By Scott Berinato
May 31, 2007
Forensic investigations start at the end. Think of it: You wouldnt start
using science and technology to establish facts (thats the dictionary
definition of forensics) unless you had some reason to establish facts
in the first place. But by that time, the crime has already happened. So
while requisite, forensics is ultimately unrewarding.
A clear illustration of this fact comes from the field investigations
manager for a major credit services company. Sometime last year, he
noticed a clutch of fraudulent purchases on cards that all traced back
to the same aquarium. He learned quite a bit through forensics. He
learned, for example, that an aquarium employee had downloaded an audio
file while eating a sandwich on her lunch break. He learned that when
she played the song, a rootkit hidden inside the song installed itself
on her computer. That rootkit allowed the hacker whod planted it to
establish a secure tunnel so he could work undetected and get
root?administrators access to the aquarium network.
Sounds like a successful investigation. But the investigator was
underwhelmed by the results. Why? Because he hadnt caught the
perpetrator and he knew he never would. Whats worse, that lunch break
with the sandwich and the song download had occurred some time before he
got there. In fact, the hacker had captured every card transaction at
the aquarium for two years.
The investigator (who could only speak anonymously) wonders aloud what
other networks are right now being controlled by criminal enterprises
whose presence is entirely concealed. Computer crime has shifted from a
game of disruption to one of access. The hackers focus has shifted too,
from developing destructive payloads to circumventing detection. Now,
for every tool forensic investigators have come to rely on to discover
and prosecute electronic crimes, criminals have a corresponding tool to
baffle the investigation.
This is antiforensics. It is more than technology. It is an approach to
criminal hacking that can be summed up like this: Make it hard for them
to find you and impossible for them to prove they found you.
The concept is neither new nor foolproof, but in the past 12 months,
forensic investigators have noticed a significant uptick in the use of
antiforensics. This is not because hackers are making more sophisticated
antiforensic tools, though some are. Rather, its because antiforensic
tools have slid down the technical food chain, from Unix to Windows,
from something only elite users could master to something nontechnical
users can operate. Whats more, this transition is taking place right
when (or perhaps because of) a growing number of criminals, technically
unsophisticated, want in on all the cash moving around online and they
need antiforensics to protect their illicit enterprises. Five years ago,
you could count on one hand the number of people who could do a lot of
these things, says the investigator. Now its hobby level.
Researcher Bryan Sartin of Cybertrust says antiforensic tools have
gotten so easy to use that recently hes noticed the hacks themselves are
barely disguised. I can pick up a network diagram and see where the
breach occurred in a second, says Sartin. Thats the boring part of my
job now. Theyll use FTP and they dont care if it logs the transfer,
because they know I have no idea who they are or how they got there.
Veteran forensic investigator Paul Henry, who works for a vendor called
Secure Computing, says, Weve got ourselves in a bit of a fix. From a
purely forensic standpoint, its real ugly out there. Vincent Liu,
partner at Stach & Liu, has developed antiforensic tools. But he stopped
because the evidence exists that we cant rely on forensic tools anymore.
It was no longer necessary to drive the point home. There was no point
rubbing salt in the wound, he says.
The investigator in the aquarium case says, Antiforensics are part of my
everyday life now. As this article is being written, details of the TJX
breachcalled the biggest data heist in history, with more than 45
million credit card records compromisedstrongly suggest that the
criminals used antiforensics to maintain undetected access to the
systems for months or years and capture data in real time. In fact, the
TJX case, from the sparse details made public, sounds remarkably like
the aquarium case on a massive scale. Several experts said it would be
surprising if antiforensics werent used. Who knows how many databases
containing how many millions of identities are out there being
compromised? asks the investigator. That is the unspoken nightmare.
Attend Black Hat USA, July 28-August 2 in Las Vegas,
the world's premier technical event for ICT security
experts. Featuring 30 hands-on training courses and
90 Briefings presentations with lots of new content
and new tools. Network with 4,000 delegates from
70 nations. Visit product displays by 30 top
sponsors in a relaxed setting. Rates increase on
June 1 so register today. http://www.blackhat.com