Metasploit Anti-Forensics Project

The Metasploit Anti-Forensics Project, originally created by our team and now maintained by the community, seeks to develop tools and techniques for removing forensic evidence from computer systems. The project includes a number of tools, including Timestomp, Slacker, and SAM Juicer, many of which have been integrated into the Metasploit Framework.

Downloads currently unavailable


Metasploit Anti-Forensics Project Tools

Timestomp

Timestomp allows you to delete or modify all four New Technology File System (NTFS) timestamp values: Modified, Accessed, Created and Entry Modified.



Slacker

Slacker allows you to hide data in the slack space of NTFS. Slack space arises because a file system allocates space for a file to be written in whole clusters and typically allocates more than the file actually uses. The unused remainder is called slack space, and it is perfect data-hiding ground for the hacker.



SAM Juicer

SAM Juicer runs over a memory/LSASS channel to dump password hashes on a Windows system without leaving any sort of trace or signature on the disk or in the registry.

Metasploit Anti-Forensics Project Advisories

PGP Desktop Wipe Free Space Flaw

December 8, 2005

PGP Desktop includes a Wipe Free Space utility that claims to eliminate data in all the free space on your hard drive including the little areas after the end of existing files which may still have old data left behind. In short, the utility claims to wipe file slack space, the unused space in a disk cluster. The software does not work as advertised. It does not clean slack space.


Windows File Time Stamp Display Flaw

December 7, 2005

Windows file time stamps can be set to extremely low values via the NtSetInformationFile() system call. The Windows API does not properly translate such low 64-bit time values stored on disk into human-readable format and displays no information instead. Although this is not a security vulnerability in itself, it adversely affects third-party applications that rely upon the Windows API to perform the translation.
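The following Python is an added example, not code from this project or from any of its tools. It shows what an investigator's tooling should do about the two advisory points above: decode raw 64-bit FILETIME values itself instead of relying on the Windows API (so an "extremely low" value is shown rather than blanked), and run a few heuristic checks over one MFT record's $STANDARD_INFORMATION and $FILE_NAME timestamps. The plausibility floor of 1980, the zero-fractional-seconds check, and the sample MFT record are assumptions constructed for the example; the comparison against $FILE_NAME rests on the fact that those timestamps are rewritten only by the file system itself (for example on rename), not by the user-mode set-time path.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
ONE_US = timedelta(microseconds=1)

# Largest value that still fits Python's datetime (year 9999); anything above is out of range.
FILETIME_MAX = (datetime(9999, 12, 31, 23, 59, 59, tzinfo=timezone.utc) - FILETIME_EPOCH) // ONE_US * 10

# Assumed floor for plausible real NTFS activity (assumption for this example, not a Windows constant).
PLAUSIBLE_FLOOR = (datetime(1980, 1, 1, tzinfo=timezone.utc) - FILETIME_EPOCH) // ONE_US * 10

SI_FIELDS = ("created", "modified", "accessed", "entry_modified")


def datetime_to_filetime(dt: datetime) -> int:
    """Encode a UTC datetime as a raw FILETIME (used here only to build sample records)."""
    return (dt - FILETIME_EPOCH) // ONE_US * 10


def filetime_to_datetime(ft: int):
    """Decode a raw FILETIME ourselves. A value such as 1 decodes to 1601-01-01 instead of
    being blanked; only negative or beyond-year-9999 values return None."""
    if ft < 0 or ft > FILETIME_MAX:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def filetime_to_str(ft: int) -> str:
    """Render with the full 7-digit (100 ns) fraction so a zeroed fraction is visible."""
    dt = filetime_to_datetime(ft)
    if dt is None:
        return f"<out of range: {ft:#018x}>"
    return dt.strftime("%Y-%m-%d %H:%M:%S.") + f"{ft % TICKS_PER_SECOND:07d}"


def timestamp_anomalies(si: dict, fn: dict) -> list:
    """Heuristic checks over one MFT record. `si` holds the $STANDARD_INFORMATION timestamps
    and `fn` the $FILE_NAME timestamps, both keyed by SI_FIELDS with raw FILETIME values.
    Returns human-readable findings; an empty list means nothing looked odd."""
    findings = []
    for name in SI_FIELDS:
        v = si[name]
        if v < PLAUSIBLE_FLOOR:
            findings.append(f"{name}: implausibly low FILETIME {v:#x} ({filetime_to_str(v)})")
        elif v % TICKS_PER_SECOND == 0:
            # Real file activity almost never lands on an exact second boundary.
            findings.append(f"{name}: fractional seconds are exactly zero ({filetime_to_str(v)})")
    # $FILE_NAME timestamps are maintained by the file system itself, so a $STANDARD_INFORMATION
    # creation time that predates the $FILE_NAME one cannot come from normal file activity.
    if si["created"] < fn["created"]:
        findings.append("created: $STANDARD_INFORMATION predates $FILE_NAME")
    return findings


# Constructed sample MFT record (not real evidence): a file created 2005-12-07 12:34:56.789123 UTC.
REAL_TIME = datetime_to_filetime(datetime(2005, 12, 7, 12, 34, 56, 789123, tzinfo=timezone.utc))
SAMPLE_FN = {k: REAL_TIME for k in SI_FIELDS}
SAMPLE_SI_CLEAN = dict(SAMPLE_FN)
SAMPLE_SI_STOMPED = {
    "created": 1,  # an "extremely low value" of the kind the advisory describes
    "modified": datetime_to_filetime(datetime(2005, 12, 7, 12, 0, 0, tzinfo=timezone.utc)),  # whole second
    "accessed": REAL_TIME,
    "entry_modified": REAL_TIME,
}

if __name__ == "__main__":
    print("FILETIME 1 decodes to:", filetime_to_str(1))
    for label, si in (("clean", SAMPLE_SI_CLEAN), ("stomped", SAMPLE_SI_STOMPED)):
        print(label, timestamp_anomalies(si, SAMPLE_FN) or ["no anomalies"])
```

Run the module directly to see the decoded low value and the findings for the clean and tampered sample records; in practice the two dictionaries would be filled from an MFT parser's output for each record.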


Metasploit Anti-Forensics Project Documents

Articles

Articles discussing research related to this project.

Downloads

CSO Magazine - The Rise of Antiforensics - June 2007

CIO Magazine - How Online Criminals Make Themselves Tough to Find, Near Impossible to Nab - May 2007

Forensic investigations start at the end. Think of it: You wouldn’t start using science and technology to establish facts (that’s the dictionary definition of forensics) unless you had some reason to establish facts in the first place. But by that time, the crime has already happened. So while requisite, forensics is ultimately unrewarding.

Journal of Digital Forensic Practice - Challenging the Presumption of Reliability - March 2006 (PDF)

There is a general tendency among courts to presume that forensic software reliably yields accurate digital evidence. As a judicial construct, this presumption is unjustified in that it is not tailored to separate accurate results from inaccurate ones. Vincent Liu illustrates this unfortunate truth by presenting two currently uncorrected weaknesses in popular computer forensic tools, methods, and assumptions.