Tampering with Truth: Designing a Tool to Undermine Digital Evidence Recovery
DOI: https://doi.org/10.65890/RACE.v1i1.42
Keywords: Anti-forensics, Digital Forensics Investigation, Artifacts, Linux File Systems, EXT2
Abstract
Advances in the internet and computing technology have brought great convenience to legitimate users and to cyber criminals alike. When offenders deliberately misuse these advances, the consequences can be serious, such as denying services to benign or legitimate users. Investigating and prosecuting electronic crime is very difficult because investigators must build their cases and conduct the investigation from the evidence the computer criminals leave on the system. Today, computer criminals and adversaries are well aware of computer anti-forensic tactics and methods, and they apply such techniques to impede the whole digital investigation process efficiently and successfully. Forensic investigations affected by anti-forensic measures are too expensive and time-consuming to carry out. Anti-forensic practitioners have numerous techniques available to thwart the investigation process; intruders therefore try to hide or wipe the evidence from the compromised system so that it does not fall into the hands of forensic examiners, and they will try their very best to protect their evidence using any anti-forensic technique that serves that end.
In this study, we propose an anti-forensic tool for destroying the evidential files stored on the hard disk. The proposed tool works in a controlled environment on the Second Extended File System (ext2) of a Linux distribution. It clears all the inodes, which store the metadata of the files and folders on the file system; clearing the inodes corrupts the internal structure of the file system. Forensic software or a forensic investigator can detect such activity by the anti-forensic practitioner during the investigation, but the analyst will still not be able to recover the file content, because the file is no longer accessible once the intruder has cleared its inode entries. In this research work, we also compared the proposed tool with similar existing tools and found that none but the proposed tool could clear all the inode entries of the evidential files on the file system.
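The detection step the abstract refers to, an examiner noticing directory entries whose inodes have been cleared, can be shown directly on ext2's on-disk structures. The following Python example is added here and is not the paper's tool or any code from its authors; it parses a constructed inode table and root directory block (sample bytes built inline, not taken from a real disk image) and classifies each directory name as live, normally unlinked, or pointing at a wiped inode. The field layouts follow struct ext2_inode and struct ext2_dir_entry_2; the inode numbers, file names, block numbers and timestamps are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Classic ext2 layout: 1 KiB blocks, 128-byte inodes (s_inode_size in the superblock).
BLOCK_SIZE = 1024
INODE_SIZE = 128
# First 100 bytes of struct ext2_inode: i_mode, i_uid, i_size, i_atime, i_ctime,
# i_mtime, i_dtime, i_gid, i_links_count, i_blocks, i_flags, osd1, i_block[15]
INODE_FMT = "<HHIIIIIHHIII15I"
# struct ext2_dir_entry_2 header: inode, rec_len, name_len, file_type
DIRENT_FMT = "<IHBB"
DIRENT_HDR = struct.calcsize(DIRENT_FMT)


@dataclass
class Inode:
    number: int
    mode: int
    size: int
    dtime: int
    links_count: int
    block: tuple   # 15 pointers: 12 direct + 3 indirect
    zeroed: bool   # all 128 on-disk bytes are zero

def parse_inode_table(table: bytes) -> dict:
    """Map inode number -> Inode; inode n is stored at offset (n-1)*INODE_SIZE."""
    inodes = {}
    for idx in range(len(table) // INODE_SIZE):
        full = table[idx * INODE_SIZE:(idx + 1) * INODE_SIZE]
        f = struct.unpack_from(INODE_FMT, full)
        inodes[idx + 1] = Inode(idx + 1, f[0], f[2], f[6], f[8], tuple(f[12:27]), not any(full))
    return inodes

def parse_dir_block(block: bytes) -> list:
    """Walk the rec_len chain of one directory block; returns (inode, name) pairs."""
    entries, off = [], 0
    while off + DIRENT_HDR <= len(block):
        ino, rec_len, name_len, _ftype = struct.unpack_from(DIRENT_FMT, block, off)
        if rec_len < DIRENT_HDR or off + rec_len > len(block):
            break  # broken chain: stop instead of reading garbage
        name = block[off + DIRENT_HDR:off + DIRENT_HDR + name_len].decode("utf-8", "replace")
        entries.append((ino, name))
        off += rec_len
    return entries

def classify(ino: int, inode: Optional[Inode]) -> str:
    if ino == 0:
        return "unused"                 # slot released by a normal unlink
    if inode is None:
        return "out-of-range"           # number beyond the inode table: structural damage
    if inode.zeroed:
        return "cleared"                # a name with no metadata behind it
    if inode.links_count == 0 or inode.dtime != 0:
        # ext2 leaves i_block in place on unlink, which is what makes undelete possible
        return "deleted-recoverable" if any(inode.block) else "deleted-unrecoverable"
    return "live"

def scan(inode_table: bytes, dir_block: bytes) -> list:
    """(name, inode number, verdict) for every entry in the directory block."""
    inodes = parse_inode_table(inode_table)
    return [(name, ino, classify(ino, inodes.get(ino))) for ino, name in parse_dir_block(dir_block)]

# ---- constructed sample (hypothetical data, not a real disk image) ----------
def _inode(mode=0, size=0, dtime=0, links=0, blocks=()):
    ts = 1700000000 if mode else 0          # a wiped inode carries no timestamps either
    blk = tuple(blocks) + (0,) * (15 - len(blocks))
    body = struct.pack(INODE_FMT, mode, 0, size, ts, ts, ts, dtime, 0, links,
                       (size + 511) // 512, 0, 0, *blk)
    return body.ljust(INODE_SIZE, b"\0")

def _dirent(ino, name, ftype, rec_len=None):
    raw = name.encode()
    rec_len = rec_len or (DIRENT_HDR + len(raw) + 3) & ~3   # entries are 4-byte aligned
    return struct.pack(DIRENT_FMT, ino, rec_len, len(raw), ftype) + raw.ljust(rec_len - DIRENT_HDR, b"\0")

def build_sample():
    """Inode table holding inodes 1..14 and one root directory block."""
    table = {
        2: _inode(0o040755, BLOCK_SIZE, 0, 3, (100,)),                    # root directory, live
        12: _inode(0o100644, 42, 0, 1, (200,)),                           # notes.txt, live
        13: _inode(0o100644, 4096, 1700000500, 0, (300, 301, 302, 303)),  # old.log, unlinked normally
        14: _inode(),                                                     # evidence.bin, inode wiped
    }
    inode_table = b"".join(table.get(n, _inode()) for n in range(1, 15))
    ents = [_dirent(2, ".", 2), _dirent(2, "..", 2),
            _dirent(12, "notes.txt", 1), _dirent(13, "old.log", 1)]
    used = sum(len(e) for e in ents)
    ents.append(_dirent(14, "evidence.bin", 1, BLOCK_SIZE - used))        # last entry runs to block end
    return inode_table, b"".join(ents)

if __name__ == "__main__":
    for name, ino, verdict in scan(*build_sample()):
        print(f"{name:14} inode {ino:3}  {verdict}")
```

On a real image the inode size and the location of each group's inode table come from the superblock and the group descriptors; the example hardcodes 128-byte inodes and hands the table in directly. An all-zero inode is normal for a slot that was never allocated, so the indicator is a directory name that still references one (cross-checking against the inode bitmap strengthens this). That is also what separates the activity from an ordinary unlink, which in ext2 sets dtime and drops the link count but leaves the size and block pointers in place, and it is why the examiner can still recover the file name even though the content cannot be located from metadata.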
License
Copyright (c) 2025 Revolutionary Advances in Computing and Electronics: An International Journal

This work is licensed under a Creative Commons Attribution 4.0 International License.