Anti-Forensics: What it is, Examples and How to Defend Against it

This blog was written by Vanessa Horton, our cyber incident responder.

Anti-forensics isn’t a new concept, yet seems to fly under everyone’s radar. So, in this blog, we’ll go over:

  • What anti-forensics is;
  • Why criminals are using it;
  • Examples of anti-forensics techniques; and
  • What organisations can do to help protect themselves.

What is anti-forensics, and why do criminals use it?

In a cyber security and incident response context, anti-forensics involves a range of techniques that threat actors use to try to remain undetected while they’re executing an attack.

These techniques also try to mask the attackers’ actions by, for example, concealing or manipulating system data to hinder forensic investigations.

Certain criminal groups, including LockBit and Lazarus, are known to use anti-forensics techniques as part of their attacks.


5 examples of anti-forensics techniques

This is nowhere near an exhaustive list, but it should help give you a sense of what anti-forensics might mean in practice.

1. VPNs

A VPN (virtual private network) anonymises the user when they connect to web-based services – specifically, it conceals the user’s source IP address. Threat actors often use it to mask their identity, making it more challenging to attribute cyber attacks to a specific group or physical location.

You may be familiar with the advice to use a VPN when you’re using public Wi-Fi, which isn’t secure. This helps protect your identity. Threat actors also use VPNs, applying the same principle, but to reduce the risk of prosecution.

2. Timestomping

Timestomping changes the time and date of when a file or an application was created, accessed, modified and/or executed, disguising a user’s actions.

Specifically, timestomping involves changing the attributes in the MFT (master file table), which is basically the librarian for your computer’s files. It keeps track of everything:

  • Where files reside
  • What they’re named
  • When they were made
  • Who can access the files

You could think of the MFT as the ‘brain’ of your storage drive.

So, if a threat actor executed malware at a certain time and date, but then used timestomping, they could make it appear that the malware was executed earlier or later than it really was. This makes it harder to identify the timeline or sequence of events during a cyber incident.
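One way a responder can spot the manipulation described above, as an added example that is not part of the original post: NTFS stores two timestamp sets for each file in its MFT entry, $STANDARD_INFORMATION (the set user-mode timestomping tools rewrite) and $FILE_NAME (which the kernel maintains and which such tools usually leave untouched). Comparing the two, and checking whether the rewritten times are suspiciously whole seconds, gives a simple first-pass detector. The record layout, the helper names and the sample files below are assumptions constructed for illustration, not data from the post.

```python
"""Flag NTFS timestamp anomalies commonly associated with timestomping.

Added example: operates on constructed records that mimic the two timestamp
sets in an MFT entry. Values are FILETIME integers (100-ns ticks since 1601),
the resolution NTFS actually stores.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000  # FILETIME resolution is 100 ns


def filetime(dt: datetime, sub_second_ticks: int = 0) -> int:
    """Build a FILETIME from a whole-second UTC datetime plus 100-ns ticks."""
    whole = int((dt - EPOCH_1601).total_seconds())
    return whole * TICKS_PER_SECOND + sub_second_ticks


@dataclass
class MftTimestamps:
    """Hypothetical record: the fields a parser would pull from one MFT entry."""
    path: str
    si_created: int   # $STANDARD_INFORMATION creation time
    si_modified: int  # $STANDARD_INFORMATION last-modified time
    fn_created: int   # $FILE_NAME creation time
    fn_modified: int  # $FILE_NAME last-modified time


def timestomp_indicators(rec: MftTimestamps) -> list[str]:
    """Return the names of the heuristics that fire for one record."""
    findings = []
    # 1. Tools that set times via SetFileTime usually pass whole seconds,
    #    leaving the 100-ns fraction at zero. Real writes almost never do.
    if (rec.si_created % TICKS_PER_SECOND == 0
            and rec.si_modified % TICKS_PER_SECOND == 0):
        findings.append("si-whole-second")
    # 2. $FILE_NAME creation is set by the kernel when the entry is created
    #    and is not touched by SetFileTime, so a $SI creation time earlier
    #    than $FN creation means $SI was backdated.
    if rec.si_created < rec.fn_created:
        findings.append("si-created-before-fn")
    # 3. Low-confidence: modified-before-created also occurs legitimately
    #    for copied files, so treat it as a prompt to look, not proof.
    if rec.si_modified < rec.si_created:
        findings.append("si-modified-before-created")
    return findings


def scan(records: list[MftTimestamps]) -> dict[str, list[str]]:
    """Map each suspicious path to the heuristics that fired for it."""
    return {r.path: f for r in records if (f := timestomp_indicators(r))}


# Constructed sample records (not from a real system).
SAMPLE = [
    MftTimestamps(  # ordinary user document: both sets agree, odd fractions
        path=r"C:\Users\alice\report.docx",
        si_created=filetime(datetime(2024, 3, 4, 9, 15, 22, tzinfo=timezone.utc), 1_234_567),
        si_modified=filetime(datetime(2024, 3, 5, 10, 0, 0, tzinfo=timezone.utc), 555),
        fn_created=filetime(datetime(2024, 3, 4, 9, 15, 22, tzinfo=timezone.utc), 1_234_567),
        fn_modified=filetime(datetime(2024, 3, 5, 10, 0, 0, tzinfo=timezone.utc), 555),
    ),
    MftTimestamps(  # dropped binary whose $SI times were rewound to 2019
        path=r"C:\Windows\Temp\svc.exe",
        si_created=filetime(datetime(2019, 6, 1, tzinfo=timezone.utc)),
        si_modified=filetime(datetime(2019, 6, 1, tzinfo=timezone.utc)),
        fn_created=filetime(datetime(2024, 3, 10, 2, 13, 45, tzinfo=timezone.utc), 9_876_543),
        fn_modified=filetime(datetime(2024, 3, 10, 2, 13, 45, tzinfo=timezone.utc), 9_876_543),
    ),
]

if __name__ == "__main__":
    for path, hits in scan(SAMPLE).items():
        print(f"{path}: {', '.join(hits)}")
```

The whole-second and $SI/$FN checks are the ones most MFT analysis tools expose; the third fires on every copied file, which is why it is labelled low-confidence and should be weighed against other evidence rather than reported on its own.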

3. Disk wiping

Disk wiping is used by threat actors to destroy all data on the hard drive, without the chance of data recovery.

To achieve this, the threat actor executes an application that overwrites all data on the disk. The more overwrite passes the program makes over the drive, the less of the original data remains recoverable.

There are many tools available for this, but one of the most common is KillDisk.

4. Data encryption

Data encryption helps prevent access to critical evidence for an investigation.

For example, if an organisation has implemented on-site virtual servers, a threat actor may encrypt the entire virtual machine to mask what actions they took within the environment. If the victim can’t obtain that information, this makes it very hard for them to take effective remedial action.

5. Event logs

Event logs are files that hold a wealth of information about actions that take place within an IT environment, such as user account logons, software applications executed, etc.

Threat actors can delete these logs to make it harder for organisations to analyse exactly what happened. They do this either by writing an application that, once executed, deletes the event logs, or manually if they have remote access to the victim’s infrastructure.
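Log deletion leaves its own traces, and centrally forwarded copies survive a local clear. As an added example that is not part of the original post, the following Python script works over a constructed SIEM-style export: it picks out the Windows events that record a log being cleared (Security event ID 1102 and System event ID 104), lists what the same account did in the minutes beforehand, and reports the oldest surviving record per channel so an unexpectedly short history stands out. The CSV layout, field names and sample records are assumptions constructed for illustration.

```python
"""Detect Windows event-log clearing in a forwarded log export.

Added example. Input is a constructed CSV export such as a SIEM might
produce; because the copies were forwarded before the clear, the records
from before the clearing event are still available to the responder.
"""
import csv
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample export (not real logs): time, channel, event id, user, message
SAMPLE_EVENTS = """\
time,channel,event_id,user,message
2024-03-10T01:58:03Z,Security,4624,CORP\\svc-backup,An account was successfully logged on
2024-03-10T01:59:10Z,Security,4672,CORP\\svc-backup,Special privileges assigned to new logon
2024-03-10T02:14:00Z,Security,1102,CORP\\svc-backup,The audit log was cleared
2024-03-10T02:14:01Z,System,104,CORP\\svc-backup,The Application log file was cleared
2024-03-10T02:30:45Z,Security,4624,CORP\\alice,An account was successfully logged on
2024-03-08T08:00:00Z,Application,1000,SYSTEM,Application error
2024-03-10T02:14:05Z,Application,1000,SYSTEM,Application error
"""

# (channel, event id) pairs that Windows writes when a log is cleared.
LOG_CLEARED = {("Security", 1102), ("System", 104)}


def parse_events(text: str) -> list[dict]:
    """Parse the CSV export into dicts with typed time and event_id fields."""
    events = []
    for row in csv.DictReader(StringIO(text)):
        events.append({
            "time": datetime.strptime(row["time"], "%Y-%m-%dT%H:%M:%SZ"),
            "channel": row["channel"],
            "event_id": int(row["event_id"]),
            "user": row["user"],
            "message": row["message"],
        })
    return events


def find_log_clearing(events: list[dict]) -> list[dict]:
    """Return the events that record a log being cleared, in export order."""
    return [e for e in events if (e["channel"], e["event_id"]) in LOG_CLEARED]


def activity_before_clear(events: list[dict],
                          window: timedelta = timedelta(minutes=30)) -> list[dict]:
    """For each clearing event, list what the same account did just before it."""
    context = []
    for clear in find_log_clearing(events):
        preceding = sorted(
            (e for e in events
             if e["user"] == clear["user"]
             and clear["time"] - window <= e["time"] < clear["time"]),
            key=lambda e: e["time"],
        )
        context.append({
            "cleared_at": clear["time"],
            "channel": clear["channel"],
            "user": clear["user"],
            "preceding_event_ids": [e["event_id"] for e in preceding],
        })
    return context


def oldest_record_per_channel(events: list[dict]) -> dict[str, datetime]:
    """Oldest surviving record per channel; compare against expected retention."""
    oldest: dict[str, datetime] = {}
    for e in events:
        if e["channel"] not in oldest or e["time"] < oldest[e["channel"]]:
            oldest[e["channel"]] = e["time"]
    return oldest


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    for ctx in activity_before_clear(evts):
        print(f"{ctx['cleared_at']} {ctx['channel']} cleared by {ctx['user']}; "
              f"prior activity: {ctx['preceding_event_ids']}")
    for channel, first in oldest_record_per_channel(evts).items():
        print(f"{channel}: oldest surviving record {first}")
```

Event ID 1102 is written into the Security log immediately after it is cleared, so on the host itself it is usually the oldest record left; the earlier logon and privilege events shown here are only available because the export comes from forwarded copies, which is the practical argument for shipping logs off the endpoint.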




How to defend against anti-forensics

Organisations should take a proactive, multilayered approach to their defences.

Preventive

It’s important to have measures in place that are designed to mitigate the risk of an attack succeeding in the first place – prevention is always better than cure.

So, take care of the basics first, including but not limited to:

Detective

Where your prevention fails, detection steps in. Detective systems can prove invaluable, as they allow you to identify any attacks that slip through your preventive barriers early on, before they can do too much damage.

Good detective tools worth looking into include:

  • SIEM (security information and event management);
  • EDR (endpoint detection and response); and
  • SOC (security operations centre).

Responsive

Should you suffer an incident – specifically, one where anti-forensics techniques have been used – it’s generally best to get insight from someone who is familiar with these techniques.

You should also keep an eye out for anti-forensics techniques even if you’re unsure whether they were used: check for anomalies that can signify their use. This requires the right tools, as well as the right expertise.

The expertise could come from either someone in-house, or a third party if you lack the internal resource. Either way, your forensic investigator must be suitably qualified and up to date with the latest anti-forensics techniques and digital forensic software.

It’s also important that you have a clear cyber incident response plan that, among other things, states when to escalate a security event and call your expert.


Got more anti-forensics questions? Or looking for more cyber security guidance in general?

With more than 20 years’ experience in cyber security, we understand risk management.

Our experts have implemented cyber security programmes for hundreds of organisations across a multitude of industries in both the private and public sectors.

New to the world of cyber security and need advice on how to get started? Or updating an existing cyber security programme?

We’re here to help.
