This article is based on Footprint and their Anti-Forensics Techniques like Memory injection and Syscall Proxying, Userland Execve Technique, Syscall proxying, Exploiting Forensics Tools Bugs,Detecting Forensic Tool Activities
Memory injection and Syscall Proxying
In the buffer over–flow exploit attack, the attackers use buffer overflows as entry to a remote system in order to inject and run code in the address space of a running program, thereby successfully altering the victim program’s behavior. Then, the attacker uploads tools and saves them to the target system.
Related Product : Computer Hacking Forensic Investigator | CHFI
Userland Execve Technique
The “Userland Execve” technique lets programs on the victim computer to load, run without using the Unix execve() kernel call, thereby letting the attacker to overcome kernel-based security systems that might deny access to execve().
Syscall proxying
Rather than uploading the entire exploit program, the attacker can upload a system call proxy to accept the remote procedure calls from the attacker’s machine. The victim’s machine executes the requested system call and sends the result back to the attacker. By doing so, the attacker need not upload the tools to the compromised machine. However, this increases the amount of network traffic between the compromised machine and the attacker, thereby creating latency. This technique helps in capitalizing the code injection vulnerabilities on a system.
Anti-Forensics Techniques that Minimize Footprint (Cont’d)
Attackers can use a Live CD or Bootable USB Token or virtual machines installed on a different storage media to perform attack on a PC or on a series of computers, unplug the device used, and then turn off the computer. This process will leave no trace of the attack on the source computer for later investigation or analysis. Using the Virtualization software, attackers can perpetrate the attack without even rebooting the host computer. These devices allow intruders to run a variety of applications while considerably reducing the sources of evidence footprint.
After the attack, the attacker can securely erase the files associated with the virtual machine or use the virtual machines directly on the victim’s machine as a kind of super-rootkit. The forensic tool will not be able to view the virtual machines running as the super-rootkit because it is running outside the machine.
Anti-Forensics Techniques that Minimize Footprint (Cont’d)
Anonymous identities and storage
Intruders/attackers create fake accounts via Gmail, Yahoo, Dropbox, etc. to safeguard their identity in case of successful forensic investigation. Using the storage space of their account, the attackers upload the attack tools and the captured information from the victim instead of storing them in their systems. Following these practices reduces the source of evidence for forensic investigation process.
Anti-Forensics Techniques: Exploiting Forensics Tools Bugs
Attackers having knowledge over the forensic tool’s functionality can do a counter forensic attack against the tool and see that the tool does not capture any evidence.
The forensic investigators greatly depend on tools to evaluate the digital evidence. These tools help the investigators to acquire the required data efficiently. However, depending on the tools may be a weakness that attackers can exploit to prevent or interrupt investigations.
Anti-Forensics Techniques: Detecting Forensic Tool Activities
Attackers are fully aware of the computer forensic tools that investigators use to find and analyze evidence from a victim’s computer or network. Therefore, they try to incorporate forensic tools and process identification programs into the system or malware they are using. These programs act intelligently and change behavior on detecting the CFT. For example, a worm may stop propagation and even destroy the evidence when it is under surveillance.
Almost all the current hard drives have built-in self-Monitoring, Analysis and Reporting Technology (SMART). It reports the following:
- The total number of power cycles (Power_Cycle_Count)
- The total time that a hard drive has been in use(Power On Hours or Power_On_ Minutes)
- A log of high temperatures that the drive has reached
- Other manufacturer-determined attributes
- various malicious programs can read these attributes, which users cannot reset
Also Read : Anti-Forensics Techniques: Rootkits
The attackers use these details and modify their behavior with the anti-forensic tools to avert the process of investigation.
Questions related to this topic
- What is anti forensics in cyber security?
- What is a forensic countermeasure?
- What is data hiding in cyber forensics?
This Blog Article is posted by
Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092
Contact us – www.info-savvy.com
