Naive criminals. How lay people hide digital evidence.

Carding 4 Carders

Carding 4 Carders

Professional
Messages
2,731
Reputation
13
Reaction score
1,367
Points
113
2e2cb5bb942d21d827862.png


Most criminals are far from professionals, so the methods they use to hide data are naive. And nevertheless, these methods work for the most part - simply because the investigator may not have the time or sufficient qualifications to conduct a qualitative analysis. What are the ways the average John and the average Mary use to hide evidence? The set of tricks is small, and the tricks themselves are quite ingenuous.

One day I was setting up a nested crypto container, protected by a hardware crypto key, and trying to figure out how to get to the information if the key was pulled out of the computer. The answer was more and more clearly formed in my head: no way. At this very moment, I was asked to comment on the document - essentially a police expert guide to finding digital evidence. The document delighted me so much that, without asking for official permission from its authors, I decided to write an article based on it. The enclosed cryptocontainers, along with the hardware encryption key, went to the side, and I sat down to study the methods by which, according to the police, most of the suspects are trying to cover their tracks and hide evidence.

Moving data to another folder​

No, now we are not discussing the "hiding" of the collection of pornographic pictures in the "Coursework on strength of materials" folder. We are discussing a naive, but quite effective way to hide evidence, simply by moving certain data to another location on the disk.

What is this, obvious stupidity or transcendental innocence? As naive as this method may seem, it may well work for rare and exotic data, such as jump lists (by the way, do you know what this is?) Or the WhatsApp messenger database. An expert may simply not have the time or sufficient determination to rummage around the entire computer in search of a database from ... and from what, in fact? There are hundreds, if not thousands, of instant messaging programs; go and understand which of them was used by the criminal. And, mind you, each application has purely its own file paths, names, and even its own database formats. Searching for them manually on a computer with tens of thousands of folders and hundreds of thousands of files is a futile task.

Obviously, this method of hiding evidence will only work if crimes that are not related to information security are being investigated. The investigator may not have any questions about the contents of the suspect's hard drive, and his analysis will turn into a formality. In such and only such cases, a method - let's call it the "Elusive Joe Method" - can work.

Using "safe" communication methods​

I especially admired this item. Curiously enough, modern criminals are well versed in security issues. They have a pretty good idea of how messages are transferred between chat participants, where they are saved and how to delete them.

The document describes in detail the possibilities that the investigation can use in order to still gain access to the chats. Here is the study of the areas of freelist databases in the SQLite format, and official requests to the manufacturers of messengers (for example, Microsoft will give the investigation logs of Skype conversations without unnecessary questions - after all, they are stored on the company's servers ), and even requests to smartphone manufacturers (here I recall a story, in which BlackBerry helped the Canadian police localize a gang of drug dealers who decided to use the company's proprietary messenger on the old BlackBerry OS platform).

In this regard, a curious incident comes to mind, which I heard about at a police event. The American police detained a person suspected of drug trafficking on an especially large scale. The suspect was technically well-versed and chose Apple iMessage as his only method of communication. IMessages are not stored on Apple's servers, and the suspect has carefully cleared the chat history after each session. Nothing interesting was found in the backup of his iPhone.

However, when the police began to investigate his computer (the criminal had a Mac), their joy knew no bounds: there were hundreds of thousands (!) Messages on the computer, the very existence of which the criminal (now definitely a criminal) did not even suspect. A novelty (at that time) from Apple helped to condemn the drug dealer - the Continuity system, which synchronized iMessages between all devices registered in one account.

By the way, the speaker complained that all the programs for analyzing the iMessage databases that existed at that time could not cope with so many messages and simply fell; the police had to write their own utility to parse the swollen database.

Morality? There is no moral here: if you are not an IT specialist, it is impossible to know about such moments.

Renaming files​

Another naive attempt to hide evidence is the renaming of files. As simple as it may sound, renaming, for example, an encrypted database of some secure messenger into something like C:\Windows\System32\oobe\en-US\audit.mui it is quite capable of passing by the attentive gaze of an expert. Indeed, there are thousands of files stored in Windows directories; to find something unusual among them (especially if it does not stand out in size) is a task that cannot be solved by manual labor.

