The use of anti-forensic techniques in and on IT systems is common practice for advanced and persistent actors, particularly in the context of targeted attacks or efforts by organised criminals to erase digital traces. This might include tampering with log files, using wiping or ‘cleaning’ tools, deploying rootkits, using hidden data storage areas, or even planting traps to be triggered in the course of a later investigation. It is therefore necessary to describe the state of the art in anti-forensic techniques in order to identify and elaborate on potential detection and mitigation techniques for practitioners in the field.
This paper is primarily intended to be read by forensic specialists and information security professionals. It describes in detail how modern anti-forensic tools work and how to mitigate them. We focus mainly on Windows operating systems, but some of the tools described can be used on Linux as well.
The first and second sections of this report detail the proposed classification, with a description of each technique. The third section describes several anti-forensic techniques and tries to find possible mitigation scenarios. It focuses on techniques such as timestamp manipulation, memory pollution and data hiding, which allow attackers to remain undetected and hide their malicious activity for as long as possible. Some methods can break disk or memory acquisition tools, and this unequivocally indicates the use of anti-forensic techniques.
In our research, we have shown how powerful anti-forensic tools can be in the hands of skilled criminals. There are numerous resources that teach readers how to exploit or break the forensic process, but there is little guidance on how to protect against them. The scenario analysis in this study demonstrates that live acquisition and memory analysis are the areas in which investigators can best remain one step ahead. It is particularly beneficial to run strings against memory images, or to use Volatility plugins such as cmdscan or consoles.
Some malicious activities never touch the hard drive and only become visible in memory. However, memory analysis is not fully reliable without double-checking both the tool output and the memory image itself, as several tools might tamper with the evidence before analysis. Therefore, there is a strong need for custom imaging tools and specific procedures to avoid being left with evidence that is of no use to the case at hand. This paper offers some hints on how to prepare for such situations.
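As an added illustration of the memory-analysis approach described above (this is example code written for this summary, not a tool from the report or from the Volatility project), the script below does a minimal version of what running strings against a memory image and then reviewing console history achieves: it carves printable ASCII and UTF-16LE strings (Windows keeps most user-facing strings in UTF-16LE, which a plain ASCII scan misses), records a SHA-256 of the image so that the analysed bytes can be matched against the acquisition record, and flags strings that look like shell activity or log clearing. The sample memory buffer and the indicator list are constructed for the example; a real investigation would use a verified image and the organisation's own indicator set.

```python
import hashlib
import re
from typing import Dict, List, Tuple

# Constructed sample resembling a fragment of process memory (not a real image):
# an ASCII path, a UTF-16LE command line, noise bytes, and a too-short string.
SAMPLE_MEMORY = (
    b"\x00\x01\x02"
    + b"C:\\Windows\\system32\\cmd.exe"
    + b"\x00\xff\x10"
    + "cipher /w:C:\\Users\\temp".encode("utf-16-le")   # UTF-16LE, as Windows stores it
    + b"\x00\x00\x7f"
    + b"ab"                                              # shorter than min_len, dropped
    + b"\x00"
    + b"wevtutil cl Security"
    + b"\x00"
)

# Illustrative indicators of console use and log tampering; an assumption for
# this example, not a list taken from the report.
CONSOLE_INDICATORS = ("cmd.exe", "powershell", "cipher /w", "wevtutil cl")


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Carve printable ASCII and UTF-16LE strings of at least min_len characters,
    returned in order of their offset in the buffer (like `strings` plus `strings -el`)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found: List[Tuple[int, str]] = []
    for m in ascii_re.finditer(data):
        found.append((m.start(), m.group().decode("ascii")))
    for m in utf16_re.finditer(data):
        found.append((m.start(), m.group().decode("utf-16-le")))
    found.sort(key=lambda t: t[0])
    return [s for _, s in found]


def find_console_artifacts(strings: List[str]) -> List[Tuple[str, str]]:
    """Return (indicator, string) pairs for strings matching a known indicator."""
    hits = []
    for s in strings:
        low = s.lower()
        for indicator in CONSOLE_INDICATORS:
            if indicator in low:
                hits.append((indicator, s))
                break
    return hits


def triage_image(data: bytes) -> Dict[str, object]:
    """Hash the image before looking at it, then carve strings and flag artifacts.
    The hash is what gets compared with the value recorded at acquisition time."""
    strings = extract_strings(data)
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "strings": strings,
        "hits": find_console_artifacts(strings),
    }


if __name__ == "__main__":
    result = triage_image(SAMPLE_MEMORY)
    print("image sha256:", result["sha256"])
    for indicator, s in result["hits"]:
        print(f"[{indicator}] {s}")
```

The UTF-16LE pass is the part most often skipped in ad hoc triage; without it the `cipher /w` command line in the sample is invisible, which is exactly the kind of gap an attacker relying on memory-only activity benefits from.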
This study is based on a Request for Support to the NATO Cooperative Cyber Defence Centre of Excellence (NATO CCD COE) dated 25 March 2014. This request was submitted through the NATO CCD COE Steering Committee and was approved for implementation.