Could you provide a description of what is meant by the term "offensive forensics"? What forensics tools are used in such attacks, and what can enterprises do to stop them?
Ask the expert!
SearchSecurity expert Nick Lewis is standing by to answer your questions about enterprise security threats. Submit your question via email. (All questions are anonymous.)
Offensive forensics, simply put, is a method of attack obfuscation in which an attacker takes specific steps to make investigating an incident more difficult for a forensic examiner.
Similar to anti-forensics, attackers' first rudimentary attempts at offensive forensics were simply to disable logging and delete log files. Then they moved on to deleting entire entries out of Windows event logs using tools like WinZapper, time stomping and many other techniques that make forensics investigations more difficult and resource-consuming.
Offensive forensics can be mitigated by using a third-party host for storing log or system data, recording the activities of the compromised host on the network and performing file integrity checking. When the local system generates a log and sends it to the external host, the local system log is not necessary for investigating the logs, so if a third-party host is used to collect the log data, that host would need to be compromised to change the logs. The system could even be set to write the data to write-once media (e.g., a CD-ROM). Recording all activities could be performed through local logging, where process-level logging can be enabled, or command-line logging could be sent to the external host for later investigation. File integrity checking tools typically exclude log files from monitoring because log files are continually changing, but a system could be designed to record when a log file is modified by something other than an approved program. Ultimately, the most important step to deter attack obfuscation is preventing a host from being compromised in the first place.
Related Q&A from Nick Lewis, Enterprise Threats
Chameleon malware targets insecure wireless access points. Enterprise threats expert Nick Lewis explains how to defend against the malware.continue reading
The Zeus malware is threatening RTF security by embedding itself in the file, which is commonly seen as safer than other file formats such as PDFs. ...continue reading
Enterprise threats expert Nick Lewis explains how to detect and avoid one of the most advanced malware threats: The Mask.continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.