How are such files searched for? It is forgivable for a naive average person not to know about the existence of a whole class of specialized programs designed specifically to search for such files on disks (and disk images) of suspects. It is not only the file name search that is used; an integrated approach is taken when traces (for example, in the Windows registry) of installed applications are analyzed, after which the paths to the files accessed by these applications are tracked.

Another popular way to find renamed files is the so-called carving, or end-to-end content search. Exactly the same approach, otherwise known as "signature search", has been used since the beginning of time in absolutely all anti-virus programs. Using carving, you can analyze both the contents of files on the disk and the contents of the disk itself (or only occupied areas) at a low level.

Should you rename your files? This is another trick of the "Elusive Joe", able to protect only from a very lazy investigator.

Deleting files​

Not sure how “naive” it is today to try to hide evidence by deleting files. The fact is that files deleted from ordinary hard disks, as a rule, are quite easily using the already well-known signature search: the disk is scanned restored block-by-block (now we are interested in fragments not occupied by existing files and other structures of the file system), each block read data is analyzed for compliance with a number of criteria (whether it is a file header of a certain format, part of a text file, and so on). With the help of such a scan, which is performed, by the way, in a fully automatic mode, the probability of successful (at least partial) recovery of deleted files is quite high.

BEC_deleted_skype.jpg

Forensic software (in the screenshot - Belkasoft Evidence Center) can recover deleted data, such as Skype chats, using deep analysis of SQLite databases
It would seem that deleting files is a classic "naive" attempt to hide evidence. But not when files are deleted from SSD drives.

Here you need to tell a little more about how the deletion (and subsequent reading) of data on an SSD works. You've probably heard about the existence of a "garbage collector" and the TRIM function, which allows modern SSDs to maintain high performance when writing (and especially overwriting) data. The TRIM command is issued by the operating system; it informs the SSD controller that certain blocks of data with certain physical (not really) addresses have been released and are no longer used.

The task of the controller is now to clear (erase data) the specified blocks, preparing them in such a way that new information can be quickly written into them.

But erasing data is a very slow process, and it happens in the background when the disk load drops. But what if, immediately after the TRIM command, a write command arrives in the same "physical" block? In this case, the controller instantly replaces such a block with an empty one, simply by modifying the value in the forwarding table. And the block, which is intended for erasure, receives a different "physical" address or is completely placed in an unaddressed pool from the reserve area.

Backfill question: if the controller did not have time to physically erase data from TRIM blocks, will the signature search be able to find anything in the free areas of the SSD?

Correct answer: in most cases, when trying to read data from a block that received a TRIM command, the controller will return either zeros or another data sequence that has nothing to do with the actual contents of the block. This is due to the implementation features in modern SSD protocols, which clearly define the controller's behavior when trying to read a block after the TRIM command. There are only three values here: Undefined (the controller will return the actual contents of the block; in modern SSDs it practically does not occur), DRAT (Determined Read After Trim, or fixed data after Trim; in consumer models it is most often found) and DZAT (Determined Zeroes After Trim, or always return zeros after Trim; common in models designed for RAID, NAS, and server-side scenarios).

Thus, in the overwhelming majority of cases, the controller will return us data that has nothing to do with the real contents of the drive. In most cases, you will not be able to recover deleted files from an SSD even seconds after they were deleted.

Data storage in the cloud​

Data in the cloud? You will say that there are no more such stupid criminals left, and you will be wrong. Users with an enviable consistency forget to disable either iCloud Photo Library, or OneDrive or Google Drive synchronization, or even more exotic types of synchronization - for example, a setting (which, by the way, does not exist in iOS at all; maybe that's why they forget?), Thanks to which information about calls from the iPhone (both by phone and via FaceTime) are immediately sent to Apple's servers. I have already given examples with the "forgotten" Continuity mode and BlackBerry messenger.

