
Daily Blog #449: Solution Saturday


Hello Reader,

Another week, another winning answer by Adam Harrison! The CTF is ending in an hour and I look forward to seeing how this all shakes out.

The Challenge:

Name all of the Windows and OSX artifacts you would examine to determine if Anti Forensics tools have been executed.

The Winning Answer:

The majority of Anti-Forensic tools are just programs like any other, often executed within the host OS. Additionally, the question specifically asks about proving execution of Anti-Forensic tools. As such the first thing I will concern myself with is evidence of program execution.

Noting that different anti-forensics tools may miss certain evidence sources (especially if run with basic user privileges) it is important to be broad in the areas you look, as one of the lesser known or used artifacts may have been left untouched by the tools. Additionally, in cases of suspected anti-forensic efforts I would be interested in the content of all of these artifacts, including whether they are empty, as this may be an indication of anti-forensics tool use in and of itself.

Evidence of Tool Execution

Jump Lists

Log Files (tools may be deployed as services or with a scheduled element, process creation events associated with Audit Process Creation)

Third party application execution monitoring (e.g. AV, DLP, etc.)

WSL (If WSL is in use then this opens a whole other kettle of fish: .bash_history, evidence of tool installation etc.)

Evidence of process artifacts in RAM

Command history in RAM

knowledgeC.db database (application usage data)

.bash_history (if tools used or executed from command line)

FSEvents (evidence of filesystem events including creation of software files and also deletion and renaming associated with tool use)

com.apple.finder.plist (evidence of Finder searches for software)

Spotlight Shortcuts plist

.bash_history in RAM

Evidence of process artifacts in RAM

Evidence of Tool Use

In addition, the use of anti-forensics tools can leave their own artifacts behind. In the case of CCleaner the presence of deleted but recoverable “ZZZ” files and folders is a classic indicator of use. Other similar unique fingerprints are associated with different anti-forensic tools. One other such tell-tale sign is recoverable files with random filenames and high entropy content consistent with being overwritten with pseudo random data; entropy analysis of recovered deleted files can highlight these.

Evidence of research/download/installation

Proving the intent of a user can also be useful, whether or not evidence of the use of anti-forensic tools is actually identified: evidencing that tools were sought, downloaded and installed during an in-scope time frame (such as just after an employee was notified of an HR interview etc.). Additionally, evidence that research was performed into hiding evidence can be helpful in painting a picture as to a user's intentions and help to combat the "My computer was running slow so I used CCleaner" defense.

Registry artifacts (installed applications, application specific entries etc.)

The disk… (Look for executables for anti-forensics tools on disk e.g. ‘Program Files’ directories, ‘Applications’ directories, ‘Downloads’ directories)

Browser History/Cache/Cookies for evidence of search history and websites visited (location dependent on OS and installed browser(s))

Proxy/web filtering logs (evidence of browsing to sites concerning anti-forensics and downloading of tools)

AV Logs (scanning of downloaded executable)


You never know where you might find that smoking gun which demonstrates the intention to circumvent forensic analysis. In one notable case, a colleague of mine stumbled across an iOS note which was stored within a backup on the suspect's computer. Within it the suspect had detailed a proposed methodology to steal data from his employer which would be “undetectable”. Using throwaway virtual machines (which would then be wiped from disk) he proposed to collate and extract data from the organisation and transmit it to a cloud service connected to via the VM. The actions performed left almost no trace of the IP theft, but what evidence there was of the existence of a now deleted VM, coupled with the note, made compelling reading in court.
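The entropy analysis the answer mentions under "Evidence of Tool Use" can be scripted: the example below (added here, not part of Adam's answer or any tool it names) computes Shannon entropy for every file under a directory of recovered files and flags those whose content is near 8 bits/byte, the signature of data overwritten with pseudo random bytes, together with a filename heuristic for random-looking names. The thresholds, the filename regex and the sample directory are assumptions constructed for the demo.

```python
import math
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

HIGH_ENTROPY = 7.9   # bits/byte; uniformly random data approaches 8.0 (assumed threshold)
MIN_SIZE = 4096      # skip tiny files, whose entropy estimate is noisy (assumed)
# Assumed heuristic: long, extension-less alphanumeric names look machine generated.
RANDOM_NAME = re.compile(r"^[A-Za-z0-9]{8,}$")


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant input, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path: Path) -> dict:
    """Describe one file: size, entropy and whether it trips either wiping heuristic."""
    data = path.read_bytes()
    ent = shannon_entropy(data)
    return {
        "path": str(path),
        "size": len(data),
        "entropy": round(ent, 3),
        "high_entropy": len(data) >= MIN_SIZE and ent >= HIGH_ENTROPY,
        "random_name": bool(RANDOM_NAME.match(path.name)),
    }


def scan_recovered(root: Path) -> list[dict]:
    """Return the files under root whose content looks overwritten with random data.
    Compressed or encrypted files also score high, so each hit is a lead, not proof."""
    return [classify(p) for p in sorted(root.rglob("*"))
            if p.is_file() and classify(p)["high_entropy"]]


def build_sample_dir() -> Path:
    """Constructed sample data: a wiped-looking file, a text file and a zero-filled file."""
    root = Path(tempfile.mkdtemp(prefix="recovered_"))
    (root / "q7Hx9Lm2Tz").write_bytes(os.urandom(64 * 1024))           # random name + bytes
    (root / "report.txt").write_bytes(b"Quarterly report, nothing odd.\n" * 400)
    (root / "zeroed.bin").write_bytes(b"\x00" * 64 * 1024)
    return root


if __name__ == "__main__":
    for hit in scan_recovered(build_sample_dir()):
        print(hit)   # only q7Hx9Lm2Tz is reported
```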
