Evaluating Challenges and Impacts of Anti-Forensics
By Steve Stawski - Director of eDiscovery and Forensics for a large Global Company
Anti-Forensic tools and methods challenge and disrupt a Forensic Examiner's defensible conclusions and observations. The realm of Anti-Forensics (AF) ranges from wiping and encryption tools to apps that eliminate evidentiary artifacts. Almost no device is immune from AF, including the Cloud. Conclusions, and even testimony, based on tainted digital evidence are a huge risk.
We might start by expanding the realm of what we define as AF to include apps that are not AF by design but could be used for AF activities. Hackers use AF as part of their toolset, but let us go a step further and include the insider threat. A corporate investigation of compromised systems or IP theft, a breach of security controls, a law enforcement digital investigation, a critical government counter-intelligence investigation: all of these examples have one thing in common. They rely on the integrity and completeness of digital artifacts, and it is this integrity that AF can compromise without anyone noticing.
Best practices call for users to complete an annual Security Awareness Program, in which they are trained to use strong passwords and to change them frequently. Strong, complex passwords can themselves be an AF tool. During an investigation, circumventing password-protected files, containers, and devices can be straightforward or insurmountable; a corporate user turned bad actor can block access to files and devices simply by choosing strong passwords. As an exercise, think of all the standard security controls that users have at their disposal (encryption, archiving, biometrics, 2FA, data sanitization, cloud storage) and how each can be leveraged for AF. Then think about how you would distinguish malicious or accidental AF use of these controls from legitimate use.
"Locating Anti- Forensic activity may be the most important finding of a forensic investigation"
Phones and cellular-enabled tablets can be remotely wiped, and the examiner must then determine whether the wipe was malicious. Hackers have the technical background and expertise to leverage all of these methods, but many of the methods require little technical expertise and are readily available to anyone. Missing laptop or phone credentials can lead to actions that result in spoliation: rebooting a system or interacting with an active device alters digital artifacts. The insider threat combined with AF tools can have devastating results for an investigation. We might call this User Security Control Hijacking.
Further examples are AV, DLP, endpoint protection (EP) agents, HIPS, HIDS, GPO, and firewalls. These are necessary security controls; used together they form concentric layers of security on personal devices, IoT, the Cloud, and small-to-large enterprise environments. However, they have the unintentional effect of creating major challenges to the preservation of digital evidence. These controls may need to be defused (disabled or even removed) during acquisition; if not, they can prevent defensible acquisition of volatile (in-memory) artifacts and data at rest. Consider, too, that defusing security controls can itself have unintended AF consequences, so each change and its timing should be recorded as part of the acquisition notes.
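As an added example that is not part of the original article, the Python script below shows one way to approach the exercise set out above: triaging endpoint log lines for signs that a user has hijacked security controls (real-time protection disabled, wiping tools run, audit log cleared) while not flagging a maintenance account that restarts the same service inside its change window. The normalised log layout, the indicator weights, the maintenance allow-list and the review threshold are assumptions for illustration, and the log lines themselves are constructed; only the Windows event IDs used (1102 audit log cleared, 7036 service state change, 4688 process creation, Defender Operational 5001 real-time protection disabled) are real.

```python
"""Triage constructed endpoint log lines for anti-forensic (AF) indicators.

Added example, not from the original article. The log lines are constructed;
the field layout (timestamp host user event_id message) is an assumed
normalised format rather than any product's native one.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: legitimate maintenance (svc_patch, 02:05 UTC) next to a
# user disabling protection, wiping, and clearing the audit log (jdoe).
SAMPLE_LOG = """\
2024-03-04T02:05:11Z ws-17 svc_patch 7036 The Windows Defender service entered the stopped state.
2024-03-04T02:05:40Z ws-17 svc_patch 7036 The Windows Defender service entered the running state.
2024-03-04T14:12:03Z ws-17 jdoe 5001 Real-time protection is disabled.
2024-03-04T14:13:27Z ws-17 jdoe 4688 A new process has been created. New Process Name: C:\\Tools\\sdelete64.exe
2024-03-04T14:15:02Z ws-17 jdoe 4688 A new process has been created. New Process Name: C:\\Windows\\System32\\cipher.exe /w:C:\\Users\\jdoe
2024-03-04T14:16:44Z ws-17 jdoe 1102 The audit log was cleared.
2024-03-04T09:30:00Z ws-22 asmith 4688 A new process has been created. New Process Name: C:\\Windows\\System32\\notepad.exe
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<user>\S+)\s+(?P<event_id>\d+)\s+(?P<msg>.*)$"
)

# Indicator table; weights are assumed values chosen for this example.
EVENT_INDICATORS = {
    1102: ("audit log cleared", 5),
    5001: ("real-time protection disabled", 3),
    7036: ("security service stopped", 1),
}
WIPER_PATTERNS = [
    (re.compile(r"sdelete", re.I), "secure-delete tool executed", 4),
    (re.compile(r"cipher\.exe\s+/w", re.I), "cipher /w free-space wipe", 4),
]
SECURITY_SERVICES = ("Defender", "Endpoint", "Sensor", "Firewall")

# Assumed allow-list: maintenance accounts and their change window (UTC hours).
MAINTENANCE_ACCOUNTS = {"svc_patch": (1, 4)}
REVIEW_THRESHOLD = 6


def parse_line(line):
    """Parse one normalised log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["event_id"] = int(rec["event_id"])
    return rec


def in_maintenance_window(rec):
    """True if the account is allow-listed and the event falls in its window."""
    window = MAINTENANCE_ACCOUNTS.get(rec["user"])
    return window is not None and window[0] <= rec["ts"].hour < window[1]


def indicators_for(rec):
    """Return the (label, weight) indicators raised by a single record."""
    found = []
    eid, msg = rec["event_id"], rec["msg"]
    if eid == 7036:
        # A service state change only matters if a security service stopped.
        if "stopped state" in msg and any(s in msg for s in SECURITY_SERVICES):
            found.append(EVENT_INDICATORS[7036])
    elif eid in EVENT_INDICATORS:
        found.append(EVENT_INDICATORS[eid])
    if eid == 4688:
        for pat, label, weight in WIPER_PATTERNS:
            if pat.search(msg):
                found.append((label, weight))
    return found


def triage(log_text):
    """Score AF indicators per (host, user); suppress allow-listed maintenance."""
    scores = defaultdict(int)
    findings = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["host"], rec["user"])
        for label, weight in indicators_for(rec):
            if in_maintenance_window(rec):
                findings[key].append(f"{rec['ts']:%H:%M:%S} {label} (suppressed: maintenance window)")
                continue
            scores[key] += weight
            findings[key].append(f"{rec['ts']:%H:%M:%S} {label} (+{weight})")
    return {
        key: {"score": scores[key],
              "review": scores[key] >= REVIEW_THRESHOLD,
              "findings": findings[key]}
        for key in findings
    }


if __name__ == "__main__":
    for (host, user), result in triage(SAMPLE_LOG).items():
        flag = "REVIEW" if result["review"] else "ok"
        print(f"{host} {user}: score={result['score']} [{flag}]")
        for f in result["findings"]:
            print("   ", f)
```

The suppression rule is deliberately narrow: it drops the weight of an indicator only when the account is on the allow-list and the event falls inside the window, and it still records the finding so the examiner can see what was suppressed and why. That keeps the distinction between legitimate and hijacked use of a control visible in the output rather than silently discarded.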
How can we address the impact of AF? The answer may lie in digital forensic best practices: education, tool mastery, defensible and repeatable methodologies, consistent testing, and at times perseverance. Anti-Forensics is considered by some to be a myth. Consider that the simplest security control, a ten-digit passcode on a phone instead of a four-digit one, can make evidence inaccessible. Locating Anti-Forensic activity may be the most important finding of a forensic investigation.
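To put numbers on the passcode point, here is an added Python example (not from the article) that compares the brute-force budget for four-, six- and ten-digit passcodes and an eight-character alphanumeric one. The 80 ms per-attempt cost, the constant lockout penalty and the policy list are assumptions chosen for illustration; measure the real values for the device under examination.

```python
"""Brute-force budget for a device passcode under a given policy.

Added example, not from the article. The per-attempt cost (80 ms, standing in
for a hardware-bound key derivation) and the constant lockout penalty are
assumed values for illustration; replace them with measured figures.
"""

DIGITS = 10      # numeric passcode alphabet
ALPHANUM = 62    # [A-Za-z0-9]

SECONDS_PER_YEAR = 365.25 * 86_400


def keyspace(length, alphabet=DIGITS):
    """Number of distinct passcodes of the given length."""
    return alphabet ** length


def guess_time(length, alphabet=DIGITS, seconds_per_attempt=0.08,
               lockout=0.0, lockout_after=5):
    """Return (average, worst_case) seconds to guess a passcode.

    seconds_per_attempt is the fixed cost of one unlock attempt.
    lockout is an extra delay, in seconds, charged on every attempt after the
    first `lockout_after` failures (a crude constant-penalty model; real
    devices usually escalate the delay or wipe the device instead).
    """
    n = keyspace(length, alphabet)
    worst_attempts = n
    avg_attempts = (n + 1) / 2          # expected attempts, uniform passcode
    worst = worst_attempts * seconds_per_attempt
    avg = avg_attempts * seconds_per_attempt
    if lockout:
        worst += max(0, worst_attempts - lockout_after) * lockout
        avg += max(0, avg_attempts - lockout_after) * lockout
    return avg, worst


def human(seconds):
    """Format a duration in the largest sensible unit."""
    if seconds < 60:
        return f"{seconds:.1f} s"
    if seconds < 3600:
        return f"{seconds / 60:.1f} min"
    if seconds < 86_400:
        return f"{seconds / 3600:.1f} h"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86_400:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:.1f} years"


def compare(policies):
    """Build rows of (label, keyspace, average_s, worst_s) for each policy.

    Each policy is a dict of keyword arguments for guess_time plus a 'label'.
    """
    rows = []
    for pol in policies:
        pol = dict(pol)
        label = pol.pop("label")
        avg, worst = guess_time(**pol)
        rows.append((label, keyspace(pol["length"], pol.get("alphabet", DIGITS)), avg, worst))
    return rows


# Assumed policies to compare; the lockout figure is illustrative only.
POLICIES = [
    {"label": "4-digit PIN", "length": 4},
    {"label": "4-digit PIN, 60 s lockout after 5 failures", "length": 4, "lockout": 60.0},
    {"label": "6-digit PIN", "length": 6},
    {"label": "10-digit PIN", "length": 10},
    {"label": "8-char alphanumeric", "length": 8, "alphabet": ALPHANUM},
]

if __name__ == "__main__":
    for label, n, avg, worst in compare(POLICIES):
        print(f"{label:<45} keyspace {n:>20,d}  avg {human(avg):>12}  worst {human(worst):>12}")
```

Under the assumed 80 ms per attempt, a four-digit PIN falls in minutes while a ten-digit one takes decades, which is the whole of the article's point: the control that makes a device unreadable to an examiner is the same one users are told to enable. The lockout row shows why the per-attempt cost alone understates the problem on a real device.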