Anti-Forensics: 3 tools

This essay was originally written 03 Oct 2021 for Professor Leinecker's Digital Forensics I course.


  1. xxUSBSentinel  (https://github.com/thereisnotime/xxUSBSentinel)

You can download the executable for this tool from github.com. Its goal is to "make recovering your encryption drive keys almost impossible." I had trouble understanding this tool at first, so I did more research. While an encrypted volume is mounted, its key is held in RAM; when the computer is fully shut down (as opposed to sleeping or hibernating, which keep the key in memory or write it to the hibernation file [1]), that key is gone and the user must enter it again on the next mount. Knowing this, the tool's purpose is a quick way to force that key loss. You launch the program, plug in and unplug your USB stick so it learns which device to watch, and the next time you insert the stick you arm the tool to listen for the disconnect notification, after which it shuts the computer down.

Let's say you have an encrypted USB stick attached to your computer. You want the key for this drive to be forgotten should investigators look at your computer. This utility ensures that when the user pulls the stick from the computer, the encryption key is forgotten and must be entered again the next time the drive is used. An investigator can get around this via social engineering, by getting to the computer while the USB stick is still inserted and imaging memory or the mounted volume live instead of pulling the plug. The protection also only holds if the shutdown is a real power-off: a hibernate or hybrid shutdown writes the contents of RAM, key included, to disk [1].
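To make the arm-and-watch flow concrete, here is an added example of the same mechanism in Python. It is not xxUSBSentinel's code (that tool is Windows-specific and reacts to the OS device-removal notification rather than polling); the /dev/disk/by-id enumeration, the shutdown commands and the device names in the constructed snapshots are assumptions:

```python
import os
import subprocess
import sys
from typing import Callable, Iterable, Optional, Set


def snapshot_block_devices() -> Set[str]:
    """Enumerate attached disks on a udev-based Linux host (assumption: /dev/disk/by-id
    exists; returns an empty set elsewhere). xxUSBSentinel itself is a Windows tool and
    subscribes to the OS device-removal notification instead of polling like this."""
    path = "/dev/disk/by-id"
    return set(os.listdir(path)) if os.path.isdir(path) else set()


def learn_device(before: Set[str], after: Set[str]) -> Optional[str]:
    """The 'plug and unplug' step: the stick is whatever appeared between the snapshot
    taken before and the one taken after plugging it in. Refuses to guess when zero or
    several devices appeared, so the user cannot arm on the wrong device."""
    added = after - before
    return next(iter(added)) if len(added) == 1 else None


def watch_for_disconnect(armed: str, snapshots: Iterable[Set[str]],
                         on_disconnect: Callable[[], None]) -> bool:
    """Armed mode: consume device snapshots and fire on_disconnect exactly once when the
    armed device disappears after having been present. A device that was never present
    (the stick was not re-inserted) is not treated as removed. Returns True if it fired."""
    present = False
    for snap in snapshots:
        if armed in snap:
            present = True
        elif present:
            on_disconnect()
            return True
    return False


def power_off() -> None:
    """The real trigger. It must be a full power-off so the key held in RAM is lost;
    hibernation or a hybrid shutdown writes RAM to hiberfil.sys and defeats the point [1].
    The commands below are assumptions about the host, not taken from xxUSBSentinel."""
    cmd = ["shutdown", "/s", "/t", "0"] if sys.platform == "win32" else ["systemctl", "poweroff"]
    subprocess.run(cmd, check=False)


def demo() -> dict:
    """Constructed snapshots standing in for real device enumeration, with a recording
    callback in place of power_off() so the run is harmless."""
    before = {"ata-INTERNAL_SSD"}
    after = {"ata-INTERNAL_SSD", "usb-Kingston_DataTraveler_3.0"}
    stick = learn_device(before, after)
    actions = []
    fired = watch_for_disconnect(
        stick,
        [after, after, before],          # present, present, yanked
        lambda: actions.append("power_off"),
    )
    return {"stick": stick, "fired": fired, "actions": actions}


if __name__ == "__main__":
    print(demo())
```

In a real deployment the snapshot list would be a generator that calls snapshot_block_devices() every second or so, and the callback would be power_off(). Note that the watcher never fires for a device it has not seen present, which is the behaviour you want when the user arms the tool before re-inserting the stick.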

  2. Metadata-Remover  (https://github.com/Anish-M-code/Metadata-Remover)

This tool is simple: it removes identifying metadata, such as EXIF tags, from images and videos. Its purpose is to protect your anonymity when posting media. It is a CLI tool written in C and Python 3. To use it, download the latest release, unpack it into a directory, and run the executable, which opens a command-line prompt. Drag your image into the "images" folder in the tool directory, then type the image's file name at the prompt, and the tool scrubs it.

The importance of this tool is protecting your anonymity. Image and video metadata can reveal your location (GPS coordinates), the camera or phone used, and other personally identifiable information. A forensic investigator can thwart the scrub by obtaining the original file. The weak point of this method is that it is meant to be used when uploading files online, so an investigator with access to the host machine may well find an unscrubbed copy of the original; and the picture content itself (faces, landmarks, text in the frame) is untouched by the scrub.
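As an added illustration of what "scrubbing" means at the byte level (this is not Metadata-Remover's own code, which also handles videos and other formats), the following Python walks a JPEG's marker segments and drops the ones that carry metadata while leaving the picture data untouched. The sample JPEG is constructed inside the block and is not a decodable image; only its container structure matters:

```python
from typing import Iterator, List, Tuple

SOS, EOI = 0xDA, 0xD9
# Segments that carry metadata rather than picture data: APP1 (Exif, XMP, including the
# embedded Exif thumbnail), APP13 (IPTC/Photoshop) and COM (free-text comment).
METADATA_MARKERS = {0xE1, 0xED, 0xFE}
# Markers with no length field.
STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))


def iter_segments(data: bytes) -> Iterator[Tuple[int, int, int]]:
    """Walk the marker segments of a JPEG, yielding (marker, start, end) byte offsets,
    and stop after the SOS header because everything after it is entropy-coded scan data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte between segments
            pos += 1
            continue
        if marker in STANDALONE:
            yield marker, pos, pos + 2
            pos += 2
            if marker == EOI:
                return
            continue
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        end = pos + 2 + length
        if length < 2 or end > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        yield marker, pos, end
        pos = end
        if marker == SOS:
            return


def strip_metadata(data: bytes) -> bytes:
    """Rebuild the file without metadata segments. APP0 (JFIF), APP2 (ICC profile), APP14
    (Adobe colour transform) and the codec tables are kept because decoders need them."""
    out = bytearray(b"\xff\xd8")
    tail_start = 2
    for marker, start, end in iter_segments(data):
        tail_start = end
        if marker not in METADATA_MARKERS:
            out += data[start:end]
    out += data[tail_start:]          # scan data through EOI, copied untouched
    return bytes(out)


def segment_markers(data: bytes) -> List[int]:
    """Marker codes of the segments up to SOS, handy for checking what survived."""
    return [marker for marker, _, _ in iter_segments(data)]


def build_sample_jpeg() -> bytes:
    """Constructed stand-in for a phone photo: JFIF header, an Exif block with a made-up
    GPS tag, a comment, then a tiny fake scan. Not a decodable image."""
    def seg(marker: int, payload: bytes) -> bytes:
        return bytes([0xFF, marker]) + (len(payload) + 2).to_bytes(2, "big") + payload

    app0 = seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    exif = seg(0xE1, b"Exif\x00\x00MM\x00*\x00\x00\x00\x08" + b"GPSLatitude=51.50 (constructed)")
    comment = seg(0xFE, b"Taken on Alice's phone")
    sos = seg(SOS, b"\x01\x01\x00\x00\x3f\x00")
    scan = b"\x12\x34\xff\x00\x56"   # ff 00 is byte stuffing inside scan data, left as-is
    return b"\xff\xd8" + app0 + exif + comment + sos + scan + b"\xff\xd9"


if __name__ == "__main__":
    cleaned = strip_metadata(build_sample_jpeg())
    print([hex(m) for m in segment_markers(cleaned)], b"Exif" in cleaned)
```

Because the scan data is copied byte for byte, the output decodes to exactly the same pixels as the input; the only things lost are the tags, the comment and the Exif thumbnail. Writing the result to a new file name is deliberate: overwriting in place still leaves the original recoverable from unallocated space on many filesystems.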

  3. ForensicsF***er (https://github.com/NoahGWood/FileChanger)

This tool modifies file timestamps after a predetermined length of time passes. Basically, a user runs this program and it rewrites the times on files in an ext4 filesystem (Linux only). The tool also has a neat feature called self-destruct mode that deletes the Python script after it runs. It is more a proof of concept than a usable tool (Linux only, works on a predetermined set of files), but the idea could be built into a more user-friendly tool.

The real-world use of this tool is to undermine data integrity. If all the timestamps on a piece of evidence are from a date after the investigation started, that could ruin the integrity of the investigation (at least from an outside perspective) and force the evidence to be thrown out. A forensic investigator could prevent this by removing the program before it fires, or by imaging the filesystem multiple times and working only on the images the program has not yet touched. A write-blocked image taken at first response preserves the original values regardless. There is also a built-in tell: a user-space timestamp change on Linux goes through utime(), which sets atime and mtime to whatever the caller asks for but leaves the kernel to set ctime to the current time, so a file whose mtime is later than its ctime is itself evidence of tampering. 
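The following added Python example (not FileChanger's code) shows both sides: the utime() call a timestomper makes and the checks an investigator can run against the result. The file names, the ten-day offset and the one-second slack are assumptions; the run happens in a temporary directory so it is safe to execute.

```python
import os
import tempfile
import time
from typing import Dict, List

NS = 1_000_000_000


def timestomp(path: str, when: int) -> None:
    """What a timestomping tool does on Linux: rewrite atime and mtime through utime().
    The kernel sets ctime to the current time as a side effect and offers no call to set
    it, and ext4's crtime (creation time) cannot be changed through normal file APIs
    either; those are the hooks a detector uses. Whole seconds are used on purpose,
    because tools like touch -d do the same."""
    os.utime(path, ns=(when * NS, when * NS))


def timestomp_indicators(path: str, slack_s: float = 1.0) -> List[str]:
    """Return the names of the timestomp indicators present on one file. Empty = clean."""
    st = os.stat(path)
    found = []
    slack = int(slack_s * NS)    # tolerance for coarse-grained filesystems (assumption)
    # A genuine write sets mtime and ctime together, so mtime later than ctime cannot
    # happen without utime() tampering or a clock jump.
    if st.st_mtime_ns > st.st_ctime_ns + slack:
        found.append("mtime_after_ctime")
    # A stomped value carried in whole seconds leaves the nanosecond field at zero;
    # real writes on an ext4 or tmpfs volume essentially never do.
    if st.st_mtime_ns % NS == 0 and st.st_atime_ns % NS == 0:
        found.append("zero_nanoseconds")
    # Where birth time is exposed (Python 3.12+ on Linux via statx), a modification
    # time earlier than creation is impossible without tampering.
    birth = getattr(st, "st_birthtime_ns", None)
    if birth is not None and st.st_mtime_ns + slack < birth:
        found.append("mtime_before_birth")
    return found


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Walk a directory and report only the files that show at least one indicator."""
    hits: Dict[str, List[str]] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            ind = timestomp_indicators(p)
            if ind:
                hits[os.path.relpath(p, root)] = ind
    return hits


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: one untouched file and one stomped ten days into the future,
    the essay's 'every timestamp is from after the investigation started' situation."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("notes.txt", "evidence.txt"):
            with open(os.path.join(d, name), "w") as f:
                f.write("sample content\n")
        timestomp(os.path.join(d, "evidence.txt"), int(time.time()) + 10 * 86400)
        return scan_tree(d)


if __name__ == "__main__":
    print(demo())
```

Run scan_tree() over a mounted read-only image to triage for stomped files. The indicators are heuristics rather than proof: a filesystem with one-second resolution trips the nanosecond check on every file, and a system clock set wrong can produce mtime-after-ctime on its own, so confirm hits against the ext4 journal or an earlier image before drawing conclusions.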


Sources:

[1] Afonin, O. (2021, September 23). Forensic implications of sleep, hybrid sleep, hibernation, and fast startup in Windows 10. ElcomSoft blog. Retrieved October 3, 2021, from https://blog.elcomsoft.com/2021/09/forensic-implications-of-sleep-hybrid-sleep-hibernation-and-fast-startup-in-windows-10/.