By Kelly Jackson Higgins
MARCH 19, 2007
A breadth of anti-forensics tools -- most of them free -- is making it
easier for the bad guys to cover their tracks in malware and data theft
"The bottom line is most criminals are not the brightest bolts in the
box and they tend to make mistakes, which forensics has been able to use
to its advantage," says Paul Henry, vice president of technology
evangelism for Secure Computing. Henry will discuss the increasingly
popular anti-forensics tools at a session at InfoSec World in Orlando
this week. "But a smarter individual can [today] easily find tools to
cover his tracks."
Many of these tools help attackers mask or alter timestamps, which
forensics investigators traditionally have used to track down and
implicate attackers. "The problem today, in a nutshell, is these freely
downloadable tools on the Net make it nearly impossible to use file
timestamps as a true evidentiary trail," he says. "There are a few tools
that let you change MAC times [timestamps] after the fact... Today you
can alter MAC times so that it shows you could not have possibly been
the one that perpetrated the crime."
The main types of anti-forensics tools include encryption, disk-wiping,
steganography, packing, and binder techniques, Henry says, as well as
bypassing known signatures, virtualization, and hiding in memory/RAM.
If an attacker encrypts his malware or evidence of an attack, "all bets
are off," Henry says. TrueCrypt, for instance, can randomize data in an
encrypted partition so you can't even prove that it's encrypted. It
basically creates a hidden encrypted volume of data within another
encrypted volume. That way, the key data is undetectable, he says.
Disk-wiping is gaining in popularity among the black hat set, and fast,
Henry says. CyberScrub is one such tool; Wipe&Clean is another.
Packing programs, which change the signature of an executable file so
that an antivirus scanner cannot detect it, are enjoying a
resurgence -- within trojans and worms, Henry says. "Packers keep
changing themselves so signatures don't recognize them," he says. "They
are getting quite good" and difficult to detect.
Binders roll two or more executables into one executable file so the
attacker can attach a keylogger or trojan with it as well, he says.
And virtualization technology is making forensics investigation even
more difficult. Tools like MojoPac make your USB fob or your iPod
basically become a PC around your neck, and running them leaves no
timestamp trace on the host system, Henry says. "All you get on the host
is a registry entry that the new USB device was inserted, or when you
configure it to auto-start on insertion." But it doesn't show any trace
of malicious activity that may have occurred while running Mojo, he says.
"The BartPE tool creates a bootable environment off a CD-ROM, and then
it never touches the hard drive... It's only resident in RAM," he says.
That's bad news for forensics investigators. Still, if organizations
deploy application-layer security, such as application proxies rather
than just packet-filtering firewalls, they can capture some attack
evidence that can help track attacks and attackers, he says. You need
application-layer firewalls (which Secure Computing sells) that enable
logging so you can capture more than the IP address and port number, he
says. "Then you can get evidence of a break-in in firewall
logs, even if the perpetrator wiped off the PC he compromised."
And all is not lost for the forensics field yet, he says. But whole-disk
encryption, such as that of Windows Vista, won't help. "Encryption has
always been the bane of forensics."