
Evaluating Challenges and Impacts of Anti-Forensics

Steve Stawski, Director of Electronic Discovery and Forensics, Sony Electronics


Anti-Forensic tools and methods challenge and disrupt a Forensic Examiner's defensible conclusions and observations. The "realm" of Anti-Forensics (AF) ranges from wiping and encryption tools through apps that eliminate evidentiary artifacts. Almost no device is immune from AF, including the Cloud. Conclusions and even testimony based on tainted digital evidence are a huge risk.

We might start by expanding the realm of what we define as AF. Let's include apps that by design are not AF but could be utilized for AF activities. Hackers are using AF as part of their toolset, but let us go a step further and include the insider threat. A corporate investigation of compromised systems or IP theft, a breach of security controls, law enforcement digital investigations, critical government counter-intelligence investigations: all of these examples have one thing in common. They all rely on the integrity and completeness of digital artifacts. It is this integrity that can be unknowingly compromised by AF.

Best practices call for users to complete an annual Security Awareness Program. Users are trained to implement strong passwords and to change them frequently. Strong and complex passwords can be an AF tool. During an investigation, circumventing password-protected files, containers, and devices can be straightforward or insurmountable. A corporate user turned bad actor could impact access to files and devices through strong passwords. As an exercise, think of all the standard security controls that users have at their disposal (encryption, archiving, biometrics, 2FA, data sanitization, Cloud storage) and how they can be leveraged for AF. Think about how you would distinguish malicious or accidental AF activities from legitimate use of these controls.

Phones and cell-service-enabled tablets can be remotely wiped. A determination would have to be made whether this was malicious. Hackers have the technical backgrounds and expertise to leverage all of these methods. However, many of the methods don't require a lot of technical expertise and are readily available to anyone. Missing laptop or cell phone credentials can lead to actions resulting in spoliation. For example, rebooting systems or interacting with active devices will impact digital artifacts. The insider threat combined with AF tools can have devastating results on an investigation. We might call this User Security Control Hijacking.
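The determination the author describes (was a remote wipe malicious?) usually starts with a simple triage question: did a destructive action on a custodian's device happen after, or shortly before, that custodian was placed under a preservation notice? The following is an added example, not code from the article or from Sony; the event line format, the user names, the device ids and the hold dates are all constructed assumptions, and the 30-day look-back window is an arbitrary threshold for illustration.

```python
"""Triage destructive device events against a preservation (hold) list.

Added example; not from the original article. All data below is constructed.
"""
from datetime import datetime, timedelta

# Constructed device-management events: "timestamp|user|device|action"
SAMPLE_EVENTS = """\
2024-03-01T09:12:00|alice|phone-17|remote_wipe
2024-03-02T14:40:00|bob|tablet-03|passcode_change
2024-03-03T08:05:00|carol|phone-22|remote_wipe
2024-03-04T17:30:00|alice|laptop-09|full_disk_encryption_enabled
2024-03-05T11:00:00|dave|phone-31|remote_wipe
"""

# Constructed preservation notices: custodian -> date the notice was issued
HOLD_NOTICES = {
    "alice": datetime(2024, 2, 25),
    "carol": datetime(2024, 3, 20),
}

# Actions that destroy artifacts or block access to them (the article's AF realm).
# A passcode change is a normal control and is deliberately not listed.
DESTRUCTIVE_ACTIONS = {"remote_wipe", "full_disk_encryption_enabled"}


def parse_events(text):
    """Parse the constructed pipe-delimited event lines into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, device, action = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "device": device, "action": action})
    return events


def triage(events, hold_notices, window_days=30):
    """Return one finding per destructive action, with a severity.

    high   - action occurred after the custodian's hold notice
    medium - action occurred within `window_days` before the notice
    info   - destructive action on a device whose custodian is not on hold;
             still needs a determination, but with no hold context
    """
    findings = []
    for e in events:
        if e["action"] not in DESTRUCTIVE_ACTIONS:
            continue
        notice = hold_notices.get(e["user"])
        if notice is None:
            sev, reason = "info", "destructive action, custodian not on hold"
        elif e["ts"] >= notice:
            sev, reason = "high", "destructive action after hold notice"
        elif notice - e["ts"] <= timedelta(days=window_days):
            sev, reason = "medium", "destructive action shortly before hold notice"
        else:
            sev, reason = "low", "destructive action well before hold notice"
        findings.append({**e, "severity": sev, "reason": reason})
    order = {"high": 0, "medium": 1, "low": 2, "info": 3}
    return sorted(findings, key=lambda f: (order[f["severity"]], f["ts"]))


def severity_counts(findings):
    """Summarise findings by severity for a quick review queue."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(parse_events(SAMPLE_EVENTS), HOLD_NOTICES):
        print(f"{f['severity']:6} {f['ts']:%Y-%m-%d} {f['user']:6} {f['device']:9} {f['action']}: {f['reason']}")
```

The script only ranks events for a human to review; it does not decide intent. In practice the event source would be an MDM or endpoint-management export and the hold list would come from the e-discovery system, both of which vary by vendor.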

Further examples are AV, DLP, EP agents, HIPS, HIDS, GPO, and firewalls. These are necessary security controls. Used together they form concentric layers of security on personal devices, IoT, Cloud, and small-to-large enterprise environments. However, they have the unintentional effect of creating major challenges to the preservation of digital evidence. These controls may need to be defused (disabled or even removed) during acquisition. If not, this can prevent defensible acquisition of ethereal artifacts and data-at-rest. Consider that even defusing security controls can lead to unintended AF consequences.

How can we address the impact of AF? The answer to this question may lie in Digital Forensic best practices: education, tool mastery, defensible and repeatable methodologies, consistent testing, and at times perseverance. Anti-Forensics is considered by some to be a myth. Consider that the simplest security control, i.e. a ten-digit code on a phone versus four digits, can make evidence inaccessible. Locating Anti-Forensic activity may be the most important finding of a forensic investigation.
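One concrete piece of the "defensible and repeatable methodology" the author calls for is an acquisition manifest: hash every acquired item at acquisition time, record the hashes, and re-verify before analysis so that any later change (including changes caused by defusing a security control after the fact) is detected rather than silently folded into the findings. The following is an added example, not code from the article or from Sony; the evidence files, the examiner id and the manifest layout are constructed for the demonstration.

```python
"""Acquisition integrity manifest: hash evidence at acquisition, re-verify later.

Added example; not from the original article. File contents are constructed.
"""
import hashlib
import json
import tempfile
from pathlib import Path

MANIFEST_NAME = "manifest.json"


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir, examiner):
    """Record hash and size of every file under evidence_dir (the manifest excluded)."""
    evidence_dir = Path(evidence_dir)
    entries = {}
    for p in sorted(evidence_dir.rglob("*")):
        if p.is_file() and p.name != MANIFEST_NAME:
            rel = p.relative_to(evidence_dir).as_posix()
            entries[rel] = {"sha256": sha256_file(p), "size": p.stat().st_size}
    manifest = {"examiner": examiner, "files": entries}
    (evidence_dir / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_manifest(evidence_dir):
    """Compare the directory against its manifest.

    Returns {relative_path: "ok" | "modified" | "missing" | "unlisted"}.
    "unlisted" flags files present on disk that were not there at acquisition,
    which is as much a break in the chain as a missing one.
    """
    evidence_dir = Path(evidence_dir)
    manifest = json.loads((evidence_dir / MANIFEST_NAME).read_text())
    results = {}
    for rel, expected in manifest["files"].items():
        p = evidence_dir / rel
        if not p.is_file():
            results[rel] = "missing"
        elif sha256_file(p) != expected["sha256"]:
            results[rel] = "modified"
        else:
            results[rel] = "ok"
    for p in evidence_dir.rglob("*"):
        rel = p.relative_to(evidence_dir).as_posix()
        if p.is_file() and rel != MANIFEST_NAME and rel not in results:
            results[rel] = "unlisted"
    return results


def demo():
    """Build constructed evidence, manifest it, alter it, and verify both states."""
    with tempfile.TemporaryDirectory() as d:
        d = Path(d)
        (d / "disk.img").write_bytes(b"\x00" * 4096 + b"constructed image")
        (d / "memory.raw").write_bytes(b"constructed memory capture")
        build_manifest(d, "examiner-01")  # constructed examiner id
        before = verify_manifest(d)
        # Simulate post-acquisition change: image truncated, capture deleted,
        # and a note dropped into the evidence folder.
        (d / "disk.img").write_bytes(b"\x00" * 4096)
        (d / "memory.raw").unlink()
        (d / "notes.txt").write_text("added after acquisition")
        after = verify_manifest(d)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("at acquisition:", before)
    print("before analysis:", after)
```

Repeatability here means a second examiner can run `verify_manifest` on the same directory and reach the same verdict; the manifest itself should be stored and signed outside the evidence directory in practice, which this example omits for brevity.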
