Metasploit Anti-Forensics Project
News
03/27/2007 - Metasploit 3.0 has been released and includes full support for Timestomp and SAM Juicer through the "priv" extension to the Meterpreter payload.
12/7/2005 - Release of SAM Juicer. You can either download it and manually install it or run msfupdate (the easier option).
10/2/2005 - Updated site with the latest versions of Timestomp and Slacker. Please play around with it and let me know if you all have any suggestions or comments. Also working with HD to get SAM Juicer finalized and integrated into Metasploit Framework 2.5.
8/17/2005 - I previously uploaded the wrong version of slacker.exe, so I uploaded the correct (functional) copy. Thanks to g4m3cub3 for pointing this out. This version also supports random XOR obfuscation of the data being hidden in slack space.
8/14/2005 - Updated Timestomp with the recursive blanking option, so now you can blank entire drives at once. It doesn't work on directories, but that's not the point ;-) Also discovered that the low time values will cause Windows Explorer to get confused as well.
Conferences
May 3-6, 2006 - Presented "Defeating Forensic Analysis" at the Computer and Enterprise Investigations Conference 2006
April 3-5, 2006 - Presented "Bleeding-Edge Anti-Forensics" at InfoSecWorld 2006
October 13-14, 2005 - Presented "The Metasploit Anti-Forensics Project v2" at Microsoft BlueHat
September 16-18, 2005 - Presented "The Metasploit Anti-Forensics Project" at Toorcon 7
July 27-28, 2005 - Presented "Catch Me If You Can" at BlackHat 2005
Metasploit Anti-Forensic Investigation Arsenal (MAFIA)
Timestomp - First-ever tool that allows you to modify all four NTFS timestamp values: modified, accessed, created, and entry modified.
Slacker - First-ever tool that allows you to hide files within the slack space of the NTFS file system.
SAM Juicer - A Meterpreter module that dumps the hashes from the SAM, but does it without ever hitting disk.
Contact
Questions, comments, suggestions? E-mail msfdev[at]metasploit.com.
