Which of the following is a set of techniques that attackers use to avert or sidetrack the forensics investigation process or increase its difficulty?
Anti-forensics
Identify the type of password that is a signature of the original password generated using a one-way algorithm such as MD5.
Password hashes
Ronan, a forensic investigator, was tasked with investigating a system based on NTFS. After thoroughly examining the system’s hard drive, he discovered that most files were recently deleted from the file system but were recoverable. Ronan employed an automated tool to recover the deleted files from the hard disk.
Identify the tool that Ronan used to recover the deleted files from the drive.
Autopsy
Sherin, a forensic investigator, is attempting to recover deleted files and data from a suspected system. To recover the deleted files and data, he used an automated tool that scans the system’s hard drive.
Which of the following tools was utilized by Sherin in the above scenario?
Autopsy
The older FAT file system, used in Windows 98 and earlier versions, stored deleted files in
Drive:\RECYCLED
On Windows 2000, NT, and XP, Recycle Bin storage is located in
Drive:\RECYCLER\<SID>
On Windows Vista and later versions, Recycle Bin storage is located in
Drive:\$Recycle.Bin\<SID>
Williams, a forensic investigator, was tasked with analyzing an image file. In this process, he identified that the metadata of the image file was deleted; therefore, he could only recover the files using the file header signature, which is a constant numeric or text value.
Which of the following tools can help Williams identify and recover the files using the file header signatures?
Hex Editor Neo
Hendrix, a forensic investigator, was appointed to investigate cybercrime. As part of this investigation, he was examining a forensically cloned hard disk. Hendrix identified that most of the files on the hard disk were password protected. He employed a password cracking tool to read and recover the password-protected files.
Identify the tool that Hendrix used to recover the password-protected files.
Cain & Abel
Which of the following techniques uses a program that attempts every combination of characters until the correct password is discovered?
Brute-forcing attack
Steganography
the art of hiding data “behind” other data without the target’s knowledge, thereby hiding the existence of the message itself.
Artifact Wiping
involves various methods aimed at permanent deletion of particular files or entire file systems.
Trail Obfuscation
to confuse and mislead the forensics investigation process.
Password Protection
shields information, protects networks, applications, files, documents, etc. from unauthorized users.
Lennox, a security specialist, was attempting to recover the data from an encrypted drive of a compromised system. Lennox suspected that the system might contain potential evidence related to the attack. For this purpose, he employed a technique using which he tried every possible key to recover the data and files stored in the drive.
Identify the technique employed by Lennox to recover the encrypted drive.
Brute-force attack
Keylogger attack
a type of spyware that is used to capture keystrokes.
Dictionary attack
a dictionary file is loaded into the cracking application, which runs it against user accounts. A dictionary is a text file that contains many dictionary words or predetermined character combinations. The program tries every word in the dictionary to find the password. Dictionary attacks are more useful than a brute-force attack; however, they do not work against a system that uses passphrases or passwords not contained in the dictionary used.
Cryptanalytic attack
is essentially a brute-force attack used to decrypt any encrypted data (which may be referred to as a cipher).
While verifying the file format of evidence files, Patrick, a forensic investigator, detected that the suspect had changed the file extensions of some files from .jpg to .dll. Patrick used an automated tool to verify the file formats.
Identify the tool employed by Patrick in the above scenario.
Hexinator
Identify the hidden file in Windows that is crucial for the recovery of data and contains various details of deleted files such as their original file names, original file sizes, date and time of deletion, unique identifying number, and the drive number in which the files were stored.
INFO2
Timestomp
one of the most widely used trail obfuscation tools; it allows deletion or modification of timestamp-related information on files. The procedure to defeat this technique is covered in the “Detecting Overwritten Data/Metadata” section.
SafeBack
has software drivers that write data to a tape backup system from a suspect drive through the standard PCI/SCSI
DriveSpace
A Microsoft disk compression tool that excludes slack disk space between files.
ophcrack
a Windows password-cracking tool that uses rainbow tables to crack passwords. It comes with a graphical user interface (GUI) and runs on different OSs such as Windows and Linux/UNIX.
/bin/rm
In Linux, users can delete files using the /bin/rm command, wherein the inode pointing to the file is deleted but the file's contents remain on the disk. If a user removes a file that is in use by a running process, the file's contents continue to occupy disk space that cannot be reclaimed by other files or programs until that process releases it.
copy
If the metadata files related to the original files are not present in the folder, the investigator can use the ‘copy’ command to recover the deleted files ($R files).
dd
Raw format creates a bit-by-bit copy of the suspect drive. Images in this format are usually obtained by using the dd command.
net file
The net file command lists the names of all files that are open on the server and the number of file locks on each file, if any. This command can also close individual shared files and remove file locks.
Erick, a forensics expert, was tasked with investigating a compromised machine that had been involved in various online attacks. In this process, Erick identified a corrupted file in the system. He scanned the Recycle Bin folder for the metadata of that file, but it was deleted from that location. Subsequently, he used a command to recover the deleted file.
Identify the command that Erick used to recover the deleted file.
<copy $R
Identify the technique that includes the disintegration, incineration, pulverizing, shredding, and melting of digital media to make evidentiary data unavailable to forensics investigators.
Disk destruction
Which of the following is a process by which a strong magnetic field is applied to a storage device, resulting in a device devoid of any previously stored data?
Disk degaussing
To solve a case, Steve, a digital forensics investigator, was inspecting a disk from which the attacker wiped all the data using a technique that deletes only address tables and unlinks all the files in the file system. Steve used an automated tool to recover the erased data from the disk.
Identify the artifact wiping technique employed by the attacker in the above scenario.
Disk formatting
Jude, a forensic professional in an investigation department, was tasked with analyzing a suspected Windows machine. During the investigation, Jude found that some of the drive’s volumes were encrypted and needed to be decrypted for further investigation.
Which of the following tools can help Jude in decrypting the drive?
CrypTool