Sunday, December 2, 2007

Putting the Forensics in Anti-Forensics

There's still a lot of noise about anti-forensics, so while working on some material for a presentation and an IR course, I started putting together some fancy videos of what an attack looks like versus what your average live response utility will collect. I started creating this to illustrate a few points.

1) Do you trust your tools?
2) The average tool is not capable of providing enough information when facing modern attacks.
3) An investigation does not begin and end on the disk.


Imagine this scenario:

The IT department at a client of yours calls you up one day and says "Our computers have been acting funny the past few days, and we've checked them but can't find anything out of the ordinary. Can you bring your kit and take a deeper look at the network and systems to see if you can find anything?"


You arrive and, as part of your incident investigation methodology, you put an emergency NSM sensor at the perimeter of the network doing a full capture. Almost immediately you start seeing odd things occurring, and you hear a shout from down the hall, calling your name. You grab a CD and walk down the hall. Arriving at the secretary's desk you see her and the IT guy talking, and they look elated when they see you.

You pop in your trusty Helix CD and run WFT.


AAron Walters was kind enough to host this data for me. Thanks AAron!
Download the data here. The MD5 is here.


You'll find the video of "whodunnit" in the file above. Watch it beforehand if you want to cheat, but I would hope some would want to analyze before looking at the answer.


So, now refer to my points above.

1) Do you trust your tools?

Trust is mainly about reliability and confidence. How confident are you that your tools are showing you accurate information? How reliable is the data output?

2) The average tool is not capable of providing enough information when facing modern attacks.

As attacks get more complex, the dataset grows and becomes more complex with it, and the useful information gets harder to pull out of it. The average "forensic" tool of today can't keep up. You may be required to throw out the protocol book once in a while in favor of getting the job done.

3) An investigation does not begin and end on the disk.

Like I said, attacks are getting more complex. Forensics is not simply about data collection from one source. There are many data points in an investigation, and we can't afford to limit ourselves to just the disk, because there is information elsewhere (memory, the network) that may never exist on disk at all.
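Points 1 and 3 come down to the same habit: never rely on a single view of the system. Take the same fact from two sources that do not share a code path, and diff them. The script below is an added example, not part of this post or of the dataset linked above. It diffs a "netstat -ano"-style listing, as a live response tool would collect it from the host, against flow records from an independent perimeter sensor, and diffs a tool's process list against a second enumeration. All sample data is constructed, the flow CSV layout is invented for the example, and the host IP, PIDs and addresses are assumptions.

```python
"""Cross-view consistency check (added example, not from the post or its
dataset). A host's own tools report what the OS lets them see; a sensor on
the wire has no such dependency. Anything on the wire that the host does not
report is where the investigation should go next.

All sample data below is constructed. The netstat text mimics 'netstat -ano'
output; the flow CSV is an invented layout standing in for a sensor export.
"""
from collections import namedtuple

Conn = namedtuple("Conn", "proto local_ip local_port remote_ip remote_port")

HOST_IP = "192.168.1.50"  # assumption: the secretary's workstation

# Constructed: what the host's own TCP/IP stack reported to the live-response tool.
HOST_NETSTAT = """\
Proto  Local Address          Foreign Address        State           PID
TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
TCP    192.168.1.50:139       0.0.0.0:0              LISTENING       4
TCP    192.168.1.50:1043      198.51.100.20:80       ESTABLISHED     1120
UDP    192.168.1.50:137       *:*                                    4
"""

# Constructed: flows the perimeter sensor recorded for the same host.
SENSOR_FLOWS = """\
ts,proto,src_ip,src_port,dst_ip,dst_port
1196600101,TCP,192.168.1.50,1043,198.51.100.20,80
1196600102,TCP,192.168.1.50,1055,203.0.113.7,6667
1196600103,TCP,203.0.113.7,4444,192.168.1.50,31337
"""

# Constructed: a process list from the usual API versus a lower-level enumeration.
TASKLIST_PIDS = {4: "System", 904: "svchost.exe", 1120: "iexplore.exe"}
LOWLEVEL_PIDS = {4: "System", 904: "svchost.exe", 1120: "iexplore.exe", 1388: "?"}


def _endpoint(ep):
    """'ip:port' -> (ip, port); a wildcard port ('*') becomes None."""
    ip, _, port = ep.rpartition(":")
    return ip, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Parse 'netstat -ano'-style text into Conn tuples (header row skipped)."""
    conns = set()
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 3:
            continue
        lip, lport = _endpoint(parts[1])
        rip, rport = _endpoint(parts[2])
        conns.add(Conn(parts[0], lip, lport, rip, rport))
    return conns


def established(conns):
    """Keep only sockets with a real peer; listeners and wildcards have none."""
    return {c for c in conns if c.remote_port not in (0, None)}


def parse_flows(text, host_ip):
    """Parse the (constructed) flow CSV and orient each flow so the host under
    investigation is the local side, matching how netstat presents it."""
    conns = set()
    for line in text.splitlines()[1:]:
        _ts, proto, sip, sport, dip, dport = line.split(",")
        if sip == host_ip:
            conns.add(Conn(proto, sip, int(sport), dip, int(dport)))
        elif dip == host_ip:
            conns.add(Conn(proto, dip, int(dport), sip, int(sport)))
    return conns


def cross_view(reported, independent):
    """Return (seen independently but not reported, reported but not seen).
    The first set is the interesting one: the host's own tool is blind to it.
    The second is usually sensor placement, but worth listing."""
    return independent - reported, reported - independent


def main():
    host = established(parse_netstat(HOST_NETSTAT))
    wire = parse_flows(SENSOR_FLOWS, HOST_IP)
    hidden, unseen = cross_view(host, wire)
    for c in sorted(hidden):
        print("on the wire, not reported by host:", c)
    for c in sorted(unseen):
        print("reported by host, not seen on wire:", c)
    hidden_pids, _ = cross_view(set(TASKLIST_PIDS), set(LOWLEVEL_PIDS))
    for pid in sorted(hidden_pids):
        print("PID seen by low-level enumeration only:", pid)


if __name__ == "__main__":
    main()
```

On the constructed data the host reports one outbound HTTP connection, while the sensor also saw an outbound connection to port 6667 and an inbound one to port 31337 that the host never listed, and the second process enumeration turns up a PID the first did not. None of that proves a rootkit by itself, but it tells you which view to stop trusting and where to point the memory and network analysis.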


Enjoy. If you find interesting bits of data, please post them as a reply, or on your own blog/site and provide a link.

2 comments:

H. Carvey said...

1) Do you trust your tools?

Trust is mainly about reliability and confidence. How confident are you that your tools are showing you accurate information? How reliable is the data output?


This question/point harkens back to the issue of static binaries. However, this is something that isn't possible on Windows systems...at least, not yet. At some point, a DLL (a binary) is going to have to be relied upon and trusted to provide information. Some have stated in the past that trust comes from thorough testing...but what's thorough? Does running the tool 10 times, 100 times, or 1000 times incur trust? How does one verify that all of the data is, in fact, being presented by the tool...be it processes, network connections, etc.

One approach to addressing this is to not necessarily rely on prefabricated tools, or instead rely on prefab tools that employ multiple utilities to collect information, each of which relies on API calls as disparate as possible. That is, don't use two tools to collect the active process list that use the same API calls...use one that relies on API calls that are further down the stack.

2) The average tool is not capable of providing enough information when facing modern attacks.

I'm not sure what this statement is referring to. Tools are subject to the GIGO principle...garbage in, garbage out. You get out what you put in.

Also, how is this statement arrived at? Is there some investigation into attack artifacts? Or are machines being successfully compromised and then artifacts aren't being located using current techniques?


As attacks get more complex, the dataset grows, and likewise becomes more complex, and obscure in revealing useful information. The average "forensic" tool of today can't compete. You may be required to throw out the protocol book once in a while in favor of getting the job done.


I would submit that the dataset does not, in fact, grow. The "dataset" remains stagnant...network-based sources, disk-based sources, memory-based sources.

I would agree that there is some increased complexity in attacks or intrusions, but the real challenge comes in getting investigators to recognize that data is available from sources other than simply the file system or disk of a host system.

I'm also not clear on what constitutes an "average forensic tool", but I would say that the tool is just that...a tool. It's not the tool that can't compete...it's the examiner who wields the tool. Any examiner who expects to push a button and get what they need has already been defeated.

3) An investigation does not begin and end on the disk.

Like I said attacks are getting more complex. Forensics is not simply about data collection from one source. There are many data points in an investigation, and we can't afford to limit ourselves to just the disk, for there is information elsewhere that may not exist on disk.


Multiple sources, but also multiple formats. There is little commonality in the log formats of network devices, and host-based applications.

There is not much in the way of a commercial market for forensic specialty tools, such as network log aggregation, etc. Many times, we have to rely on what's currently available, via COTS, and do the best we can.

H. Carvey said...

1) Do you trust your tools?

In combination with knowledge of the system and situation, I trust the tools I use inasmuch as they provide me additional insight into what's going on...

2) The average tool is not capable of providing enough information when facing modern attacks.

What tool does?

3) An investigation does not begin and end on the disk.

Of course.