Simon Bisson & Mary Branscombe's Blog

RSA 2008 - Computer Anti Forensics

By Simon Bisson & Mary Branscombe in Editorial

Posted in Server, Security on April 17, 2008 at 7:30 am


How do you know you’ve been hacked? You may have a suspicion that someone’s inside your network, but if your log files don’t show anything, don’t assume that your systems are secure. The bad guys know all about standard computer forensic techniques and have toolkits full of techniques and programs to cover up their traces. The computer security team at Verizon are finding that anti-forensics are used in more than 2/3 of intrusions.

One of the most common techniques is data wiping, used to reduce the evidence available to security analysts. Used in only 18% of cases in 1998, things are very different today, with data wiping used in 80% of cases. The popularity of data wiping can be seen by the sheer number of tools available on black file sites - with more available than all the other types of anti-forensic tools combined.

Luckily for us data wiping is not perfect, and even the best tools leave some files behind - especially when files have been locked or are still in use. It’s a good idea to think outside the box - often literally. Perhaps a backup has traces of the bad guy at work, or there may be traces of his tools and actions on a clustered storage array somewhere else in your data centre. And of course there’s the old forensic stand-by: running memory. A memory dump can show traces of running programs in old page files.

The next most popular technique is data corruption, closely followed by data injection. The aim here is to hide from your logging tools - or even make your log files unreliable. One technique is very simple, with intruders resetting system clocks to create a whole new log that can be deleted when they leave. If there are unexpected holes in log files, there’s a distinct possibility that someone is changing your system clock. More complex techniques use tools to corrupt log files to cover up attacks, or to edit out an attacker’s actions.

One case Verizon worked on was a retail customer that was seeing unexpected charges on its credit card system. Nothing was found in the logs, but the Verizon forensic team was sure that something was happening, so they began to monitor the system.

A few days later a tripwire was triggered, and they were able to watch (and screen capture) someone from the credit processing vendor coming in to the network on a trusted connection. The attacker first changed the system clock to hide their actions, and then used the debug mode in the credit card software to steal transaction data. The security team watched the attacker tidy up after themselves, deleting the debug files. Finally the attacker reset the system clock and edited the system logs to replace their external IP address with an internal one. They’d only made one mistake, which was how the security forensics team was convinced that there was an attacker.

What was it?

The internal IP address they were using wasn’t actually assigned to anything.

It’s clues like that that you need to look out for when assessing a system to see if it’s been compromised. You know what makes your network tick, what addresses are in use, and what your system logs should look like. Vigilance is the only way you’re going to be secure.
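The two tells the post describes, a log whose clock runs backwards or leaves unexplained holes and an "internal" source address that nothing on the network actually uses, can both be checked mechanically against what you already know about your own network. The script below is an added example written for this page, not code from the post or from Verizon's team; the log lines, the 10.1.0.0/16 subnet and the assigned-host inventory are all constructed here to show the idea.

```python
from datetime import datetime, timedelta
import ipaddress

# Constructed sample log (not from the original post): syslog-style
# "timestamp host message" lines with ISO 8601 timestamps. Line 3 shows the
# clock being wound back, and its login comes from an address inside the
# internal subnet that is not in the inventory below.
SAMPLE_LOG = """\
2008-04-10T09:00:05 posbox sshd: Accepted password for vendor from 10.1.2.40
2008-04-10T09:00:40 posbox app: processing batch 1187
2008-04-10T09:01:12 posbox app: processing batch 1188
2008-03-01T00:00:01 posbox sshd: Accepted password for vendor from 10.1.9.250
2008-03-01T00:02:15 posbox app: debug mode enabled
2008-04-10T09:32:00 posbox app: processing batch 1189
"""

# Constructed address inventory: the internal subnet and the hosts actually
# assigned within it. An address inside the subnet but absent from this set
# is a candidate for a forged "internal" source.
INTERNAL_NET = ipaddress.ip_network("10.1.0.0/16")
ASSIGNED_HOSTS = {ipaddress.ip_address(a) for a in ("10.1.2.40", "10.1.2.41", "10.1.3.7")}


def parse_line(line):
    """Split one log line into (timestamp, host, message)."""
    ts, host, message = line.split(" ", 2)
    return datetime.fromisoformat(ts), host, message


def find_clock_anomalies(lines, max_gap=timedelta(minutes=15)):
    """Flag lines where the clock runs backwards, or jumps forward by more
    than max_gap. Each finding is (line_index, kind, delta)."""
    findings = []
    prev = None
    for i, line in enumerate(lines):
        ts, _, _ = parse_line(line)
        if prev is not None:
            delta = ts - prev
            if delta < timedelta(0):
                findings.append((i, "backwards", delta))
            elif delta > max_gap:
                findings.append((i, "gap", delta))
        prev = ts
    return findings


def find_unassigned_internal_sources(lines):
    """Flag source addresses that sit inside the internal subnet but are
    not in the assigned-host inventory. Each finding is (line_index, ip)."""
    findings = []
    for i, line in enumerate(lines):
        _, _, message = parse_line(line)
        if " from " not in message:
            continue
        candidate = message.rsplit(" from ", 1)[1].strip()
        try:
            ip = ipaddress.ip_address(candidate)
        except ValueError:
            continue  # not an address, ignore
        if ip in INTERNAL_NET and ip not in ASSIGNED_HOSTS:
            findings.append((i, str(ip)))
    return findings


def analyse(log_text=SAMPLE_LOG):
    """Run both checks over a log and return the findings by category."""
    lines = [l for l in log_text.splitlines() if l.strip()]
    return {
        "clock": find_clock_anomalies(lines),
        "unassigned": find_unassigned_internal_sources(lines),
    }


if __name__ == "__main__":
    for kind, items in analyse().items():
        for item in items:
            print(kind, item)
```

On the sample log this reports the backwards jump at line 3, the forward gap at line 5 when the clock is put back, and 10.1.9.250 as an internal address that nothing owns. A backwards step can also be an honest NTP correction, which is exactly why the check is only useful alongside knowledge of how your own systems behave; the inventory comparison is the stronger signal, because it turns "what addresses are in use" into something a script can test.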

In the immortal words of Hill Street Blues: Be careful out there.

– Simon
