Could you provide a description of what is meant by the term "offensive forensics"? What forensics tools are used...
in such attacks, and what can enterprises do to stop them?
Ask the expert!
SearchSecurity expert Nick Lewis is standing by to answer your questions about enterprise security threats. Submit your question via email. (All questions are anonymous.)
Offensive forensics, simply put, is a method of attack obfuscation in which an attacker takes specific steps to make investigating an incident more difficult for a forensic examiner.
Similar to anti-forensics, attackers' first rudimentary attempts at offensive forensics were simply to disable logging and delete log files. Then they moved on to deleting entire entries out of Windows event logs using tools like WinZapper, time stomping and many other techniques that make forensics investigations more difficult and resource-consuming.
Offensive forensics can be mitigated by using a third-party host for storing log or system data, recording the activities of the compromised host on the network and performing file integrity checking. When the local system generates a log and sends it to the external host, the local system log is not necessary for investigating the logs, so if a third-party host is used to collect the log data, that host would need to be compromised to change the logs. The system could even be set to write the data to write-once media (e.g., a CD-ROM). Recording all activities could be performed through local logging, where process-level logging can be enabled, or command-line logging could be sent to the external host for later investigation. File integrity checking tools typically exclude log files from monitoring because log files are continually changing, but a system could be designed to record when a log file is modified by something other than an approved program. Ultimately, the most important step to deter attack obfuscation is preventing a host from being compromised in the first place.
Dig Deeper on Emerging Information Security Threats
Related Q&A from Nick Lewis
The new Trochilus RAT can avoid detection in cyberespionage attacks. Expert Nick Lewis explains how it works, and if enterprises need to adapt their ...continue reading
The Asacub Trojan has new banking malware features. Expert Nick Lewis explains how it made this transition and what enterprises should be watching ...continue reading
BlackEnergy malware may have been part of the attacks on Ukrainian utility and media companies. Expert Nick Lewis explains how this malware works and...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.