Perhaps I have nothing to add here, except that the data from the company's cloud is given out to the police without much resistance.

Using external drives​

Using encrypted flash drives to store information related to illegal activities seems like a brilliant idea to criminals. It would seem that nothing needs to be deleted - it is enough to pull out the USB flash drive from the computer, and no one will ever get access to the data (if the protection is strong). This is how naive criminals reason.

Why naive? The fact is that most ordinary users have no idea about the "tails" that remain after almost any manipulation of USB devices. So, once a case was investigated with the distribution of child pornography. The criminals used exclusively external drives (ordinary flash drives); nothing was stored on the disks.

The criminals did not take into account two points at once. First: information about connecting USB devices is saved in the Windows registry; if it is not removed, then it is stored there for a very, very long time. And the second point: if you use the Windows built-in explorer to access the images, then thumbnails of thumbnails are automatically created (and saved!), Usually at %LocalAppData%\Microsoft\Windows\Explorer\. After analyzing the thumbnail images and comparing the identifiers of the USB devices with the confiscated ones, the investigation was able to prove the involvement of the accused in the alleged crime.

What about encryption? And not everything is obvious here. First, there are specialized applications that allow you to create a dump of the computer's RAM and extract cryptographic keys from it that are used to access encrypted volumes (in particular, BitLocker To Go, which is popular among naive criminals). An example of such a program is Elcomsoft Forensic Disk Decryptor, with which you can analyze a dump in a fully automatic mode. And you can create an image of RAM using the free Belkasoft RAM Capturer utility .

RamCapturer.jpg

Belkasoft RAM Capturer

Secondly, it is no secret to anyone that many crypto-containers automatically deposit encryption keys into the cloud. And if Apple, upon activating FileVault 2, several times notifies the user that it will be possible to restore access to the partition through iCloud, then Microsoft, when encrypting the volume using BitLocker Device Protection, simply silently creates the escrow key in the user's Microsoft Account. These keys are available directly on the user account page.

How do I access my account? If the computer is configured to login using a Microsoft Account (and not a local Windows account), then an offline brute-force attack can recover the password, which is a surprise! - will match your Microsoft Account password.

Instead of a conclusion. Nested crypto-containers with a hardware key​

Seemingly impenetrable protection. Pioneer Vasya can giggle and rub his pens, confident that now his data is completely safe.

In theory, yes. Practically ... practically - there are subtleties of the legal plan. And here's a prime example.

The accused of downloading and possessing child pornography has been imprisoned in an American prison for more than two years. The official charge is the suspect's refusal to give out passwords for encrypted external storage (NAS), where, according to the court, child pornography is stored.

Whether it is stored there or not is unknown; no relevant content was found on the defendant. But the charge is very serious, and here you can sacrifice such trifles as the presumption of innocence and the right not to testify against oneself. So the accused sits and will sit until he reveals the passwords or dies of old age or other reasons.

Not so long ago, human rights defenders filed an appeal, which indicated that according to the law under this article (refusal to cooperate with the investigation), the maximum term of imprisonment is 18 months. The appeal was dismissed by the court despite the judge finding the lawyer's arguments “interesting and versatile”. The accusation is more serious - and the judges will turn a blind eye to anything, including written laws.

(c) xakep.ru
 
You must log in or register to reply here.

Similar threads

Carding
Quishing and the evolution of deepfakes: what do cybercriminals teach naive neural networks?
Replies
0
Views
103
Carding
Carding
Father
Dev Popper: Hackers lure naive programmers looking for work into their networks
Replies
0
Views
52
Father
Father
Teacher
Zero Trust as a Foundation: NSA asks Companies not to be so Naive in Cyberspace
Replies
0
Views
48
Teacher
Teacher
Lord777
Malvertising to the masses: hackers manipulate Google search results and infect naive users with malware
Replies
0
Views
160
Lord777
Lord777
CarderPlanet
The "groom" from Germany threw a naive girl for 2.5 million rubles
Replies
0
Views
86
CarderPlanet
CarderPlanet
Top