Chapter 2
01010010, 01101111, 01101111, 01110100, 01101001, 01110100, 01110011, 00100000, 01000011, 01000000
Overview of Anti-Forensics
While I was working on the manuscript to this book's first edition, I came to the realization that the stealth-centric tactics used by rootkits fall within the more general realm of anti-forensics (AF). As researchers like The Grugq have noted, AF is all about quantity and quality. The goal of AF is to minimize the quantity of useful trace evidence that's generated in addition to ensuring that the quality of this information is also limited (as far as a forensic investigation is concerned). To an extent, this is also the mission that a rootkit seeks to fulfill.
In light of this, I decided to overhaul the organization of this book. Although my focus is still on rootkits, the techniques that I examine will use AF as a conceptual framework. With the first edition of The Rootkit Arsenal, I can see how a reader might have mistakenly come away with the notion that AF and rootkit technology are distinct areas of research. Hopefully, my current approach will show how the two are interrelated, such that rootkits are a subset of AF.
To understand AF, however, we must first look at computer forensics. Forensics and AF are akin to the yin and yang of computer security. They reflect complementary aspects of the same domain, and yet within one are aspects of the other. Practicing forensics can teach you how to hide things effectively, and AF can teach you how to identify hidden objects.
In this part of the book, I'll give you an insight into the mindset of the opposition so that your rootkit might be more resistant to their methodology. As Sun Tzu says, "Know your enemy." The general approach that I adhere to is the one described by Richard Bejtlich[1] in the definitive book on computer forensics. At each step, I'll explain why an investigator does what he or she does, and as the book progresses I'll turn around and show you how to undermine an investigator's techniques.
1. Richard Bejtlich, Keith Jones, and Curtis Rose, Real Digital Forensics: Computer Security and Incident Response, Addison-Wesley Professional, 2005.