4:15 PM -- Anti-forensics tools aren't game over for forensics ...

Last Updated: October 6, 2008: 3:05 PM CST


SEPTEMBER 26, 2008 | 4:15 PM -- When I became interested in incident response back in 2001, I was spurred on by the excellent Incident Response book by Kevin Mandia and the fun Scan of the Month challenges put out by the Honeynet Project. That interest naturally led to forensics, which was an interesting area of research since I spend a lot of time testing tools that often blur the lines of whether they're designed for good or evil, though they often have the disclaimer of being proof of concept.
I've spent many late nights running tools as simple as Evidence Eliminator, to more devious things like timestomp, sam juicer, and their newer integrations into the Metasploit Framework's meterpreter payload. If you've read The Rise of Anti-Forensics or the comments in response to my Network Forensics blog entry, you'll know those tools are designed to thwart computer forensics. Do they work? Yes. In fact, they work extremely well, and they've been working well since their release three years ago.
What does that mean to digital forensic investigators? Should they find a new line of work because an attacker who used these tools could easily render their hard work worthless? No. While the tools work very well at what they're designed to do, they leave artifacts of their usage.
For example, if the tools were downloaded once an attacker had access to the machine being analyzed, network logs (either network flow data or a network forensics tool) would show that download. Suppose the attacker was a malicious insider who brought in tools on a USB thumb drive. The simple act of inserting the thumb drive into a Windows computer leaves evidence in the registry that a drive was plugged in.
Not good enough, you say? How about artifacts left on a system because of characteristics of the anti-forensic tools themselves? Most of the "wiping" tools for consumers are more likely to be used by malicious insiders who aren't technical, either, and these tools leave clues behind on the hard drive that the forensics investigator can detect. Even the use of timestomp is blatantly evident because it sets a file's timestamps to 000 milliseconds -- no matter what time is chosen.
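As an added illustration of the timestomp artifact just described (example code, not part of the original post), this Python scanner flags files whose modification, access and creation stamps all fall on a whole second, the pattern left when sub-second precision has been zeroed. The sample records and paths are constructed; the check is a lead for correlation rather than proof, since FAT volumes and files extracted from archives legitimately carry whole-second stamps.

```python
import os
from dataclasses import dataclass

NS_PER_SEC = 1_000_000_000  # NTFS keeps 100 ns ticks, so natural stamps rarely end in .000


@dataclass
class FileTimes:
    path: str
    mtime_ns: int  # last modification, nanoseconds since the epoch
    atime_ns: int  # last access
    ctime_ns: int  # creation on Windows, metadata change on POSIX


def on_whole_second(ts_ns: int) -> bool:
    """True if the sub-second part of the timestamp is exactly zero."""
    return ts_ns % NS_PER_SEC == 0


def is_suspect(ft: FileTimes) -> bool:
    """All three stamps on whole seconds is the timestomp-style artifact.

    One zeroed field can occur naturally; all of them at once on an NTFS
    volume is the pattern worth correlating with other evidence sources.
    """
    return all(on_whole_second(t) for t in (ft.mtime_ns, ft.atime_ns, ft.ctime_ns))


def collect_times(root: str) -> list:
    """Walk a directory tree and gather stat() timestamps for every file."""
    found = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path, follow_symlinks=False)
            except OSError:
                continue  # unreadable or vanished; skip rather than abort the sweep
            found.append(FileTimes(path, st.st_mtime_ns, st.st_atime_ns, st.st_ctime_ns))
    return found


def find_suspects(entries) -> list:
    """Return the paths whose timestamps match the artifact."""
    return [ft.path for ft in entries if is_suspect(ft)]


# Constructed sample records with hypothetical paths, not taken from a real system.
SAMPLE = [
    FileTimes("C:/Users/alice/report.docx", 1222425300_123456700, 1222425310_987654300, 1222425200_555555500),
    FileTimes("C:/Windows/Temp/svc.exe", 1222425300_000000000, 1222425300_000000000, 1222425300_000000000),
    FileTimes("C:/Users/alice/notes.txt", 1222425300_000000000, 1222425310_000010000, 1222425200_000000000),
]

if __name__ == "__main__":
    for p in find_suspects(SAMPLE):
        print("suspect:", p)
```

Run against a mounted image with `find_suspects(collect_times("/mnt/image"))` and compare the hits with the USB, network and memory evidence discussed above.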
Even better, memory analysis, a rapidly advancing field, offers another telltale sign of those tools. More and more forensic companies are including features in their products to analyze the contents of memory dumped during the initial incident response phase. Any of the tools mentioned will leave traces in memory. Some of them, like meterpreter and sam juicer, are designed to run only in memory, making it impossible to detect using traditional disk-based forensic methods. However, research dating back to the DFRWS 2005 Forensics Challenge shows that processes that have exited can still be identified in memory, even after a reboot.
There are also attacks against the forensic tools themselves, as presented by iSEC Partners at BlackHat USA 2007 in their talk Breaking Forensics Software: Weaknesses in Critical Evidence Collection. While their attacks were quite effective, they didn't impact all forensic tools, so if one tool was impacted, a forensic investigator could use another one to do the same analysis -- without the same impact.
Do I think anti-forensics has an impact on digital forensics? Yes, but I'll argue that an experienced, knowledgeable investigator should be able to identify whether these tools were used, and be able to explain their impact on the evidence, as well as still do a sufficient analysis -- provided they have enough data sources to correlate their findings. Considering that there are so many sources for evidence -- system memory, network flow data, network forensic appliances, log monitoring systems, disk-based forensics, etc. -- it's nearly impossible for an attacker to perform anti-forensics against all of those sources and get away completely undetected.
If anti-forensics tool usage were really as pervasive and destructive as some of the articles out there have depicted it, then forensics wouldn't be allowed in courts anymore. And that's certainly not the case. Personally, I believe the laws being considered and passed in some states that make forensic analysis illegal if you don't hold a private investigator's license are more detrimental to digital forensics than anti-forensics is.
John H. Sawyer is a Senior Security Engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading