Home » Data Protection » Network Security

The Rise of Anti-Forensics

New, easy to use antiforensic tools make all data suspect, threatening to render computer investigations cost-prohibitive and legally irrelevant

By Scott Berinato

Page 9

It will be the interviews with those people, and not system analysis, that will lead to more information and, potentially, more arrests in the case.

“Every successful forensics case I’ve worked on turned into a physical security investigation,” says Bill Pennington, a researcher at White Hat Security and veteran technical forensics investigator. “In one case, it was an interview with someone who turned on someone else. You layer the evidence. Build it up. He sees the writing on the wall, and he cracks. But if we had to rely on what the computer evidence told us, we would have been stuck.”

Moving Targets

Behind the portfolio of easy-to-use Windows-based antiforensic tools, criminal hackers are building up a next-generation arsenal of sophisticated technical tools that impress even veterans like Grugq. “There are now direct attacks against forensic tools,” he says. “You can rootkit the analysis tool and tell it what not to see, and then store all your evil stuff in that area you told the analysis tool to ignore. It is not trivial to do, but finding the flaw in the analysis tool to exploit is trivial.”

Another new technique involves scrambling packets to avoid finding data’s point of origin. The old-school way of avoiding detection was to build up a dozen or so “hop points” around the world—servers you bounced your traffic off of that confounded investigations because of the international nature of the traffic and because it was just difficult to determine where the traffic came from, really. The state-of-the-art antiforensic technique is to scramble the packets of data themselves instead of the path. If you have a database of credit card information, you can divvy it up and send each set of packets along a different route and then reassemble the scatterlings at the destination point—sort of like a stage direction in a play for all the actors to go wherever as long as they end up on their mark.

The aquarium attack, two years later, already bears tinges of computer crime antiquity. It was clever but today is hardly state of the art. Someday, the TJX case will be considered ordinary, a quaint precursor to an age of rampant electronic crime, run by well-organized syndicates and driven by easy-to-use, widely available antiforensic tools. Grugq’s hacking mentor once said it’s how you behave once you have root access that’s interesting. In a sense, that goes for the good guys too. They’ve got root now. How are they going to behave? What are they going to do with it? “We’ve got smarter good guys than bad guys right now,” says Savid Technologies’ Davis. “But I’m not sure how long that will be the case. If we don’t start dealing with this, we’re not even going to realize when we get hit. If we’re this quiet community, not wanting to talk about it, we’re going to get slammed.”