The purpose of forensics is to discover who did something and how. An attacker therefore has an obvious motive to disrupt that process.
In a pen test, anti-forensics matters because it goes beyond demonstrating to the organization that it has specific weaknesses that can be exploited.
The organization may also be failing its own response operations and personnel, when it should be enabling them to perform as effectively as possible. The pen test, through anti-forensics, can assess such issues. Note: Consider all of the hacking tools and techniques you have learned in this course. What digital evidence might they leave behind that an attacker would want to erase to cover their tracks?
The anti-forensics process relies on weaknesses inherent in computer systems, forensic tools, and the human investigators themselves. Several techniques are available to an attacker for exploiting these weaknesses. The following sections give examples of anti-forensics techniques that disrupt forensic processes or confuse or deceive investigators.
Common forensics tools:
EnCase: Multi-forensic platform that can gather data from different devices and discover evidence.
X-Ways Forensics: Full-featured platform for forensic investigators.
Digital Forensics Framework: Popular open source toolkit for both beginners and professionals.
Open Computer Forensics Architecture: Popular open source forensics framework.

Anti-forensics disrupts the forensic process by:
- Negatively affecting the quality, quantity, or integrity of evidence.
- Making forensic analysis more difficult or impossible.
- Deceiving forensic investigators.

Reasons an attacker may have for disrupting that process include escaping notice while they are still inside the perimeter.

Well-executed encryption can be a serious blockade: unless the password is revealed in some manner, the encrypted data is inaccessible.
Unfortunately for the world of secrets, it turns out that in the face of this sort of challenge there are many, many ways of acquiring the password and gaining access to the data. When responding to a computer incident, many technology professionals feel compelled to shut down the computer in question through a graceful shutdown rather than remove power from the system and risk data corruption or loss of volatile data not committed to permanent storage.
The standard procedure of completing a graceful shutdown has a myriad of vulnerabilities that the system owner or a third-party actor could use to disrupt or destroy evidence and prevent forensic recovery.
Removing power from a running system presents a far smaller risk than attempting to gracefully shut down a system that the incident responder can never fully guarantee is under their control and impervious to sabotage.
Other definitions were given prior to this, but — as Harris points out — they focused on specific segments of anti-forensics.
Cryptography is an interesting field of study and it forms the basis of much of the communication the average person takes for granted as they use computers, networks and the Internet. Encryption is the process of making a message such as a data file or communication stream unreadable to anyone lacking the appropriate decryption key.
Encryption uses mathematical algorithms to transform the data so that it is extremely difficult to reconstruct without the key. The data is combined with the key by a defined routine, making it impossible for any user to decrypt unless both the key and the routine are available. The practice of steganography goes back centuries, to a time when messages might be hidden on the scalp of a messenger or behind the wax of a writing tablet.
Technical steganography uses scientific methods to cover up the message, using things like microdots or invisible ink. Linguistic steganography hides the message in the original carrier itself and can be categorized as an open code.
Understanding how each works would be beyond the scope of this article, but for the CCFE, I recommend you gain a better understanding of each. Spotting a stego-attack can be challenging, but it can be accomplished.
In some instances, looking for repetitive patterns or small distortions in images can clue you in.
Forensic examiners use timestamps to determine possible areas of activity in a system when the time of the activity is known; changing those timestamps, or overwriting the metadata entirely, removes these signs. Checking the authenticity of document metadata can help mitigate the repercussions of these attacks. Tunneling, also called port forwarding, allows private communication to be sent over a public network by a process called encapsulation.
The encapsulated packets appear to be ordinary public traffic, enabling them to pass through with little to no scrutiny. A common way to use tunneling is through a VPN (Virtual Private Network), which encrypts the data so that security measures cannot inspect it. Constant monitoring of encrypted connections can help alert organizations to the possibility of this type of attack.
Some tools, such as CryptoAuditor, can be used to stop these attacks as well. Onion routing is a mode of sending messages encrypted in layers, which correspond to the layers of an onion. The data is transmitted through many network nodes (onion routers), and a layer of encryption is removed at each one.
When the final layer is peeled off, the message heads to its destination. The scheme is anonymous because no node in the chain knows more than the links immediately before and after its own. This method of routing is used by the highly popular Tor network. The only way to defeat onion routing is to break through each successive router in reverse order, beginning with the exit node.