Unformatted text preview: The Essentials Series Messaging and Web Security Volume III
by Dan Sullivan Anti-Forensics: Digital Investigations Get More Difficult
By Dan Sullivan Anti-forensics is the practice of hiding evidence of a security breach to prevent detection of the breach and its perpetrators. It is now a major problem for computer security investigators. When a security breach occurs, a common first reaction is to contain the damage by isolating the compromised device and blocking network access. The next major step is to get the system restored to its pre-attack state and functioning normally. Then investigators can turn their attention to analyzing how the breach occurred, but will it do any good? Computer forensics, the practice of analyzing digital information to determine the way a computer crime was committed, is facing serious challenges from attackers using anti-forensic techniques. This article briefly reviews forensic techniques and describes how readily available tools are rendering these techniques far less effective than they have been in the past. Basics of Computer Forensics
The goal of forensics is to discover how a security breach occurred and what data, configurations, programs, or other elements of a system were changed during the breach. Data may be collected in real time if an attack is detected while in progress, or after the fact using evidence left in memory or on disk drives. Computer forensics begins with a data collection process. Assuming an attack has occurred and is no longer in progress, an investigator will make an electronic copy of data on compromised systems. Since digital evidence is easily changed, it is better to analyze copies rather than risk accidently changing the original. Also, data may be collected from multiple sources, such as disk drives, memory, and removable storage devices. User files, operating system (OS) logs, database files, and other types of data may be collected. Investigators may calculate hash values for each piece of evidence to ensure any change to the data after the attack would be easily detected. After collection is complete, analysis begins. This stage of the investigation employs a wide range of techniques looking for information about activity on a system. This includes analyzing • • • • File metadata Data blocks on the file system File system storage information Hidden protected areas on disk drives The objective of this phase is to detect digital traces of activity on a system. For example, when a file is modified, the OS will update the modified date in the file header. If an attacker installs malware, under normal circumstances, there will be a new file created to store the file. The problem for forensic investigators today is that relatively easy-to-use tools are readily available to hide or modify the data investigators depend on. 1 Anti-Forensic Techniques
Anti-forensics is the practice of tampering with or hiding digital evidence of a security breach. Some ways this is done includes: • • • • • Overwrite data Modify timestamps Modify file header information and extensions Hide data in allocated but unused data blocks at the end of files Randomly generate file names for malicious code to avoid detection One of the simplest ways to remove evidence is to overwrite storage devices or files. This requires more than simply deleting a file, which typically changes an entry in a disk management data to indicate the space occupied by the file is available for reuse. One could delete a file but the contents of that file can remain on the disk until the storage is overwritten. (This feature of disk storage is exploited by “undelete” utilities.) Overwriting data blocks with random data several times virtually ensures that the data once there is irrecoverable. Forensic investigators can piece together parts of the sequence of events in an attack if accurate timestamps are available. Although the OS will update timestamps when a file is changed using OS functions, the data can also be updated by anti-forensic tools, leaving investigators with useless information. In addition to timestamps, other information in the file header may be tampered with to throw off investigators. For example, an executable may be masked as an image file so that it is not easily detected. Another anti-forensic technique takes advantage of the way file systems allocate storage. To make storage and block handling more efficient, standard block sizes are used. As files grow, the last data block is written to; once it is full, a new block is added. The last block in a file may have unused space that is used by attackers to hide data. This method helps obfuscate the attackers’ activities by not allocating any new storage from the file system. Signature-based detection is a well-established method for detecting viruses and other malware. To avoid this kind of detection, attackers may use random filename generators. Changing filenames still leaves files susceptible to detection based on hash values, but this can be avoided as well by adding random data to a file in such a way that does not disrupt how the file is used. Summary
Forensic techniques have been used to uncover information about attacks, but the advent of easyto-use anti-forensic tools is reducing the utility of forensic techniques. As detecting and prosecuting attackers becomes more difficult, there is even more reason to pursue defense-indepth measures that block attacks. 2 ...
View Full Document
This note was uploaded on 04/06/2011 for the course CS 6963 taught by Professor Walterbruehs during the Spring '10 term at NYU Poly.
- Spring '10