12 Jul 07

Antiforensics

There is an interesting article by Scott Berinato at CSOonline about the widespread use of “antiforensics” tools, and how they are changing the information security landscape in general, and the forensics practice in particular.

This is antiforensics. It is more than technology. It is an approach to criminal hacking that can be summed up like this: Make it hard for them to find you and impossible for them to prove they found you.

The concept is neither new nor foolproof, but in the past 12 months, forensic investigators have noticed a significant uptick in the use of antiforensics. This is not because hackers are making more sophisticated antiforensic tools, though some are. Rather, it’s because antiforensic tools have slid down the technical food chain, from Unix to Windows, from something only elite users could master to something nontechnical users can operate. What’s more, this transition is taking place right when (or perhaps because of) a growing number of criminals, technically unsophisticated, want in on all the cash moving around online and they need antiforensics to protect their illicit enterprises. “Five years ago, you could count on one hand the number of people who could do a lot of these things,” says the investigator. “Now it’s hobby level.”

The article describes some of the tools currently in use, such as Timestomp, Slacker and Sam Juicer, and how the “arms race” has moved from the disk to memory.

It would seem that the forensics practice is currently sitting at the bottom of a “trough of disillusionment”.

Some months ago I prepared a presentation about “Forensics in the Corporation” (sorry, only in Spanish!) which should have been really called “Why everything you learned at forensics training won’t be really useful in the real world”. And I didn’t include anything about antiforensics, just focusing on the technical, political and organizational challenges that big corporations pose to the forensics investigator.

The forensics practice is much too focused on the PC world. That is, you normally have physical access to the “suspect” machine, you can power it off or unplug it from the network, hard drive sizes are reasonable, and certain assumptions always hold. That is fine. This kind of forensics work… works! But mostly in the workstation/laptop world.

What about servers? Virtualization, huge storage capacities (SAN, NAS, RAID arrays, etc.), distributed systems (as in “distributed all over the world”), business-critical systems that cannot be unplugged or turned off (come on, on how many LOB servers could you do such things?).

I’m sure the forensics practice will evolve in the following years. I’m sure it’ll be damn interesting to see.

