Anti-Forensics Techniques Part 1
Hey, everyone, welcome back to the course. So in the last module we wrapped up our discussion on data acquisition.
In this video, we're going to talk about our goals with anti-forensics, as well as some information about deleting files in Windows.
So just a quick pre-assessment question here. A file on Windows 98 has been deleted, and we see Dc0.doc.
So, in this example, what does this C represent?
If you guessed the drive, you are correct. So answer D is correct.
We'll go through that in just a little bit.
So what are our goals with anti-forensics? Number one, volume: an attacker or a criminal wants the investigator to have a large amount of data to sift through. So if we put so much volume out there, then potentially the investigator can't look in all the areas, or
time becomes a factor and money becomes a factor, right? So,
especially for smaller law enforcement departments, they don't have the budget to sift through terabytes of data. They just have to look at the main areas. So that's one goal with anti-forensics: we throw so much data out there, a lot of it corrupted, that the investigation has to cease.
Number two, integrity of data. So we want to affect the integrity of the data, so that the investigator or the prosecutor, whomever, can't take that data and use it against us in a court of law. So the attacker's goal with anti-forensics is to corrupt the data.
Number three, difficulty. So again, going along with both volume and integrity, we want to make it more difficult for the investigator to actually perform their job and actually acquire and analyze the data. Thinking of the volume aspect again, we throw so much data at the investigator that they can't continue the investigation, either due to cost
or just due to the sheer amount of data.
And integrity, right? We make it more difficult for them to use it in a court of law.
And then, of course, another aspect of anti-forensics is the existence of data. What I mean by that is deleting data: deleting logs, deleting files, whatever the case might be. The attacker, or the criminal in that aspect, could
be deleting the data so that it basically no longer exists, or at least does not exist in a capacity that we can retrieve it.
Now that we've talked about some of the goals of anti-forensics, let's talk about file deletion in Windows. This is very important for your examination: with the FAT file system, you need to understand that the operating system replaces the first letter of a deleted file name with E5 (the hex byte 0xE5).
So remember that for your examination,
just in case you see it on there.
Now, with FAT file deletion, it's going to mark the unused clusters as available. But until those clusters are overwritten, the file information can be recovered. So just keep that in mind as well for your exam.
So with file deletion in NTFS,
the index field in the master file table is going to be marked with special codes. And that's the difference between FAT and NTFS: FAT, again, is going to label the first character as E5, and
NTFS is going to use the index field in the MFT, the master file table, and mark it with a special code.
Windows 98 and earlier. Just remember the file path here for the recycle bin: C:\RECYCLED. So keep that in mind if you see it on the exam. That's for Windows 98 and earlier.
It's also going to rename the deleted files to Dxy.ext. Essentially, the x is going to be the drive, and the y is the sequence number, which starts at zero. So, in this example here, Dc0.doc is going to be
D, then c is the C drive, 0 is the sequence number, and .doc is the file's extension.
Windows 2000 and XP: just remember the file path here is going to be C:\RECYCLER,
and also the file details are stored in the INFO2 file, which we'll talk about in just a little bit.
Windows 7, 8 and 10, and likely future generations as well, it's going to be C:\$Recycle.Bin. So again, those are the file paths. For your exam, you just want to memorize those file paths. It's going to be very important as you're looking through the questions, just in case it's tested. Again, I can't tell you what's on the exam.
So in this one it's going to label it as $Ry.ext. Again, the y is a sequence number and, of course, the .ext is the original extension. Just an example there: $R0.doc, with 0 for
the sequence number and .doc for our extension.
So, INFO2, as I mentioned. Basically, this is a hidden file that stores data about the deleted file, so this one can be recovered with a tool. Remember that for your exam, if you happen to see a question about it in some capacity, like how do we recover
or retrieve the INFO2 file. Once you reboot the system, you'll need to
use a data recovery tool to get that file.
So again, it's a hidden file, and it contains things like the original file name, the date and time of the deletion, the original file size, and the drive number.
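As an added example (not part of the course), a small Python helper showing the two deletion artifacts described above: the 0xE5 marker FAT writes over the first byte of a deleted directory entry, and the renamed recycle-bin files (Dc0.doc style on Windows 98/2000/XP, $R... on Windows 7 and later). The FAT entry is constructed in the code; build_fat_entry, parse_fat_entry and parse_recycle_name are names chosen here, and the $I metadata counterpart of $R files on modern Windows is included beyond what the lecture mentions.

```python
import re
import struct

DELETED_MARK = 0xE5  # FAT writes this over the first byte of a deleted entry's name

def build_fat_entry(name8: str, ext3: str, first_cluster: int, size: int, deleted: bool = False) -> bytes:
    """Constructed 32-byte FAT 8.3 directory entry, used here as sample input."""
    entry = bytearray(32)
    entry[0:8] = name8.ljust(8).encode("ascii")
    entry[8:11] = ext3.ljust(3).encode("ascii")
    entry[11] = 0x20                                            # archive attribute: a plain file
    struct.pack_into("<H", entry, 20, first_cluster >> 16)      # first cluster, high word
    struct.pack_into("<H", entry, 26, first_cluster & 0xFFFF)   # first cluster, low word
    struct.pack_into("<I", entry, 28, size)
    if deleted:
        entry[0] = DELETED_MARK                                 # the only change the OS makes on delete
    return bytes(entry)

def parse_fat_entry(entry: bytes) -> dict:
    """Decode a FAT 8.3 entry. A deleted entry keeps its start cluster and size,
    which is why the data stays recoverable until those clusters are reused."""
    if len(entry) != 32:
        raise ValueError("FAT directory entries are exactly 32 bytes")
    deleted = entry[0] == DELETED_MARK
    first = b"?" if deleted else entry[0:1]                     # first character is lost on delete
    name = (first + entry[1:8]).decode("ascii").rstrip()
    ext = entry[8:11].decode("ascii").rstrip()
    cluster = (struct.unpack_from("<H", entry, 20)[0] << 16) | struct.unpack_from("<H", entry, 26)[0]
    size = struct.unpack_from("<I", entry, 28)[0]
    return {"name": f"{name}.{ext}" if ext else name, "deleted": deleted,
            "first_cluster": cluster, "size": size}

LEGACY_RE = re.compile(r"^D([A-Za-z])(\d+)\.(.+)$")   # Windows 98/2000/XP: D<drive><seq>.<ext>
MODERN_RE = re.compile(r"^\$([RI])(\w+)\.(.+)$")      # Windows 7+: $R<id>.<ext> data, $I<id> metadata

def parse_recycle_name(filename: str) -> dict:
    """Decode a renamed recycle-bin file back into drive / sequence / original extension."""
    m = LEGACY_RE.match(filename)
    if m:
        return {"style": "legacy", "drive": m.group(1).upper() + ":",
                "sequence": int(m.group(2)), "ext": m.group(3)}
    m = MODERN_RE.match(filename)
    if m:
        kind = "data" if m.group(1) == "R" else "metadata"
        return {"style": "modern", "kind": kind, "id": m.group(2), "ext": m.group(3)}
    raise ValueError(f"not a recycle-bin name: {filename}")
```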
So in this video, we talked about the goals of anti-forensics. We also talked about Windows file deletion at a high level, but we covered some specific file paths for the recycle bin that you'll want to memorize for the exam. And we also touched on the INFO2 file a little bit.
In the next video, we're going to go over password cracking at a high level. We'll talk about different ways we can do password cracking.