Chapter 2 / Overview of Anti-Forensics
Everyone Has a Budget: Buy Time
Although there is powerful voodoo at our disposal, the ultimate goal isn't
always achieving complete victory. Sometimes the goal is to make forensic
analysis prohibitively expensive; which is to say that raising the bar high
enough can do the trick. After all, the analysts of the real world are often
constrained by budgets and billable hours. In some police departments, the
backlog is so large that it's not uncommon for a machine to wait up to a year
before being analyzed.² It's a battle of attrition, and we need to find ways to
buy time.
2.1 Incident Response
Think of incident response (IR) as emergency response for suspicious computer
events. It's a planned series of actions performed in the wake of an issue
that hints at more serious things. For example, the following events could
be considered incidents:
■ The local intrusion detection system generates an alert.
■ The administrator notices odd behavior.
■ Something breaks.
Intrusion Detection System (and Intrusion Prevention System)
An intrusion detection system (IDS) is like an unarmed, off-duty cop who's
pulling a late-night shift as a security guard. An IDS install doesn't do
anything more than sound an alarm when it detects something suspicious. It can't
change policy or interdict the attacker. It can only hide around the corner with
a walkie-talkie and call HQ with the bad news.
An IDS can be host-based (HIDS) or network-based (NIDS). An HIDS is typically
a software package that's installed on a single machine, where it watches that
one host for signs of compromise. An NIDS, in contrast, tends to be an appliance
or dedicated server that sits on the network watching packets as they fly by.
An NIDS can be hooked up to a SPAN port of a switch, a test access port
2. Nick Heath, "Police in Talks over PC Crime 'Breathalysers' Rollout," silicon.com, June 3,
2009.
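The IDS-versus-IPS distinction drawn above, as an added example that is not part of the book: a small Python sensor that, like an NIDS fed from a SPAN port, only inspects a copy of the traffic and hands back alerts, next to an inline variant that is allowed to drop what it flags. The packet records, the `cmd.exe` content signature, and the "five distinct ports within two seconds" sweep threshold are all constructed for the illustration.

```python
"""Toy IDS versus IPS over a copy of the traffic.

Added illustration, not from the book: the Packet records are constructed
by hand to stand in for frames a sensor would see on a SPAN port, and the
signature and threshold below are made-up examples.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float       # seconds since capture start
    src: str        # source IPv4 address
    dst: str        # destination IPv4 address
    dport: int      # destination TCP port
    payload: bytes  # application-layer bytes, possibly empty


# Constructed sample traffic: normal HTTP from .5, a port sweep from .9,
# then a web-shell probe from .5.
SAMPLE = [
    Packet(0.0, "10.0.0.5", "10.0.0.20", 80, b"GET /index.html HTTP/1.1\r\n"),
    Packet(0.1, "10.0.0.9", "10.0.0.20", 21, b""),
    Packet(0.2, "10.0.0.9", "10.0.0.20", 22, b""),
    Packet(0.3, "10.0.0.9", "10.0.0.20", 23, b""),
    Packet(0.4, "10.0.0.9", "10.0.0.20", 25, b""),
    Packet(0.5, "10.0.0.9", "10.0.0.20", 80, b""),
    Packet(0.6, "10.0.0.9", "10.0.0.20", 443, b""),
    Packet(1.0, "10.0.0.5", "10.0.0.20", 80, b"GET /cgi-bin/cmd.exe?/c+dir HTTP/1.1\r\n"),
    Packet(5.0, "10.0.0.5", "10.0.0.20", 80, b"GET /about.html HTTP/1.1\r\n"),
]

# Hypothetical content signatures: rule name -> bytes that must appear in the payload.
SIGNATURES = {"web-shell-probe": b"cmd.exe"}


class Sensor:
    """Stateful inspection shared by the IDS and the IPS below."""

    def __init__(self, scan_threshold=5, window=2.0):
        self.scan_threshold = scan_threshold  # distinct ports that count as a sweep
        self.window = window                  # seconds those ports must fall within
        self.ports = defaultdict(dict)        # src -> {dport: last time seen}
        self.scan_fired = set()               # sources already reported as scanning

    def inspect(self, p):
        """Return the names of every rule the packet trips (empty if clean)."""
        hits = [name for name, needle in SIGNATURES.items() if needle in p.payload]
        seen = self.ports[p.src]
        seen[p.dport] = p.ts
        recent = [d for d, t in seen.items() if p.ts - t <= self.window]
        if len(recent) >= self.scan_threshold and p.src not in self.scan_fired:
            self.scan_fired.add(p.src)  # report a sweep once per source
            hits.append("port-scan")
        return hits


def detect(packets):
    """IDS: return (ts, rule, src, dst) alerts; never touches the traffic."""
    sensor, alerts = Sensor(), []
    for p in packets:
        for rule in sensor.inspect(p):
            alerts.append((p.ts, rule, p.src, p.dst))
    return alerts


def prevent(packets):
    """IPS: sits inline, so it drops the offending packet and everything that
    follows from the same source. Returns (forwarded, dropped)."""
    sensor, blocked = Sensor(), set()
    forwarded, dropped = [], []
    for p in packets:
        if p.src in blocked or sensor.inspect(p):
            blocked.add(p.src)
            dropped.append(p)
        else:
            forwarded.append(p)
    return forwarded, dropped


if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print("ALERT", alert)
    fwd, drp = prevent(SAMPLE)
    print(f"IPS forwarded {len(fwd)} packets, dropped {len(drp)}")
```

Run against the sample, the IDS reports two alerts (the sweep when the fifth port is hit, then the probe) and leaves all nine packets on the wire; the IPS, applying the identical rules inline, lets the first five packets through and drops the remaining four, including the innocent request at the end from the source it has already blocked. That collateral drop is the reason an NIDS on a SPAN port is the safer default and an IPS needs much tighter rules.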