Reliance on forensic investigation of information systems has become a daily requirement for law enforcement and security practitioners around the world.
Effective evidence collection and analysis is the foundation of any investigation; identification of suspects, motives and methods demands the acquisition of the largest amount of information that evidence can provide us. Anti-Forensics – Real world identification, analysis and prevention will discuss how criminals, attackers and non-enlightened investigators all have the ability to impact the amount of useful information we have at our disposal. Michael will show the audience real world scenarios detailing how anti-forensics tools are used to hide and destroy incriminating evidence, outlining common anti-forensic techniques. This will be followed by a discussion of hands-on identification and prevention practices used to raise awareness of current academic research and identify potential solutions for practitioners and law enforcement organizations.
Anti-Forensics: Real world identification, analysis and prevention
1. Digital Anti-Forensics
Real World Identification, Analysis & Prevention
Michael Legary
IR-10
November 7, 2007
Copyright 2005 Seccuris Inc
2. Introduction
Michael Legary
Founder, Seccuris Inc.
CISSP, CISA, CISM, CCSA, GCIH, SCF
CNE, MCSE, CCNA
3. Overview
• Current Situation
• What is Anti-forensics
• Anti-forensics Methods
• Transformation Attacks
• Current trends to watch
• Prevention Methods for Real World
• Conclusions
4. Organization A - Agrieng Inc
• Small Agri-Business
• Sales +/- 2M & 25 Employees
• Designs tractors, balers, etc.
• Heavy use of electronic drafting & engineering software
• Bids on contract work for major manufacturers
5. Organization A - Agrieng Inc
• Outbid & Outsold by foreign competitor
• One particular competitor’s designs look eerily similar
6. Organization B – ServPro GmbH
• Large Service Provision company
• Sales +/- 200M & 2500 Employees
• Provides Information Management Solutions to world wide organizations
• Specialized database and information mining technology separates ServPro from competitive organizations
• Currently handles personal information of over 50 million individuals
7. Organization B – ServPro GmbH
• A few clients are reporting an increase in identity theft reports by their constituents.
• There seems to be a pattern in the types of information being reported as stolen.
8. Organization C – Government Department
• Federal organization providing legal related services
• Handles specialty investigations from multiple provinces
• Conducting investigation in high tech criminal activity
9. Organization C – Government Department
• Suspects are continually evading capture
• Individuals caught seem to have been prepared for questioning
• Little to no evidence identified when caught
10. Forensic Investigation
• What is going on?
• Who is behind the activity?
• Why are they doing it?
• When did they start / stop?
• Where are they located?
• How is the activity occurring?
• Has a crime taken place?
11. Forensic Investigation
• Often, in cases involving information systems, a standardized forensic investigation does not occur until it is known that suspicious activity is happening
• Where do we look for this activity?
12. Digital Evidence & Forensics
• Digital evidence exists all around us
• Tools and techniques available to investigators have greatly increased in recent time
• Reliance on digital evidence is becoming a reality
• Where is evidence on a system?
13. User Console
[Diagram: layered view of a system, from User Level through the Kernel Interface and Kernel Level (Memory, File System) down to the Hardware Level]
14. Evidence exists in:
Memory
• System Memory
• System Cache
File System
• File System
• File System Cache
[Diagram: the program, config file, target file, log file, temp log and temp file appear both in memory and on the file system]
15. Evidence exists in:
User Level
• Running Programs
• Running Services
• Active Processes
[Diagram: a service at User Level above the Kernel Interface, Kernel Level and Hardware Level]
16. User Console
[Diagram: layered system view with the evidence locations filled in: service at User Level; temp log and temp file in Memory; program, config file, target file, log file, temp log and temp file on the File System; Hardware Level below]
17. Standardized process for digital evidence
Standard processes being created for:
• Attack Identification
• Forensic Investigation
• Image Capture
• Image Analysis
• Evidence identification
18. Standardized process for digital evidence
Forensic investigations are initiated from evidence collected during the attack identification process.
If an investigator cannot identify an attack, a forensic investigation will not be conducted, allowing attackers to go unnoticed.
19. User Console
[Diagram: the Identification stage laid over the layered system view (service at User Level; temp log and temp file in Memory; config file, program, target file, log file, temp log and temp file on the File System)]
20. User Console
[Diagram: the Forensic Investigation stage laid over the layered system view; a SYSTEM STATE IMAGE is captured at the Kernel Interface, a MEMORY IMAGE of Memory and a HARD DRIVE IMAGE of the File System]
21. Overview
• Current Situation
• What is Anti-forensics
• Anti-forensics Methods
• Transformation Attacks
• Current trends to watch
• Prevention Methods for Real World
• Conclusions
22. Anti-Forensics
What is it?
• Practices and processes to prevent, counter-act or neutralize an investigator’s ability to identify or recover evidence for use in an investigation.
23. Anti-Forensics
The common purpose:
• Prevent detection of the attacker
• Prevent an investigator from gaining usable knowledge
• Destroy, hide, prevent creation of, or transform data
24. Anti-Forensics
The common purpose:
• Even if an attacker is detected, evidence regarding their means, methods and motives will be altered, preventing accurate investigation or prosecution.
25. The origins of Anti-forensics
• Traditional techniques
• Physical
• Financial
• Criminal
• Good Examples
• On Television
26. Overview
• Current Situation
• What is Anti-forensics
• Anti-forensics Methods
• Transformation Attacks
• Current trends to watch
• Prevention Methods for Real World
• Conclusions
27. Anti-forensics – Methods Overview
• In order to maintain covert activities of any sort there is a requirement to Destroy, Hide, Prevent Creation of, or Transform data to remain hidden.
28. Anti-forensics – Methods Overview
Destruction of data
• Goal
• Significantly Damage the Integrity of Evidence
• Physical Destruction of Data
• Magnetic Techniques (Degaussing)
• Brute Force
• Logical Destruction of Data
• Reinitialize Media
• Significantly change composition of data on media
29. Anti-forensics – Methods Overview
Hiding of data
• Goal
• Limit identification and collection of evidence
• Obfuscation
• Information Manipulation
• Steganography
• Encryption
• Data Encryption
• Media Encryption
30. Anti-forensics – Methods Overview
Data creation prevention
• Goal
• Prevent creation of evidence
• Direct Prevention
• Root Kits
• Modification of System Binaries
• Indirect Prevention
• Limit system functionality – DoS – to prevent creation of data
31. Anti-forensics – Methods Overview
Transformation Techniques
• Goal
• Maintain or Re-establish investigator trust in falsified data as evidence.
• Conventional Techniques
• Root Kits
• Advanced Techniques
• Shared Library Hijacking
32. User Console
[Diagram: Identification view of the layered system with an attacker program in Memory and an attacker file on the File System beside the legitimate program, config file, target file and log file]
33. Anti-forensics – Methods Overview
Transformation Techniques
• One of the most complex technical attacks being performed today
• Understanding and appreciation for methods used will allow us to reform our investigation techniques
34. Anti-forensics – Methods Overview
Transformation Techniques
• WHY?
• Detailed forensic investigation may not start if there is no suggestion of system tampering
• These techniques can make very ugly systems look like good ones…
35. Overview
• Current Situation
• What is Anti-forensics
• Anti-forensics Methods
• Transformation Attacks
• Current trends to watch
• Prevention Methods for Real World
• Conclusions
37. Anti-Forensics – Traditional Techniques
Conventional transformation methods
• Initial System Compromise
• Deception of Security Personnel
38. Conventional transformation methods
• Initial System Compromise
• Breach of system due to known vulnerability
• Attacker gains access to system, attempts to by-pass detection
39. Conventional transformation methods
• Deception of Security Personnel
• Deleting Files
• Hiding files / logs / activities
• Root Kits
• Tools used to identify suspicious activity (In BSD)
• Disk Tools: df, ls, du
• Process Tools: ps, top, crontab
• Network Tools: netstat, sockstat, fstat, tcpdump
• Be suspicious of your compiler
40. Traditional Techniques – AgriEng Inc
• Attacker identifies vulnerability
• Breaks into system
• Removes logs
• Installs rootkit
• Downloads engineering files
• Configures backdoor into system
41. User Console
[Diagram: layered system view after the AgriEng compromise; an attacker program runs in Memory and an attacker file sits on the File System beside the legitimate program, config file, target file and log file]
42. User Console
[Diagram: Identification view after the AgriEng compromise; the attacker program is in Memory, the attacker file is on the File System and the log file is gone]
44. Anti-Forensics – Traditional Techniques
Advanced Transformation Methods
• Kernel Modules and hijacking system calls
• Kernel level root kit
• Provides undetected and almost unlimited access to a compromised system
• Allows attackers to perform a variety of functions such as:
• Hide processes
• Hide files and registry keys
• Log Keystrokes
• Redirect Executable Files
• Issue Commands
• Generates own hidden TCP/IP Stack
• Remote administration
45. Traditional Techniques – ServPro GmbH
• Attacker identifies vulnerability
• Breaks into system
• Removes logs
• Installs kernel level rootkit
• Installs System Sniffer
• Creates automated system to send out client information
46. User Console
[Diagram: layered system view after the ServPro compromise; an attacker program runs in Memory and an attacker file sits on the File System beside the legitimate program, config file, target file and log file]
47. User Console
[Diagram: Identification view after the ServPro compromise; the attacker program is in Memory, the attacker file is on the File System and the log file is gone]
49. Anti-Forensics - Traditional Techniques
Traditional Transformation Detection Methods
• Cryptographic hashing for data integrity
• Process Analysis
• Network Monitoring
• Signature / Pattern Matching
50. Transformation Detection Methods
• Cryptographic hashing for data integrity
• Using fingerprints investigators can ensure files come from trusted sources, or weed out known attack tools
• MD5 / SHA / RIPE-MD
• HIDS – Use of Cryptographic Hashing
• Tripwire, Axent, Cybersafe, ISS
51. Cryptographic hashing for data integrity
Trusted Command Executable
% md5 ps.trusted
MD5 (ps.trusted) = 9501ef286ef3ab8687b7920ca4fee29f
Un-trusted Command Executable
% md5 /bin/ps
MD5 (/bin/ps) = 02b2f8087896314bafd4e9f3e00b35fb
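The comparison on the slide above is what a host-based integrity checker such as the HIDS products on slide 50 automates: hash every file in a trusted snapshot, store the digests, and later recompute and compare. The script below is an added example, not code from the slides or from Seccuris. The manifest layout (one `digest  path` line per file, as md5sum and sha256sum print it), the temporary directory it builds and the file contents are this example's own constructed assumptions.

```python
"""Baseline-hash check in the style of a host integrity checker (added example).

The manifest format (`<hex digest>  <relative path>` per line) and the sample
tree are constructed for this example; they are not from the slides.
"""
import hashlib
import os
import tempfile


def file_digest(path, algorithm="sha256"):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, algorithm="sha256"):
    """Record a digest for every regular file under root (the trusted snapshot)."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = file_digest(full, algorithm)
    return baseline


def parse_manifest(text):
    """Parse 'digest  relative/path' lines, the md5sum/sha256sum layout."""
    manifest = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, path = line.partition("  ")
        manifest[path] = digest.lower()
    return manifest


def verify(root, baseline, algorithm="sha256"):
    """Compare the live tree against the baseline and report what changed."""
    current = build_baseline(root, algorithm)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Constructed scenario: trusted snapshot, then a user-level rootkit replaces ps."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "ps"), "wb") as fh:
            fh.write(b"\x7fELF trusted ps binary (constructed content)\n")
        with open(os.path.join(root, "bin", "ls"), "wb") as fh:
            fh.write(b"\x7fELF trusted ls binary (constructed content)\n")
        baseline = build_baseline(root)
        # Round-trip through the manifest text, as a stored baseline would be.
        manifest_text = "\n".join(f"{d}  {p}" for p, d in sorted(baseline.items()))
        baseline = parse_manifest(manifest_text)

        # Simulated tampering: trojaned ps, a dropped hidden helper, ls removed.
        with open(os.path.join(root, "bin", "ps"), "wb") as fh:
            fh.write(b"\x7fELF trojaned ps that filters the attacker's processes\n")
        with open(os.path.join(root, "bin", ".hidden"), "wb") as fh:
            fh.write(b"attacker helper (constructed)\n")
        os.remove(os.path.join(root, "bin", "ls"))
        return verify(root, baseline)


if __name__ == "__main__":
    print(demo())
```

verify() separates three kinds of change: a baseline file whose digest no longer matches (the trojaned ps), a baseline file that is gone (ls), and a file the baseline never saw (the hidden helper). The baseline and the checker itself must be kept off the suspect system, because anything that can replace ps can also replace a manifest stored beside it.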
52. User Console
[Diagram: Identification view; the hash of the running program is compared with a Known Good copy, the result is NOT SAME and the attacker program is flagged: ATTACK DETECTED!]
53. Transformation Detection Methods
• Process Analysis
• Processes contain content such as:
• Open files
• Memory Maps
• Ownership Labels
• Resource Consumption Statistics
• Analysis of these characteristics allows an investigator to identify discrepancies in common system activity
• Utilities such as:
• ps -aux
• top
• procfs
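The point of the slide above is that the kernel's own accounting of a process and the picture a user-level tool paints of it should agree. The following added example (not from the slides) makes that concrete as a cross-view check: it parses ps output and compares it with a procfs view, flagging processes the kernel knows about but ps omits, processes whose command name in ps disagrees with the kernel's, and ownership labels that do not match. The ps listing, procfs entries and uid table are constructed sample data.

```python
"""Cross-view process analysis (added example, not from the slides).

A user-space rootkit that trojans ps can filter or relabel entries, but it
cannot change what the kernel reports through procfs, so any disagreement
between the two views is a discrepancy worth investigating. All sample data
below is constructed for the example.
"""

# Constructed `ps -aux`-style output.
PS_OUTPUT = """\
USER     PID %CPU %MEM   VSZ  RSS TT  STAT STARTED    TIME COMMAND
root       1  0.0  0.1  1024  512 ??  Is   Fri09AM 0:00.12 /sbin/init
root     512  0.0  0.3  4096 1024 ??  Ss   Fri09AM 0:01.33 /usr/sbin/sshd
www     1337  0.0  0.5  8192 2048 ??  S    Fri09AM 0:03.01 /usr/local/sbin/httpd -DNOHTTPACCEPT
root    1339  0.0  0.1  1024  256 ??  S    Fri09AM 0:00.00 /usr/sbin/cron
michael 2001  0.0  0.2  2048  768 p0  S+   10:15AM 0:00.05 -csh
"""

# Constructed kernel-side view: what procfs reports per PID (name, uid, ppid).
PROCFS_VIEW = {
    1: {"name": "init", "uid": 0, "ppid": 0},
    512: {"name": "sshd", "uid": 0, "ppid": 1},
    1337: {"name": "httpd", "uid": 80, "ppid": 1},
    1338: {"name": "lpd", "uid": 0, "ppid": 1337},   # child of httpd, absent from ps
    1339: {"name": "nc", "uid": 0, "ppid": 1337},    # ps presents it as cron
    2001: {"name": "csh", "uid": 1001, "ppid": 512},
}

# Constructed passwd view used to check ownership labels.
UID_OF = {"root": 0, "www": 80, "michael": 1001}


def parse_ps(text):
    """Parse ps output into {pid: {user, stat, command}}; COMMAND may contain spaces."""
    lines = text.strip().splitlines()
    header = lines[0].split()
    ncols = len(header)
    procs = {}
    for line in lines[1:]:
        fields = line.split(None, ncols - 1)   # last field keeps the whole command
        if len(fields) < ncols:
            continue
        row = dict(zip(header, fields))
        procs[int(row["PID"])] = {"user": row["USER"], "stat": row["STAT"],
                                  "command": row["COMMAND"]}
    return procs


def command_basename(command):
    """'/usr/sbin/sshd -D' -> 'sshd'; a login shell shown as '-csh' -> 'csh'."""
    first = command.split()[0]
    return first.rsplit("/", 1)[-1].lstrip("-")


def cross_view(ps_procs, procfs, uid_of):
    """Return [(pid, kind, detail)] for every disagreement between the two views."""
    findings = []
    for pid, info in sorted(procfs.items()):
        if pid not in ps_procs:
            findings.append((pid, "hidden", f"{info['name']} in procfs but not in ps"))
            continue
        shown = ps_procs[pid]
        if command_basename(shown["command"]) != info["name"]:
            findings.append((pid, "relabelled",
                             f"ps shows {shown['command']!r}, procfs says {info['name']!r}"))
        if uid_of.get(shown["user"]) != info["uid"]:
            findings.append((pid, "owner-mismatch",
                             f"ps user {shown['user']} is not uid {info['uid']}"))
    for pid in sorted(set(ps_procs) - set(procfs)):
        findings.append((pid, "phantom", "listed by ps but unknown to the kernel"))
    return findings


def analyse():
    return cross_view(parse_ps(PS_OUTPUT), PROCFS_VIEW, UID_OF)


if __name__ == "__main__":
    for pid, kind, detail in analyse():
        print(f"PID {pid}: {kind}: {detail}")
```

On a live system the procfs side would come from reading the process directories directly rather than from a dictionary; the comparison logic is the same, and it is only as trustworthy as the kernel, which is why the deck moves on to kernel-level rootkits next.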
54. User Console
[Diagram: Identification view; the running service is compared with a Known Good Service, the result is NOT SAME and the attacker program is flagged: ATTACK DETECTED!]
55. Transformation Detection Methods
• Network Monitoring
• NIDS
• Firewall Monitoring
• Bandwidth Trending
• Output can identify use of known attacks, or privileged accounts
56. Transformation Detection Methods
• Network Monitoring
Nov 10 21:59:06 <4.1> 172.16.1.20 snort: [1:466:1] SHELLCODE x86 stealth NOOP [Priority: 2]: {PROTO001} 10.0.1.125 -> 10.5.1.3
• Example Snort® log which has detected the opcodes or machine instructions for a “stealth NOOP”.
57. Transformation Detection Methods
• Network Monitoring
% tcpdump -nett -i pflog0
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
1100221136.677441 rule 1/0(match): block in on sis0: IP 10.0.0.35.4646 > 205.11.11.11.445: S 552159036:552159036(0) win 64240 <mss 1460,nop,nop,sackOK>
1100221138.370423 rule 1/0(match): block in on sis0: IP 10.0.0.35.4646 > 205.11.11.11.445: S 552159036:552159036(0) win 64240 <mss 1460,nop,nop,sackOK>
• Example use of tcpdump on the OpenBSD® PF Firewall
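An investigator rarely reads one alert at a time; the Snort and pflog records have to be parsed into a common shape before they can be trended or correlated, which is the monitoring the two slides above describe. The following added example (not from the slides, nor from the Snort or OpenBSD projects) parses the two log excerpts from slides 56 and 57, as reconstructed here, into normalised events, then counts blocked connection attempts per source, destination and port and pulls out high-priority alerts. The regular expressions and event layout are this example's own.

```python
"""Parsers for the two network-monitoring sources shown on the slides (added example).

The sample records are the log excerpts from the slides as reconstructed here;
the regular expressions and the normalised event layout are this example's own.
"""
import re
from collections import Counter

SNORT_LINE = ("Nov 10 21:59:06 <4.1> 172.16.1.20 snort: [1:466:1] SHELLCODE x86 stealth NOOP "
              "[Priority: 2]: {PROTO001} 10.0.1.125 -> 10.5.1.3")

PFLOG_LINES = """\
1100221136.677441 rule 1/0(match): block in on sis0: IP 10.0.0.35.4646 > 205.11.11.11.445: S 552159036:552159036(0) win 64240 <mss 1460,nop,nop,sackOK>
1100221138.370423 rule 1/0(match): block in on sis0: IP 10.0.0.35.4646 > 205.11.11.11.445: S 552159036:552159036(0) win 64240 <mss 1460,nop,nop,sackOK>
"""

# Snort syslog alert: timestamp, facility, sensor host, [gid:sid:rev] message
# [Priority: n]: {proto} src -> dst. The Classification field is optional.
SNORT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) <[^>]*> (?P<host>\S+) snort: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"(?:\[Classification: [^\]]*\] )?\[Priority: (?P<prio>\d+)\]: "
    r"\{(?P<proto>[^}]+)\} (?P<src>\S+) -> (?P<dst>\S+)$"
)

# tcpdump on pflog0 with -nett: epoch timestamp, PF rule/action/interface, then the packet.
PFLOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) rule (?P<rule>\d+)/\d+\((?P<reason>\w+)\): (?P<action>\w+) "
    r"(?P<dir>in|out) on (?P<iface>\w+): IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<flags>\S+)"
)


def parse_snort(line):
    m = SNORT_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {"sensor": "snort", "ts": d["ts"], "src": d["src"], "dst": d["dst"],
            "rule": f"{d['gid']}:{d['sid']}:{d['rev']}", "msg": d["msg"],
            "priority": int(d["prio"]), "proto": d["proto"]}


def parse_pflog(line):
    m = PFLOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {"sensor": "pf", "ts": d["ts"], "src": d["src"], "dst": d["dst"],
            "rule": d["rule"], "action": d["action"], "dport": int(d["dport"]),
            "syn": d["flags"] == "S",   # a lone S flag is a connection attempt
            "msg": f"{d['action']} {d['dir']} {d['iface']} tcp/{d['dport']}"}


def blocked_syn_counts(events):
    """Firewall trending: blocked connection attempts per (src, dst, dport)."""
    return Counter((e["src"], e["dst"], e["dport"]) for e in events
                   if e["sensor"] == "pf" and e["action"] == "block" and e["syn"])


def high_priority_alerts(events, max_priority=2):
    """Snort priorities count upwards from 1 (most severe)."""
    return [e for e in events if e["sensor"] == "snort" and e["priority"] <= max_priority]


def load_events():
    events = [parse_snort(SNORT_LINE)]
    events += [parse_pflog(l) for l in PFLOG_LINES.splitlines() if l.strip()]
    return [e for e in events if e is not None]


if __name__ == "__main__":
    evs = load_events()
    print(high_priority_alerts(evs))
    print(blocked_syn_counts(evs))
```

Both tcpdump records describe the same flow (identical sequence number, retried two seconds later), which is why the counter shows two blocked attempts from one source to one port; the same shape, repeated across many destinations, is the pattern firewall monitoring and bandwidth trending are meant to surface.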
58. User Console
[Diagram: Identification view; a Network Intrusion Detection System observes the attacker program's traffic: ATTACK DETECTED!]
59. Transformation Detection Methods
• Signature / Pattern Matching
• Database of known patterns and signatures
• Binary Sequence Matching
• Used in NIDS / HIDS / Investigative Tools
60. Transformation Detection Methods
• Signature / Pattern Matching
% file libtransform.so.1
libtransform.so.1: ELF 32-bit LSB shared object, Intel 80386, version 1 (FreeBSD), stripped
• Output of the “file” utility on a shared object.
• The “file” utility attempts to determine the file type of a specified file.
61. User Console
[Diagram: Identification view; the attacker file is examined for 1. File Size, 2. Header Information, 3. File Content, 4. Unknown Pattern: ATTACK DETECTED!]
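The file utility reaches the verdict shown on slide 60 by reading the ELF header, which is the second of the four checks listed above. The following added example (not from the slides and not from the file project) parses an ELF header the same way, reproduces the description format shown on slide 60, and applies the slide's file-size and unknown-pattern checks to the header fields. The two sample headers are constructed byte strings: one well-formed FreeBSD i386 shared object header and one whose section table claims to lie beyond the end of the file. The "stripped" note is not reproduced because it requires reading the section table rather than the header alone.

```python
"""Minimal ELF header identification in the spirit of file(1) (added example).

The sample headers are constructed for this example; the description wording
mimics the file(1) output shown on the slide. Only the ELF header is parsed.
"""
import struct

ELF_MAGIC = b"\x7fELF"
CLASSES = {1: "32-bit", 2: "64-bit"}
DATA = {1: "LSB", 2: "MSB"}
OSABI = {0: "SYSV", 3: "GNU/Linux", 9: "FreeBSD", 12: "OpenBSD"}
TYPES = {1: "relocatable", 2: "executable", 3: "shared object", 4: "core file"}
MACHINES = {3: "Intel 80386", 8: "MIPS", 20: "PowerPC", 40: "ARM", 62: "x86-64", 183: "ARM aarch64"}
FIELDS = ("e_type", "e_machine", "e_version", "e_entry", "e_phoff", "e_shoff", "e_flags",
          "e_ehsize", "e_phentsize", "e_phnum", "e_shentsize", "e_shnum", "e_shstrndx")


def parse_elf_header(blob):
    """Return the header fields as a dict, or raise ValueError if this is not ELF."""
    if len(blob) < 16 or blob[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data, ei_version, ei_osabi = blob[4], blob[5], blob[6], blob[7]
    if ei_class not in CLASSES or ei_data not in DATA:
        raise ValueError("invalid EI_CLASS/EI_DATA")
    endian = "<" if ei_data == 1 else ">"
    # ELF32 uses 4-byte addresses/offsets, ELF64 uses 8-byte ones.
    fmt = endian + ("HHIIIIIHHHHHH" if ei_class == 1 else "HHIQQQIHHHHHH")
    size = 16 + struct.calcsize(fmt)
    if len(blob) < size:
        raise ValueError("truncated ELF header")
    header = dict(zip(FIELDS, struct.unpack(fmt, blob[16:size])))
    header.update(ei_class=ei_class, ei_data=ei_data, ei_version=ei_version, ei_osabi=ei_osabi)
    return header


def describe(blob):
    """file(1)-style one-line description built from the header."""
    h = parse_elf_header(blob)
    return "ELF {} {} {}, {}, version {} ({})".format(
        CLASSES[h["ei_class"]], DATA[h["ei_data"]],
        TYPES.get(h["e_type"], "unknown type %d" % h["e_type"]),
        MACHINES.get(h["e_machine"], "unknown machine %d" % h["e_machine"]),
        h["e_version"], OSABI.get(h["ei_osabi"], "unknown ABI %d" % h["ei_osabi"]))


def header_anomalies(blob):
    """Size, header and unknown-value checks: what the header claims vs what is there."""
    h = parse_elf_header(blob)
    problems = []
    expected_ehsize = 52 if h["ei_class"] == 1 else 64
    if h["e_ehsize"] != expected_ehsize:
        problems.append("e_ehsize %d does not match a %s header" % (h["e_ehsize"], CLASSES[h["ei_class"]]))
    tables = ((h["e_phoff"], h["e_phnum"], h["e_phentsize"], "program headers"),
              (h["e_shoff"], h["e_shnum"], h["e_shentsize"], "section headers"))
    for off, num, ent, what in tables:
        if num and off + num * ent > len(blob):
            problems.append("%s extend past end of file" % what)
    if h["e_type"] not in TYPES:
        problems.append("unknown e_type %d" % h["e_type"])
    if h["e_machine"] not in MACHINES:
        problems.append("unknown e_machine %d" % h["e_machine"])
    return problems


def make_elf32_header(e_type=3, e_machine=3, osabi=9, e_shoff=0, e_shnum=0):
    """Construct a bare 52-byte ELF32 header (no program or section tables follow it)."""
    ident = ELF_MAGIC + bytes([1, 1, 1, osabi, 0]) + b"\x00" * 7
    rest = struct.pack("<HHIIIIIHHHHHH", e_type, e_machine, 1, 0, 0, e_shoff, 0,
                       52, 32, 0, 40, e_shnum, 0)
    return ident + rest


# Constructed samples: a well-formed FreeBSD i386 shared object header, and one whose
# section table supposedly starts at 0x1000 inside a file that is only 52 bytes long.
GOOD_SO = make_elf32_header()
TAMPERED_SO = make_elf32_header(e_shoff=0x1000, e_shnum=4)

if __name__ == "__main__":
    print(describe(GOOD_SO), header_anomalies(GOOD_SO))
    print(describe(TAMPERED_SO), header_anomalies(TAMPERED_SO))
```

The layout check is the one that catches crude tampering: a header whose program or section tables point past the end of the file cannot have been produced by a linker, so either the file was truncated or the header was edited by hand.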
62. Investigating – AgriEng Inc
• Cryptographic hashing for data integrity
• Process Analysis
• Network Monitoring
• Signature / Pattern Matching
63. User Console
[Diagram: AgriEng Inc investigation; the attacker program in Memory and the attacker file on the File System are identified: ATTACK DETECTED!]
65. Anti-Forensics - Traditional Techniques
Advanced Transformation Detection Methods
• Advanced Transformation Detection methods
• Detection of system call hijacking
66. Advanced Transformation Detection Methods
• Detection of system call hijacking
• System Call hijacking changes the address the system references from a known module to their own “attacker” module
• If an investigator can find inconsistencies in programs making system calls they will be able to detect an attack
67. Advanced Transformation Detection Methods
• Advanced Transformation Detection methods
/* Kernel-context check (FreeBSD, sys/sysent.h): each sysent[] entry must still point at the kernel's own handler. */
if (sysent[SYS_open].sy_call != (sy_call_t *)open)
        panic("open system call has been hi-jacked");
if (sysent[SYS_write].sy_call != (sy_call_t *)write)
        panic("write system call has been hi-jacked");
• Code snippet for the FreeBSD® operating system which, when executed in the context of the kernel, could be used to detect the presence of a hi-jacked system call.
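The kernel snippet above can only run inside the kernel. An investigator working from a memory image or a trusted symbol listing can make the same comparison offline, which is what the following added example does; it is not code from the slides. It reads a symbol listing in the layout of nm(1) output, a loaded-module list in the spirit of kldstat, and a dump of the live sysent[] table, and reports any system call whose handler does not begin at the expected kernel symbol, or that points into a module or into memory not accounted for at all. The addresses, symbols and module ranges are constructed; the system call numbers are FreeBSD's, used only as labels.

```python
"""Offline cross-check of a system call table against trusted kernel symbols (added example).

The slide's kernel code compares sysent[].sy_call with the kernel's function
pointers from inside the kernel. This user-space version does the equivalent on
data an investigator can pull from an image. All addresses, symbols and module
ranges below are constructed for the example.
"""
import bisect

KERNEL_TEXT = (0xC0400000, 0xC0800000)          # constructed kernel .text range

# Constructed nm-style listing of the trusted kernel image: "address type name".
KERNEL_SYMBOLS = """\
c04a1000 T open
c04a1200 T write
c04a1400 T read
c04a1600 T getdirentries
c04a1800 T kill
"""

# Constructed kldstat-style module list: name -> (base address, size).
LOADED_MODULES = {"acpi.ko": (0xC4D00000, 0x40000), "if_em.ko": (0xC4E00000, 0x8000)}

# Handler name expected for each audited syscall number (FreeBSD numbering, as labels).
EXPECTED = {3: "read", 4: "write", 5: "open", 37: "kill", 196: "getdirentries"}

# Constructed dump of the live sysent[] table: syscall number -> sy_call address.
LIVE_SYSENT = {3: 0xC04A1400, 4: 0xC4E02140, 5: 0xC04A1000, 37: 0xC04A1800, 196: 0xC4F10020}


def parse_nm(text):
    """Return sorted [(address, name)] for text (code) symbols only."""
    syms = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1] in ("T", "t"):
            syms.append((int(parts[0], 16), parts[2]))
    return sorted(syms)


def resolve(addr, syms):
    """Nearest symbol at or below addr, or None when addr precedes every symbol."""
    addrs = [a for a, _ in syms]
    i = bisect.bisect_right(addrs, addr) - 1
    return syms[i] if i >= 0 else None


def locate(addr, modules, text_range):
    """Which mapping an address falls in: the kernel, a listed module, or nothing known."""
    lo, hi = text_range
    if lo <= addr < hi:
        return "kernel"
    for name, (base, size) in modules.items():
        if base <= addr < base + size:
            return name
    return "unlisted memory"


def audit(live, expected, syms, modules, text_range):
    """Return [(sysnum, verdict, detail)] for every audited system call."""
    findings = []
    for num in sorted(expected):
        addr = live[num]
        where = locate(addr, modules, text_range)
        if where != "kernel":
            findings.append((num, "hijacked", f"{expected[num]} handler at {addr:#x} lies in {where}"))
            continue
        sym = resolve(addr, syms)
        # The handler must start exactly at the expected symbol; an address inside
        # the function but past its start would mean a patched entry point.
        if sym is None or sym[0] != addr or sym[1] != expected[num]:
            found = sym[1] if sym else "?"
            findings.append((num, "hijacked", f"{expected[num]} handler at {addr:#x} resolves to {found}"))
        else:
            findings.append((num, "ok", f"{expected[num]} at {addr:#x}"))
    return findings


def run_audit():
    return audit(LIVE_SYSENT, EXPECTED, parse_nm(KERNEL_SYMBOLS), LOADED_MODULES, KERNEL_TEXT)


if __name__ == "__main__":
    for num, verdict, detail in run_audit():
        print(f"syscall {num}: {verdict}: {detail}")
```

Two verdicts in the constructed data are the interesting ones: the write handler has moved into a loaded network driver, which has no business implementing a system call, and the getdirentries handler points into memory that no listed module owns, the signature of a module that hides itself from kldstat. The symbol listing must come from a known-good copy of the kernel image, not from the suspect machine.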
68. Investigating – ServPro GmbH
• Cryptographic hashing for data integrity
• Process Analysis
• Network Monitoring
• Signature / Pattern Matching
• Detection of system call hijacking
69. User Console
[Diagram: ServPro GmbH investigation; the attacker program in Memory is identified through the Kernel Interface: ATTACK DETECTED!]
71. Anti-Forensics – Emerging Techniques
Emerging transformation methods
• Hijacking of user space library calls
72. Dynamically Linked Libraries
[Diagram: standard libraries loaded from user space into dynamically linked memory]
• More efficient use of system resources
• Loads from User Space
• Multiple programs utilize same code libraries for similar functions
• Attackers can change program behavior without modifying program or libraries
75. Emerging transformation methods
• Hijacking of user space library calls
• Information Transformation
• Takes “Ugly / Untrusted” information and
makes it look “Good / Trusted”
• Scenarios
• System Logs
• Audit Logs
• Existing Files
• IDS
• FW
• Dynamic Review
76. Emerging Techniques – Government Department
• Attacker identifies vulnerability
• Breaks into system
• Installs User Space Module for Shared Library Hi-jacking
• Creates automated system to send out client information
• Avoids capture through regular methods from investigators
77. User Console
[Diagram: layered system view after the Government Department compromise; the attacker file is a Shared Object File on the File System beside the legitimate program, config file, target file and log file]
78. User Console
[Diagram: Identification view; only the attacker's Shared Object File has been added to the File System and no separate attacker program appears in Memory]
79. Investigating – Government Department
• Cryptographic hashing for data integrity
• Process Analysis
• Network Monitoring
• Signature / Pattern Matching
• Detection of system call hijacking
80. User Console
[Diagram: Identification view; the standard checks report No Attack while the attacker's Shared Object File remains on the File System]
83. Emerging transformation detection methods
• Shared Library Analysis
• Analyze active processes to identify links to “Ugly / untrusted” shared libraries.
• Using lsof to analyze the vmcore
• Identifies if an untrusted object is being used by the system
• Using objdump to analyze dynamic symbols
• Identifies which functions are being hijacked by the untrusted object
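The two steps above can be joined up: the object list that lsof (or procstat) gives for a process, plus objdump -T for the program and for each mapped object, is enough to work out which object actually serves every imported function. The following added example (not from the slides and not from the binutils project) parses objdump -T output and resolves imports the way the dynamic linker does, first definition in load order wins, then reports imports captured by an object outside the trusted set while a trusted object also defines the same name. The objdump excerpts, paths and load order are constructed sample data; libtransform.so.1 is the file name from slide 60.

```python
"""Which shared object serves each imported function? (added example, not from the slides)

Parses objdump -T output for a program and for the shared objects mapped into
its process, then resolves every undefined (imported) symbol as the dynamic
linker does: the first definition in load order wins. An import satisfied by
an object outside the trusted set, when a trusted object defines the same
name, is a hijacked function. All excerpts and paths are constructed.
"""
import re

# objdump -T layout: address, 7-char flag field, section, size, optional version, name.
OBJDUMP_LINE = re.compile(
    r"^(?P<addr>[0-9a-f]+)\s(?P<flags>.{7})\s(?P<section>\S+)\s+(?P<size>[0-9a-f]+)"
    r"\s+(?:(?P<version>\S+)\s+)?(?P<name>\S+)$"
)

# Constructed `objdump -T` output for the audited program; its imports are *UND*.
PROGRAM_DYNSYM = """\
sshd:     file format elf32-i386-freebsd

DYNAMIC SYMBOL TABLE:
00000000      DF *UND*  00000000              open
00000000      DF *UND*  00000000              write
00000000      DF *UND*  00000000              getpwnam
00000000      DF *UND*  00000000              read
00000000      DO *UND*  00000004              environ
"""

# Constructed `objdump -T` output for each object mapped into the process, in the
# order lsof/procstat reported them (load order). Dict order is load order.
LIBRARY_DYNSYM = {
    "/usr/lib/libtransform.so.1": """\
DYNAMIC SYMBOL TABLE:
00000a40 g    DF .text  00000120              open
00000b60 g    DF .text  000000f0              write
00000c50 g    DF .text  00000210              getpwnam
00001120 g    DO .data  00000004              transform_table
""",
    "/lib/libc.so.6": """\
DYNAMIC SYMBOL TABLE:
0003f1a0 g    DF .text  00000030              open
0003f1e0 g    DF .text  00000030              write
0003f220 g    DF .text  00000030              read
00052a00 w    DF .text  00000140              getpwnam
000e8000 g    DO .bss   00000004              environ
""",
}

TRUSTED_OBJECTS = {"/lib/libc.so.6"}   # e.g. objects whose hashes matched the baseline


def parse_dynsym(text):
    """Return (imports, exports): names the object needs and names it defines."""
    imports, exports = set(), set()
    for line in text.splitlines():
        m = OBJDUMP_LINE.match(line)
        if not m:
            continue              # banner, blank and "DYNAMIC SYMBOL TABLE:" lines
        if m.group("section") == "*UND*":
            imports.add(m.group("name"))
        else:
            exports.add(m.group("name"))
    return imports, exports


def resolve_imports(program_text, libraries):
    """Map each import to (winning object, all objects defining it) in load order."""
    imports, _ = parse_dynsym(program_text)
    exports = {lib: parse_dynsym(text)[1] for lib, text in libraries.items()}
    resolution = {}
    for name in sorted(imports):
        providers = [lib for lib in libraries if name in exports[lib]]
        resolution[name] = (providers[0] if providers else None, providers)
    return resolution


def hijacked_functions(resolution, trusted):
    """Imports won by an untrusted object although a trusted object defines them too."""
    return sorted(name for name, (winner, providers) in resolution.items()
                  if winner is not None and winner not in trusted
                  and any(p in trusted for p in providers))


def audit():
    res = resolve_imports(PROGRAM_DYNSYM, LIBRARY_DYNSYM)
    return res, hijacked_functions(res, TRUSTED_OBJECTS)


if __name__ == "__main__":
    resolution, hijacked = audit()
    for name, (winner, providers) in resolution.items():
        print(f"{name:12s} -> {winner}  (defined in {len(providers)} objects)")
    print("hijacked:", hijacked)
```

In the constructed data the untrusted object shadows open, write and getpwnam while read and environ still come from libc, which matches the transformation described on slide 75: the program is untouched, its libraries are untouched, and only what it is told by those three functions has changed. Symbol versioning and RTLD scoping rules are ignored here; on a real system the loader's own trace output is the authoritative answer and this check is a cross-view of it.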
84. Investigating – Government Department
• Using lsof to analyze the vmcore
• Using objdump to analyze dynamic symbols
85. User Console
[Diagram: Identification view; analysis of the VMCORE File links the running service to the attacker's Shared Object File: ATTACK DETECTED!]
86. Overview
• Current Situation
• What is Anti-forensics
• Anti-forensics Methods
• Transformation Attacks
• Current trends to watch
• Prevention Methods for Real World
• Conclusions
87. Current trends to watch
• Direct Kernel Hijack
• Concurrency Exploits
• Dynamic Firmware Attack
• Virtualization Attacks
88. Direct Kernel Hijack
• Modifies live kernel instead of system calls
• Injection of malicious kernel code through /dev/mem or /dev/kmem
• This isn’t new, but gaining popularity again…
• Tripwire, Exec Shield and PaX bypass standard in most kits
• Most script kits do not require root for proper execution on Ubuntu and general Linux/BSD flavors
• Better detection of NOP sleds allowing for higher chance of 1st time success
89. Concurrency Exploits & Race Conditions
• System call wrappers have been touted as the answer to system call hijack.
• Concurrency exploits remove the effectiveness of wrappers in multi-process systems
• More information
• http://www.watson.org/~robert/2007woot/20070806-woot-concurrency.pdf
91. Firmware Attack - Covert Channel
• Hijack of interrupts through firmware exploitation
• RAID / SATA drives increasingly vulnerable
• Automated exploit through dynamic firmware update
• Hide I/O errors, misreport write commands, reword strings being written to drive
92. Virtualization Attacks
• The Blue Pill hype (and anti-hype)
• http://securitywatch.eweek.com/showdown_at_the_blue_pill_corral.html
• Reported to be 100% undetectable malware
• On-the-fly installation of malware that “Traps & Emulates”
the original OS
• Timing, Memory & Hypervisor checks detect it…
• As hardware moves towards virtualization support this will
become a bigger concern
93. Overview
• Current Situation
• What is Anti-forensics
• Anti-forensics Methods
• Transformation Attacks
• Current trends to watch
• Prevention Methods for Real World
• Conclusions
94. Prevention Methods for the Real World
• Psychological Changes
• Be aware of this type of activity
• Process Changes
• Modify incident handling and forensic investigation
processes to test for this type of activity
• Architecture Changes
• Static Linking (back to the future!)
• Utilize trusted security architectures
• Cryptographic Execution Policy (CheckSums)
• Mandatory Access Control Frameworks
• FreeBSD Trusted Execution Policy
95. Prevention Methods for the Real World
• Real world tools for detection available:
• RootKit Hook Analyzer
• http://www.resplendence.com/hookanalyzer
• RootkitRevealer (Windows NT4 – 2003+)
• http://www.microsoft.com/technet/sysinternals/utilities/RootkitRevealer.mspx
• F-Secure BlackLight
• http://www.f-secure.co.uk/blacklight/blacklight.html
96. Prevention Methods for the Real World
• Real world tools for prevention available:
• Tripwire
• http://www.tripwire.com/
• Third Brigade
• http://www.thirdbrigade.com/
• Anti-Rootkit software
• http://www.antirootkit.com/software/index.htm
97. Overview
• Current Situation
• What is Anti-forensics
• Anti-forensics Methods
• Transformation Attacks
• Prevention Methods for Real World
• Conclusions
99. Conclusions
• Transformation attacks can falsely maintain an investigator’s trust in a system, preventing a proper investigation from occurring
100. Conclusions
• Awareness of anti-forensics and the techniques required for identification will enhance our ability to protect our organizations
101. Thank-you
Michael Legary
Founder, Seccuris Inc.
(204) 255-4490
Michael.Legary@Seccuris.com
1-866-644-8442
www.seccuris.com