Could you provide a description of what is meant by the term "offensive forensics"? What forensics tools are used in such attacks, and what can enterprises do to stop them?
Offensive forensics, simply put, is a method of attack obfuscation in which an attacker takes specific steps to make investigating an incident more difficult for a forensic examiner.
Similar to anti-forensics, attackers' first rudimentary attempts at offensive forensics were simply to disable logging and delete log files. Then they moved on to deleting entire entries out of Windows event logs using tools like WinZapper, time stomping and many other techniques that make forensics investigations more difficult and resource-consuming.
Offensive forensics can be mitigated by using a third-party host for storing log or system data, recording the activities of the compromised host on the network and performing file integrity checking. When the local system generates a log and sends it to the external host, the local system log is not necessary for investigating the logs, so if a third-party host is used to collect the log data, that host would need to be compromised to change the logs. The system could even be set to write the data to write-once media (e.g., a CD-ROM). Recording all activities could be performed through local logging, where process-level logging can be enabled, or command-line logging could be sent to the external host for later investigation. File integrity checking tools typically exclude log files from monitoring because log files are continually changing, but a system could be designed to record when a log file is modified by something other than an approved program. Ultimately, the most important step to deter attack obfuscation is preventing a host from being compromised in the first place.
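As an added illustration of the file integrity point in the answer above (example code written for this page, not from the article or from Nick Lewis): a checker that treats a log as append-only, so ordinary growth passes while truncation or an in-place edit of an earlier entry is flagged. The log lines are constructed samples.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class LogCheckpoint:
    """Baseline recorded after the last write by the approved logging process."""
    size: int
    prefix_sha256: str


def checkpoint(log_bytes: bytes) -> LogCheckpoint:
    """Record the current length and hash of the log as the trusted baseline."""
    return LogCheckpoint(len(log_bytes), hashlib.sha256(log_bytes).hexdigest())


def verify_append_only(previous: LogCheckpoint, current: bytes) -> str:
    """Classify the change since the checkpoint: 'ok', 'truncated' or 'rewritten'.

    Growth is normal, so only the bytes that existed at checkpoint time are
    hashed; a mismatch there means an earlier entry was edited or removed.
    """
    if len(current) < previous.size:
        return "truncated"  # entries dropped from the end, or the file cleared
    if hashlib.sha256(current[: previous.size]).hexdigest() != previous.prefix_sha256:
        return "rewritten"  # an existing entry was changed or deleted in place
    return "ok"  # only new lines were appended


# Constructed sample log lines (not real events) used to exercise the checker.
LINE_LOGIN = b"2024-01-01T10:00:00 sshd: Accepted publickey for alice\n"
LINE_SUDO = b"2024-01-01T10:05:00 sudo: alice : COMMAND=/bin/cat /etc/shadow\n"
LINE_LOGOUT = b"2024-01-01T10:09:00 sshd: Disconnected from alice\n"
BASELINE = LINE_LOGIN + LINE_SUDO
APPENDED = BASELINE + LINE_LOGOUT  # normal growth
EDITED = (LINE_LOGIN  # sudo entry altered in place, then normal growth
          + b"2024-01-01T10:05:00 sudo: alice : COMMAND=/bin/ls /home/alice\n"
          + LINE_LOGOUT)
CLEARED = b""  # log wiped outright


def run_demo() -> dict:
    base = checkpoint(BASELINE)
    cases = {"appended": APPENDED, "edited": EDITED, "cleared": CLEARED}
    return {name: verify_append_only(base, data) for name, data in cases.items()}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:9s} -> {verdict}")
```

In practice the checkpoint would be taken by the integrity checker after each approved write and stored off-host alongside the forwarded log copy, so a local "rewritten" or "truncated" verdict can be compared against the external record.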