Antiforensics: When Tools Enable the Masses

By Sonny Discini
June 26, 2007


Once again, the bad guys are lining their arsenals with new tools to use against you. Computer forensics is an emerging field of study and anti-forensics is certainly developing right alongside.

Some say anti-forensics is developing faster. Why? Because what was once only possible for the elite has now washed downstream in the form of automated tools. More or less, anyone can throw trashcans in the path of forensic investigators now that the tools are there to make it all possible.

Make it hard for them to find you and impossible for them to prove they found you.

Scott Berinato of CIO.com sums up the situation thusly:

"The concept is neither new nor foolproof, but in the past 12 months, forensic investigators have noticed a significant uptick in the use of antiforensics. This is not because hackers are making more sophisticated antiforensic tools, though some are. Rather, it’s because antiforensic tools have slid down the technical food chain, from Unix to Windows, from something only elite users could master to something non-technical users can operate. What’s more, this transition is taking place right when (or perhaps because of) a growing number of criminals, technically unsophisticated, want in on all the cash moving around online and they need antiforensics to protect their illicit enterprises."

One of the most well-known exploit toolkits on the net is the Metasploit project. While it’s most notorious for penetration testing, it also moved into the area of anti-forensics back around 2005. Those who run the project have made these tools and papers available for awareness and research, but like anything else, the bad guys have leveraged the tools to their advantage.

Nowadays, criminals aren’t even bothering to hide the actual exploits because they know that they can make it nearly impossible to track them down. They have a host of tools available to them now that continue to work even though forensic tool vendors understand how these tools work.

Some of the Metasploit tools you’ll find in use by cybercriminals are Slacker, Transmogrify and Timestomp.

Slacker is named after the slack space at the end of files. This tool takes data and breaks it up into thousands of pieces and spreads it across file slack space. To the unsuspecting forensic investigator, the scattered pieces will appear as nothing more than white noise rather than a database containing millions of credit card numbers.

Transmogrify is most notorious for being the first tool ever to defeat the file signature capabilities of EnCase. The tool allows you to mask and unmask files as any type.

Timestomp simply changes attributes relating to file date stamps, which can disrupt the forensic timeline the investigator is attempting to establish.

One of the emerging areas of interest is diskless data storage: data stored in and executed directly from memory. There are many places where this technique can find resources these days; memory is plentiful in video cards and similar devices. Also, once the host is rebooted, the exploit and all traces of it go with it. Not a bad way to flush the evidence.

But why do tools like these and others work so well? The truthful answer is that a number of practicing computer forensic experts are not very skilled. In fact, many rely heavily on automated forensic tools that leave much to be desired.

For instance, Transmogrify only works because EnCase was particularly weak at matching file signatures. EnCase based the signature (for performance reasons, I assume) on the first few bytes of a file. Clearly, it would be much better to develop file parsers that validate each file using a more rigorous rule set.
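The weakness just described, a signature check that looks only at the first few bytes, next to the parser-based alternative the author calls for, as an added example that is not part of the original article and is not code from EnCase or the Metasploit project. It handles only PNG and ZIP, builds its sample files in code (so the "masked" and corrupted inputs are constructed here, not taken from any real tool), and uses only the Python standard library.

```python
"""Structure-aware file type validation versus header-only signature matching.

Added example, not from the article, EnCase or Metasploit. A header-only check
accepts any file whose leading bytes are right; a parser that walks the file's
real structure (chunk lengths, CRCs, central directory) does not.
"""
import io
import struct
import zipfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def magic_only_type(data: bytes):
    """Header-only detection: the weak approach the article describes.
    Anything that begins with the right bytes is reported as that type."""
    if data.startswith(PNG_SIG):
        return "png"
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    return None


def validate_png(data: bytes) -> bool:
    """Walk every PNG chunk: 4-byte big-endian length, 4-byte type, payload,
    CRC32 over type+payload. The first chunk must be a 13-byte IHDR, the file
    must end with IEND, and every CRC must match."""
    if not data.startswith(PNG_SIG):
        return False
    pos = len(PNG_SIG)
    first = True
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length            # end of this chunk's payload
        if end + 4 > len(data):           # length field points past EOF
            return False
        payload = data[pos + 8:end]
        (crc,) = struct.unpack(">I", data[end:end + 4])
        if zlib.crc32(ctype + payload) != crc:
            return False
        if first:
            if ctype != b"IHDR" or length != 13:
                return False
            first = False
        if ctype == b"IEND":
            return end + 4 == len(data)   # IEND must be the final chunk
        pos = end + 4
    return False                           # ran out of data before IEND


def validate_zip(data: bytes) -> bool:
    """Parse the central directory and read every member, checking each
    member's CRC32 against the value recorded in the archive."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.testzip() is None   # testzip() returns the first bad member's name
    except zipfile.BadZipFile:
        return False


VALIDATORS = {"png": validate_png, "zip": validate_zip}


def inspect(data: bytes):
    """Return (header_type, structure_ok). A header type paired with
    structure_ok == False is a file whose leading bytes disagree with its contents."""
    header = magic_only_type(data)
    if header is None:
        return (None, False)
    return (header, VALIDATORS[header](data))


# --- constructed sample inputs (built here, not captured from any tool) ----
def _png_chunk(ctype: bytes, payload: bytes) -> bytes:
    return (struct.pack(">I", len(payload)) + ctype + payload
            + struct.pack(">I", zlib.crc32(ctype + payload)))


def build_sample_png() -> bytes:
    """A well-formed 1x1 greyscale PNG."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")   # filter byte + one pixel
    return (PNG_SIG + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b""))


def build_sample_zip() -> bytes:
    """A one-member archive with a stored (uncompressed) text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("a.txt", "hello")
    return buf.getvalue()


def corrupt_zip_member(data: bytes) -> bytes:
    """Flip one byte inside the stored member so its CRC no longer matches;
    the header bytes are untouched, so a magic-only check still says 'zip'."""
    out = bytearray(data)
    i = out.index(b"hello")
    out[i] ^= 0xFF
    return bytes(out)


if __name__ == "__main__":
    masked = PNG_SIG + b"this is not an image at all"   # right header, wrong body
    samples = [("good png", build_sample_png()), ("masked png", masked),
               ("good zip", build_sample_zip()),
               ("corrupt zip", corrupt_zip_member(build_sample_zip())),
               ("text", b"just text")]
    for name, blob in samples:
        header, ok = inspect(blob)
        print(f"{name:12s} header={header} structure_ok={ok}")
```

The two verdicts are returned side by side on purpose: a mismatch between `header_type` and `structure_ok` is exactly the case the article describes, a file whose leading bytes claim one type while the rest of it is something else, and it is the condition a triage tool should flag for a human rather than silently accept.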

The folks at the Metasploit project maintain that their position is based on the lack of pressure put on the forensics community in regards to innovation. More or less, they are airing the dirty laundry for all to see and abuse. More specifically, they feel that improvements can be made both to the forensic tools used and to the skill sets of forensic experts.

Now, to be fair, when the tools and skills of forensic experts excel, the anti-forensic community will always have an alternate approach ready to counter. The endless cat and mouse game will never go away.

The important takeaway here is that if you let the scales fall far out of balance, you’re going to find that research groups are going to call you on it. Worse, the cost of this lesson could be far more than embarrassment or loss of sales.

In some cases you may find yourself personally liable for losses attributed to breaches. A very nice example of this is the Kohls data breach. Investigators discovered that the theft was going on for a very long time before anyone realized it. The cost to the company is immeasurable.

Another point worth mentioning is that forensic tool vendors and forensic investigators are at a heavy financial disadvantage in this game. If an antiforensic tool takes two weeks to write and the criminal is able to steal a hundred thousand dollars, then there is a large payoff. Take that same amount of time and apply it to the consulting fees incurred for a forensics investigation, and quickly we see the law of diminishing returns at work.

Criminals, keenly aware of this, will write antiforensic tools that are good enough to make it economically unfeasible to pursue.
