2.4 General Advice for AF Techniques
Naturally, a forensic analyst will want to leverage automation to ease his
workload and speed things up. There's an entire segment of the software
industry that caters to this need. By developing your own custom tools, you
effectively raise the bar by forcing the investigator to reverse your work, and
this can buy you enough time to put the investigator at a disadvantage.
Low and Slow Versus Scorched Earth
As stated earlier, the goal of AF is to buy time. There are different ways to
do this: noisy and quiet. I'll refer to the noisy way as scorched earth AF.
For instance, you could flood the system with malware or a few gigabytes of
legitimate drivers and applications so that an investigator might mistakenly
attribute the incident to something other than your rootkit. Another dirty trick
would be to sabotage the file system's internal data structures so that the
machine's disks can't be mounted or traversed postmortem.
The problem with scorched earth AF is that it alerts the investigator to the
fact that something is wrong. Although noisy tactics may buy you time, they
also raise a red flag. Recall that we're interested in the case where an incident
hasn't yet been detected, and forensic analysis is being conducted preemptively
to augment security.
We want to reinforce the impression that everything is operating normally.
We want to rely on AF techniques that adhere to the low-and-slow modus
operandi. In other words, our rootkits should use only those AF tools that are
conducive to sustaining a minimal profile. Anything that has the potential to
make us conspicuous is to be avoided.
Shun Instance-Specific Attacks
Instance-specific attacks against known tools are discouraged. Recall that
we're assuming the worst-case scenario: You're facing off against a skilled
forensic investigator. These types aren't beholden to their toolset. Forget
Nintendo forensics. The experts focus on methodology, not technology. They're
aware of:
■ the data that's available;
■ the various ways to access that data.
If you landmine one tool, they'll simply use something else (even if it means
going so far as to crank up a hex editor). Like it or not, eventually they'll get
at the data.