This article in CIO tells a great story about the current state of forensics and anti-forensics, and it exposes the bleak state of affairs when it comes to relying on digital evidence in criminal investigations. Several anti-forensic tools are mentioned, including Slacker (hides data in file slack space, the unused tail of a file's last cluster, which ordinary file system tools never show), Timestomp (rewrites a file's timestamps to arbitrary values, so creation and modification times no longer reflect what actually happened), and MosDef (used for loading rootkits into memory). Many of these cutting-edge tools were created by security professionals or white hat hackers, for the primary purpose of proving that forensic evidence cannot be blindly trusted.
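Timestomping is not invisible to an examiner who knows where to look, and the check below is an added example (it is not from the CIO article, this post, or any of the tools named above). It applies two well-known NTFS heuristics to constructed MFT timestamp records: a tool that sets timestamps through the user-mode API works at whole-second granularity, so the $STANDARD_INFORMATION values it writes have zero sub-second ticks, and it cannot touch the kernel-maintained $FILE_NAME creation time, so a $STANDARD_INFORMATION creation time earlier than the $FILE_NAME one means the visible timestamp was backdated. The record layout, the `MftTimestamps` class, the indicator codes and all sample paths and times are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Windows FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000


def utc(*args) -> datetime:
    """Build a timezone-aware UTC datetime from year, month, day, ... ."""
    return datetime(*args, tzinfo=timezone.utc)


def to_filetime(dt: datetime, ticks: int = 0) -> int:
    """Convert a UTC datetime plus optional sub-second ticks to FILETIME."""
    delta = dt - FILETIME_EPOCH
    whole = (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND
    return whole + delta.microseconds * 10 + ticks


def from_filetime(ft: int) -> datetime:
    """Inverse of to_filetime, truncated to microsecond precision."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


@dataclass(frozen=True)
class MftTimestamps:
    """Timestamps pulled from one MFT record (all FILETIME). Hypothetical layout."""
    path: str
    si_created: int    # $STANDARD_INFORMATION: what Explorer shows, what SetFileTime rewrites
    si_modified: int
    fn_created: int    # $FILE_NAME: maintained by the kernel, not reachable from SetFileTime


def zero_subsecond(ft: int) -> bool:
    return ft % TICKS_PER_SECOND == 0


def check_record(rec: MftTimestamps) -> list[str]:
    """Return indicator codes for one record; an empty list means nothing suspicious."""
    findings = []
    # Whole-second $SI values on both fields: consistent with a user-mode
    # timestamp rewrite (real writes by the file system carry sub-second ticks).
    if zero_subsecond(rec.si_created) and zero_subsecond(rec.si_modified):
        findings.append("si_zero_subsecond")
    # $FN creation is set by the kernel when the file lands in its directory,
    # so a $SI creation time before it means $SI was backdated.
    if rec.si_created < rec.fn_created:
        findings.append("si_created_before_fn_created")
    return findings


def audit(records: list[MftTimestamps]) -> dict[str, list[str]]:
    """Map each flagged path to its indicator codes."""
    flagged = {}
    for rec in records:
        findings = check_record(rec)
        if findings:
            flagged[rec.path] = findings
    return flagged


# Constructed sample records, not taken from any real volume.
SAMPLE_RECORDS = [
    # Ordinary file: sub-second ticks present, $SI and $FN creation agree.
    MftTimestamps(
        path=r"C:\Users\alice\Documents\report.docx",
        si_created=to_filetime(utc(2007, 3, 1, 10, 0, 0), ticks=1234567),
        si_modified=to_filetime(utc(2007, 3, 2, 14, 30, 0), ticks=7654321),
        fn_created=to_filetime(utc(2007, 3, 1, 10, 0, 0), ticks=1234567),
    ),
    # Copied file: $SI modified older than $SI created is what a copy looks like; not flagged.
    MftTimestamps(
        path=r"C:\Users\alice\Documents\copy.txt",
        si_created=to_filetime(utc(2007, 3, 6, 9, 0, 0), ticks=42),
        si_modified=to_filetime(utc(2006, 1, 1, 0, 0, 0), ticks=99),
        fn_created=to_filetime(utc(2007, 3, 6, 9, 0, 0), ticks=42),
    ),
    # Backdated with a Timestomp-style tool: whole-second $SI values set to 2004,
    # while $FN still records the real 2007 arrival on the volume.
    MftTimestamps(
        path=r"C:\Windows\System32\backdated.dll",
        si_created=to_filetime(utc(2004, 8, 4, 12, 0, 0)),
        si_modified=to_filetime(utc(2004, 8, 4, 12, 0, 0)),
        fn_created=to_filetime(utc(2007, 3, 5, 23, 41, 17), ticks=8812345),
    ),
]


if __name__ == "__main__":
    for path, codes in audit(SAMPLE_RECORDS).items():
        print(f"{path}: {', '.join(codes)}")
```

Both indicators are heuristics, not proof: archive extractors and file-restore utilities also set whole-second times through SetFileTime, and a file moved between directories gets fresh $FILE_NAME values, so a hit is a lead to corroborate against other artifacts (journal entries, logs, the surrounding records), not a conclusion on its own.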

Some of the other tools listed really are dual-purpose, useful to both criminals and security engineers. Technology such as encryption, VPNs, virtualization, and disk wiping is constantly being improved for legitimate purposes. Of course, the person attacking your network can make good use of it, too.

The bottom line, according to the experts quoted in the article, is that our justice system's reliance on digital forensic evidence cannot continue as it stands. We can no longer assume that this evidence is reliable or trustworthy, even when it is collected by trained professionals following the best practices of the industry. Current forensic tools are simply not good enough to deal with the proliferation of anti-forensic tools being employed by serious online criminals.

That's assuming the criminal is ever even brought to trial. In the vast majority of cases, investigators never figure out who the attacker was, or why a system was breached. The longer it takes to unravel the facts of the compromise, the less appealing the investigation becomes from a business standpoint. Thanks to diminishing returns, it just doesn't pay for a corporation to spend tens of thousands of dollars bringing some hacker to justice. They generally stop trying when it starts to cost too much, or when they feel enough information (accurate or not) has been gathered. Due diligence is usually both the floor and the ceiling of the effort.

So it seems pretty hopeless that we'll ever be able to rely on digitally collected forensic evidence on its own. What that leaves us with are the traditional investigative techniques: interviewing suspects, tapping phone lines, checking bank records, and so on.

From the article: “Every successful forensics case I’ve worked on turned into a physical security investigation,” says Bill Pennington, a researcher at White Hat Security and veteran technical forensics investigator.

source: CIO – How Online Criminals Make Themselves Tough to Find, Near Impossible to Nab


Malware analysis of Gozi Trojan

This is an interesting and detailed analysis, done by SecureWorks, of a previously unknown piece of malware called Trojan.Gozi. It infected Windows XP SP2 machines and stole the user's login credentials for online accounts, such as banking websites. The trojan has a clever way of grabbing the login and password data: it monitors HTTP POSTs, even ones sent over SSL, by inserting itself as a shim between Internet Explorer and the network socket used to send the data, so it reads the form fields before the SSL layer encrypts them. SSL protects the data in transit, not on an endpoint the attacker already controls. Of course, everything is shipped back to the attacker's server in Russia, and rootkit techniques are used to hide its presence.

See the SecureWorks write-up for all the gory details, including dynamic and static analysis using a debugger.


Top Ten Computer Forensic Investigation Mistakes

I thought this list of common blunders made during an investigation was very practical, and it's always interesting to hear war stories of prior screw-ups. A lot of them are common sense and simple, such as keeping good notes and maintaining the chain of custody. Some other tips were more insightful, such as keeping an eye out for exonerating, not just incriminating, evidence.
