anti-live-forensic toolkit

Well I’ve been developing this for a while now and still haven’t finished, mainly because I’ve got little time to spare for coding. Previously I wrote about using somekind of ping to see if your computer is still connected to the net. The solution is fun but it will not prevent forensic analysis of your computer. I have expanded upon that previous post and started to write a toolkit which could be used if we assume the following:

You want to prevent live-forensic analyses of your computer at all costs. You don’t care about normal forensic analysis because your harddisk is encrypted and you have used a real long password and a keyfile.

So with that in mind I started to construct something which frustrates live forensics and at the same time is easy to expand. If you are concerned about normal forensic analysis you can always turn to some of the current anti-forensics projects like the one at metasploit.

The main reason I concentrated on frustrating live forensics is because if the FDE you use is properly implemented and you have properly followed all security precautions and best practices, it SHOULD be impossible for  normal forensics to break it. So all they are left with is live forensics, that means NOT unplugging the computer and trying to get their software onto the target pc to analyze it. The goal I set was the following:

• Detect alien activity of any kind on the computer and shut down inmediatly.

You could now object that if they somehow manage to get a trojan on your computer it’s game over. That is not entirely true, it all depends on how paranoid you are and the modules you build. The toolkit works as follow.

There is one main application which starts when the computer starts. It then polls every 30 seconds it’s modules, for the time beeing I’ve chosen to use a polling mechanism instead of an event based mechanism, theoretically it could be possible for live forensics to disable the toolkit within those 30 seconds, but then again like I said before it all depends on how paranoid you are and if you want it polling based or event based etc. The main advantage of a toolkit like this one is the surprise factor. Since it’s a modular toolkit the investigator will never know what he is up against. Someone could have implemented this with only two modules and someone else could have implemented it using five modules, so there is no real way to anticipate for all possible modules. At the moment there is only some half working alpha code availible so bare with me. The main application looks like this:

 while(1){
 	for(y=0;y<aPlugins;y++){
 		MyIsScrewed = (BMyIsScrewed) GetProcAddress(LoadedPlugins&#91;y&#93;,"IsScrewed");
 		if(MyIsScrewed != NULL){
 			if(MyIsScrewed()){
 				LockWorkStation();
 			}
 		}
 	}
 	Sleep(TIMEOUTCHECK);
 }

&#91;/sourcecode&#93;

I have ommitted all kind of preloading and other setup sourcecode. All this sourcecode does is walk through every loaded plugin and call it's information function, the information function is called 'IsScrewed()' , and checks to see if it should lock the workstation. I'm working under windows and have chosen to lock the computer instead of shutting it down since that spares me some rebooting time while developing. So each plugin has that function and it returns 1 or 0 depending if the plugin detected alien activity or not. For example I converted the ping application to a plugin for this framework and it looks like this.

&#91;sourcecode language='c'&#93;

#include <winsock.h>
#include <windows.h>
#include <stdlib.h>

#pragma comment(lib,"ws2_32")
#pragma comment(lib,"user32")

void CheckCon();
int IsScrewed();

int doLock;
WSADATA wsaData;

BOOL WINAPI DllMain(__in  HINSTANCE hinstDLL,__in  DWORD fdwReason,  __in  LPVOID lpvReserved){
 doLock = 0;

 switch(fdwReason){
        case DLL_PROCESS_ATTACH:
         // Initialize once for each new process.
         // Return FALSE to fail DLL load.
 		DisableThreadLibraryCalls((HMODULE)hinstDLL);
 		if(WSAStartup(MAKEWORD(2,0),&wsaData) != 0){
 			doLock = 1;
 			return 0;
 		}
            break;
        case DLL_THREAD_ATTACH:
         // Do thread-specific initialization.
 		//return FALSE;
 		break;
        case DLL_THREAD_DETACH:
         // Do thread-specific cleanup.
 		//return FALSE;
 		break;
        case DLL_PROCESS_DETACH:
         // Perform any necessary cleanup.
 		Sleep(100);
            break;
 }

 return TRUE;
}

void CheckCon(){
 struct sockaddr_in sin;
 SOCKET sockout;

 sockout = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
 if(sockout == INVALID_SOCKET){
 	doLock = 1;
 	return;
 }
 memset(&sin,0,sizeof(sin));
 sin.sin_family = AF_INET;
 sin.sin_port = htons(80);
 sin.sin_addr.s_addr = inet_addr("64.233.183.147"); //google ip 64.233.183.147

 if ((connect(sockout, (struct sockaddr *)&sin, sizeof(sin))) == SOCKET_ERROR) {
 	doLock = 1;
 	closesocket(sockout);
 	return;
 }

 closesocket(sockout);
}

int IsScrewed(){
 MessageBox(NULL,"PingLock_ALF.dll","LoadLibrary()",MB_OK);
 CheckCon();
 return doLock;
}

That is all. With this setup you could write tons of plugins aimed at detecting specific live forensic activity and then perform some actions.  Here are some examples of plugins I’m writing or could be written for this framework and some possible actions.

Possible Plugins

• Ping a website, perform <action> when the ping fails.

• Check router mac address, perform <action> if the address has changed(could indicate rogue wireless router to make it possible to move the computer)
• Detect insertion of hardware like usb,harddisk,pcmcia etc.
• Detect case movement use external accelerometer for this
• Detect access to file/folder, perform <action> if the file/folder beeing watched is accessed(could indicate possible remote forensic analysis by means of a trojan)
• Detect access to memory location where your FDE key material is stored
• listen for incomming skype calls(so you can always prevent live forensics,even if you are not home)
• listen for incomming cellphone calls(so you can always prevent live forensics,even if you are not home)

Possible Actions

• Lock the workstation
• Shutdown the computer
• Initiate thermite melt.
• Securely erase data

So this is a fairly easy yet powerfull framework to frustrate live forensic investigators. The only weak side is if they decide to perform the cold boot attack right away…in that case i hope you have implemented a few actions simultaniously like…start securely erasing content and lock the workstation then if you notice movement on the case shutdown and initiate thermite melt. You can also just build a cage around your case which prevents them from accessing the ram.