Anti-Forensic



Timestomp

No Comments Filed Under: Anti-Forensic
Timestomp is a utility co-authored by developers James C. Foster and Vincent Liu. The software’s goal is to allow for the deletion or modification of time stamp-related information on files.

Take for example the “Timestomp MACE Values” screenshot, which shows a command prompt window displaying the MACE values for a document file titled “text.txt”. Four (4) date and time stamps are displayed, and they are useful to forensic examiners in reconstructing when data was last Modified, Accessed, Created, or Entered into the NTFS Master File Table, whether by the operating system or manually by the user.

Timestomp MACE Change
Using the Timestomp application, the modified date and time stamp can be changed entirely (as evidenced by the “Timestomp MACE Change” screenshot). If it, along with the other entries, were changed to more believable dates and times, the validity of the document would fall into question, and the document could slip past an examiner’s watchful eye if the examiner were looking for modified files in an entirely different year or date span.
Timestomp MACE Change Proof
The “Timestomp MACE Change Proof” screenshot is a final shot of the Operating System’s interpretation of the Modified time stamp. It reflects the aforementioned change exactly.


Note: Although this program is designed to frustrate forensic analysis, its use can be easily detected. Because the program can delete all time stamp information, the absence of time stamp values would lead an examiner to conclude that something is amiss on the system. Microsoft Windows operating systems always record at least some time stamp information, so the total absence of it is a dead giveaway that a user has tried to hide something. On the flip side, if the values are simply changed to believable values, there is little chance of the change(s) being noticed at a casual glance.
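To show what the note above means in practice for an examiner, here is an added triage script (not part of the original post and not the Timestomp tool) that scans constructed MACE records: the zero-timestamp check is the post's own point, while the zero-sub-second heuristic and the volume-creation baseline are assumptions of this example.

```python
"""Triage NTFS MACE timestamps for signs of timestomping.

Added example, not part of the original post: records are constructed
inline (an MFT parser would supply them in practice) and timestamps are
Windows FILETIME values, i.e. 100-ns ticks since 1601-01-01 UTC.
"""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
MACE_FIELDS = ("modified", "accessed", "created", "mft_entry_modified")

def to_filetime(dt, ticks=0):
    """Convert an aware datetime to FILETIME, adding extra 100-ns ticks."""
    delta = dt - FILETIME_EPOCH
    whole = (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND
    return whole + delta.microseconds * 10 + ticks

def from_filetime(ft):
    """Convert FILETIME back to an aware datetime (100-ns part truncated)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def triage(record, baseline):
    """Return the findings for one file record.

    baseline: FILETIME before which no value on this volume can be genuine
    (assumed here to be the volume creation time).
    """
    findings = []
    values = [record[f] for f in MACE_FIELDS]
    # 1. Wiped timestamps: Windows always records some value, so zero/absent
    #    values are the "dead giveaway" described in the post.
    if any(v == 0 for v in values):
        return ["timestamp missing or zeroed"]
    # 2. Heuristic (assumption): Windows writes 100-ns precision, so all four
    #    values landing on exact seconds suggests they were set by a tool.
    if all(v % TICKS_PER_SECOND == 0 for v in values):
        findings.append("all MACE values have zero sub-second precision")
    # 3. A value earlier than the volume itself cannot be genuine.
    if any(v < baseline for v in values):
        findings.append("timestamp predates volume baseline")
    return findings

def sample_records():
    """Constructed sample: one untouched file, one stomped, one wiped."""
    normal = datetime(2008, 3, 14, 9, 26, 53, tzinfo=timezone.utc)
    stomped = datetime(2001, 1, 1, 0, 0, 0, tzinfo=timezone.utc)
    return [
        {"name": "report.docx",
         **{f: to_filetime(normal, 1234567 + i) for i, f in enumerate(MACE_FIELDS)}},
        {"name": "text.txt", **{f: to_filetime(stomped) for f in MACE_FIELDS}},
        {"name": "secret.xls", **{f: 0 for f in MACE_FIELDS}},
    ]

VOLUME_BASELINE = to_filetime(datetime(2006, 6, 1, tzinfo=timezone.utc))

def triage_all(records=None, baseline=VOLUME_BASELINE):
    """Map each record name to its findings (empty list = nothing unusual)."""
    records = sample_records() if records is None else records
    return {r["name"]: triage(r, baseline) for r in records}
```

Neither heuristic is proof on its own; a hit is a reason to compare the $STANDARD_INFORMATION values against other sources (the $FILE_NAME attribute, the USN journal, log files) before drawing a conclusion.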


Anti forensics: The End of Computer Forensics?

No Comments Filed Under: Anti-Forensic
Computer forensics is a relatively young discipline. In short, it is about using computer science and technology to establish facts and preserve evidence of those facts. (I realize that other definitions are in use.) It is an after-the-fact, reactive method of establishing what has happened or reconstructing crimes that have taken place. More and more tools are coming out that are used to make reconstruction more difficult, if not impossible, and computer forensics more and more expensive and legally irrelevant.

During an investigation into data theft it was established that one of the employees of the client had downloaded an mp3 and played it. It was also established that hidden in the mp3 was a rootkit that had installed itself. As a result a hacker had been able to gain “administrator” access to the client’s system, completely undetected, and for over a year this access had been used to obtain confidential information. But here’s the catch: it was not identified who the hacker was, and most likely no one ever will. (If there are some up for the challenge they are hereby invited.) It makes you wonder: who and what else?

More and more hackers appear to focus on what is currently being named the field of anti-forensics: tools that make it hard, if not impossible, for computer forensic investigators to identify what has happened, who the perpetrator is, and to link the perpetrator to the identified security breaches and data thefts. What makes life especially hard for forensic investigators is that the elite nature of these techniques is over. Very similar to the availability of hacking techniques that focussed on gaining access in the old days, more and more these anti-forensic tools are coming down the ladder of availability to the greater public. What’s more, this is taking place at a time when more and more people with less noble intentions, and not technically up there, are looking for ways to get their hands on all the cash moving around on-line. Anti-forensics are a great help in covering their tracks.
In the good old days, hackers and data thieves tried to avoid detection using back doors and other techniques. Nowadays, they seem not to care. Why? Because even when you do detect what is happening, and this gets easier and easier, you will never find out who the perpetrator is.

The Legal Side of Things: from hard evidence to circumstantial evidence
It is my sincere expectation that well before the field of computer forensics has come to full bloom, especially here in New Zealand, we will already be faced with a situation or at least an increased chance that computer forensic evidence will become more and more circumstantial as a result of the anti forensic tools that are readily available on the market.

Computer forensics is in a way telling a story, establishing what has happened and who made things happen. The basis has always been that data captured could be trusted. This is no longer necessarily true (btw very similar to abuse of telephone facilities since VOIP networks came in place).

While it has always been a challenge to put a person behind a machine in terms of reconstructing what has happened, we are now faced with an additional problem of establishing which machine was the one that can be identified as “the guilty machine”.

In this environment data is no longer trustworthy. The implication of this can hardly be understated. Where a presumption of reliability falls away, prosecution becomes a severe challenge and more and more a less appealing option when you take into consideration the relatively heavy burden of evidence in criminal prosecutions.

Anti forensic tools could in effect create a form of de facto legal immunity for those that know how to use these new tools.

Will Computer Forensics stay an Economically Viable Option?
With the rise in insecurity of a useful and reliable outcome and with the continuously growing difficulties in this field of investigation, it is not too hard to imagine what will happen with this field of expertise.

If it becomes increasingly difficult to figure out what has happened and if the chances of legal usability of the findings decrease as a result of these anti forensic tools, chances are that corporates will opt for the economically most viable alternative: forget about investigations and write off the losses. (Might there be a new market for the insurance industry here?)

Back to Basics
What does this mean for the computer forensics field? In my view it means that we will need to (re-)establish broader approaches to investigating computer crimes.

I cannot help finding myself in situations where the technical capabilities need to be downplayed and instead a broader focus is required, one that takes into consideration physical investigative techniques such as traffic analysis of phones, email, mobiles and data; interviewing and interrogation; physical inspection and investigation of suspects’ premises; telephone taps; running informants and focusing on witnesses close to the suspects; loggers on suspected computers; following up on victim transactions (including, where possible and appropriate, camera footage analysis and, for instance in the case of credit card abuse, tracing and surveillance of people and goods); and good old crime analysis techniques that depart from an all-source approach.

Come to think of it, every computer forensic investigation I did had a physical component to it if only to interview and take statements of subjects thought to be behind the incidents. What has changed over the years in many instances is that the technique has become a means in itself, used by those with great technical capabilities but not necessarily equipped with the general investigative skills and creativity to come to a satisfactory result. Back to basics I would say.

Thinking about it, this takes me back to the days I worked with one great police officer in the Netherlands, Hoofd Inspecteur Harm Beukenholdt. He once told me, years back: “John, you have the technical guys, and you have the old school detectives. Success will be for those that know how to bring these apparently strictly divided worlds together to work efficiently and effectively.”

The field of anti forensics is now proving him well ahead of his time. He could basically have predicted what is taking place at the moment.

What he understood and so many nowadays have forgotten is that it is all a matter of layering the evidence, building it up and narrowing the escapes. If we had to rely on computer forensic evidence solely, we would get stuck. Luckily however there are those that understand the value of a multi-disciplinary approach.

For those considering a business in computer forensics: don’t give up your day job if that is all you have to offer. Some time ago I wrote a blog called Evolutionary Notes on Private Investigators, dealing with the changing face of investigators. The last stage in that evolution is the investigator as manager of all the new experts in a multi-disciplinary approach. That’s where we at Dierckx & Associates shine. We have a network in place covering all relevant disciplines and John Dierckx is equipped and experienced in bringing these disciplines together.


Computers > Security > Products and Tools > Forensics and Anti-Forensic Degaussers

No Comments Filed Under: Anti-Forensic

Deletion
Web Pages
  Eraser http://www.heidi.ie/eraser/
Secure data removal tool for Windows. (Open Source)
  NoClone http://noclone.net
Shareware file deletion and management utility, search for duplicate files, zero-size files and same filename. Windows 9x/Me/NT4/XP/2000.
  EAST Technologies http://www.east-tec.com/
Utilities designed to completely eliminate sensitive data from your computer and protect your computer and Internet privacy. Encrypt sensitive files and folders. For all Windows operating systems.
  FSlint http://www.pixelbeat.org/fslint/
A Linux toolkit with GUI and command line modes, to report various forms of disk wastage on a file system. Reporting duplicate files, file name problems, dangling links and redundant binary files. This program is distributed under the terms of the GNU GPL.
  Recover98 http://www.recover98.com/
Recover files from a hard disk drive or floppy diskette with a corrupted file system or a virus. Also access files from an accidentally formatted disk, or recover any files that have been deleted. For all Windows operating systems.
  Complete Cleanup Shareware http://www.softdd.com/complete/index.htm
Deletes browsing history, cookies, recent documents and recent files lists. From Softdd.
  Fast Cleaner Gold http://www.eshinesoft.com/
Utilities to scan and clean up error making and useless garbage files, clear IE cache, cookies, history, for Internet privacy protection and perform disk usage analysis.
  Delenda http://peccatte.karefil.com/Software/Purge/DelendaEng.htm
Automatically deletes old files in a set of folders. Continuously displays the number of files in each defined folder or tree. Automatically purges Macintosh files stored on NT/2000 file server.
  Acronis Drive Cleanser http://www.acronis.com/enterprise/products/drivecleanser/
Guarantees the complete destruction of data on selected partitions and/or entire disks.
  Data Destroyer http://www.hermetic.ch/dd/dd.htm
A Windows program for secure file deletion which destroys (or purges) data in multiple files and multiple folders on floppy, ZIP or hard disk so that the data cannot be recovered, a process also known as ’sanitization’.
  Destroy http://www.destroy.com.au/
A Data Removal System that securely erases all data from every hard disk on a PC.
  PANTERASoft Utilities http://www.panterasoft.com/
Smart Cleaner and Advanced Cleaner Lite, clean unwanted files from disks. Windows shareware. Note: May not support some browsers.
  Mutilate File Wiper http://mutilatefilewiper.com
Mutilate destroys sensitive files so they can never be recovered or undeleted.
  X-Ways Security Permanent Erasure http://www.x-ways.net/security/
Erase logical drives or entire physical disks completely and irreversibly. Clean formerly used NTFS file records, which contain filenames and other data.
  Check Identical Files http://www.abc-view.com/cif.html
Utility that checks your hard disk for annoying duplicate files and allows you to delete them easily. [Win 9x/NT/2000/Me]
  4Diskclean Gold http://4diskclean.com/
Cleans up temporary, duplicate, internet and garbage files. Windows 95/98/ME/2000/NT/XP shareware from RSS Systems.
  QuickWiper http://www.aks-labs.com/products/quickwiper.htm
Windows file wipe utility with NSA erasure algorithm, works with FAT16, FAT32 and NTFS.
  Remove 3.1.2 http://www.mikasalonen.com/remove/
Full featured uninstaller program for removing shown and hidden applications and entries from the Windows Add/Remove applet in the Control Panel. Software overview, screenshots, and trial download. [Windows 95/98/ME/NT/2000/XP]
  Miniwish Software http://www.miniwish.com/
Application to free up disk space by deleting junk files that are no longer used by any software on the system. Additionally this software will clean cookies and many other temporary folders on the hard drive. [Windows 95/98/Me/NT/2000/XP]
  CleanEm http://camtech2000.net/Pages/CleanEm.html
Safely removes unnecessary temporary, duplicate, internet and garbage files. Designed in an XP style theme. [Windows 95/98/Me/NT/2000]
  CleanCenter http://www.cleancenter.net/
Delete unwanted files from hard drives. Free trial offer, supports all Windows systems.
  123 Cleaner http://www.zminsoft.com/123cleaner
Protect your privacy by cleaning your tracks on the Internet and protecting personal information.
  PC Garbage Remover http://www.softdd.com/pcgarb/index.htm
Scans for different types of useless files, includes viewers. Windows shareware from Softdd.
  Duplic8 http://www.kewlit.com/duplic8/
Duplicate file manager for Windows 95/98/ME/NT/2000. Load and save search profiles for quick repeat searches. With Mark Wizard select all the oldest/newest files for deletion, or target them by drive automatically. Features many unique and powerful features.
  Find Unused Files http://kanadepro.com/findunusedfiles/
Check for old and unused files for deletion. Specify which folder to look in and whether to include the subfolders when looking for such files. [Freeware]
  WinClean http://www.batl.com/winclean.html
Cleans up unnecessary files and components of operating system, scan the registry, delete broken shortcuts. Equipped with a ‘Safety Net’ mechanism that allows reverting major changes made to the operating system.
  SeeknClean http://www.seeknclean.com/
Fixes and prevents errors by finding and deleting 40 different types of error producing and space-wasting garbage files. Targets specific types of error producing files that common disk utilities, uninstall, and defrag miss. [Win 95/98/Me/NT/2000]
  Disk Secure Eraser http://www2.neweb.ne.jp/wd/morimoto/en/diskeraser/
Windows shareware utility to erase all files, and hidden data on a storage media.
  TimesUp http://timesup.hartsoft.com
Command-line tool for deleting files after a given number of days. Delete old tmp files, log files and orphaned directories. Software overview, screenshot, FAQs, and download.
  File Pulverizer http://www.toplang.com/filepulverizer.htm
Deletes files and folders in a way that prevents others from recovering them; supports deleting files/folders directly from Explorer.
  Lizard Labs http://lizardlabs.tripod.com/
XT File Shredder Lizard is a secure file removal shareware utility that removes sensitive data from disk drives by overwriting it and then deleting it. Multilingual site in English and Macedonian.
  File Monster http://members.aol.com/PurpleTSoft/monster
Completely erases and deletes files from your system by overwriting all the data in the file to ensure that a file recovery utility will not be able to recover the file. [Shareware]
  CHAOS Shredder http://www.safechaos.net/cs.htm
Completely erase files from the hard disk, without the possibility to recover it by any practical software or hardware methods. [Windows 95/98/Me/NT/2000/XP]
  CleanKeeper http://www.cleankeeper.esmartweb.com/
An easy and powerful tool to find and delete garbage files. Download the shareware version and get free disk space.
  Smart Cleaner http://www.scaramouch.com/en_home.php
Disk cleaner which removes more than 25 unnecessary file types from your hard drive. Program can be set to run automatically at specified times. Time limited demo for all versions of Windows.


Slacker

No Comments Filed Under: Anti-Forensic

Eraser

No Comments Filed Under: Anti-Forensic

From Forensics Wiki

eraser
Maintainer: Heidi Computers
OS: Windows
Genre: Secure deletion
License: GPL
Website: heidi.ie/eraser

Eraser is a Windows tool that allows you to securely remove files from your computer’s hard drive and securely wipe free space, so as to remove the residual data of previously deleted files, by overwriting with specially selected wiping patterns.


Eraser currently works with Windows 95, 98, ME, NT, 2000, XP, Windows 2003 Server and DOS and supports FAT and NTFS formatted IDE/SATA/SCSI hard drives. Support for Vista was introduced in 5.83beta.


The software supports the scheduled wiping of files via its Scheduler console as well as on demand file wiping which can be done via an Explorer context menu or dragging files to the Eraser application. It can attempt to wipe locked files (e.g. index.dat files) after the next reboot by forcing a wipe before Windows takes control again.


Methodology


Eraser overwrites the filename for each deleted file with zeros up to the maximum filename length.


Supported wiping patterns include:

  Erase File                             Erase Free Space
  Gutmann                                Gutmann
  US DoD 5220.22-M (8-306 /E, C and E)   US DoD 5220.22-M (8-306 /E, C and E)
  US DoD 5220.22-M (8-306 /E)            US DoD 5220.22-M (8-306 /E)
  Pseudorandom Data                      Pseudorandom Data
  First and Last 2kb                     -
  Schneier’s 7 Pass                      Schneier’s 7 Pass

Authors


Eraser was originally developed by Sami Tolvanen and is now maintained by Garrett Trant of Heidi Computers Ltd.


Darik’s Boot and Nuke

No Comments Filed Under: Anti-Forensic
Darik’s Boot and Nuke (DBAN) is a disk image that can create a bootable CD/DVD/floppy/USB device that securely wipes the hard disks of most computers. DBAN has support for all 32-bit x86 machines as well as beta builds for Cisco routers, SPARC, PowerPC and HP PA-RISC hardware architectures. DBAN is bundled with Eraser.

Wipe Methods
  • Quick Erase
  • Canadian RCMP TSSIT OPS-II Standard Wipe
  • American DoD 5220-22.M Standard Wipe
  • Gutmann Wipe
  • PRNG Stream Wipe

Data Destroyer

No Comments Filed Under: Anti-Forensic

Data Destroyer is for:
  1. Purging disk files (by overwriting them many times) so that not only are the files deleted but the data which was in them cannot be recovered by any means.
  2. Removing (using the same purge process) all data (or, optionally, almost all data) on a disk.

If you wish to make sure that information which has been written to disk (such as financial data, etc.) can never be seen again after you remove it then you need a program with the capabilities of this one. Also, if you sell your old PC you may wish to make sure that all data is erased (permanently and irrecoverably) from the hard disk, including data in the swap file.

Beware of data removal programs that are claimed to delete files quickly. The only way data can be removed permanently is to overwrite it (on disk, not just in the disk cache) several times at least, and this takes time.

Data Destroyer can purge multiple files in multiple folders in a single operation. You can also tell it to purge the slack area at the end of files. You can tell Data Destroyer not to delete a purged file so that you can inspect the contents with a hex editor. And you can request an estimate of the time required for a file purge or a disk wipe operation.
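A multi-pass purge in the spirit of the Eraser methodology above (overwrite the data, blank the filename, then delete) and of the Data Destroyer description here (several passes, flushed to disk rather than the cache, with the option to keep the purged file for inspection). This is an added example, not code from either project; the pass schemes follow the public descriptions of DoD 5220.22-M (E) and Schneier’s 7-pass, and the `keep` option and `demo` helper are this example’s own.

```python
"""Multi-pass file purge following the Eraser / Data Destroyer descriptions.

Added example, not code from either project. Schemes: DoD 5220.22-M (E) =
fixed byte, its complement, random; Schneier 7-pass = ones, zeros, then
five random passes. Every pass is flushed and fsync'ed to reach the disk.
"""
import os
import secrets
import tempfile

BLOCK = 64 * 1024

# Each scheme is a list of passes; None means a fresh pseudorandom pass.
SCHEMES = {
    "dod_e": [b"\x00", b"\xff", None],
    "schneier": [b"\xff", b"\x00", None, None, None, None, None],
}

def _overwrite(fh, size, pattern):
    """Overwrite the first `size` bytes with a repeated byte or random data."""
    fh.seek(0)
    remaining = size
    while remaining:
        n = min(BLOCK, remaining)
        fh.write(secrets.token_bytes(n) if pattern is None else pattern * n)
        remaining -= n
    fh.flush()
    os.fsync(fh.fileno())  # onto the media, not just the disk cache

def wipe_file(path, scheme, keep=False):
    """Run every pass of `scheme` over `path`; blank the name and unlink.

    keep=True leaves the overwritten file for inspection with a hex editor
    (Data Destroyer offers the same option). Returns the pass count.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for pattern in scheme:
            _overwrite(fh, size, pattern)
    if not keep:
        # Eraser's methodology: overwrite the filename with zeros (here up to
        # the original name length) before removing the directory entry.
        directory, name = os.path.split(path)
        blanked = os.path.join(directory, "0" * len(name))
        os.replace(path, blanked)
        os.unlink(blanked)
    return len(scheme)

def demo(scheme_name, keep=False):
    """Constructed sample: purge a temp file holding a known marker string."""
    marker = b"CONSTRUCTED SENSITIVE RECORD 0001\n"
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "wb") as fh:
        fh.write(marker * 300)
    passes = wipe_file(path, SCHEMES[scheme_name], keep=keep)
    result = {"passes": passes, "exists_after": os.path.exists(path)}
    if keep:
        with open(path, "rb") as fh:
            data = fh.read()
        os.unlink(path)
        result["marker_gone"] = marker not in data
        result["size_unchanged"] = len(data) == 300 * len(marker)
    return result
```

On flash media with wear levelling, on journaling or copy-on-write filesystems, and on volumes with shadow copies, an in-place overwrite may never reach the blocks that held the original data, which is why whole-device sanitization (as DBAN does) or encryption with key destruction is the dependable choice when disposing of a disk.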

Here is a typical screenshot:



Here is the user manual for the software:
  1. Introduction
  2. Types of purge
  3. Testing purge speed
  4. Purging a single file
  5. Purging multiple files
     1. Specifying the folder containing the files to be purged
     2. Subfolders?
     3. Specifying the files (in the folder) to be purged
     4. Confirm files?
  6. Listing files and estimating purge time
  7. Purging files
  8. Wiping a disk
  9. Saving and Loading the setup
  10. Further considerations
     1. Purging the slack area
     2. Compatibility with antivirus software
     3. Protected files
  11. Purging the swap file