Could you provide a description of what is meant by the term "offensive forensics"? What forensics tools are used...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
in such attacks, and what can enterprises do to stop them?
Ask the expert!
SearchSecurity expert Nick Lewis is standing by to answer your questions about enterprise security threats. Submit your question via email. (All questions are anonymous.)
Offensive forensics, simply put, is a method of attack obfuscation in which an attacker takes specific steps to make investigating an incident more difficult for a forensic examiner.
Similar to anti-forensics, attackers' first rudimentary attempts at offensive forensics were simply to disable logging and delete log files. Then they moved on to deleting entire entries out of Windows event logs using tools like WinZapper, time stomping and many other techniques that make forensics investigations more difficult and resource-consuming.
Offensive forensics can be mitigated by using a third-party host for storing log or system data, recording the activities of the compromised host on the network and performing file integrity checking. When the local system generates a log and sends it to the external host, the local system log is not necessary for investigating the logs, so if a third-party host is used to collect the log data, that host would need to be compromised to change the logs. The system could even be set to write the data to write-once media (e.g., a CD-ROM). Recording all activities could be performed through local logging, where process-level logging can be enabled, or command-line logging could be sent to the external host for later investigation. File integrity checking tools typically exclude log files from monitoring because log files are continually changing, but a system could be designed to record when a log file is modified by something other than an approved program. Ultimately, the most important step to deter attack obfuscation is preventing a host from being compromised in the first place.
Dig Deeper on Emerging Information Security Threats
Related Q&A from Nick Lewis
An HTTPS session with a reused nonce is vulnerable to the Forbidden attack. Expert Nick Lewis explains how the attack works, and how to properly ...continue reading
The Irongate malware has been discovered to have similar functionality to Stuxnet. Expert Nick Lewis explains how enterprises can protect their ICS ...continue reading
APT groups have been continuously exploiting a flaw in Microsoft Office, despite it having been patched. Expert Nick Lewis explains how these attacks...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.