A Repository to Track Anti-Forensic Techniques

arjaypogs/Anti-Forensics

Anti-Forensics

This list is built based on the response of the #DFIR community and the techniques we currently cover in our Anti-Forensics course.

Do you have any cool Anti-Forensic ideas to share? #DFIR #DigitalForensics

https://twitter.com/binaryz0ne/status/1618828773268520961

Data, Web, and Application Related

  • File Format Manipulation:
    - PDF: modify the structure of the file to hide objects
    - ZIP: modify the structure of the file to hide other data/files
    - DOCX: extract and hide other content within the structure; all you need to do is change them to .xml
    - RAR, 7zip: modify their structures to hold/hide other data
    - etc.
  • Data Hiding
  • Steganography
    - LSB
  • Encryption
    - EFS, BitLocker, GnuPG, AES
    - TrueCrypt, VeraCrypt, etc.
    - Others: "Encrypt all the things" @rwx_08, https://twitter.com/rwx_08/status/1618904019816292355
  • "If you're using a web shell, disable IIS logging via appcmd" @keydet89, https://twitter.com/keydet89/status/1618952758287286273

Operating System, Virtualization, and Cloud Related

Logs Related

File System Related

  • NTFS File Tunneling
  • Hiding Data in Slack Space (e.g. using Slacker)
  • Hidden Volumes (WDM, Diskpart, TrueCrypt/VeraCrypt, etc)
  • Alternate Data Streams (ADS)
  • Timestomping Files
  • Hiding Data in $EA Attributes
  • File System Corruption: data destruction and wiping
  • "time stomping FN attribute of the MFT (most analysts don't know this is even possible)"
  • "tampering with $J to evade timestomp detection" @inversecos, https://twitter.com/inversecos/status/1618862849572605955
  • "Depending on the system, disable USN change journal" @keydet89, https://twitter.com/keydet89/status/1618952758287286273
  • "SSD information hiding, there is a way of hiding information in SSDs so it can't be read by the firmware and OS subsequently. I worked on that when I was a Master’s student a long time ago, it had great potential at the time." @ask_mecca, https://twitter.com/ask_mecca/status/1618886955395350528

Time Related (wasting the analyst's time by misleading them)

Videos

Good Anti-Forensics AF, https://www.youtube.com/watch?v=A4GYhGDCRSM

Great ideas

  • "The key thing to understand is this:
    1. You don't have to do anti-forensics in most cases; it's likely not necessary.
    2. Don't delete artifacts when you can configure the system so that they're never written." @Keydet89, https://twitter.com/keydet89/status/1618954586685075459

More coming...
