Becoming Virtually Untraceable (Eps6.0_H4rdc0r3_St34lth.cfg)

*Note: This article was originally published by the author on October 4, 2018. This article is also available in Spanish here.

H.L. Mencken quote

“Subtle and insubstantial, the expert leaves no trace; divinely mysterious, he is inaudible. Thus he is the master of his enemy’s fate.” ~ Sun Tzu

Mr. Smith pulls up to the public library in his 1986 Jeep CJ-7. Being a practical, low-key guy he prefers reliable non-flashy vehicles that don’t rely on a computer chip to run and that are capable of going off-road. He likes to visit the library a couple of times a week to check his email on the public computer and exchange books he has already read for some new selections. The library parking lot has a Closed Circuit TV (CCTV) camera on the building’s roof that captures Mr. Smith’s arrival in his vehicle, but it can’t get a good read on the license plate because it is righteously covered in mud.

1986 Jeep CJ-7; image courtesy of Cars For Sale

The camera also captures Mr. Smith walking into the library’s front entrance but cannot make out his face, as Mr. Smith is wearing sunglasses that break up the contour of his face and a red ball cap with tiny LED lights on the brim and the words “Make America Greedy Again” printed in white letters. The slogan is meant to be a play on the 2016 Trump presidential campaign slogan; the alternative version is a slight, subtly sarcastic statement against the 1% elite rich who control most of the wealth in the country. Mr. Smith considers himself somewhat of an outsider, part of the Resistance against the gross overreach of power by local, state, and federal governments.

He values his privacy and is not a fan of the government collecting information about his habits, such as what books he checks out from the library. Other than his ball cap, Mr. Smith’s clothing is nondescript so as not to stand out in any way whatsoever: just another guy wearing blue jeans with a black belt, a plain black t-shirt, and white/black Converse shoes. Mr. Smith drops his books off in the return cart and walks over to sit down at one of the available public computers that offer free Internet access. This being one of several libraries he regularly visits, Mr. Smith has already scoped out where all of the CCTV cameras are located and chooses an available computer that is somewhat out of the direct line of sight of the cameras.

Mr. Smith opens up the default Internet browser on the library computer, which just so happens to be Internet Explorer version 11 (i.e., version 11.285.17134.0) because the machine is still running Windows 7. You see, the library hasn’t received the necessary funds from the city in several years to upgrade its 15 public computers. IE version 11 is the jalopy of Web browsers: it is buggy, vulnerable to several unpatched exploits, and completely unsupported, as Microsoft stopped supporting it on January 12, 2016.

IE 11 Common Vulnerabilities & Exposures; courtesy of the MITRE Corporation

Mr. Smith’s first action involves clearing the browser history, cache, and cookies, if this ability has not been disabled by the administrator. Often the public library computers are locked down so that they are very restricted, to prevent people from using them inappropriately. Next, Mr. Smith navigates to Gmail and creates a throw-away email account (garbage2434234@gmail.com) specifically for the purpose of signing up for a free 7-day trial of the HideMyAss Virtual Private Network (VPN). Once the throw-away Gmail account is established, Mr. Smith enters fake information into the HideMyAss VPN 7-day trial registration webpage, including payment information from a prepaid gift card he purchased earlier with cash.

The card only has a $1.67 balance left on it, but technically it is still valid. Since it is a gift card, Mr. Smith enters a fake address into the address field along with his newly established throw-away email address. He attempts to open a command prompt and discovers that he doesn’t have permission to open the Command Prompt application. Being familiar with the Windows OS, Mr. Smith searches for the PowerShell application instead and finds it completely accessible. Mr. Smith types “ipconfig /all” and notes the current unprotected (true) IPv4 address of the library computer’s Ethernet adapter. He leaves the PowerShell window open.

PowerShell example of the “ipconfig /all” command

Meanwhile, the credit card registration goes through successfully and Mr. Smith is presented with the option of downloading the VPN’s software to the computer. He attempts to do so and is able to download the program files to the desktop, but quickly finds that he is blocked from launching the program executable (.exe) file. Mr. Smith receives an error message stating that this action requires elevated permissions.

Being somewhat IT-savvy, Mr. Smith decides to take a stab at guessing the admin credentials: he right-clicks on the executable program file and selects the “Run as administrator” option. Mr. Smith successfully guesses the password after only a few attempts. It turned out to be P@ssW0rd123. What a joke, he thinks to himself: “Might as well not even have a password on the account…” He then proceeds to install the HideMyAss VPN program that he downloaded to the computer’s desktop. This took about 5 minutes, and now Mr. Smith is able to surf online anonymously from public library computers.

HideMyAss Virtual Private Network (VPN) service; image courtesy of HideMyAss.com

Once the VPN is working and Mr. Smith has verified the new IP address by opening a simple Cmd prompt and typing “ipconfig /all,” Mr. Smith then re-launches Internet Explorer 11 and proceeds to open his actual email account which happens to be a ProtonMail account (ProtonMail offers their own VPN service for a fee, but for the purposes of this example I chose to highlight HideMyAss). The ProtonMail account is “JackerCrack911@protonmail.com” (notice his real name is not part of his email address). He now also knows the administrator password which will make erasing his tracks easier when he is finished.

Mr. Smith checks his email and personal banking site as well as a few other sites that he normally wouldn’t be allowed to navigate to had he not been using a VPN on the public library computer. After about 20 minutes of surfing the Web, Mr. Smith proceeds to close out the Web browser. Before closing out, however, Mr. Smith is careful to erase the browser search history and clear the cookies and cache again. He goes a step further, though, and deletes the Pagefile.sys, swap, and thumbnail cache contents so that his browsing history cannot be easily recovered without advanced digital forensic software tools and techniques. City IT personnel are unlikely to use such tools unless there is due cause to bring in outside law enforcement assistance, as in the event that a crime had been committed.

Mr. Smith then terminates the VPN connection and uninstalls the HideMyAss VPN software. He deletes the program files from the C:\Program Files directory and then types “regedit” in the Windows Search Bar and selects “Run as administrator.” He enters the administrator account login credentials that he successfully guessed earlier, and the Registry Editor opens. Next, Mr. Smith navigates to

“Computer\HKEY_LOCAL_MACHINE\SOFTWARE”

where he locates and deletes the “HideMyAssVPN” software registry key and follows the steps listed below that he Googled online before erasing his browser history and copied to Notepad:

“You can omit registering an application by removing the RegisterProduct Action, RegisterUser Action, PublishProduct Action, and PublishFeatures Action from the InstallExecuteSequence Table and AdvtExecuteSequence Table. All of these actions must be removed, or some trace of the application may remain in the registry. Removing all of these actions prevents the application from being listed in the Add or Remove Programs feature in Control Panel, and prevents the advertisement of the application. Removing all of these actions also prevents the application from being registered with the Windows Installer configuration data. This means that you cannot remove, repair, or reinstall the application by using the Windows Installer Command-Line Options, or the Windows Installer application programming interface (API).” ~Microsoft Docs

Mr. Smith then opens the Windows Event Viewer by typing “Event Viewer” in the Windows search bar, right-clicking on the application, and selecting “Run as administrator.” Mr. Smith enters the administrator account login credentials once again and selects “Windows Logs,” then “Application.” He then scrolls down to locate the events generated by installing and uninstalling the HideMyAssVPN application. Next, because he completed these actions using the administrator account, Mr. Smith opens the Security log and deletes only the events associated with his actions. Only an amateur would delete the entire audit log, because it would be a dead giveaway to any security admin checking the logs that someone had hacked the machine and erased logs.

Windows Event Viewer Application Log example

It should go without saying that this example is a fabrication of hypothetical events, and though these events are possible to perform, it is unlikely that the average user would be able to guess the administrator account password so handily and erase their tracks in such quick fashion. If this example is simply too much, too detailed, or too technical for you to perform, it is not meant to discourage your efforts, but it does suggest that perhaps you have not fully appreciated the lengths one must go to in order to become virtually untraceable.

As I’ve mentioned before, it is not easy to become virtually untraceable, and you have to be technically savvy enough to know your way around computer systems and networks to a certain extent. Would you be able to perform the same actions on macOS or a Linux-variant operating system? Would you know where to find the files, or even what they are named? I should also note that you get what you pay for with VPN services, so the free and trial versions may not be as secure as you think. Sometimes the VPN service providers are also collecting browsing information on you.

Digital Forensics

Hex Editing; Image courtesy of SANS DFIR

Digital forensics is a branch of forensic science encompassing the recovery and investigation of material found in digital devices, often in relation to computer crime. ~Wikipedia

There are methods that digital forensics investigators could use to find evidence of such actions if they were to perform network forensics. While an entire introduction to what digital forensics encompasses is beyond the scope of this article, I’d like to point out that there are methods and tools that can be used to recover deleted files and extract key information from computer systems and hardware. If investigators were able to determine that Mr. Smith had downloaded and installed the HideMyAss VPN, then they could also obtain a warrant to have the VPN service provide a copy of their logs as part of the forensic investigation to build their case against him.

Even when you think you are completely untraceable online, there are still stones that can be overturned to find traces of your activity whether they be on the local machine, on the network, or at some distant Internet Service Provider (ISP) such as Google, Facebook, or Comcast. For this reason, one can never become completely untraceable. However, that doesn’t mean you cannot become virtually untraceable because let’s face it, how likely is it that this type of scenario would occur in real life?

It is doubtful, to say the least. The primary goal of digital forensics investigations is to put the criminal suspect behind the keyboard, and to do so the prosecution must be able to demonstrate that the digital evidence came from the computer alleged to have been used by the offending suspect and that the data is an exact bit-stream copy. That said, someone wishing to remain untraceable will attempt to subvert that goal by whatever means necessary. Enter the field of anti-forensics.

Anti-Forensics Techniques & Countermeasures

Anti-Forensics Extended Taxonomy; M. Rogers & the 16th Annual USA Digital Forensics Research Conference

To be virtually untraceable is to also recognize that there are skilled, knowledgeable, and experienced IT professionals, and in particular, law enforcement digital forensics investigators and intelligence agency cyber analysts who have various methods, techniques, and tools that can recover deleted files, track your online activity, and help to uncover your true identity.

Maintain awareness of this fact and operate accordingly. Just as there is an entire industry dedicated to manufacturing digital forensics software applications that are used by law enforcement and corporate “eDiscovery” investigators, there’s also an entire industry dedicated to anti-forensic tools that are specifically designed to defeat forensic tools. Let’s have a look at some techniques and tools that can be used to help achieve virtual untraceability.

Data Hiding

Digital forensic investigator; image courtesy of Ali Hadi

Digital steganography was previously covered in this series and can be used to hide data by embedding and encrypting the secret data within other carrier files such as images, text, video, and audio files. Nearly any type of file can be used to hide data, provided you find a steganography application that supports it, and with over 1,100 of them, it shouldn’t be too difficult to find one. Cryptography is another means of hiding data that has also been previously covered. Of course, I always recommend using Full Disk Encryption (FDE) on your HDD and phone (to include the SD card).

However, there are numerous methods of hiding data. For instance, changing the file header or burying a file in the slack space between hard drive partitions are other options to consider. Packer and binder programs such as those listed on the chart below that compress executable files into other types of files and bind them together also make executables harder to reverse engineer forensically.

List of Executable Packers; courtesy of Wikipedia
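Two of the hiding methods just mentioned, a changed file header and a payload tucked into a carrier file, are also what a forensic examiner checks for first. The Python example below is added here and is not from the original article: it compares a file’s extension with the signature (“magic bytes”) in its header and, for PNG and JPEG carriers, reports any bytes that sit after the format’s end-of-file marker. The sample files are constructed inline; the signature table covers only a handful of common formats.

```python
"""Flag files whose extension disagrees with their header, and carrier files
with bytes appended after the format's end marker. Sample files are constructed.
"""

# Leading signatures ("magic bytes") for a few common formats.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",   # also docx/xlsx/jar containers
    b"MZ": "exe",           # PE executables and DLLs
}

# Extensions that legitimately share a signature with another type.
EXT_ALIASES = {"jpeg": "jpg", "docx": "zip", "xlsx": "zip", "jar": "zip", "dll": "exe"}


def identify(data: bytes):
    """Return the format name implied by the header, or None if unknown."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return None


def trailing_bytes(kind: str, data: bytes) -> int:
    """Bytes found after the format's end-of-file marker (0 if none or unknown)."""
    if kind == "png":
        idx = data.rfind(b"IEND")
        return len(data) - (idx + 8) if idx != -1 else 0   # 'IEND' + 4-byte CRC
    if kind == "jpg":
        idx = data.rfind(b"\xff\xd9")
        return len(data) - (idx + 2) if idx != -1 else 0
    return 0


def check_file(name: str, data: bytes) -> str:
    """Classify one file as 'ok', 'mismatch:<header>', 'appended:<n>' or 'unknown'."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    ext = EXT_ALIASES.get(ext, ext)
    kind = identify(data[:16])
    if kind is None:
        return "unknown"
    if kind != ext:
        return f"mismatch:{kind}"
    extra = trailing_bytes(kind, data)
    if extra:
        return f"appended:{extra}"
    return "ok"


def scan(files):
    """Run check_file over {name: bytes} and return {name: verdict}."""
    return {name: check_file(name, data) for name, data in files.items()}


# Constructed inputs: a minimal PNG (signature + empty IEND chunk), the same PNG
# with a payload appended, a PE header renamed to look like a photo, and a
# Word document whose zip container header is legitimate.
PNG_MIN = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x00IEND\xaeB`\x82"
SAMPLE_FILES = {
    "vacation.png": PNG_MIN,
    "vacation_copy.png": PNG_MIN + b"hidden payload bytes",
    "photo.jpg": b"MZ\x90\x00" + b"\x00" * 60,
    "report.docx": b"PK\x03\x04" + b"\x00" * 26,
}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLE_FILES).items():
        print(f"{name:20} {verdict}")
```

A real triage tool would use a full signature database (the libmagic library behind the `file` command is the usual choice) and would treat an appended payload as a lead rather than proof, since some cameras and editors also write trailing metadata.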

Rootkits are formed this way. A rootkit is basically malware consisting of “…a set of programs and code that allows a permanent or consistent, undetectable presence [root-level access] on a computer (Donzal, 2005).” Rootkits are the very definition of Advanced Persistent Threat (APT) malware in that they enable persistent system access via a backdoor (i.e., the malware is similar to a Remote Access Trojan or RAT) at the administrator level with an assortment of tools within the kit that allows for other remotely administered capabilities such as listening and watching (e.g., remotely activating the microphone and Webcam), hidden data exfiltration, and more.

Rootkits are also sometimes used for remote access/monitoring purposes by law enforcement or even corporate IT departments. They are often difficult to detect because they are hidden and buried deep within the operating system files, in locations that anti-virus/malware software might not scan, and because of polymorphism, whereby the rootkit actually modifies its own code, making detection very difficult. Typically, rootkits are not self-propagating like a worm. You could get a rootkit downloaded to your computer by clicking a malicious link in an email or on a website: while the page you wanted to see opens, the link also quietly begins downloading what is known as a ‘dropper’ file. The dropper loads the malware ‘launcher’ program that installs the rootkit, and the dropper is typically deleted after the install is complete.

Artifact Wiping

If you have sensitive information on your computer that you cannot afford to have anyone find, it is possible to program your computer to auto-wipe the entire operating system if it is not booted up in the designated sequence order or with the correct password. This way, if an investigator tries to get around your full drive encryption by plugging in a USB device to your computer to run Linux or EnCase/FTK and boot from it directly, it will automatically start deleting files making the job of the forensic investigator harder, if not impossible.

This could also pose problems for you if you forget the proper boot sequence. Better have backups! If the investigator is paying attention and notices what is happening then perhaps they can shut the system down quickly, but then at most, they will have a partial drive full of data. Anti-forensic wiper tools such as some of those found in the Kali or Black Arch Linux OS distributions like SRM, Wipe, Overwrite, DBAN, BCWipe, Eraser, R-Wipe, DiskZapper, Cryptomite, or Evidence Eliminator will effectively delete and overwrite the memory on an artifact rendering it unrecoverable.

To understand why these techniques won’t work for Solid State Drives (SSD), you’ll first need to understand how SSDs write data: each write is allocated to fresh flash memory on a one-time-use basis rather than overwriting the old location. If there is a need to completely wipe a hard disk drive (HDD), sanitization can be accomplished through magnetic degaussing. The National Institute of Standards and Technology (NIST) recommends disintegration, incineration, pulverizing, shredding, and melting. In Linux, the dd command will forensically wipe the drive as well.

Degaussing will not work for SSDs, however; actual physical destruction of the drive into tiny pieces or by fire is necessary. There are other techniques that can be used to wipe artifacts, so don’t be afraid to experiment on your own. It is also possible to rig your computer to blow up if the chassis is not carefully opened in a certain way (you may have seen this on Season 2, Episode 3 of Mr. Robot) if you really want to get sinister, but I’ll stop short of explaining exactly how to do this.
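The SSD point above is easiest to see with a toy model. The Python example below is added here and is not part of the original article: it simulates a magnetic disk that overwrites a block in place beside a flash drive with a minimal flash translation layer (FTL) that always writes to a fresh page and remaps the logical block. After a wiper tool “overwrites” the file, the old copy is gone from the HDD but still sits in a stale flash page that only the controller’s garbage collection or a firmware sanitize command erases. The model is deliberately simplified and represents no particular drive; the page count, block numbers and SECRET content are constructed.

```python
"""Toy model of why an in-place overwrite wipes an HDD sector but not a flash page.

An SSD's flash translation layer (FTL) cannot overwrite a programmed page; it
writes the new data to a fresh page and remaps the logical block, leaving the
old page intact until garbage collection or a sanitize command erases it.
This is a simplified simulation, not a model of any particular drive.
"""


class Hdd:
    """Magnetic disk: a logical block maps to one fixed location, overwritten in place."""

    def __init__(self, blocks=8):
        self.media = [b""] * blocks

    def write(self, lba, data):
        self.media[lba] = data

    def raw_dump(self):
        return b"".join(self.media)


class Ssd:
    """Flash drive with a minimal FTL: every write goes to a never-used page."""

    def __init__(self, pages=8):
        self.pages = [b""] * pages          # physical flash contents
        self.l2p = {}                       # logical block -> physical page
        self.free = list(range(pages))

    def write(self, lba, data):
        if not self.free:
            self.garbage_collect()
        phys = self.free.pop(0)
        self.pages[phys] = data
        self.l2p[lba] = phys                # old page is now stale, but still programmed

    def read(self, lba):
        """What the OS (and a file-wiping tool) sees through the FTL."""
        return self.pages[self.l2p[lba]] if lba in self.l2p else b""

    def stale_pages(self):
        live = set(self.l2p.values())
        return [p for p, d in enumerate(self.pages) if d and p not in live]

    def garbage_collect(self):
        """Erase stale pages; on real drives this runs on the controller's schedule."""
        for p in self.stale_pages():
            self.pages[p] = b""
            self.free.append(p)

    def sanitize(self):
        """Model of a firmware secure erase: every page erased regardless of mapping."""
        self.pages = [b""] * len(self.pages)
        self.l2p.clear()
        self.free = list(range(len(self.pages)))

    def raw_dump(self):
        """What a chip-off forensic read of the NAND would return."""
        return b"".join(self.pages)


SECRET = b"SECRET"   # constructed sample content


def overwrite_experiment():
    """Write a secret, overwrite it with zeros, and report where it survives.

    Returns (secret_on_hdd_media, secret_visible_on_ssd, secret_on_ssd_nand).
    """
    hdd, ssd = Hdd(), Ssd()
    for dev in (hdd, ssd):
        dev.write(3, SECRET)
        dev.write(3, b"\x00" * len(SECRET))   # what a wiper tool does to the file
    return (SECRET in hdd.raw_dump(),
            SECRET in ssd.read(3),
            SECRET in ssd.raw_dump())


def sanitize_experiment():
    """After a firmware sanitize, the stale copy is gone from the NAND too."""
    ssd = Ssd()
    ssd.write(3, SECRET)
    ssd.write(3, b"\x00" * len(SECRET))
    ssd.sanitize()
    return SECRET in ssd.raw_dump()


if __name__ == "__main__":
    print(overwrite_experiment())   # (False, False, True)
    print(sanitize_experiment())    # False
```

Real controllers add over-provisioned spare area that the host cannot address at all, which is why NIST SP 800-88 treats the drive’s own sanitize or cryptographic-erase command, or physical destruction, as the purge methods for flash media rather than host-side overwriting.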

Trail Obfuscation

Think of trail obfuscation as planting misinformation about yourself on the Web to throw someone off your scent, but in this sense it involves using sophisticated tools to modify data about your activity. For instance: deleting audit logs, spoofing your identity when accessing a system or Website, intentionally providing misinformation, IP address hopping (Tor, I2P, Freenet), using throwaway (“zombie”) accounts, and tools such as Timestomp or Transmogrify to modify timestamp metadata and file header information.
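Timestamp tampering is a good illustration of why trail obfuscation leaves its own trail. NTFS stores two sets of timestamps per file: $STANDARD_INFORMATION ($SI), which user-mode APIs can set, and $FILE_NAME ($FN), which only the kernel updates. A tool that rewrites $SI generally leaves $FN alone and commonly writes whole seconds, so a $SI creation time earlier than the $FN creation time, or $SI timestamps with a zeroed fractional part, are well-known examiner heuristics. The Python example below is added here and is not from the original article; it applies those two heuristics to constructed file records (the paths and times are made up, and the $SI/$FN fields are assumed to have been parsed from the MFT already).

```python
"""Heuristics for spotting tampered NTFS timestamps, run on constructed sample records.

$SI = $STANDARD_INFORMATION (settable from user mode), $FN = $FILE_NAME (kernel only).
Both checks are indicators, not proof; see the notes after the block.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass
class FileTimes:
    path: str
    si_created: datetime
    si_modified: datetime
    fn_created: datetime
    fn_modified: datetime


def has_zeroed_subseconds(ft: FileTimes) -> bool:
    """All $SI timestamps end in .000000: consistent with a second-granularity rewrite."""
    return ft.si_created.microsecond == 0 and ft.si_modified.microsecond == 0


def si_before_fn(ft: FileTimes) -> bool:
    """$SI creation earlier than $FN creation: the file 'existed' before it was created."""
    return ft.si_created < ft.fn_created


def assess(ft: FileTimes):
    """Return the list of indicator names that fire for one file."""
    reasons = []
    if has_zeroed_subseconds(ft):
        reasons.append("zeroed-subseconds")
    if si_before_fn(ft):
        reasons.append("si-before-fn")
    return reasons


def scan(records):
    """Map each path to its indicators; an empty list means nothing suspicious."""
    return {ft.path: assess(ft) for ft in records}


# Constructed sample: one untouched file, one whose $SI times were backdated to 2015
# while the kernel-maintained $FN times still show when it really appeared.
SAMPLE = [
    FileTimes("notes.txt",
              datetime(2018, 10, 4, 14, 5, 12, 347811), datetime(2018, 10, 4, 14, 9, 3, 901220),
              datetime(2018, 10, 4, 14, 5, 12, 347811), datetime(2018, 10, 4, 14, 5, 12, 347811)),
    FileTimes("setup.log",
              datetime(2015, 1, 1, 0, 0, 0), datetime(2015, 1, 1, 0, 0, 0),
              datetime(2018, 10, 4, 14, 3, 0, 123456), datetime(2018, 10, 4, 14, 3, 0, 123456)),
]

if __name__ == "__main__":
    for path, reasons in scan(SAMPLE).items():
        print(f"{path:12} {', '.join(reasons) or 'clean'}")
```

Zeroed fractional seconds also occur legitimately on files copied from FAT volumes or extracted from archives, and $SI-before-$FN can follow a file move, so an examiner corroborates either hit against the USN journal, $LogFile and prefetch data before drawing conclusions.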

The point to remember from all of this forensic/anti-forensic talk is that becoming virtually untraceable is much more difficult than you may have initially thought it was. Technology is not on your side in this endeavor. I am not saying technology is bad, but there are a lot of holes in security with most technologies that we haven’t quite figured out how to fill yet. There is the physical component of becoming virtually untraceable, the mental component of how one thinks and sees the world, and then there is the virtual or cyberspace component which is very technical but also easily obfuscated if you know how to do so. That should give you enough to chomp on until the next episode… Stay low-key and continue making yourself a bastion host.

Zero Trust, Always Verify.

Thank you for reading! If you enjoy these articles and want to support me as a writer, you can become a Medium member. For $5 per month or $50 per year (a better deal), you receive unlimited access to Medium stories. If you use my referral link, I receive a small commission. Cheers!

Additional Privacy Resources

z3r0trust Privacy Newsletters: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, #4–20, #5–20, #6–20, #32–20, #33–20, #8–20, #9–20, 16, 17, 45–20, 46–20, 47–20, 48–20, #1–21, #2–21, #3–21, #6–21

*Privacy-related articles also published by the author can be found here.

Other helpful privacy info: EFFector | Atlas of Surveillance | Privacy Tools | IAPP | ACLU | PogoWasRight.org | DataBreaches.net

Ian Barwise

experienced privacy & security engineer **stepping away from blogging for an undetermined amount of time to focus elsewhere**