Manage Learn to apply best practices and optimize your operations.

Attack obfuscation: How attackers thwart forensics investigations

Expert Nick Lewis explains how attackers utilize offensive forensics techniques to thwart forensics investigations.

Could you provide a description of what is meant by the term "offensive forensics"? What forensics tools are used in such attacks, and what can enterprises do to stop them?

Ask the expert!

SearchSecurity expert Nick Lewis is standing by to answer your questions about enterprise security threats. Submit your question via email. (All questions are anonymous.)

Offensive forensics, simply put, is a method of attack obfuscation in which an attacker takes specific steps to make investigating an incident more difficult for a forensic examiner.

Similar to anti-forensics, attackers' first rudimentary attempts at offensive forensics were simply to disable logging and delete log files. Then they moved on to deleting entire entries out of Windows event logs using tools like WinZapper, time stomping and many other techniques that make forensics investigations more difficult and resource-consuming.

Offensive forensics can be mitigated by using a third-party host for storing log or system data, recording the activities of the compromised host on the network and performing file integrity checking. When the local system generates a log and sends it to the external host, the local system log is not necessary for investigating the logs, so if a third-party host is used to collect the log data, that host would need to be compromised to change the logs. The system could even be set to write the data to write-once media (e.g., a CD-ROM). Recording all activities could be performed through local logging, where process-level logging can be enabled, or command-line logging could be sent to the external host for later investigation. File integrity checking tools typically exclude log files from monitoring because log files are continually changing, but a system could be designed to record when a log file is modified by something other than an approved program. Ultimately, the most important step to deter attack obfuscation is preventing a host from being compromised in the first place.

This was last published in March 2014

Dig Deeper on Emerging cyberattacks and threats