[ISN] Tools Fight Forensics

From: InfoSec News (alerts@private)
Date: Tue Mar 20 2007 - 21:24:14 PST


By Kelly Jackson Higgins
Senior Editor
Dark Reading
MARCH 19, 2007 

A breadth of anti-forensics tools -- most of them free -- is making it 
easier for the bad guys to cover their tracks in malware and data theft 

"The bottom line is most criminals are not the brightest bolts in the 
box and they tend to make mistakes, which forensics has been able to use 
to its advantage," says Paul Henry, vice president of technology 
evangelism for Secure Computing. Henry will discuss the increasingly 
popular anti-forensics tools at a session at InfoSec World in Orlando 
this week. "But a smarter individual can [today] easily find tools to 
cover his tracks."

Many of these tools help attackers mask or alter timestamps, which 
forensics investigators traditionally have used to track down and 
implicate attackers. "The problem today, in a nutshell, is these freely 
downloadable tools on the Net make it nearly impossible to use file 
timestamps as a true evidentiary trail," he says. "There are a few tools 
that let you change MAC times [timestamps] after the fact... Today you 
can alter MAC times so that it shows you could not have possibly been 
the one that perpetrated the crime."

The main types of anti-forensics tools include encryption, disk-wiping, 
steganography, packing, and binder techniques, Henry says, as well as 
bypassing known signatures, virtualization, and hiding in memory/RAM.

If an attacker encrypts his malware or evidence of an attack, "all bets 
are off," Henry says. TrueCrypt, for instance, can randomize data in an 
encrypted partition so you can't even prove that it's encrypted. It 
basically creates a hidden encrypted volume of data within another 
encrypted volume. That way, the key data is undetectable, he says.

Disk-wiping is gaining in popularity among the black hat set, and fast, 
Henry says. CyberScrub is one such tool, another is Wipe&Clean.

Packing programs, which let you change the signature of an execute file 
and cannot be detected by an antivirus scanner, are enjoying a 
resurgence -- within trojans and worms, Henry says. "Packers keep 
changing themselves so signatures don't recognize them," he says. "They 
are getting quite good" and difficult to detect.

Binders roll two or more executables into one executable file so the 
attacker can attach a keylogger or trojan with it as well, he says.

And virtualization technology is making forensics investigation even 
more difficult. Tools like MojoPac make your USB fob or your iPod 
basically become a PC around your neck, and running them leaves no 
timestamp trace on the host system, Henry says. "All you get on the host 
is a registry entry that the new USB device was inserted, or when you 
configure it to auto-start on insertion." But it doesn't show any trace 
of malicious activity that may have occurred while running Mojo, he 

"The BartPE tool creates a bootable environment off a CD-ROM, and then 
it never touches the hard drive... It's only resident in RAM," he says.

That's bad news for forensics investigators. Still, if organizations 
deploy application-layer security, such as application proxies rather 
than just packet-filtering firewalls, they can capture some attack 
evidence that can help track attacks and attackers, he says. You need 
application-layer firewalls (which Secure Computing sells) that enable 
logging so you can capture more than the IP address and port number 
security, he says. "Then you can get evidence of a break-in in firewall 
logs, even if the perpetrator wiped off the PC he compromised."

And all is not lost for the forensics field yet, he says. But whole-disk 
encryption, such as that of Windows Vista, won't help. "Encryption has 
always been the bane of forensics."

Visit the InfoSec News Security Bookstore

This archive was generated by hypermail 2.1.3 : Tue Mar 20 2007 - 21:28:56 PST