I had presented general method of network & computer forensics for Depkominfo at November, 23th, 2011. You can enjoy my presentation on my slideshare below:
Several years ago, i create backdoor which sends root shell to attacker without opening TCP/UDP port. Reverse shell is sent to attacker based on packet sniffed by backdoor. I can easily hide the file and process created by rootkit with system call redirection. But wait, i remember some things, common mistakes which usually left by attacker, here are their mistakes:
- Mesh up with binary file hash checksum, since i use kernel based rootkit this is not my concern.
- Forget to hide files, directory, process, tcp/udp ports.
- Forget to hide kernel rootkit from detection command likes lsmod, modinfo, modstat, kldstat.
- Forget to hide interface promiscuous mode and network sniffers.
- Above mistake can be detected by common rootkit hunters like chkrootkit and rkhunters
So what should we do?! My kernel rootkit almost solve all that mistakes except hiding my sniffer from chkrootkit. Rkhunter shows no anomaly but chkrootkit shows my sniffer.
eth0: PACKET SNIFFER(/opt/_xhidex_/_xhidex_getraw[14848])
System administrator will aware that someone runs sniffer on their machine, i did some hack to solve this issue which finally i decide to hack chkrootkit. Some years ago, i found someone did rush trick by aliasing chkrootkit to ‘cat <some_static_file>’. I bet that system administrator can quickly detect this trick. Fortunately chkrootkit is just shell script so we can modify this file easily. Here, you can download freely chkrootkit patch to hide your sniffers.
After patch being applied on chkrootkit, below are chkrootkit output:
eth0: not promisc and no packet sniffer sockets
Lesson which can be taken is that people talk so much things about rootkit, backdoor, malware, worm, botnet but they ussually forget to secure their toys. Starting now, install your tool on your own system before install them on some else machine. Check if gnu standard utility, chkrootkit, and rkhunter can detect your tool. The other lesson is that rootkit hunters should check itself so it can check its integrity. This check can be based on hash or other secure method so self detection can be perform accurately. As workaround for system administrator, after doing rootkit hunter installation please save its hash checksum. Please save both MD5 and SHA checksum to guarantee rootkit hunter integrity.
Computer forensics is part of information security in finding legal evidence on computers and digital storage media. You can find more about forensics resource on internet which some of them are free, yeah it’s free!
We have Open Source Computer Forensics Manual at http://oscfmanual.sourceforge.net. We also have cool article (book) entitled with “Forensic Discovery” at http://www.porcupine.org/forensics/ which published freely and completed with some tools. You can follow http://blogs.sans.org/computer-forensics/ or read First Responders Guide to Computer Forensics at CERT.
Finally, you can download some free book about forensics and information security here.
DEFINITION
Anti-forensics has only recently been recognized as a legitimate field of study. Within this field of study, numerous definitions of anti-forensics abound. One of the more widely known and accepted definitions comes from Dr. Marc Rogers of Purdue University. Dr. Rogers uses a more traditional “crime scene†approach when defining anti-forensics. “Attempts to negatively affect the existence, amount and/or quality of evidence from a crime scene, or make the analysis and examination of evidence difficult or impossible to conductâ€.
A more abbreviated definition is given by Scott Berinato in his article entitled, The Rise of Anti-Forensics. “Anti-forensics is more than technology. It is an approach to criminal hacking that can be summed up like this: Make it hard for them to find you and impossible for them to prove they found you.†Interestingly, neither author takes into account using anti-forensics methods to ensure the privacy of one’s personal data.
Sub-Categories
Anti-forensics methods are often broken down into several sub-categories to make classification of the various tools and techniques simpler. One of the more widely accepted subcategory breakdowns was developed by Dr. Marcus Rogers. He has proposed the following sub-categories, data hiding, artifact wiping, trail obfuscation and attacks against the CF (computer forensics) process/tools.
Read more »
Computer forensics is a branch of forensic science pertaining to legal evidence found in computers and digital storage mediums. Computer forensics is also known as digital forensics.
The goal of computer forensics is to explain the current state of a digital artifact. The term digital artifact can include a computer system, a storage medium (such as a hard disk or CD-ROM), an electronic document (e.g. an email message or JPEG image) or even a sequence of packets moving over a computer network. The explanation can be as straightforward as “what information is here?” and as detailed as “what is the sequence of events responsible for the present situation?”
The field of Computer Forensics also has sub branches within it such as Firewall Forensics, Database Forensics and Mobile Device Forensics.
There are many reasons to employ the techniques of computer forensics:
- In legal cases, computer forensic techniques are frequently used to analyze computer systems belonging to defendants (in criminal cases) or litigants (in civil cases).
- To recover data in the event of a hardware or software failure.
- To analyze a computer system after a break-in, for example, to determine how the attacker gained access and what the attacker did.
- To gather evidence against an employee that an organization wishes to terminate.
- To gain information about how computer systems work for the purpose of debugging, performance optimization, or reverse-engineering.
Read more »