Rise of anti-forensics techniques requires response from digital investigators
UK – 7th September, 2015 – The industry is facing a shortage of digital forensics practitioners able to investigate attacks that use fileless malware[i] and other anti-forensics measures that leave little trace on physical disks.
According to Alissa Torres, founder of Sibertor Forensics and former member of the Mandiant Computer Incident Response Team (MCIRT), “Attackers know how forensics investigators work and they are becoming increasingly more sophisticated at using methods that leave few traces behind – we are in an arms race where the key difference is training.”
In the last year, Torres has seen a rise in fileless malware that exists only in volatile memory and avoids installation on a target’s file system. “Five years ago, to see sophisticated anti-analysis and acquisition techniques in the wild was like seeing a unicorn but that is no longer the case. As techniques for detecting trace artefacts on a compromised system have improved, the more sophisticated attackers have adapted quickly.”
Torres estimates that possibly 1 in 4 Digital Forensics and Incident Response (DFIR) professionals has the level of training to successfully analyse the new types of self-defence techniques that include more sophisticated rootkit and anti-memory analysis mechanisms.
“The memory forensics field exploded around 2005 when a lot of the parsing tools started to become available and its use in forensics has been growing ever since,” explains Torres, “An incredible advantage this analysis method has is speed – a skilled expert in memory forensics can discover insights a lot quicker and pick up on information that is missed in traditional disk imaging.”
Although the tools have improved, Torres points out that “…owning a hammer and saw doesn’t make you a carpenter – a deeper understanding of the operating system internals to include memory management allows the examiner to access target data specific to the needs of the case at hand.”
Torres is lead author and instructor of the SANS FOR526: Memory Forensics In-Depth course which she will be teaching at the upcoming annual Digital Forensics and Incident Response (DFIR) Summit and Training event in Prague from the 5th to 17th of October.
The 6 day course provides the critical skills necessary for digital forensics examiners and incident responders to successfully perform live system memory triage and analyse captured memory images. The course uses the most effective freeware and open-source tools in the industry today and provides an in-depth understanding of how these tools work.
Torres will also be presenting “Baselining Memory for Anomaly Detection” alongside a number of leading speakers covering the most innovative DFIR topics at the Summit on Sunday 11th of October. For more information on the event, please visit https://www.sans.org/event/dfir-prague-2015/
About SANS Institute
The SANS Institute was established in 1989 as a cooperative research and education organization. SANS is the most trusted and, by far, the largest provider of cyber security training and certification to professionals at governments and commercial institutions world-wide. Renowned SANS instructors teach over 50 different courses at more than 200 live cyber security training events as well as online. GIAC, an affiliate of the SANS Institute, validates employee qualifications via 27 hands-on, technical certifications in information security. The SANS Technology Institute, a regionally accredited independent subsidiary, offers master’s degrees in cyber security. SANS offers a myriad of free resources to the InfoSec community including consensus projects, research reports, and newsletters; it also operates the Internet’s early warning system–the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to help the entire information security community. (www.SANS.org)