Chapter 2/ Overview of Anti-Forensics


Table 2.1 AF Strategies

Strategy                 Tactical Implementations
Data destruction         File scrubbing, file system attacks
Data concealment         In-band, out-of-band, and application layer concealment
Data transformation      Compression, encryption, code morphing, direct edits
Data fabrication         Introduce known files, string decoration, false audit trails
Data source elimination  Data contraception, custom module loaders

Recall that you want to buy time. As an attacker, your goal is to make the process of forensic analysis so grueling that the investigator is more likely to give up or perhaps be lured into prematurely reaching a false conclusion (one that you've carefully staged for just this very reason) because it represents a less painful, although logically viable, alternative. Put another way: Why spend 20 years agonizing over a murder case when you can just as easily rule it out as a suicide? This explains why certain intelligence agencies prefer to eliminate enemies of the state by means of an "unfortunate accident."

To reiterate our objective in terms of five concepts:

- You want to buy time by leaving as little useful evidence as possible (data source elimination and data destruction).
- The evidence you leave behind should be difficult to capture (data concealment) and even more difficult to understand (data transformation).
- You can augment the effectiveness of this approach by planting misinformation and luring the investigator into predetermined conclusions (data fabrication).

Data Destruction

Data destruction helps to limit the amount of forensic evidence generated by disposing of data securely after it is no longer needed or by sabotaging data structures used by forensic tools. This could be as simple as wiping the memory buffers used by a program or it could involve repeated overwriting to turn a cluster of data on disk into a random series of bytes. In some cases, data transformation can be used as a form of data destruction.

Rootkits often implement data destruction in terms of a dissolving batch file. One of the limitations of the Windows operating system is that an executing process can't delete its corresponding binary on disk. But, one thing that an executing process can do is create a script that does this job on its behalf.
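From the investigator's side, the pattern just described leaves a recognizable trace in process-creation telemetry: a binary spawns a script interpreter, and the interpreter's command line deletes the image path of one of its own ancestors. The following detector is an added example written for this chapter, not code from the book; the event records, their field names (pid, ppid, image, cmdline) and the sample process tree are all constructed to loosely resemble what an EDR or Sysmon-style log exposes.

```python
"""Flag a script interpreter whose delete command targets an ancestor's binary.

Added illustration for the 'dissolving batch file' pattern; not from the book.
Event fields (pid, ppid, image, cmdline) and the sample data are assumptions.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample telemetry: svc.exe (pid 200) spawns cmd.exe to run a
# batch file, which in turn runs 'del' against svc.exe's own image path.
# pid 300 is a benign deletion of an unrelated log file.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"pid": "100", "ppid": "4", "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": "200", "ppid": "100",
     "image": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "cmdline": "svc.exe"},
    {"pid": "201", "ppid": "200", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\cleanup.bat"'},
    {"pid": "202", "ppid": "201", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c del /f /q C:\Users\alice\AppData\Local\Temp\svc.exe"},
    {"pid": "300", "ppid": "100", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c del /f /q C:\Users\alice\Downloads\old.log"},
]

# Interpreters that can carry a deletion on behalf of another process.
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
# Deletion verbs seen in cmd.exe and PowerShell command lines.
DELETE_VERB = re.compile(r"\b(del|erase|remove-item|rm)\b", re.IGNORECASE)


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestors(pid: str, by_pid: Dict[str, Dict[str, str]]) -> List[Dict[str, str]]:
    """Walk the parent chain of pid, nearest first, stopping at unknown or cyclic ppids."""
    chain: List[Dict[str, str]] = []
    seen = set()
    cur = by_pid.get(pid)
    while cur is not None and cur["ppid"] not in seen:
        parent = by_pid.get(cur["ppid"])
        if parent is None:
            break
        seen.add(cur["ppid"])
        chain.append(parent)
        cur = parent
    return chain


def find_self_deletion(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (ancestor pid, ancestor image, deleting pid) for each suspicious deletion."""
    by_pid = {e["pid"]: e for e in events}
    hits: List[Tuple[str, str, str]] = []
    for e in events:
        if _basename(e["image"]) not in INTERPRETERS:
            continue
        if not DELETE_VERB.search(e["cmdline"]):
            continue
        cmd = e["cmdline"].lower()
        for anc in ancestors(e["pid"], by_pid):
            # Skip the shell chain itself; we want the non-interpreter binary.
            if _basename(anc["image"]) in INTERPRETERS:
                continue
            if anc["image"].lower() in cmd:
                hits.append((anc["pid"], anc["image"], e["pid"]))
                break
    return hits


if __name__ == "__main__":
    for anc_pid, image, del_pid in find_self_deletion(SAMPLE_EVENTS):
        print(f"pid {del_pid} deletes image of ancestor pid {anc_pid}: {image}")
```

The check deliberately matches the ancestor's full image path as a substring of the delete command rather than parsing the command line, which keeps it robust to quoting and flag ordering; the price is that a renamed or relative-path reference to the same binary is missed, so in practice the rule is one signal among several rather than a verdict.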
