In Depth
The Rise of Anti-Forensics
New, easy to use antiforensic tools make all data suspect, threatening to render computer investigations cost-prohibitive and legally irrelevant
By Scott Berinato
Under the current computing infrastructure, data is untrustworthy, then. The implications of this, of courts limiting or flat-out denying digital forensics as reliable evidence, can’t be understated. Without the presumption of reliability, prosecution becomes a more severe challenge and thus, a less appealing option. Criminals reasonably skilled with antiforensics would operate with a kind of de facto legal immunity.
Making It Not Worth It
Despite all that, casting doubt over evidence is just a secondary benefit of antiforensics for criminals. Usually cases will never get to the legal phase because antiforensics makes investigations a bad business decision. This is the primary function of antiforensics: Make investigations an exercise in throwing good money after bad. It becomes so costly and time-consuming to figure out what happened, with an increasingly limited chance that figuring it out will be legally useful, that companies abandon investigations and write off their losses.
“Business leaders start to say, ‘I can’t be paying $400 an hour for forensics that aren’t going to get me anything in return,’” says Liu. “The attackers know this. They contaminate the scene so badly you’d have to spend unbelievable money to unravel it. They make giving up the smartest business decision.”
“You get to a point of diminishing returns,” says Sartin. “It takes time to figure it out and apply countermeasures. And time is money. At this point, it’s not worth spending more money to understand these attacks conclusively.”
One rule hackers used to go by, says Grugq, was the 17-hour rule. “Police officers [in London’s forensics unit] had two days to examine a computer. So your attack didn’t have to be perfect. It just had to take more than two eight-hour working days for someone to figure out. That was like an unwritten rule. They only had those 16 hours to work on it. So if you made it take 17 hours to figure out, you win.” Since then, Grugq says, law enforcement has built up 18-month backlogs on systems to investigate, giving them even less time per machine.
“Time and again I’ve seen it,” says Liu. “They start down a rat hole with an investigation and find themselves saying, ‘This makes no sense. We’re not running a business to do an investigation.’ I’ve seen it at Fortune 100s. The company says, ‘We think we know what they got and where. Let’s close it up.’ Because they know that for every forensic technique they have, there’s an antiforensic answer. Unfortunately, the converse isn’t true.”
antiforensics
Log Management in a Cyber World
With so many potential cyber villains poking around the gates, enterprises must have strong protections and pristine visibility into what's happening on the network. Explore the increasing importance of log management as cybercrime and other malicious threats grow.
Comparing Research in Motion and Microsoft Mobile Solutions
Organizations must look carefully at the requirements of mobile devices and accompanying middleware that can increase cost, complexity and administrative overhead. This white paper provides an independent analysis and detailed comparison of RIM and Microsoft's mobile solution.
Get instant notifications when whitepapers, webcasts and case studies are added
to our library. Sign up for a Resource Alert now!
CSO Corporate Partners
CSO Perspectives
-
April 5-7, 2010Hyatt Regency Santa ClaraClick here for more information!
Santa Clara, California
(ISC)2 members can earn up to 24 CPE Credits!
