Anti-Forensics in Incident Response: Disrupting Cybercrime Investigations
By Mark Bird, Date published: 2020-10-12
Like how criminals try to cover their tracks, the same can happen to cyber incidents. Mark Bird, Cyber Incident Response Head from Pragma UK explains how criminals use Anti-Forensic techniques to disrupt cybercrime investigations.
What is Computer Forensics?
Computer forensics is the examination of evidence found on computers and digital storage media to identify whether an incident has taken place or to identify exactly what has happened. In this article, I am referring to cyber incidents involving businesses, rather than criminal-based investigations, although the concept is still the same.
Computer Forensics in Incident Response
Following an incident, an examination is conducted in a forensically sound manner to preserve evidence and identify the key facts. This includes:
Scope of the incident – What devices and user accounts have been affected by the incident? This knowledge is essential to identify how many, and which devices have been affected, and what level of privileges the attacker has. If the attacker has been able to achieve Admin level credentials, the potential for serious damage is greatly increased.
Period – Some incidents can last weeks, months or even years. Computer forensics can be used to find out how long the incident has been ongoing and whether it is still ongoing.
Root cause – Computer forensics are used to identify the attack vector, or how the attacker managed to initially breach cyber defences. This is essential in any investigation to make sure that the door is firmly shut.
Systems affected – This identifies what type of information could be accessed and allows us to understand the attacker’s methodology.
Breakdown of Threat Actor activity – Following the trail of breadcrumbs and placing the pieces of the jigsaw together allows an investigator to identify what data may have been accessed, whether personally identifiable information has been viewed or exfiltrated, and exactly what the attacker’s actions were whilst in the network or system.
Data affected – As mentioned above it is important to identify whether personal data has been viewed or accessed during an incident. Computer forensics can identify whether data has been viewed, exfiltrated or both, or whether the attacker has failed to access and personal data.
Ultimately forensics also allows us to answer the most important question, has the attacker been eradicated from the system.
What evidence is available on a computer?
Each computer is different depending upon its setup, but most devices contain a wealth of information if you know where to look. This is an enormous topic with constantly evolving content, but a handful of examples are:
- Evidence of program execution
- Evidence of incoming and outgoing connections
- Account logins/logouts
- Internet browsing activity
This is literally the tip of the iceberg. A thorough analysis allows a forensic investigator to follow the trail of breadcrumbs and provide a very good idea of the attacker’s activity whilst inside the network or device, and more importantly how to shut the door and make sure it stays shut.
What makes the job of computer forensics more difficult is that sophisticated attacks can often incorporate Anti-Forensic Techniques.
What are Anti-Forensics Techniques?
Anti-forensics is, in layman’s terms, is the minimising or complete removal of evidence from a digital crime scene which is done to make the analysis and examination of evidence difficult or impossible to conduct. The subject can be broken down into three sub-categories for easier understanding:
1. Data hiding
Encryption – Attackers often encrypt contents of files that they are stealing
Steganography – This is the practice of hiding information inside innocuous files such as images, video and audio. Steganography is used by attackers to hide payloads and malicious files inside files which appear to be harmless, hence the terms Trojan.
Fileless malware – Attackers often use techniques that do not run executables and therefore leave only leave a trace in the memory of the computer which is lost when the device is powered off.
Hiding data in the registry – Fileless malware scripts can be stored in the registry, for example, PowerShell scripts, which are then encrypted or obfuscated to prevent detection. These changes are often only identified through complex memory forensics methods or registry key forensics which require specialist skills to conduct.
Transmography – This is the practice of hiding of files by the changing of format and is often seen in investigations. This can be easily detected by carrying out signature analysis but again requires specialist knowledge to investigate, e.g. docx altered to appear as a .jpg file.
2. Artefact Wiping
Disk cleaning – CCleaner and other tools are often used by attackers to not only delete files or evidence from victims computers but also completely remove any residual data by overwriting it with a byte level default value such as ‘00’ or ‘FF’. If tools like these are used to cover the attacker’s tracks there is no way of getting that data back and investigators rely on other aspects of an investigation.
3. Trail obfuscation
Log cleaning – There are potentially hundreds of logs available to forensic investigators on the average computer, however, attackers can target these logs and remove them or alter their settings.
Timestomping – Attackers with the prerequisite skills can use tools to modify metadata resulting in the alteration of time stamps. This can make investigation extremely challenging, but with the relevant skills and knowledge, there are usually additional locations where timestamps are stored for several artefacts. This just means specialist knowledge is required to carry out an investigation where ‘timestomping’ is suspected.
Why do Threat Actors use Anti-Forensic Techniques?
Attackers use these techniques for their own reasons but in personal experience from law enforcement and dealing with many of these high-profile attackers they have said:
- To make themselves hard to find
- Because if experts know how attackers get in, the attack vector will be publicised, patched or remedied, and the method will cease working
- If the victim doesn’t know or appreciate the effects of what has occurred, they may be naïve about the subsequent response
- If it is difficult to identify what has occurred, a level of persistence may remain, i.e. a backdoor might remain in place and allow them to access again, or to sell the access on to another attacker.
Lastly, let’s not forget about the insider threat who may use anti-forensics techniques to remain inside an organisation whilst they continue to act against the organisation or individuals.
Most incidents use some form of Anti-Forensics techniques to conceal details of the attacks. Without specialist Forensic analysis, there is a strong chance that key evidence may be deleted.
Mark Bird is a Consultant in Cyber Incident Response, Pragma Europe Ltd. Mark spent 17 years working in the UK police and over 5 years as a Detective on the prestigious West Midlands Regional Organised Crime Unit Cyber Crime team. After his successful law enforcement career, he entered the private sector and investigated incidents for various industries, including large multinational companies experiencing widespread encryption due to sophisticated Ransomware infection. Mark now leads the Incident Response division for Pragma Europe based in Central England. Pragma provides Incident Response services to organisations from diverse industries in over 135 countries globally. If you require immediate assistance, please email firstname.lastname@example.org
This article does not constitute legal advice.
The opinions expressed in the column above represent the author’s own.