Chapter 2 / Overview of Anti-Forensics


Data Fabrication

Data fabrication is a truly devious strategy. Its goal is to flood the forensic analyst with false positives and bogus leads so that he ends up spending most of his time chasing his tail. You essentially create a huge mess and let the forensic analysts clean it up. For example, if a forensic analyst is going to try and identify an intruder using file checksums, then simply alter as many files on the volume as possible.
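From the analyst's side, the checksum comparison the text describes can be made resistant to this flood by triaging changed files in bulk rather than one lead at a time. The following is an added example (not from the book): it compares a constructed baseline manifest against a constructed current snapshot, then groups the changed paths by modification window so that a burst of many files touched within seconds surfaces as one event instead of hundreds of separate leads. All paths, hashes and timestamps are constructed sample data.

```python
import hashlib
from collections import defaultdict


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string (stands in for hashing a file's contents)."""
    return hashlib.sha256(data).hexdigest()


# Constructed baseline manifest: path -> (sha256 of content, mtime in epoch seconds).
BASELINE = {
    "/bin/ls": (sha256_hex(b"ls-v1"), 1_700_000_000),
    "/bin/cat": (sha256_hex(b"cat-v1"), 1_700_000_000),
    "/etc/hosts": (sha256_hex(b"hosts-v1"), 1_700_000_000),
    "/etc/passwd": (sha256_hex(b"passwd-v1"), 1_700_000_000),
}

# Constructed current snapshot: /etc/passwd was edited on its own at one time,
# while the other three files were all rewritten inside the same 60-second
# window, which is the mass-modification pattern the paragraph describes.
CURRENT = {
    "/bin/ls": (sha256_hex(b"ls-v1-touched"), 1_700_100_010),
    "/bin/cat": (sha256_hex(b"cat-v1-touched"), 1_700_100_020),
    "/etc/hosts": (sha256_hex(b"hosts-v1-touched"), 1_700_100_030),
    "/etc/passwd": (sha256_hex(b"passwd-v2"), 1_700_050_000),
}


def changed_files(baseline, current):
    """Paths whose hash differs from the baseline; files absent from the baseline count as changed."""
    return sorted(p for p, (h, _) in current.items()
                  if p not in baseline or baseline[p][0] != h)


def triage(baseline, current, window=60, burst_min=3):
    """Bucket changed files by mtime window. A bucket holding at least
    burst_min changes is reported as one 'burst' lead; the rest are
    reported individually so genuine single changes are not buried."""
    buckets = defaultdict(list)
    for path in changed_files(baseline, current):
        buckets[current[path][1] // window].append(path)
    bursts = [sorted(v) for v in buckets.values() if len(v) >= burst_min]
    singles = sorted(p for v in buckets.values() if len(v) < burst_min for p in v)
    return {"bursts": bursts, "singles": singles}


if __name__ == "__main__":
    print(triage(BASELINE, CURRENT))
```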

Data Source Elimination

Sometimes prevention is the best cure. This is particularly true when it comes to AF. Rather than put all sorts of energy into covering up a trace after it gets generated, the most effective route is one that never generates the evidence to begin with. In my opinion, this is where the bleeding edge developments in AF are occurring.

Rootkits that are autonomous and rely very little (or perhaps even not at all) on the targeted system are using the strategy of data source elimination. They remain hidden not because they've altered underlying system data structures, as in the case of active concealment, but because they don't touch them at all. They aren't registered for execution by the kernel, and they don't have a formal interface to the I/O subsystem. Such rootkits are said to be stealthy by design.

2.4 General Advice for AF Techniques

Use Custom Tools

Vulnerability frameworks like Metasploit and application packers like UPX are no doubt impressive tools. However, because they are publicly available and have such a large following, they've been analyzed to death, resulting in the identification of well-known signatures and the construction of special-purpose forensic tools. For example, at Black Hat USA 2009, Peter Silberman and Steve Davis led a talk called "Metasploit Autopsy: Reconstructing the Crime Scene"¹³ that demonstrated how you could parse through memory and recover the command history of a Meterpreter session.

13. http://www.blackhat.com/presentations/bh-usa-09/SILBERMAN/BHUSA09-Silberman-MetasploitAutopsy-PAPER.pdf
