Evaluating Commercial Counter-Forensic Tools

  2005-11-12


21:30, by Hagai Bar-El, 548 words
Categories: IT Security, Sources

I have just enjoyed reading "Evaluating Commercial Counter-Forensic Tools" by Matthew Geiger from Carnegie Mellon University. The paper presents failures in commercially available applications that offer to cover the user's tracks. These applications claim to remove (presumably) all footprints left by browsing, file management activities, and so forth. To make a long story short: seven out of seven such applications failed, to one degree or another, to fulfill their claims.

The results did not take me completely by surprise, because I have long been aware of the difficulty of properly removing all tracks of any action on Microsoft Windows. The system is so complex that anything you do instantly affects several areas of the system in ways that are hard to predict, let alone to revert as discrete changes. Whenever I read claims made by such "erasers" I kept saying to myself: "Wow, how do they do that?", and, lacking a complete answer, I used to assume that they know what they're doing, as I would probably have to if I were making such products myself. Apparently, they don't.

The next thing I wondered about is how these products sell so well, given that they do not provide what they claim to, in a way that is sometimes so evident. It must be pointed out that the failures were not of the kind that requires sophisticated hardware to exploit: the paper discusses surface-level failures that can be exploited instantly, without much knowledge beyond knowing that the failure exists. The only answer I can think of is that the customers of such applications are ordinary people who value privacy and don't like seeing their browsing history in the left pane, but who do not commit crimes that require evading detection by the FBI. The latter guys probably don't use such tools.

So, what would I personally use if I ever needed to cover my tracks? Generally speaking, I don't like approaches that require constantly winning a cat-and-mouse game to retain their robustness. Therefore, I wouldn't like any of these "erasers" even if at some point in time it could be shown that they happen to work properly. Changes in the applications that leave tracks occur too often. If it were important enough, I would simply store an image of the OS and applications drive before performing the acts to be hidden, and then wipe the drive once or twice before restoring it from the recorded image. Complex? Certainly, but as it does, and always did, seem to me, that is the only way that has a chance of working. Moreover, it eliminates all of the shortcomings mentioned in the paper. It covers all tracks generated by the OS, including the less trivial ones. It removes all tracks left by all applications, whether or not the "eraser" recognizes them, including in their future versions and without having to wait for the "eraser" to be upgraded as well. It also does not leave its own tracks in the form of awkward deleted file names left behind, as demonstrated in the paper. Actually, this approach will not even reveal the existence of an "eraser". All one will ever see is a volume imaging application, but hey, don't you use it for backups?
