Tuesday, September 11, 2007


I've been quiet for a while and mainly that's because I haven't had much to say lately on top of being overwhelmed with work.

However, after reading a recent post on Richard Bejtlich's blog I'm starting to get really annoyed with the notion of "anti-forensics". It's quickly become the buzzword of the year it seems, in no small part due to the blathering journalists at CSO magazine trying hard to keep C level execs in the loop.

Just what is forensics?
forensics: the application of science to answer legal questions, or, as the dictionary puts it, "used or applied in the investigation and establishment of facts or evidence in a court of law".

So, what then is anti-forensics?

According to Stach & Liu (you know, those antiforensics Metasploit guys) it's: "application of the scientific method to digital media in order to invalidate factual information for judicial review."

Ok, so here we see it's the antithesis of what forensics is. Great, just what we expected! Is this entirely accurate? No. Why? Because the "application of the scientific method" is exactly the part that's lacking in practice. So why all of the confusion about what antiforensics actually is? Perhaps because everyone is using an umbrella definition to describe what are actually very specific methods and techniques.

Previously I started mapping out the world of forensic science and digital forensic science in an attempt to make sense of the many facets of the industry. Forensic science, while it is a conglomeration of many fields of study, relies heavily on human beings and their senses to interpret information and present it as fact. There are 5 major human senses, as we all know. These senses translate to the digital world to form the basis of how investigations are conducted and the requisite skills to accurately perform said investigations.

Remember the saying "What the eyes see and the ears hear, the mind believes"? This is not only true of forensic science but of digital forensic science as well. So what is antiforensics really?

Techniques and methods designed and intended to reduce the forensic analyst's ability to accurately reconstruct and present data as fact, to undermine the accuracy and trustworthiness of the data itself, and to subvert the tools used to conduct forensic examinations.

Ah, now we're getting somewhere. Antiforensics attacks the analyst, the data, and the tools.

It's been demonstrated time and time again that tools and data can be manipulated to the point of appearing useless to an analyst, so what should be the real focus? The human dimension. No tool is perfect, they can all be circumvented in some form, and data shouldn't be trusted until it has been verified against something independent of it. Antiforensics can mislead, deceive, and thoroughly stump an investigator or analyst until a decision point is reached and the investigation is stopped in favor of easier wins, drags on, or arrives at an incorrect conclusion. So what must an investigator do to counter antiforensics? Simple: the analyst needs to be better trained and needs a firm understanding of situational awareness.

Situational awareness information can be found here: http://faculty.ncwc.edu/TOConnor/431/431lect03.htm

Situational awareness when it comes to forensics and incident response is vital. The investigator needs to know and understand everything that is going on. You need eyes in the back of your head and an extra set of hands. You must be able to take in new data constantly, process it, compare and contrast it with existing data, and put it into perspective to make the right decision. In many cases, you don't have a lot of time either.

When it comes to training...

There is one component of antiforensics that seems to escape many people. The user of antiforensics must understand forensics in order to use the techniques to maximal effect. If you don't know the techniques used by forensic analysts, don't understand their tools, and don't know how they think, then you can't possibly "anti" or "counter" everything. This has been called the "CSI effect" in the real world, and now we're seeing it in the digital realm. Sure, a perp will splash bleach on blood stains in hopes of washing them away, but it takes time, and until then all they've done is destroy the pigment. On top of this, did they manage to plant evidence that it could have been someone else? Did they hide their footprints and fingerprints, destroy bodily fluids, and so on? Odds are no, they didn't. In addition, if you've ever spoken with criminals before, many will tell you they got caught because they got greedy, were nervous, or didn't know what they were doing. Like the construction worker that robbed a store with his hardhat on; his name was written on the hardhat. Or the criminal that went back into the store one last time to get another load.

The failure to recognize that the people using tools with antiforensics capabilities didn't create them and don't understand what they're actually doing seems to be causing Fear, Uncertainty and Doubt (FUD) in a lot of practitioners. Buzzwords abound, and everyone seems to be throwing antiforensics around like it's some new threat. Remember, if you will, that digital forensic science and digital forensics are made up of many specialty areas, and attackers or criminals aren't generally experts in defeating all of them. Antiforensics raises one point above the rest: never make a dogmatic statement based on an isolated observation. Your investigation cannot hinge on one source of data, and you can never make an accurate statement based on a single source.
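To make the "never a single source" rule concrete, here is a small added example (my own illustration, not code from the post, from Stach & Liu's tools, or from any forensic suite). It takes constructed NTFS-style MFT timestamps for three files and a constructed, independent write log from a host agent, and it refuses to call any file "clean" on the MFT record alone. The two on-record indicators it checks are ones timestamp-altering tools commonly leave behind: a $STANDARD_INFORMATION creation time earlier than the $FILE_NAME creation time (those tools usually change only $SI), and a sub-second field that is exactly zero (second-granularity input). All file names, paths, users and timestamps are made up for the example.

```python
from datetime import datetime, timezone

# Constructed sample MFT records (not real evidence). "si_*" are
# $STANDARD_INFORMATION timestamps, the ones most tools display and the
# ones timestamp-altering utilities rewrite; "fn_*" are $FILE_NAME
# timestamps, which the kernel sets on create/rename and such tools
# usually leave alone. Values use 100 ns precision like FILETIME.
MFT_RECORDS = [
    {"name": "report.docx",
     "si_created": "2007-09-01T10:15:22.1234567Z", "si_modified": "2007-09-03T08:02:10.7654321Z",
     "fn_created": "2007-09-01T10:15:22.1234567Z", "fn_modified": "2007-09-01T10:15:22.1234567Z"},
    {"name": "nc.exe",   # looks like it has been on disk since 2004...
     "si_created": "2004-02-14T00:00:00.0000000Z", "si_modified": "2004-02-14T00:00:00.0000000Z",
     "fn_created": "2007-09-08T23:41:05.5512345Z", "fn_modified": "2007-09-08T23:41:05.5512345Z"},
    {"name": "notes.txt",  # consistent on its face, but nothing else vouches for it
     "si_created": "2007-08-20T14:00:01.2200000Z", "si_modified": "2007-08-21T09:30:44.9100000Z",
     "fn_created": "2007-08-20T14:00:01.2200000Z", "fn_modified": "2007-08-20T14:00:01.2200000Z"},
]

# Constructed log lines from a second, independent source (a hypothetical
# host agent that records file writes at one-second granularity).
LOG_LINES = [
    "2007-09-03T08:02:10Z WRITE user=alice C:\\Docs\\alice\\report.docx",
    "2007-09-08T23:41:05Z WRITE user=svc_backup C:\\WINDOWS\\Temp\\nc.exe",
]


def parse_ts(text):
    """Parse an ISO-8601 UTC timestamp with 0 to 7 fractional digits."""
    text = text.rstrip("Z")
    if "." in text:
        base, frac = text.split(".", 1)
        # datetime only carries microseconds, so keep the first six digits.
        text = f"{base}.{(frac + '000000')[:6]}"
        return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S.%f").replace(tzinfo=timezone.utc)
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def subsecond_is_zero(text):
    """True when the fractional-second field is absent or all zeros."""
    if "." not in text:
        return True
    return set(text.rstrip("Z").split(".", 1)[1]) == {"0"}


def mft_indicators(rec):
    """Indicators visible in the MFT record alone. Still a single source."""
    flags = []
    if parse_ts(rec["si_created"]) < parse_ts(rec["fn_created"]):
        flags.append("si_created predates fn_created")
    for key in ("si_created", "si_modified"):
        if subsecond_is_zero(rec[key]):
            flags.append(f"{key} has a zeroed sub-second field")
    return flags


def corroborate(records, log_lines):
    """Cross-check each MFT record against the independent write log.

    Returns {file name: [findings]}. An empty list means the record is
    internally consistent AND a second source agrees with it; a record
    with no second source is flagged rather than declared clean.
    """
    logged_writes = {}
    for line in log_lines:
        ts, action, _user, path = line.split(" ", 3)
        if action == "WRITE":
            name = path.rsplit("\\", 1)[-1].lower()
            logged_writes.setdefault(name, []).append(parse_ts(ts))

    findings = {}
    for rec in records:
        flags = mft_indicators(rec)
        writes = logged_writes.get(rec["name"].lower(), [])
        if not writes:
            flags.append("no independent corroboration")
        else:
            # Compare at whole-second granularity, the coarser of the two sources.
            last_logged = max(writes).replace(microsecond=0)
            si_modified = parse_ts(rec["si_modified"]).replace(microsecond=0)
            if last_logged > si_modified:
                flags.append("logged write later than si_modified")
        findings[rec["name"]] = flags
    return findings


if __name__ == "__main__":
    for name, flags in corroborate(MFT_RECORDS, LOG_LINES).items():
        print(f"{name}: {'; '.join(flags) if flags else 'consistent and corroborated'}")
```

The point of the third record is the one the paragraph above makes: notes.txt has nothing wrong with it on the MFT, yet the script still refuses to call it clean, because a single source that looks fine is exactly what a competent attacker aims to give you. Only report.docx, which is consistent in itself and matched by the agent log, comes back with no findings.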

So how do you as an investigator overcome antiforensics?

Use your senses.

Sight - Your eyes can and will deceive you, so don't trust them blindly. Use multiple tools each time you investigate and compare what they show you. There is no one ring to rule them all, and there is no one antiforensics tool or technique that defeats every forensic tool.

Smell - Smell out the rat. There is always some evidence to suggest an intrusion or crime; the criminal or attacker will slip up somewhere when attempting to hide their tracks. You must be able to smell out the rat that will give away the perpetrator.

Taste - If you notice something weird, try it out yourself to see how it "tastes". If you have an unknown binary, run it in a sandbox and see what it does. Get a demo copy of the software that was used and learn how it works in depth.

Sound - Listen to the evidence, not the people involved. The evidence will lead you in the right direction.

Touch - Get your hands on as much information and equipment as possible. This is where exposure increases your ability to outsmart the opponent.