How the Leopard Hides his Spots: OS X Anti-Forensic Techniques

No ratings

Presented at HackLu 2008 by

Anti-Forensics is the new buzzword within forensic circles. Despite significant interest, no significant new information on anti-forensic tools, techniques or methodologies has emerged from the info sec community on this critical topic. For the first time since 2004, the grugq will be presenting a paper on anti-forensics, revealing new techniques for effective data hiding. This talk will retrace the core anti-forensic techniques and methodologies, and show how they can be applied to defeat forensic analysis of OS X systems. More importantly, this talk will examine how an anti-forensic attacker can move beyond the file system and where anti-forensic data hiding attacks will move in the future. This talk will include attacks against the OS X file system (HFS+), as well as attacks beyond the file system. There will be 0-day OS X bugs as well as previously unreleased attacks against Microsoft file systems. If you are a hacker, you'll discover a new world of data storage, and if you're a forensic investigator... be prepared to never discover anything again. The Grugqhas been professionally involved in information security since 1999. He pioneered the field of anti-forensics by publishing an article and source code in Phrack magazine [1]. He also worked with reverse engineering and defeating Host Intrusion Prevention Systems [2], [3]. Since 2003 the grugq has presented at numerous of conferences world wide, including Blackhat, Hack in the Box, and dozens of others. His topics have been anti-forensics, VoIP security and most recently a tool called HaSH, which helps automate interaction with the command line for penetration testing. In the coming months he is scheduled to talk on Anti-Forensics on OSX at Hack in the Box and PoC, and he is preparing a paper on mobile financial systems security for BCS in Jakarta. Over the last decade, the grugq has focussed on infosec research on the following topics: Anti Forensics Voice over IP Reverse Engineering Penetration Testing