Source: [id: 41018; name: CSO; isActive: true; siteId: 3] -- CSO -- $content.altguid

The Rise of Anti-Forensics

New, easy to use antiforensic tools make all data suspect, threatening to render computer investigations cost-prohibitive and legally irrelevant

By

Page 2

Researcher Bryan Sartin of Cybertrust says antiforensic tools have gotten so easy to use that recently he’s noticed the hacks themselves are barely disguised. “I can pick up a network diagram and see where the breach occurred in a second,” says Sartin. “That’s the boring part of my job now. They’ll use FTP and they don’t care if it logs the transfer, because they know I have no idea who they are or how they got there.” Veteran forensic investigator Paul Henry, who works for a vendor called Secure Computing, says, “We’ve got ourselves in a bit of a fix. From a purely forensic standpoint, it’s real ugly out there.” Vincent Liu, partner at Stach & Liu, has developed antiforensic tools. But he stopped because “the evidence exists that we can’t rely on forensic tools anymore. It was no longer necessary to drive the point home. There was no point rubbing salt in the wound,” he says.

The investigator in the aquarium case says, “Antiforensics are part of my everyday life now.” As this article is being written, details of the TJX breach—called the biggest data heist in history, with more than 45 million credit card records compromised—strongly suggest that the criminals used antiforensics to maintain undetected access to the systems for months or years and capture data in real time. In fact, the TJX case, from the sparse details made public, sounds remarkably like the aquarium case on a massive scale. Several experts said it would be surprising if antiforensics weren’t used. “Who knows how many databases containing how many millions of identities are out there being compromised?” asks the investigator. “That is the unspoken nightmare.”

Weapons of Antiforensics: The Obfuscator’s Toolkit

If you were making a movie about a computer crime, the bad guys would use antiforensics. And since it’s a movie, it should be exciting, so they’d use the clever and illicit antiforensic tools, the sexy ones with little or no legitimate business purpose. Liu has developed such tools under the Metasploit Framework, a collection of software designed for penetration testing and, in the case of the antiforensic tools, to expose the inherent weaknesses in forensics in hopes that the forensics industry would view it as a call to action to improve its toolset.

One of Liu’s tools is Timestomp. It targets the core of many forensic investigations—the metadata that logs file information including the times and dates of file creation, modification and access. Forensic investigators poring over compromised systems where Timestomp was used often find files that were created 10 years from now, accessed two years ago and never modified. Transmogrify is similarly wise to the standard procedures of forensic investigators. It allows the attacker to change information in the header of a file, a space normally invisible to the user. Typically, if you changed the extension of a file from, say, .jpg to .doc, the header would still call it a .jpg file and header analysis would raise a red flag that someone had messed with the file. Transmogrify alters the header along with the file extension so that the analysis raises no red flags. The forensic tools see something that always was and remains a .doc file.

RESOURCE CENTER