Forensics is the branch of computer science that seeks to discover evidence of activity in computers, digital storage media, and networks. Most hacking activities and tools leave direct or indirect evidence that can be discovered by a forensic investigator. The following table summarizes some popular cyber forensics tools.
Anti-forensics is the process of disrupting or impeding a forensic investigation. You can do this by:
- Negatively affecting the quality, quantity, or integrity of evidence.
- Making forensic analysis more difficult or impossible.
- Deceiving forensic investigators.
The purpose of forensics is to discover who did something and how. Therefore, an attacker will likely have one or more of the following reasons for disrupting that process:
- To escape notice while they are still inside the perimeter.
- To eliminate themselves as a suspect after they have concluded the attack.
- To frame another person or group of people as suspects.
- To waste the organization's time and resources.
In a pen test, anti-forensics is important because it goes beyond demonstrating that the organization has specific weaknesses that can be exploited. It also tests whether the organization is enabling its own response operations and personnel to perform as effectively as possible, or is instead failing them. Through anti-forensics, the pen test can assess any such shortcomings.
Note: Consider all of the hacking tools and techniques you have learned in this course. What possible digital evidence might they leave behind that you would want to erase to cover your tracks?
The anti-forensics process relies on weaknesses inherent in computer systems, forensic tools, and the human investigators themselves. There are several techniques available to the attacker that can exploit these weaknesses. The following are examples of anti-forensics techniques that disrupt forensic processes or confuse or deceive investigators:
- Buffer overflow and heap spraying. You may be able to initiate a buffer overflow on an investigator's forensic tools when they use them. This is often done by setting a malicious file as a trap—when the investigator opens the file, it causes the forensic tool to hang or crash, making it or related files difficult to examine. One tactic is to craft a file that exploits vulnerable dynamic-link libraries (DLLs) to create an infinite loop in memory. Another tactic is heap spraying, in which malicious code is injected into an application's memory heap in specific places. When an investigator opens a file (e.g., a bitmap) in their forensic tool, the file forces the tool to read memory from the sprayed heap, executing the malicious code. Note that most up-to-date forensic tools include protections against buffer overflows and heap spraying.
- Memory residents. This describes code that stays resident in RAM: the OS is not allowed to swap its memory region out to permanent storage. Malware can run as a memory resident to stay active even after the application it was attached to has stopped running. This may fool an investigator or their automated tools into believing that a computer has no trace of malware, despite the malware still being active. Note that modern forensic tools can scan a system's memory for malicious code.
- Program packing. This is a method of compression in which an executable is mostly compressed, and the part that isn't compressed includes code to decompress the executable. In other words, a packed program is a type of self-extracting archive that makes reverse engineering its contents more difficult. Packed malware, until it's unpacked, can mask string literals and modify its signatures to avoid triggering signature-based scanners. So a forensic analyst may be unable to ascertain the nature of a packed program until it runs and potentially infects the system. Note that unpacking the executable in a controlled sandbox environment can help an analyst get around this problem.
- VM detection. Analysts use VMs to create a sandbox with which to safely examine and run malware. However, some clever malware can detect that it's running in a sandbox by exploiting unpatched zero-day vulnerabilities in the sandbox software, or by detecting that the sandbox has direct hooks into the malware so that it can monitor the malware for system calls. Malware that knows it's in a sandbox can alter its behavior to fool an investigator into thinking it's benign, like only activating when it detects human behavior such as mouse movement.
- Alternate data streams (ADSs). This is a feature of Microsoft's NT File System (NTFS) that enables a single file name to carry multiple data streams: one or more additional files are forked into (attached to) the host file. Apps like File Explorer show no change in the host file's size or other attributes. So, a malicious executable that injects itself as a stream into a legitimate program can remain hidden from everyday end-user tools. More advanced tools will be able to detect ADSs, however. Also note that, starting with Windows 7, the ability to execute a file with ADS is disabled by default.
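A defender-side check for the program packing technique described above: a compressed or encrypted PE section has a byte entropy close to 8 bits per byte, while ordinary code and data score well below that. This is an added example, not course material; it assumes the standard PE section-table layout, uses a constructed header-only sample image (the section name UPX1 is used only as an illustrative packer-style name), and treats 7.0 bits/byte as a common heuristic threshold rather than an authoritative one.

```python
import hashlib
import math
import struct
from collections import Counter
PACKED_ENTROPY = 7.0  # bits per byte; ordinary code and data usually score well below this

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def pe_sections(image: bytes):
    """Yield (name, raw bytes) for every entry in the PE section table."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]  # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec = struct.unpack_from("<H", image, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe_off + 20)[0]
    sec_table = pe_off + 24 + opt_size  # 4-byte signature + 20-byte COFF header + optional header
    for i in range(nsec):
        name, raw_size, raw_ptr = struct.unpack_from("<8s8xII", image, sec_table + 40 * i)
        yield name.rstrip(b"\0").decode("ascii", "replace"), image[raw_ptr:raw_ptr + raw_size]

def suspicious_sections(image: bytes, threshold: float = PACKED_ENTROPY):
    """Return [(name, entropy)] for sections that look compressed or encrypted."""
    out = []
    for name, data in pe_sections(image):
        h = shannon_entropy(data)
        if h >= threshold:
            out.append((name, round(h, 2)))
    return out

def build_sample_pe(sections) -> bytes:
    """Constructed, header-only PE-shaped image for offline testing (it will not run)."""
    hdr_len = 0x40 + 24 + 40 * len(sections)  # DOS header + PE/COFF header + section table
    image = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40))  # e_lfanew = 0x40
    image += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0)
    body, ptr = b"", hdr_len
    for name, data in sections:
        image += struct.pack("<8sIIII", name, len(data), 0, len(data), ptr) + b"\0" * 16
        body, ptr = body + data, ptr + len(data)
    return bytes(image) + body

# Constructed sample: one plain code-like section, one pseudo-random "packed" section
PLAIN = b"mov eax, 1\nret\n" * 200
PACKED = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
SAMPLE_PE = build_sample_pe([(b".text", PLAIN), (b"UPX1", PACKED)])
```

On a real file, `suspicious_sections(open(path, "rb").read())` gives the same report; a flagged section is a cue to unpack in a sandbox, not proof of malice, since installers and media-heavy programs also carry high-entropy data.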
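A defender-side check for the ADS technique above: `dir /R` in a Windows command prompt lists each file's alternate streams, and this script parses that listing and flags streams other than the browser-written Zone.Identifier marker. This is an added example, not course material; it assumes the default English `dir /R` output format and uses a constructed sample listing rather than output captured from a real system.

```python
import re
from dataclasses import dataclass

# Stream lines in `dir /R` output carry no date: just a size, then file:stream:$DATA
STREAM_LINE = re.compile(r"^\s+([\d,]+)\s+(.+?):(.+?):\$DATA\s*$")
# Zone.Identifier is written by browsers on download and is expected on most files
BENIGN_STREAMS = {"Zone.Identifier"}

@dataclass
class Stream:
    file: str
    name: str
    size: int

def parse_streams(listing: str):
    """Return every ADS entry found in a `dir /R` listing."""
    found = []
    for line in listing.splitlines():
        m = STREAM_LINE.match(line)
        if m:
            found.append(Stream(m.group(2), m.group(3), int(m.group(1).replace(",", ""))))
    return found

def suspicious_streams(listing: str, min_size: int = 1024):
    """Streams that are not known-benign and are large enough to hide a payload."""
    return [s for s in parse_streams(listing)
            if s.name not in BENIGN_STREAMS and s.size >= min_size]

# Constructed sample listing (not real output from any system)
SAMPLE_LISTING = """\
 Directory of C:\\Users\\alice\\Downloads

03/14/2024  10:22 AM    <DIR>          .
03/14/2024  10:22 AM             12,288 report.docx
                                     26 report.docx:Zone.Identifier:$DATA
03/14/2024  10:25 AM            204,800 notes.txt
                                 98,304 notes.txt:update.exe:$DATA
               2 File(s)        217,088 bytes
"""
```

Run `dir /R /S > streams.txt` on the host and feed the file's contents to `suspicious_streams`; any hit on a legitimate program is worth comparing against a known-good copy.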