Anti-Forensics: Real world identification, analysis and prevention

Reliance on forensic investigation of information systems has become a daily requirement for law enforcement and security practitioners around the world.
Effective evidence collection and analysis is the foundation of any investigation; identifying suspects, motives and methods demands acquiring the largest amount of information that evidence can provide. Anti-Forensics – Real world identification, analysis and prevention discusses how criminals, attackers and uninformed investigators all have the ability to reduce the amount of useful information at our disposal. Michael shows the audience real-world scenarios detailing how anti-forensic tools are used to hide and destroy incriminating evidence, outlining common anti-forensic techniques. This is followed by a discussion of hands-on identification and prevention practices, used to raise awareness of current academic research and to identify potential solutions for practitioners and law enforcement organizations.



  1. Digital Anti-Forensics: Real World Identification, Analysis & Prevention. Michael Legary, IR-10, November 7, 2007. Copyright 2005 Seccuris Inc
  2. Introduction: Michael Legary, Founder, Seccuris Inc. CISSP, CISA, CISM, CCSA, GCIH, SCF, CNE, MCSE, CCNA
  3. Overview: Current Situation • What is Anti-forensics • Anti-forensics Methods • Transformation Attacks • Current trends to watch • Prevention Methods for Real World • Conclusions
  4. Organization A – Agrieng Inc
     • Small agri-business
     • Sales +/- 2M & 25 employees
     • Designs tractors, balers, etc.
     • Heavy use of electronic drafting & engineering software
     • Bids on contract work for major manufacturers
  5. Organization A – Agrieng Inc
     • Outbid & outsold by a foreign competitor
     • One particular competitor's designs look eerily similar
  6. Organization B – ServPro GmbH
     • Large service provision company
     • Sales +/- 200M & 2500 employees
     • Provides information management solutions to worldwide organizations
     • Specialized database and information mining technology separates ServPro from competing organizations
     • Currently handles personal information of over 50 million individuals
  7. Organization B – ServPro GmbH
     • A few clients are reporting an increase in identity theft reports by their constituents.
     • There seems to be a pattern in the types of information being reported as stolen.
  8. Organization C – Government Department
     • Federal organization providing legal-related services
     • Handles specialty investigations from multiple provinces
     • Conducting investigation into high-tech criminal activity
  9. Organization C – Government Department
     • Suspects are continually evading capture
     • Individuals caught seem to have been prepared for questioning
     • Little to no evidence identified when caught
  10. Forensic Investigation
     • What is going on?
     • Who is behind the activity?
     • Why are they doing it?
     • When did they start / stop?
     • Where are they located?
     • How is the activity occurring?
     • Has a crime taken place?
  11. Forensic Investigation
     • Often, in cases involving information systems, standardized forensic investigation does not occur until it is known that suspicious activity is happening
     • Where do we look for this activity?
  12. Digital Evidence & Forensics
     • Digital evidence exists all around us
     • Tools and techniques available to investigators have greatly increased in recent times
     • Reliance on digital evidence is becoming a reality
     • Where is evidence on a system?
  13. [Diagram: system layers, top to bottom: User Console; User Level; Kernel Interface; Kernel Level (Memory, File System); Hardware Level]
  14. Evidence exists in:
     • Memory: system memory, system cache (program, temp log, temp file)
     • File System: file system, file system cache (program, config file, target file, log file, temp log, temp file)
  15. Evidence exists in:
     • User Level: running programs, running services, active processes
     [Diagram labels: Service; Kernel Interface; Kernel Level; Hardware Level]
  16. [Diagram: system layers with evidence locations: User Console; User Level (Service); Kernel Interface; Kernel Level: Memory (Temp Log, Temp File) and File System (Target File, Log File, Config File, Program, Temp Log, Temp File); Hardware Level]
  17. Standardized process for digital evidence. Standard processes are being created for:
     • Attack identification
     • Forensic investigation
     • Image capture
     • Image analysis
     • Evidence identification
  18. Standardized process for digital evidence. Forensic investigations are initiated from evidence collected during the attack identification process. If an investigator cannot identify an attack, a forensic investigation will not be conducted, allowing attackers to go unnoticed.
  19. [Diagram: Identification step applied across the system layers (User Console; User Level (Service); Kernel Interface; Kernel Level: Memory and File System; Hardware Level)]
  20. [Diagram: Forensic Investigation step: System State Image (user level / kernel interface), Memory Image (memory), Hard Drive Image (file system)]
  21. Overview: Current Situation • What is Anti-forensics • Anti-forensics Methods • Transformation Attacks • Current trends to watch • Prevention Methods for Real World • Conclusions
  22. Anti-Forensics: What is it?
     • Practices and processes to prevent, counteract or neutralize an investigator's ability to identify or recover evidence for use in an investigation.
  23. Anti-Forensics: The common purpose
     • Prevent detection of the attacker
     • Prevent an investigator from gaining usable knowledge
     • Destroy, hide, prevent creation of, or transform data
  24. Anti-Forensics: The common purpose
     • Even if an attacker is detected, evidence regarding their means, methods and motives will have been altered, preventing accurate investigation or prosecution.
  25. The origins of Anti-forensics
     • Traditional techniques: physical, financial, criminal
     • Good examples: on television
  26. Overview: Current Situation • What is Anti-forensics • Anti-forensics Methods • Transformation Attacks • Current trends to watch • Prevention Methods for Real World • Conclusions
  27. Anti-forensics – Methods Overview
     • In order to maintain covert activities of any sort there is a requirement to destroy, hide, prevent creation of, or transform data in order to remain hidden.
  28. Anti-forensics – Methods Overview: Destruction of data
     • Goal: significantly damage the integrity of evidence
     • Physical destruction of data: magnetic techniques (degaussing), brute force
     • Logical destruction of data: reinitialize media; significantly change the composition of data on the media
  29. Anti-forensics – Methods Overview: Hiding of data
     • Goal: limit identification and collection of evidence
     • Obfuscation: information manipulation, steganography
     • Encryption: data encryption, media encryption
  30. Anti-forensics – Methods Overview: Data creation prevention
     • Goal: prevent creation of evidence
     • Direct prevention: rootkits, modification of system binaries
     • Indirect prevention: limit system functionality (DoS) to prevent creation of data
  31. Anti-forensics – Methods Overview: Transformation techniques
     • Goal: maintain or re-establish investigator trust in falsified data as evidence.
     • Conventional techniques: rootkits
     • Advanced techniques: shared library hijacking
  32. [Diagram: Identification view of the system layers with attacker artifacts added: Attacker Program alongside the legitimate Program in memory, Attacker File in the file system]
  33. Anti-forensics – Methods Overview: Transformation techniques
     • One of the most complex technical attacks being performed today
     • Understanding and appreciating the methods used will allow us to reform our investigation techniques
  34. Anti-forensics – Methods Overview: Transformation techniques. WHY?
     • Detailed forensic investigation may not start if there is no suggestion of system tampering
     • These techniques can make very ugly systems look like good ones…
  35. Overview: Current Situation • What is Anti-forensics • Anti-forensics Methods • Transformation Attacks • Current trends to watch • Prevention Methods for Real World • Conclusions
  36. Overview: Transformation Attacks
     • Traditional methods: conventional, advanced
     • Detection: conventional, advanced
     • Emerging methods
  37. Anti-Forensics – Traditional Techniques: Conventional transformation methods
     • Initial system compromise
     • Deception of security personnel
  38. Conventional transformation methods: Initial system compromise
     • Breach of the system through a known vulnerability
     • Attacker gains access to the system and attempts to bypass detection
  39. Conventional transformation methods: Deception of security personnel
     • Deleting files
     • Hiding files / logs / activities
     • Rootkits
     • Tools used to identify suspicious activity (in BSD): disk tools: df, ls, du; process tools: ps, top, crontab; network tools: netstat, sockstat, fstat, tcpdump
     • Be suspicious of your compiler
  40. Traditional Techniques – AgriEng Inc
     • Attacker identifies vulnerability
     • Breaks into system
     • Removes logs
     • Installs rootkit
     • Downloads engineering files
     • Configures backdoor into system
  41. [Diagram: system layers after the AgriEng compromise: Attacker Program in memory, Attacker File in the file system, alongside the legitimate Program, Config File, Target File and Log File]
  42. [Diagram: Identification view of the same system: Attacker Program and Attacker File present; the Log File no longer appears in the file system]
  43. Overview: Transformation Attacks
     • Traditional methods: conventional, advanced
     • Detection: conventional, advanced
     • Emerging methods
  44. Anti-Forensics – Traditional Techniques: Advanced transformation methods
     • Kernel modules and hijacking of system calls
     • Kernel level rootkit: provides undetected and almost unlimited access to a compromised system
     • Allows attackers to perform a variety of functions such as: hide processes; hide files and registry keys; log keystrokes; redirect executable files; issue commands; generate its own hidden TCP/IP stack; remote administration
  45. Traditional Techniques – ServPro GmbH
     • Attacker identifies vulnerability
     • Breaks into system
     • Removes logs
     • Installs kernel level rootkit
     • Installs system sniffer
     • Creates automated system to send out client information
  46. [Diagram: system layers after the ServPro compromise: Attacker Program in memory, Attacker File in the file system]
  47. [Diagram: Identification view of the same system: Attacker Program and Attacker File present; the Log File no longer appears]
  48. Overview: Transformation Attacks
     • Traditional methods: conventional, advanced
     • Detection: conventional, advanced
     • Emerging methods
  49. Anti-Forensics – Traditional Techniques: Traditional transformation detection methods
     • Cryptographic hashing for data integrity
     • Process analysis
     • Network monitoring
     • Signature / pattern matching
  50. Transformation Detection Methods: Cryptographic hashing for data integrity
     • Using fingerprints, investigators can ensure files come from trusted sources, or weed out known attack tools
     • MD5 / SHA / RIPEMD
     • HIDS – use of cryptographic hashing: Tripwire, Axent, Cybersafe, ISS
  51. Cryptographic hashing for data integrity
     Trusted command executable:
         % md5 ps.trusted
         MD5 (ps.trusted) = 9501ef286ef3ab8687b7920ca4fee29f
     Un-trusted command executable:
         % md5 /bin/ps
         MD5 (/bin/ps) = 02b2f8087896314bafd4e9f3e00b35fb
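The slide compares two md5 outputs by eye. The following is an added example, not part of the deck, of the same check automated the way a host-based integrity checker such as Tripwire does it: fingerprint a set of trusted files once, then verify later and report what changed. All file names and contents are constructed inside a temporary directory, and SHA-256 is the default algorithm (MD5 collisions are practical, so MD5 is only kept as an option for comparing against old baselines).

```python
# Added example (not from the slides): a minimal file-integrity baseline of the
# kind Tripwire-style HIDS tools keep. Paths and contents below are constructed.
import hashlib
import os
import tempfile


def hash_file(path, algorithm="sha256"):
    """Return the hex digest of a file, read in chunks so large binaries fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths, algorithm="sha256"):
    """Fingerprint every trusted file once, while the system is known-good."""
    return {p: hash_file(p, algorithm) for p in paths}


def verify_baseline(baseline, current_paths, algorithm="sha256"):
    """Compare the files present now against the stored baseline.

    Returns a dict mapping each path to one of:
      'ok'       - digest matches the baseline
      'modified' - file exists but its digest differs (e.g. a replaced ps binary)
      'missing'  - file was in the baseline but is gone
      'new'      - file exists but was never fingerprinted
    """
    report = {}
    current = set(current_paths)
    for path, expected in baseline.items():
        if path not in current or not os.path.exists(path):
            report[path] = "missing"
        elif hash_file(path, algorithm) == expected:
            report[path] = "ok"
        else:
            report[path] = "modified"
    for path in current - set(baseline):
        report[path] = "new"
    return report


def demo():
    """Constructed scenario: baseline two 'binaries', then one is replaced and
    an extra file appears, as on the slide's untrusted /bin/ps."""
    with tempfile.TemporaryDirectory() as d:
        ps = os.path.join(d, "ps")
        ls = os.path.join(d, "ls")
        for p in (ps, ls):
            with open(p, "wb") as f:
                f.write(b"trusted build of " + os.path.basename(p).encode())
        baseline = build_baseline([ps, ls])
        # the ps binary is swapped for a different build after the baseline was taken
        with open(ps, "wb") as f:
            f.write(b"replacement ps")
        extra = os.path.join(d, "unexpected")
        with open(extra, "wb") as f:
            f.write(b"new file")
        return verify_baseline(baseline, [ps, ls, extra])


if __name__ == "__main__":
    for path, status in demo().items():
        print(f"{status:9s} {path}")
```

The baseline must be stored somewhere the compromised host cannot rewrite (read-only media or another machine), and the hashing tool itself must be a trusted copy: a replaced md5 or ps binary is exactly what the slide is warning about.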
  52. [Diagram: Identification view: the Known Good Program is compared with the Attacker Program; NOT SAME; ATTACK DETECTED!]
  53. Transformation Detection Methods: Process analysis
     • Processes contain content such as: open files, memory maps, ownership labels, resource consumption statistics
     • Analysis of these characteristics allows an investigator to identify discrepancies in common system activity
     • Utilities such as: ps -aux, top, procfs
  54. [Diagram: Identification view: the Known Good Service is compared with the Attacker Service; NOT SAME; ATTACK DETECTED!]
  55. Transformation Detection Methods: Network monitoring
     • NIDS
     • Firewall monitoring
     • Bandwidth trending
     • Output can identify use of known attacks, or of privileged accounts
  56. Transformation Detection Methods: Network monitoring
         Nov 10 21:59:06 <4.1> 172.16.1.20 snort: [1:466:1] SHELLCODE x86 stealth NOOP [Priority: 2]: {PROTO001} 10.0.1.125 -> 10.5.1.3
     • Example Snort® log entry which has detected the op-codes (machine instructions) for a "stealth NOOP".
  57. Transformation Detection Methods: Network monitoring
         % tcpdump -nett -i pflog0
         listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
         1100221136.677441 rule 1/0(match): block in on sis0: IP 10.0.0.35.4646 > 205.11.11.11.445: S 552159036:552159036(0) win 64240 <mss 1460,nop,nop,sackOK>
         1100221138.370423 rule 1/0(match): block in on sis0: IP 10.0.0.35.4646 > 205.11.11.11.445: S 552159036:552159036(0) win 64240 <mss 1460,nop,nop,sackOK>
     • Example use of tcpdump on the OpenBSD® PF firewall
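Slides 56 and 57 show the two raw formats an investigator gets from the network side: Snort syslog alerts and pflog records printed by tcpdump. The following is an added example, not from the deck, that parses both formats and pulls out the hosts worth looking at first, either because they raised a high-priority IDS alert or because the firewall blocked them repeatedly on the same port. The first Snort line and the two block lines are the slides' own; the second alert (a local-rule SID in the 1000000+ range) and the "pass out" line are constructed so the filtering has something to discard.

```python
# Added example (not from the slides): parse Snort syslog alerts and OpenBSD
# pflog lines from "tcpdump -nett -i pflog0", then correlate by source host.
import re
from collections import Counter

SNORT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) <[\d.]+> (?P<sensor>\S+) snort: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"\[Priority: (?P<prio>\d+)\]: \{(?P<proto>[^}]+)\} "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

PFLOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) rule (?P<rule>[^(\s]+)\((?P<reason>\w+)\): "
    r"(?P<action>\w+) (?P<dir>in|out) on (?P<iface>\w+): "
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<flags>\S+)"
)

SNORT_SAMPLE = [
    # from the slide
    "Nov 10 21:59:06 <4.1> 172.16.1.20 snort: [1:466:1] SHELLCODE x86 stealth NOOP "
    "[Priority: 2]: {PROTO001} 10.0.1.125 -> 10.5.1.3",
    # constructed: a low-priority local rule firing on the same host pflog blocks below
    "Nov 10 22:03:41 <4.1> 172.16.1.20 snort: [1:1000001:1] LOCAL SMB probe from workstation "
    "[Priority: 3]: {TCP} 10.0.0.35:4646 -> 205.11.11.11:445",
]

PFLOG_SAMPLE = [
    # the two block records from the slide
    "1100221136.677441 rule 1/0(match): block in on sis0: IP 10.0.0.35.4646 > 205.11.11.11.445: "
    "S 552159036:552159036(0) win 64240 <mss 1460,nop,nop,sackOK>",
    "1100221138.370423 rule 1/0(match): block in on sis0: IP 10.0.0.35.4646 > 205.11.11.11.445: "
    "S 552159036:552159036(0) win 64240 <mss 1460,nop,nop,sackOK>",
    # constructed: an ordinary permitted web request, which the block filter must ignore
    "1100221140.120000 rule 3/0(match): pass out on sis0: IP 10.0.0.35.50211 > 198.51.100.7.80: "
    "S 1:1(0) win 64240 <mss 1460>",
]


def parse_snort(lines):
    """Structured records for every line that is a Snort alert; other syslog noise is skipped."""
    records = []
    for line in lines:
        m = SNORT_RE.match(line)
        if m:
            r = m.groupdict()
            r["prio"] = int(r["prio"])
            records.append(r)
    return records


def parse_pflog(lines):
    """Structured records for tcpdump -nett output read from an OpenBSD pflog interface."""
    return [m.groupdict() for m in map(PFLOG_RE.match, lines) if m]


def blocked_by_source(pf_records):
    """Count blocked connection attempts per (source host, destination port)."""
    return Counter((r["src"], r["dport"]) for r in pf_records if r["action"] == "block")


def hosts_of_interest(alerts, pf_records, max_prio=2, min_blocks=2):
    """Hosts that raised an IDS alert of priority <= max_prio, or that the firewall
    blocked at least min_blocks times on one port. Both survive on the network side
    even when the endpoint's own logs have been removed."""
    flagged = {}
    for a in alerts:
        if a["prio"] <= max_prio:
            flagged.setdefault(a["src"], set()).add("ids:%s" % a["sid"])
    for (src, dport), n in blocked_by_source(pf_records).items():
        if n >= min_blocks:
            flagged.setdefault(src, set()).add("blocked:%s x%d" % (dport, n))
    return {host: sorted(reasons) for host, reasons in flagged.items()}


if __name__ == "__main__":
    for host, reasons in hosts_of_interest(parse_snort(SNORT_SAMPLE), parse_pflog(PFLOG_SAMPLE)).items():
        print(host, ", ".join(reasons))
```

The thresholds (priority 2 and two blocks) are deliberately low for the sample; on a real sensor they are tuned per site. The value of the correlation is that a host a rootkit has cleaned up still appears in records kept by other machines.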
  58. [Diagram: Identification view with a Network Intrusion Detection System observing the layers; Attacker Program and Attacker File present; ATTACK DETECTED!]
  59. Transformation Detection Methods: Signature / pattern matching
     • Database of known patterns and signatures
     • Binary sequence matching
     • Used in NIDS / HIDS / investigative tools
  60. Transformation Detection Methods: Signature / pattern matching
         % file libtransform.so.1
         libtransform.so.1: ELF 32-bit LSB shared object, Intel 80386, version 1 (FreeBSD), stripped
     • Output of the "file" utility on a shared object.
     • The "file" utility attempts to determine the file type of a specified file.
  61. [Diagram: Identification view: the Attacker Program is checked on 1. File Size, 2. Header Information, 3. File Content, 4. Unknown Pattern; ATTACK DETECTED!]
  62. Investigating – AgriEng Inc
     • Cryptographic hashing for data integrity
     • Process analysis
     • Network monitoring
     • Signature / pattern matching
  63. [Diagram: Identification view of the AgriEng system: Attacker Program and Attacker File identified; ATTACK DETECTED!]
  64. Overview: Transformation Attacks
     • Traditional methods: conventional, advanced
     • Detection: conventional, advanced
     • Emerging methods
  65. Anti-Forensics – Traditional Techniques: Advanced transformation detection methods
     • Detection of system call hijacking
  66. Advanced Transformation Detection Methods: Detection of system call hijacking
     • System call hijacking changes the address the system references from a known module to the attacker's own module
     • If an investigator can find inconsistencies in programs making system calls, they will be able to detect an attack
  67. Advanced Transformation Detection Methods
         /* sysent[].sy_call is a sy_call_t *, so the kernel's own handlers are
          * cast to that type before the pointer comparison */
         if (sysent[SYS_open].sy_call != (sy_call_t *)open)
             panic("open system call has been hi-jacked");
         if (sysent[SYS_write].sy_call != (sy_call_t *)write)
             panic("write system call has been hi-jacked");
     • Code snippet for the FreeBSD® operating system which, when executed in the context of the kernel, could be used to detect the presence of a hijacked system call.
  68. Investigating – ServPro GmbH
     • Cryptographic hashing for data integrity
     • Process analysis
     • Network monitoring
     • Signature / pattern matching
     • Detection of system call hijacking
  69. [Diagram: Identification view of the ServPro system: Attacker Program and Attacker File identified; ATTACK DETECTED!]
  70. Overview: Transformation Attacks
     • Traditional methods
     • Emerging methods: emerging transformation methods, emerging detection
  71. Anti-Forensics – Emerging Techniques: Emerging transformation methods
     • Hijacking of user space library calls
  72. Dynamically Linked Libraries
     • More efficient use of system resources
     • Loads from user space
     • Multiple programs utilize the same code libraries for similar functions
     • Attackers can change program behavior without modifying the program or the libraries
     [Diagram labels: Standard Libraries; Dynamically Linked Libraries; Memory]
  73. [Diagram: Dynamically Linked Libraries in memory]
  74. [Diagram: Dynamically Linked Libraries in memory]
  75. Emerging transformation methods: Hijacking of user space library calls
     • Information transformation: takes "ugly / untrusted" information and makes it look "good / trusted"
     • Scenarios: system logs, audit logs, existing files, IDS, FW, dynamic review
  76. Emerging Techniques – Government Department
     • Attacker identifies vulnerability
     • Breaks into system
     • Installs user space module for shared library hijacking
     • Creates automated system to send out client information
     • Avoids capture through the regular methods used by investigators
  77. [Diagram: system layers after the Government Department compromise: Attacker File and Shared Object File in the file system; no separate attacker program at user level]
  78. [Diagram: Identification view of the same system: Attacker File and Shared Object File in the file system]
  79. Investigating – Government Department
     • Cryptographic hashing for data integrity
     • Process analysis
     • Network monitoring
     • Signature / pattern matching
     • Detection of system call hijacking
  80. [Diagram: Identification view: every check reports No Attack even though the Attacker File and Shared Object File are present in the file system]
  81. Overview: Transformation Attacks
     • Traditional methods
     • Emerging methods: emerging transformation methods, emerging detection
  82. Anti-Forensics – Emerging Techniques: Emerging transformation detection methods
     • Shared library analysis
  83. Emerging transformation detection methods: Shared library analysis
     • Analyze active processes to identify links to "ugly / untrusted" shared libraries.
     • Using lsof to analyze the vmcore: identifies whether an untrusted object is being used by the system
     • Using objdump to analyze dynamic symbols: identifies which functions are being hijacked by the untrusted object
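The two steps on this slide (which processes map a foreign shared object, and which functions that object exports) are straightforward to automate once the tool output is in hand. The following is an added example, not the deck's own tooling, that runs both steps over constructed `lsof` and `objdump -T` output. The untrusted object name libtransform.so.1 comes from slide 60; every path, PID, size and symbol address below is constructed for illustration. The parsers work on the column layout of the output, so they apply equally to lsof run against a live system or against a vmcore as the slide describes.

```python
# Added example (not the slides' own tooling): shared library analysis over
# constructed lsof and "objdump -T" output. libtransform.so.1 is the untrusted
# object named on the slides; all other values here are constructed.
import re

# where a known-good install is expected to load shared objects from
TRUSTED_LIB_DIRS = ("/lib/", "/usr/lib/", "/usr/local/lib/")

# libc entry points that, if resolved to a foreign object ahead of libc, let that
# object rewrite what a program reads from or writes to files, logs and terminals
SENSITIVE_FUNCTIONS = {"open", "read", "write", "fopen", "fgets", "fputs",
                       "fwrite", "readdir", "syslog"}

LSOF_SAMPLE = """\
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF   NODE NAME
syslogd   512 root  txt   VREG   0,91    31244  12001 /usr/sbin/syslogd
syslogd   512 root  txt   VREG   0,91   893412  12002 /lib/libc.so.7
syslogd   512 root  txt   VREG   0,91    18220  40917 /var/tmp/.x/libtransform.so.1
sshd      701 root  txt   VREG   0,91   312004  12050 /usr/sbin/sshd
sshd      701 root  txt   VREG   0,91   893412  12002 /lib/libc.so.7
"""

OBJDUMP_T_SAMPLE = """\
/var/tmp/.x/libtransform.so.1:     file format elf32-i386

DYNAMIC SYMBOL TABLE:
00000000      DF *UND*  00000000  FBSD_1.0    dlsym
00000000      DF *UND*  00000000  FBSD_1.0    strstr
00000b40 g    DF .text  000000a2  Base        write
00000be4 g    DF .text  0000007c  Base        fgets
00000c60 g    DF .text  00000035  Base        transform_init
"""

SHARED_OBJECT_RE = re.compile(r"\.so(\.\d+)*$")


def parse_lsof(text):
    """Rows of command, pid, fd and path from lsof's tabular output."""
    rows = []
    for line in text.splitlines()[1:]:          # first line is the column header
        f = line.split()
        if len(f) >= 9:
            rows.append({"command": f[0], "pid": f[1], "fd": f[3], "path": f[-1]})
    return rows


def untrusted_objects(rows):
    """Mapped shared objects that live outside the trusted library directories."""
    return [(r["command"], r["pid"], r["path"]) for r in rows
            if SHARED_OBJECT_RE.search(r["path"])
            and not r["path"].startswith(TRUSTED_LIB_DIRS)]


def parse_dynamic_symbols(text):
    """(name, defined) pairs from 'objdump -T'. Defined symbols are what the
    object exports; *UND* entries are what it imports from other libraries."""
    symbols = []
    for line in text.splitlines():
        if not re.match(r"^[0-9a-f]{8,16}\s", line):
            continue
        symbols.append((line.split()[-1], "*UND*" not in line))
    return symbols


def hijacked_functions(objdump_text):
    """Exported symbols that shadow sensitive libc functions."""
    return sorted(name for name, defined in parse_dynamic_symbols(objdump_text)
                  if defined and name in SENSITIVE_FUNCTIONS)


def analyze(lsof_text, objdump_text):
    """Tie the two views together: which processes load the foreign object, and
    which calls that object is positioned to intercept in them."""
    return {"untrusted": untrusted_objects(parse_lsof(lsof_text)),
            "hijacked": hijacked_functions(objdump_text)}


if __name__ == "__main__":
    result = analyze(LSOF_SAMPLE, OBJDUMP_T_SAMPLE)
    for command, pid, path in result["untrusted"]:
        print(f"{command} (pid {pid}) maps untrusted object {path}")
    print("interposed functions:", ", ".join(result["hijacked"]))
```

In the sample the object is mapped only by syslogd and exports `write` and `fgets`, which is consistent with the slide's scenario of log output being rewritten on its way to disk while every file-level check on the logging binary itself still passes. A trusted-directory allowlist is a coarse first filter; the hash baseline from slide 51 should also cover the libraries in those directories, since a replaced libc needs no foreign path at all.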
  84. Investigating – Government Department
     • Using lsof to analyze the vmcore
     • Using objdump to analyze dynamic symbols
  85. [Diagram: Identification view with the VMCORE File analysed; the Shared Object File is identified; ATTACK DETECTED!]
  86. Overview: Current Situation • What is Anti-forensics • Anti-forensics Methods • Transformation Attacks • Current trends to watch • Prevention Methods for Real World • Conclusions
  87. Current trends to watch
     • Direct kernel hijack
     • Concurrency exploits
     • Dynamic firmware attack
     • Virtualization attacks
  88. Direct Kernel Hijack
     • Modifies the live kernel instead of system calls
     • Injection of malicious kernel code through /dev/mem or /dev/kmem
     • This isn't new, but it is gaining popularity again…
     • Tripwire, Exec Shield and PaX bypass is standard in most kits
     • Most script kits do not require root for proper execution on Ubuntu and general Linux/BSD flavors
     • Better detection of NOP sleds, allowing a higher chance of first-time success
  89. Concurrency Exploits & Race Conditions
     • System call wrappers have been touted as the answer to system call hijacking.
     • Concurrency exploits remove the effectiveness of wrappers in multi-process systems
     • More information: http://www.watson.org/~robert/2007woot/20070806-woot-concurrency.pdf
  90. [Diagram: Concurrency Exploits – Race Conditions]
  91. Firmware Attack – Covert Channel
     • Hijack of interrupts through firmware exploitation
     • RAID / SATA drives increasingly vulnerable
     • Automated exploit through dynamic firmware update
     • Hide I/O errors, misreport write commands, reword strings being written to the drive
  92. Virtualization Attacks
     • The Blue Pill hype (and anti-hype): http://securitywatch.eweek.com/showdown_at_the_blue_pill_corral.html
     • Reported to be 100% undetectable malware
     • On-the-fly installation of malware that "traps & emulates" the original OS
     • Timing, memory & hypervisor checks detect it…
     • As hardware moves towards virtualization support this will become a bigger concern
  93. Overview: Current Situation • What is Anti-forensics • Anti-forensics Methods • Transformation Attacks • Current trends to watch • Prevention Methods for Real World • Conclusions
  94. Prevention Methods for the Real World
     • Psychological changes: be aware of this type of activity
     • Process changes: modify incident handling and forensic investigation processes to test for this type of activity
     • Architecture changes: static linking (back to the future!); utilize trusted security architectures: cryptographic execution policy (checksums), mandatory access control frameworks, FreeBSD Trusted Execution Policy
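"Static linking" is listed as an architectural prevention because a statically linked tool has no dynamic linker and no shared libraries for a hijacking object to interpose. Checking which of the binaries on an investigation toolkit actually are statically linked needs only the ELF program headers: a PT_INTERP segment names the run-time loader and a PT_DYNAMIC segment carries the dynamic linking tables, and a binary with neither is static. The following is an added example, not from the deck, that reads those headers; the ELF images it inspects are constructed in memory by build_sample_elf64(), and the loader path /libexec/ld-elf.so.1 (the FreeBSD run-time linker) is an assumed sample value.

```python
# Added example (not from the slides): a small ELF program-header reader that
# tells statically linked executables from dynamically linked ones, so the tools
# carried onto an evidence box can be checked for exposure to shared library
# hijacking. The sample images are constructed by build_sample_elf64().
import struct

PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3
ELFCLASS32, ELFCLASS64 = 1, 2


def elf_link_info(data):
    """Return how an ELF image is linked, from its program headers alone.

    'interp'  is the requested run-time loader (PT_INTERP), or None
    'dynamic' is True when a PT_DYNAMIC segment exists
    A binary with neither is statically linked: no shared object can be
    loaded into it ahead of libc to interpose its calls.
    """
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    elf_class, endian = data[4], data[5]
    if endian != 1:
        raise ValueError("only little-endian images are handled in this example")
    if elf_class == ELFCLASS64:
        hdr = struct.unpack_from("<HHIQQQIHHHHHH", data, 16)
        ph_fmt = "<IIQQQQQQ"        # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, ...
        off_idx, filesz_idx = 2, 5
    elif elf_class == ELFCLASS32:
        hdr = struct.unpack_from("<HHIIIIIHHHHHH", data, 16)
        ph_fmt = "<IIIIIIII"        # p_type, p_offset, p_vaddr, p_paddr, p_filesz, ...
        off_idx, filesz_idx = 1, 4
    else:
        raise ValueError("unknown ELF class %d" % elf_class)
    e_phoff, e_phentsize, e_phnum = hdr[4], hdr[8], hdr[9]

    interp, dynamic = None, False
    for i in range(e_phnum):
        ph = struct.unpack_from(ph_fmt, data, e_phoff + i * e_phentsize)
        if ph[0] == PT_DYNAMIC:
            dynamic = True
        elif ph[0] == PT_INTERP:
            start, size = ph[off_idx], ph[filesz_idx]
            interp = data[start:start + size].rstrip(b"\x00").decode()
    return {"class": 64 if elf_class == ELFCLASS64 else 32,
            "interp": interp, "dynamic": dynamic,
            "statically_linked": interp is None and not dynamic}


def elf_link_info_from_path(path):
    """Same check on a file on disk (e.g. every binary in a toolkit directory)."""
    with open(path, "rb") as f:
        return elf_link_info(f.read())


def build_sample_elf64(interp=None):
    """Constructed, non-runnable ELF64 image: one PT_LOAD segment, plus a PT_INTERP
    segment naming the loader when an interpreter path is given."""
    ehsize, phentsize = 64, 56
    phnum = 1 if interp is None else 2
    body_off = ehsize + phnum * phentsize
    ident = b"\x7fELF" + bytes([ELFCLASS64, 1, 1, 0, 0]) + b"\x00" * 7
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0x400000,
                               ehsize, 0, 0, ehsize, phentsize, phnum, 0, 0, 0)
    phdrs = struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0, 0x400000, 0x400000,
                        0x1000, 0x1000, 0x1000)
    body = b""
    if interp is not None:
        body = interp + b"\x00"
        phdrs += struct.pack("<IIQQQQQQ", PT_INTERP, 4, body_off, 0, 0,
                             len(body), len(body), 1)
    return ehdr + phdrs + body


def audit(images):
    """Map each (name, bytes) pair to True when the image is statically linked."""
    return {name: elf_link_info(data)["statically_linked"] for name, data in images}


if __name__ == "__main__":
    samples = [("ps.static", build_sample_elf64()),
               ("ps", build_sample_elf64(b"/libexec/ld-elf.so.1"))]
    for name, static in audit(samples).items():
        print(f"{name}: {'static' if static else 'dynamically linked'}")
```

Two caveats when using this on real systems: a static-PIE executable carries PT_DYNAMIC without PT_INTERP and is reported here as dynamic, which is the conservative answer; and static linking only removes the interposition surface, not the option of replacing the binary outright, so the hash baseline from slide 51 still applies to the static toolkit.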
  95. Prevention Methods for the Real World: real-world tools for detection available
     • RootKit Hook Analyser: http://www.resplendence.com/hookanalyzer
     • RootkitRevealer (Windows NT4 – 2003+): http://www.microsoft.com/technet/sysinternals/utilities/RootkitRevealer.mspx
     • F-Secure BlackLight: http://www.f-secure.co.uk/blacklight/blacklight.html
  96. Prevention Methods for the Real World: real-world tools for prevention available
     • Tripwire: http://www.tripwire.com/
     • Third Brigade: http://www.thirdbrigade.com/
     • Anti-Rootkit software: http://www.antirootkit.com/software/index.htm
  97. Overview: Current Situation • What is Anti-forensics • Anti-forensics Methods • Transformation Attacks • Prevention Methods for Real World • Conclusions
  98. Conclusions
     • Anti-forensic techniques in the digital realm are becoming more complex and harder to detect
  99. Conclusions
     • Transformation attacks can falsely maintain an investigator's trust in a system, preventing a proper investigation from occurring
  100. Conclusions
     • Awareness of anti-forensics and of the techniques required for identification will enhance our ability to protect our organizations
  101. Thank you. Michael Legary, Founder, Seccuris Inc. (204) 255-4490, 1-866-644-8442, Michael.Legary@Seccuris.com, www.seccuris.com
