Anti-forensics Demonstration: Combination of Obscurity Methods


This page explains how to make a DFIR investigator work harder and hand them a more complex problem to solve. Before you start, you are advised to read the Terms; the author takes no responsibility for anything that happens afterwards.

Zuhri

Introduction

This page is a bit sensitive, because not many people explain this topic on the surface internet; again, please read the Terms.

Anti-forensic Technique

An anti-forensic technique is any intentional or accidental change that can obscure, encrypt, or hide data from forensic tools. It is meant to make the investigator work hard. A suspect who implements these techniques hopes that all of them will work the way they want; a few will, but not all of them. The same is true in reverse for the investigator, of course.

This how-to is executed on a Linux machine!

Methodology

The methodology we use here is only obscurity. The reason we don't talk about encryption is that it is the ace card when you perform something like this: it is impossible when we face something like asymmetric encryption, and there is no choice but to ask for the key, no matter how.

Obscurity Methods

An obscurity method is used by someone to try to obscure the true nature or meaning of some data, typically by changing its name: for example changing the file's extension, its content, or both. That makes the file identifier reach the wrong conclusion about what the file actually is.

File Extension Renaming

[ root@server: ~ ]
└# cat obscure.txt
HI, this content of .txt file.

[ root@server: ~ ]
└# mv obscure.txt file.mp4

[ root@server: ~ ]
└# ls
file.mp4

That can be countered by checking the file header: the header tells what the file really is. You can use the file command on Linux as a PoC (Proof of Concept).

[ root@server: ~ ]
└# file file.mp4
file.mp4: ASCII text

It detects the magic header (signature) of the file and then shows what it actually is.

Encoding Methods

Encoding means that a file's contents are changed in some way that can be easily reversed.

[ root@server: ~ ]
└# cat obscure.txt
HI, this content of .txt file.

[ root@server: ~ ]
└# base64 obscure.txt | tee obscure.txt
SEksIHRoaXMgY29udGFpbiBvZiAudHh0IGZpbGUuCg==

[ root@server: ~ ]
└# cat obscure.txt
SEksIHRoaXMgY29udGFpbiBvZiAudHh0IGZpbGUuCg==

[ root@server: ~ ]
└# cat obscure.txt | base64 -d
HI, this content of .txt file.

To detect whether a file is encoded or not, you can use an identifier; find one on the internet!

Compression Methods

Compression allows the content of a file to be reduced in size for storage and transmission. This means the algorithm changes the data inside, which makes forensics on that file more complicated, because it can be corrupted or we cannot retrieve all of the files completely.

[ root@server: env ]
└# cat obscure.txt | head -n 5
HI, this contain of .txt file.
HI, this contain of .txt file.
HI, this contain of .txt file.
HI, this contain of .txt file.
HI, this contain of .txt file.
[ root@server: env ]
└#

I've made some changes to that file to make it bigger; that is just the first 5 lines.

[ root@server: env ]
└# zip obscure.zip obscure.txt
  adding: obscure.txt (deflated 69%)

[ root@server: env ]
└# ls -la
total 8820
drwxr-xr-x 2 root root    4096 May  5 14:09 .
drwx------ 7 root root    4096 May  5 13:54 ..
-rw-r--r-- 1 root root 6889681 May  5 14:08 obscure.txt
-rw-r--r-- 1 root root 2129412 May  5 14:09 obscure.zip

That archives obscure.txt into a zip file; as you can see, the file size is reduced from the previous 6889681 to 2129412 now. After that, let's try to do something.

[ root@server: env ]
└# zip obscure.zip --out new_obscure.zip -s 1
 copying: obscure.txt

[ root@server: env ]
└# ls
new_obscure.z01  new_obscure.z02  new_obscure.zip  obscure.txt  obscure.zip

[ root@server: env ]
└# ls -la
total 10900
drwxr-xr-x 2 root root    4096 May  5 14:12 .
drwx------ 7 root root    4096 May  5 13:54 ..
-rw-r--r-- 1 root root 1048576 May  5 14:12 new_obscure.z01
-rw-r--r-- 1 root root 1048576 May  5 14:12 new_obscure.z02
-rw-r--r-- 1 root root   32264 May  5 14:12 new_obscure.zip
-rw-r--r-- 1 root root 6889681 May  5 14:08 obscure.txt
-rw-r--r-- 1 root root 2129412 May  5 14:09 obscure.zip

What does that mean? zip obscure.zip --out new_obscure.zip -s 1 splits obscure.zip into 1MB pieces and writes the output as new_obscure.* archive files. As you can see, the two pieces above are both 1048576 bytes and the origin output is 32264, which means the algorithm starts splitting from the end of the file, and the remainder becomes the origin.

Now let's try to verify that file, or put it back to the default.

[ root@server: env ]
└# md5sum obscure.zip obscure.txt
2646c769e73cb7835e0fa8a18f33c999  obscure.zip
67a70c2b4092fe70716ce697f976376a  obscure.txt

Those are the hashes of the default files. Then create another directory for a cleaner environment.

[ root@server: env ]
└# mkdir new_env

[ root@server: env ]
└# cp new_obscure.z* new_env/

[ root@server: env ]
└# cd new_env/

[ root@server: new_env ]
└#
[ root@server: new_env ]
└# ls
new_obscure.z01  new_obscure.z02  new_obscure.zip

new_env has been created. Then let's get it back.

[ root@server: new_env ]
└# zip -s 0 new_obscure.zip --out obscure.zip
 copying: obscure.txt

[ root@server: new_env ]
└# ls -la
total 4140
drwxr-xr-x 2 root root    4096 May  5 14:40 .
drwxr-xr-x 3 root root    4096 May  5 14:37 ..
-rw-r--r-- 1 root root 1048576 May  5 14:37 new_obscure.z01
-rw-r--r-- 1 root root 1048576 May  5 14:37 new_obscure.z02
-rw-r--r-- 1 root root   32264 May  5 14:37 new_obscure.zip
-rw-r--r-- 1 root root 2097251 May  5 14:40 obscure.zip

[ root@server: new_env ]
└# unzip obscure.zip
Archive:  obscure.zip
  inflating: obscure.txt              bad CRC 2b86dac1  (should be fcfcdc1c)
error: invalid zip file with overlapped components (possible zip bomb)

An error happened!


[ root@server: new_env ]
└# ls -la
total 10768
drwxr-xr-x 2 root root    4096 May  5 14:40 .
drwxr-xr-x 3 root root    4096 May  5 14:37 ..
-rw-r--r-- 1 root root 1048576 May  5 14:37 new_obscure.z01
-rw-r--r-- 1 root root 1048576 May  5 14:37 new_obscure.z02
-rw-r--r-- 1 root root   32264 May  5 14:37 new_obscure.zip
-rw-r--r-- 1 root root 6784530 May  5 14:08 obscure.txt
-rw-r--r-- 1 root root 2097251 May  5 14:40 obscure.zip

[ root@server: new_env ]
└# md5sum obscure.zip obscure.txt
2ce9adea39e18911771f8fe941d3a466  obscure.zip
0bc249bf4387d95b67246c90b270fa11  obscure.txt

| origin hash | error hash | name |
|---|---|---|
| 2646c769e73cb7835e0fa8a18f33c999 | 2ce9adea39e18911771f8fe941d3a466 | obscure.zip |
| 67a70c2b4092fe70716ce697f976376a | 0bc249bf4387d95b67246c90b270fa11 | obscure.txt |

Here we have a bit of a problem: we got an error, and as a result the hashes are different. But that's not our problem, we are doing anti-forensics now! That's good news.

But at least if we look at the output of cat obscure.txt | head -n 10, the content of the file is still the same.

[ root@server: new_env ]
└# cat obscure.txt | head -n 10
HI, this contain of .txt file.
HI, this contain of .txt file.
HI, this contain of .txt file.
HI, this contain of .txt file.
HI, this contain of .txt file.
HI, this contain of .txt file.
HI, this contain of .txt file.
HI, this contain of .txt file.
HI, this contain of .txt file.
HI, this contain of .txt file.

For now let's say this file is back, but in an incomplete way. As we know, the world is not smooth like butter. Now let's make it even less smooth (implement the technique).

Combined Methods

Kind of easy, yeah? But what if we combine all those techniques? Will it be less smooth than before?

Now what we are going to do is combine all of that into one complex problem to solve.

[ root@server: new_env ]
└# cd ..
[ root@server: env ]
└# ls
new_env  new_obscure.z01  new_obscure.z02  new_obscure.zip  obscure.txt  obscure.zip
[ root@server: env ]
└#

Let's go back to the previous directory and make a new directory to perform the combined methods, then copy obscure.txt to that dir. For now I am not going to explain what I am doing; let your brain activate.

[ root@server: combined ]
└# ls
obscure.txt

[ root@server: combined ]
└# md5sum obscure.txt
67a70c2b4092fe70716ce697f976376a  obscure.txt
mv obscure.txt obscure.mp4; zip obscure.zip obscure.mp4; zip obscure.zip --out obscure_new.zip -s 1;sleep 1; base64 obscure_new.zip  | tee obscure_new.txt;rm -f obscure_new.zip; mv obscure_new.txt obscure_new.zip
[ root@server: combined ]
└# ls -la
total 8832
drwxr-xr-x 2 root root    4096 May  5 15:24 .
drwxr-xr-x 4 root root    4096 May  5 15:03 ..
-rw-r--r-- 1 root root 6889681 May  5 15:03 obscure.mp4
-rw-r--r-- 1 root root 1048576 May  5 15:24 obscure_new.z01
-rw-r--r-- 1 root root 1048576 May  5 15:24 obscure_new.z02
-rw-r--r-- 1 root root   43587 May  5 15:24 obscure_new.zip
[ root@server: combined ]
└# file *
obscure.mp4:     CSV text
obscure_new.z01: Zip multi-volume archive data, at least PKZIP v2.50 to extract
obscure_new.z02: data
obscure_new.zip:     ASCII text
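
The file output above is exactly the lead an investigator looks for: a .mp4 that is text, and a .zip that is ASCII text. The identifier the Encoding Methods section leaves you to find on the internet can be written in a few dozen lines; the script below is an added example, not code from the page or its author. It classifies bytes by signature rather than by name, peels one base64 layer and re-classifies, and flags extension/content mismatches; the sample files, the short CLAIMED table and the make_zip helper are constructed here for the demo.

```python
import base64
import zipfile
from io import BytesIO

# What each extension claims to be (short table constructed for this demo).
CLAIMED = {"mp4": "mp4", "zip": "zip", "z01": "zip-split-volume", "txt": "text"}

def identify(data: bytes) -> str:
    """Classify bytes by signature alone; the file name is never consulted."""
    if len(data) >= 12 and data[4:8] == b"ftyp":
        return "mp4"                  # ISO media 'ftyp' box
    if data[:4] == b"PK\x07\x08":
        return "zip-split-volume"     # spanning marker: first volume of a split set
    if data[:4] == b"PK\x03\x04" or b"PK\x05\x06" in data[-65557:]:
        return "zip"                  # local header, or EOCD record in the tail (last volume)
    return "text" if data.isascii() else "data"

def peel_base64(data: bytes):
    """Decode one base64 layer if the whole content is valid base64, else None."""
    compact = b"".join(data.split())  # the base64 CLI wraps its output at 76 columns
    if len(compact) < 16 or len(compact) % 4:  # heuristic; short alnum text can false-positive
        return None
    try:
        return base64.b64decode(compact, validate=True)
    except ValueError:                # binascii.Error: non-alphabet byte or bad padding
        return None

def analyze(name: str, data: bytes) -> dict:
    """Compare the type the extension claims with what the bytes actually are."""
    claimed = CLAIMED.get(name.rsplit(".", 1)[-1].lower())
    layers = [identify(data)]
    inner = peel_base64(data)
    if inner is not None:             # one decoded layer covers this page's samples
        layers.append("base64:" + identify(inner))
    return {"name": name, "claimed": claimed, "layers": layers,
            "mismatch": claimed is not None and claimed != layers[0]}

def make_zip(member: str, body: bytes) -> bytes:
    """Build a small deflated zip in memory (constructed sample input)."""
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, body)
    return buf.getvalue()

TEXT = b"HI, this contain of .txt file.\n" * 5   # constructed samples mirroring the page
SAMPLES = {"file.mp4": TEXT, "obscure.txt": base64.encodebytes(TEXT),
           "obscure_new.zip": base64.encodebytes(make_zip("obscure.mp4", TEXT))}
if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(analyze(name, data))
```

Run stand-alone it reports the renamed .mp4 as text, the base64 .txt as a text layer over text, and obscure_new.zip as text whose decoded layer is a zip, which is the stack the combined one-liner built.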

[ root@server: combined ]
└# zip -s 0 obscure_new.zip --out finale_obscure.zip
	zip warning: missing end signature--probably not a zip file (did you
	zip warning: remember to use binary mode when you transferred it?)
	zip warning: (if you are trying to read a damaged archive try -F)

zip error: Zip file structure invalid (obscure_new.zip)

Failed to recover!


Revert back to the default

cat obscure_new.zip | base64 -d | tee obscure_new.txt; rm -f obscure_new.zip; mv obscure_new.txt obscure_new.zip ; zip -s 0 obscure_new.zip --out finale_obscure.zip
[ root@server: combined ]
└# file *
finale_obscure.zip: Zip archive data, at least v2.0 to extract
obscure.mp4:        CSV text
obscure_new.z01:    Zip multi-volume archive data, at least PKZIP v2.50 to extract
obscure_new.z02:    data
obscure_new.zip:    Zip archive data, made by v3.0 UNIX, extract using at least v2.0, last modified Sun Mar 11 18:42:08 2018, uncompressed size 6889681, method=deflate, \253\005W\013\256\026\-\270Zp\265\340j\301\325\202\253\005W\013\256\026\-\270Zp\265\340j\301\325\202\253\005W\013\256\026\-\270Zp\265\340j\301\325\202\253\005W\013\256\026\-\270Zp\265\340j\301\325\202\253\005W\013\256\026\-\270Zp\265\340j\301\325\202\253\005W\013\256\026\-\270Zp\265\357Y\321.W\013\256\026\-\270Zp\265\340j\301\325\202\253\005W\013\256\026\-
[ root@server: combined ]
└#
[ root@server: combined ]
└# unzip finale_obscure.zip
Archive:  finale_obscure.zip
replace obscure.mp4? [y]es, [n]o, [A]ll, [N]one, [r]ename: r
new name: final_obscure.mp4
  inflating: final_obscure.mp4        bad CRC a38e66af  (should be fcfcdc1c)
error: invalid zip file with overlapped components (possible zip bomb)
[ root@server: combined ]
└# md5sum final_obscure.mp4 obscure.mp4
e147a008913257c404e180c5c3f4dc84  final_obscure.mp4
67a70c2b4092fe70716ce697f976376a  obscure.mp4

[ root@server: combined ]
└# ls -la final_obscure.mp4 obscure.mp4
-rw-r--r-- 1 root root 6784532 May  5 15:03 final_obscure.mp4
-rw-r--r-- 1 root root 6889681 May  5 15:03 obscure.mp4
[ root@server: combined ]
└# file final_obscure.mp4 obscure.mp4
final_obscure.mp4: CSV text
obscure.mp4:       CSV text
[ root@server: combined ]
└# cat final_obscure.mp4 | head -n 10
HI, this contain of .txt file.
HI, this contain of .txt file.
HI, this contain of .txt file.
HI, this contain of .txt file.
HI, this contain of .txt file.
HI, this contain of .txt file.
HI, this contain of .txt file.
HI, this contain of .txt file.
HI, this contain of .txt file.
HI, this contain of .txt file.

Successfully recovered!

The end

There are still so many types of this technique, but I'm too afraid of sleeping in jail. Thank you!