
Evaluating Challenges and Impacts of Anti-Forensics

By Steve Stawski, eDiscovery Program Architect, Digital Forensic & IR Analyst, Enterprise Security Practitioner, Sony Electronics


Anti-Forensic tools and methods challenge and disrupt a Forensic Examiner’s defensible conclusions and observations. The “realm” of Anti-Forensics (AF) ranges from wiping and encryption tools through apps that eliminate evidentiary artifacts. Almost no device is immune from AF, including the Cloud. Conclusions, and even testimony, based on tainted digital evidence are a huge risk.

We might start by expanding the realm of what we define as AF. Let’s include apps that by design are not AF but could be utilized for AF activities. Hackers are using AF as part of their toolset, but let us go a step further and include the insider threat. A corporate investigation of compromised systems or IP theft, a breach of security controls, law enforcement digital investigations, critical government counter-intelligence investigations: all of these examples have one thing in common. They all rely on the integrity and completeness of digital artifacts. It is this integrity that can be unknowingly compromised by AF.

Best practices call for users to complete an annual Security Awareness Program. Users are trained to implement strong passwords and to change them frequently. Strong and complex passwords can be an AF tool. During an investigation, circumventing password-protected files, containers, and devices can be straightforward or insurmountable. A corporate user turned bad actor could impact access to files and devices through strong passwords. As an exercise, think of all the standard security controls that users have at their disposal (Encryption, Archiving, Biometrics, 2FA, Data Sanitization, Cloud Storage) and how they can be leveraged for AF. Think about how you would distinguish malicious or accidental AF activities from legitimate use of these controls.

"Locating Anti-Forensic activity may be the most important finding of a forensic investigation"

Phones and cell-service-enabled tablets can be remotely wiped. A determination would have to be made as to whether this was malicious. Hackers have the technical background and expertise to leverage all of these methods. However, many of the methods don’t require a lot of technical expertise and are readily available to anyone. Missing laptop or cell phone credentials can lead to actions resulting in spoliation. For example, rebooting systems or interacting with active devices will alter digital artifacts. The insider threat combined with AF tools can have devastating results on an investigation. We might call this User Security Control Hijacking.

Further examples are AV, DLP, EP agents, HIPS, HIDS, GPO, and firewalls. These are necessary security controls. Used together they form concentric layers of security on personal devices, IoT, Cloud, and small-to-large enterprise environments. However, they have the unintentional effect of creating major challenges to the preservation of digital evidence. These controls may need to be defused (disabled or even removed) during acquisition. If not, they can prevent defensible acquisition of ephemeral (volatile) artifacts and data-at-rest. Consider that even defusing security controls can lead to unintended AF consequences.

How can we address the impact of AF? The answer to this question may lie in Digital Forensic best practices: education, tool mastery, defensible and repeatable methodologies, consistent testing, and at times perseverance. Anti-Forensics is considered by some to be a myth. Consider that the simplest security control, i.e. a ten-digit code on a phone versus four digits, can make evidence inaccessible. Locating Anti-Forensic activity may be the most important finding of a forensic investigation.

The opinions in this editorial are my own and do not reflect those of Sony Electronics.
