From http://dfrws.org/2014eu/cfp.shtml

The DFRWS-EU Conference will be held in Amsterdam on 7-9 May 2014.

Important Dates
Submission deadline: December 9, 2013 (any time zone). This is a firm deadline.
Author notification: March 1, 2014
Final draft and speaker registration: March 30, 2014
Conference dates: May 7-9, 2014

The DFRWS is dedicated to the sharing of knowledge and ideas about digital forensics research. Ever since it organized the first open workshop in 2001, the DFRWS continues to bring academics and practitioners together in an informal environment. The digital forensics community is rapidly growing worldwide. To better serve the needs of the community, the DFRWS is starting a sister conference in Europe. The new conference will continue the DFRWS tradition of publishing high quality research outcomes selected in a thorough peer review process. The proceedings will be published on the DFRWS Website as well as in the traditional DFRWS proceedings format. DFRWS-EU will act as a focal point for the European digital forensic community, allowing practitioners and researchers to meet and exchange ideas without the need to pay for a transatlantic flight.


Installing Cinnamon 2.0 on Linux Mint 14

With only a few weeks (hopefully) until Linux Mint 16 is released, I have been installing different software that I may want to start using. With all my data backed up and ready to migrate, this is essentially a few weeks to experiment with different programs to see how well they work.


The major consideration for me is ‘Cinnamon 2.0’ - Linux Mint’s replacement for the Gnome desktop. Cinnamon 2.0 has a lot of features and fixes that I have been looking forward to but that were never pushed down to the current release. The other major piece of software I am looking for is a good desktop search tool.

If you are already running Linux Mint with a prior version of Cinnamon, it will not be upgraded automatically to 2.0. You can upgrade the following way:
<blockquote class="tr_bq">sudo add-apt-repository ppa:gwendal-lebihan-dev/cinnamon-stable</blockquote>
Then add the following to /etc/apt/preferences:
<blockquote>Package: *
Pin: release o=LP-PPA-gwendal-lebihan-dev-cinnamon-stable
Pin-Priority: 800</blockquote>
Do an apt-get update, then an apt-get dist-upgrade.
For me on Linux Mint 14, the package ‘mint-translations’ did not want to install, so I had to re-run apt-get dist-upgrade with ‘-f’.
<blockquote class="tr_bq">sudo apt-get dist-upgrade -f</blockquote>
Once installed, reboot.

On reboot the theme and background are changed, but all my settings were saved. Even conky still worked fine. Date and time settings were reset, however, and there is no app to change them back. Time and calendar still work, but you have to manually configure them.

The first thing I noticed, however, is that Cinnamon 2.0’s default settings are not as pretty as 1.8. To change it back to Mint’s old Cinnamon look (which is more sleek IMO), right click on menu -> ‘system settings’ -> ‘themes’ -> ‘other settings tab’. From there, I changed the controls, icons, etc. to ‘Mint-X’. From the ‘installed’ tab, you can also change the applied theme.

Overall Cinnamon 2.0 is much more responsive than 1.8. Even without reformatting I am seeing noticeably better performance. The look and feel is a bit more clean and polished.


Comparing Similarity of Images using SIFT Features

I’ve been playing around with VLFeat, and specifically with SIFT, to compare images using SIFT feature extraction. A while back I was looking at comparing files and images using sdhash and ssdeep, and they did not work well with images (which makes complete sense!).

So I was looking at some computer vision implementations, and found Programming Computer Vision with Python. From a basic example in the book, we can now visually compare similarity on the kitty corpus used last time.

5a762d8cdf4f1beae208595e79990a01 /corpus/kitty_hex.jpg
1704cd46c5c0f994278769e533015525 /corpus/kitty_sm.jpg
bcbed42be68cd81b4d903d487d19d790 /corpus/kitty_text.jpg
6d5663de34cd53e900d486a2c3b811fd /corpus/kitty_orig.jpg
4312932e8b91b301c5f33872e0b9ad98 /corpus/kitty_whirl.jpg

comparing corpus/kitty_text.jpg corpus/kitty_sm.jpg number of matches = 107
comparing corpus/kitty_text.jpg corpus/kitty_orig.jpg number of matches = 375
comparing corpus/kitty_text.jpg corpus/kitty_hex.jpg number of matches = 375
comparing corpus/kitty_text.jpg corpus/kitty_whirl.jpg number of matches = 358
comparing corpus/kitty_sm.jpg corpus/kitty_orig.jpg number of matches = 108
comparing corpus/kitty_sm.jpg corpus/kitty_hex.jpg number of matches = 108
comparing corpus/kitty_sm.jpg corpus/kitty_whirl.jpg number of matches = 88
comparing corpus/kitty_orig.jpg corpus/kitty_hex.jpg number of matches = 389
comparing corpus/kitty_orig.jpg corpus/kitty_whirl.jpg number of matches = 343
comparing corpus/kitty_hex.jpg corpus/kitty_whirl.jpg number of matches = 343

Just by extracting SIFT features and counting which features match, we can do pretty well at identifying similar images. As a reference, see an unrelated image compared to a kitty image:

comparing corpus/kitty_text.jpg corpus/cheese.jpg number of matches = 0

It is interesting to note that even if the image is modified, the swirled face for example, similarity to the original image is still relatively high. The lowest performance was seen when the image size was reduced, which is probably because fewer features are extracted from the smaller image. Note that in this experiment the only image pre-processing we are doing is conversion to grayscale. We are not resizing, doing PCA or anything like that.

I also want to point out something:
comparing corpus/kitty_text.jpg corpus/cheese_text.jpg number of matches = 2

In this case there are two different images that have a small bit of text inserted into the image. Feature detection was able to determine some similarity (the text looked the same) on completely different images. This could potentially be used to determine if a string or watermark was added to a group of pictures in a directory.
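The matching step behind the "number of matches" figures above, as an added example that is not code from the post, from VLFeat or from the book it cites. Descriptors are constructed toy vectors (assumption: 4-D instead of the real 128-D); matching is nearest-neighbour with Lowe's distance-ratio test, checked in both directions so each match is mutually best. It goes one step beyond the post by also reporting the match count normalised by the smaller feature set, which keeps a downscaled image (fewer keypoints) from looking dissimilar merely because it yields fewer raw matches.

```python
"""Match SIFT-style descriptors and score image similarity.

Added example (not code from the post, VLFeat or the book it cites).
Descriptors are constructed 4-D toy vectors standing in for 128-D SIFT
descriptors; matching is nearest-neighbour with Lowe's distance-ratio
test applied in both directions so each match is mutually best.
"""
import math


def _dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def match_one_way(desc1, desc2, ratio=0.6):
    """Index in desc2 of each desc1 descriptor's match, or -1 when the
    nearest neighbour is not clearly closer than the second nearest."""
    out = []
    for d in desc1:
        ranked = sorted((_dist(d, e), j) for j, e in enumerate(desc2))
        ok = len(ranked) >= 2 and ranked[0][0] < ratio * ranked[1][0]
        out.append(ranked[0][1] if ok else -1)
    return out


def match_twosided(desc1, desc2, ratio=0.6):
    """Keep only pairs (i, j) that are each other's best match."""
    fwd = match_one_way(desc1, desc2, ratio)
    bwd = match_one_way(desc2, desc1, ratio)
    return [(i, j) for i, j in enumerate(fwd) if j >= 0 and bwd[j] == i]


def similarity(desc1, desc2, ratio=0.6):
    """Return (raw match count as in the post, count / min(#features)).
    The normalised value is an extension: it is size-invariant."""
    n = len(match_twosided(desc1, desc2, ratio))
    smaller = min(len(desc1), len(desc2))
    return n, (n / smaller if smaller else 0.0)


# Constructed toy descriptor sets standing in for the post's corpus images.
ORIG = [(1.0, 0.0, 0.0, 0.0), (0.0, 1.0, 0.0, 0.0), (0.0, 0.0, 1.0, 0.0),
        (0.0, 0.0, 0.0, 1.0), (0.5, 0.5, 0.0, 0.0), (0.0, 0.5, 0.5, 0.0)]
# "Swirled" copy: every feature slightly perturbed, plus one new feature.
SWIRL = [(0.9, 0.1, 0.0, 0.0), (0.0, 0.95, 0.05, 0.0), (0.0, 0.0, 1.0, 0.1),
         (0.1, 0.0, 0.0, 0.9), (0.5, 0.45, 0.05, 0.0), (0.0, 0.5, 0.5, 0.1),
         (0.3, 0.3, 0.3, 0.3)]
# "Downscaled" copy: only half of the features survive.
SMALL = [(0.95, 0.0, 0.05, 0.0), (0.0, 1.0, 0.0, 0.05), (0.0, 0.0, 0.9, 0.1)]
# Unrelated image: nothing is a clear nearest neighbour of anything in ORIG.
CHEESE = [(0.7, 0.7, 0.7, 0.0), (0.0, 0.7, 0.7, 0.7), (0.7, 0.0, 0.7, 0.7)]

if __name__ == "__main__":
    for name, other in (("swirl", SWIRL), ("small", SMALL), ("cheese", CHEESE)):
        n, score = similarity(ORIG, other)
        print(f"orig vs {name}: matches = {n}, normalised = {score:.2f}")
```

With these toy sets the downscaled copy gets only half the raw matches of the swirled copy, yet both score 1.0 once normalised, which is the size effect the post observed.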


Convert EnCase hash sets to md5sum

I managed to get a hold of a list of known-bad hashes to use in an experiment. The hashes, however, were in EnCase “.hash” format.
I am mostly using the SleuthKit’s hfind to do some hash comparisons. My setup could already use the NSRL hash sets with no problem, and TSK is supposed to support EnCase hash sets. I was able to create an index for the EnCase hash sets, but when I attempted to query, I would get an error:

Command: hfind db.hash [hash value]
Error: “Cannot determine hash database type (hdb_setupindx: Unknown Database Type in index header: encase)”

No responses when asking about the error on the mailing list, so I looked for other ways to access the hashes.

Finally, I came across Jesse Kornblum’s EnCase hash file converter (encase2txt). The tool built fine in Linux (Ubuntu), and the Windows binary worked with no issue on Windows 7 (64-bit).

Just point the tool at the EnCase hash database and it will output all the hashes in a format like md5sum. Pipe this plain-text output to a file, and you have an md5sum hash file. From this I was able to build the index (hfind -i md5sum hashes.md5) and query the database with no problems.

Thanks Jesse!

Building and usage: http://jessekornblum.livejournal.com/166275.html
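A check worth running on the converted text before handing it to hfind -i md5sum, as an added example that is not code from the post, from encase2txt or from The Sleuth Kit. It validates each line against the md5sum layout (32 hex digits, two spaces or space-asterisk, then a name), lower-cases digests so lookups are case-insensitive, and answers the known-bad question for a given blob of data. The sample lines are constructed; the two digests in them are the real MD5s of the empty string and of "a".

```python
"""Validate and query an md5sum-format hash list.

Added example; not code from the post, encase2txt or The Sleuth Kit.
A converted EnCase set is only useful to hfind if every line really is
'<32 hex digits>  <name>' (or '<hash> *<name>' in md5sum binary mode),
so malformed lines are reported instead of silently indexed.
"""
import hashlib
import re

# md5sum layout: digest, one space, then a space (text) or '*' (binary), name.
LINE_RE = re.compile(r"^([0-9A-Fa-f]{32}) [ *](.+)$")


def parse_md5sum(text):
    """Return (index, bad_lines): index maps lowercase md5 -> [names]."""
    index, bad = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue  # tolerate blank lines such as a trailing newline
        m = LINE_RE.match(line)
        if not m:
            bad.append((lineno, line))
            continue
        index.setdefault(m.group(1).lower(), []).append(m.group(2))
    return index, bad


def lookup(index, digest):
    """Emulate a hash-set query: names recorded for digest, [] if unknown."""
    return index.get(digest.strip().lower(), [])


def is_known_bad(index, data):
    """Hash a blob of file content and report whether it is in the set."""
    return hashlib.md5(data).hexdigest() in index


# Constructed sample of converter output; mixed case and one broken line.
SAMPLE = """\
D41D8CD98F00B204E9800998ECF8427E  empty.bin
0cc175b9c0f1b6a831c399e269772661 *a.txt
0CC175B9C0F1B6A831C399E269772661  a_copy.txt
not-a-hash  junk.bin
"""

if __name__ == "__main__":
    idx, bad = parse_md5sum(SAMPLE)
    print(f"{len(idx)} unique digests, {len(bad)} malformed line(s): {bad}")
    print("a.txt content known-bad:", is_known_bad(idx, b"a"))
```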
