How the Leopard Hides his Spots: OS X Anti-Forensic Techniques presented at HackLu 2008

by The Grugq,

Summary: Anti-Forensics is the new buzzword within forensic circles. Despite significant interest, no significant new information on anti-forensic tools, techniques or methodologies has emerged from the infosec community on this critical topic.
For the first time since 2004, the grugq will be presenting a paper on anti-forensics, revealing new techniques for effective data hiding.
This talk will retrace the core anti-forensic techniques and methodologies, and show how they can be applied to defeat forensic analysis of OS X systems. More importantly, this talk will examine how an anti-forensic attacker can move beyond the file system and where anti-forensic data hiding attacks will move in the future.
This talk will include attacks against the OS X file system (HFS+), as well as attacks beyond the file system. There will be 0-day OS X bugs as well as previously unreleased attacks against Microsoft file systems.
If you are a hacker, you'll discover a new world of data storage, and if you're a forensic investigator... be prepared to never discover anything again.
The Grugq has been professionally involved in information security since 1999. He pioneered the field of anti-forensics by publishing an article and source code in Phrack magazine [1]. He has also worked on reverse engineering and defeating Host Intrusion Prevention Systems [2], [3].
Since 2003 the grugq has presented at numerous conferences worldwide, including Blackhat, Hack in the Box, and dozens of others. His topics have been anti-forensics, VoIP security and, most recently, a tool called HaSH, which helps automate interaction with the command line for penetration testing. In the coming months he is scheduled to talk on Anti-Forensics on OSX at Hack in the Box and PoC, and he is preparing a paper on mobile financial systems security for BCS in Jakarta.
Over the last decade, the grugq has focused his infosec research on the following topics:
Anti Forensics
Voice over IP
Reverse Engineering
Penetration Testing