Anti-Forensics: What it is, Examples and How to Defend Against it

This blog was written by Vanessa Horton, cyber incident responder at GRCI Law, where she helps clients with their cyber security requirements.

Anti-forensics isn’t a new concept, yet it seems to fly under everyone’s radar. So, in this blog, we’ll go over:

  • What anti-forensics is;
  • Why criminals are using it;
  • Examples of anti-forensics techniques; and
  • What organisations can do to help protect themselves.

What is anti-forensics, and why do criminals use it?

In a cyber security and incident response context, anti-forensics involves a range of techniques that threat actors use to try to remain undetected while they’re executing an attack. These techniques also try to mask the attackers’ actions by, for example, concealing or manipulating system data to hinder forensic investigations.

Certain criminal groups, including LockBit and Lazarus, are known to use anti-forensics techniques as part of their attacks.


Examples of anti-forensics techniques

This is nowhere near an exhaustive list, but it should help give you a sense of what anti-forensics might mean in practice.

VPNs

A VPN (virtual private network) anonymises the user when they connect to web-based services – specifically, it conceals the user’s source IP address. Threat actors often use it to mask their identity, making it more challenging to attribute cyber attacks to a specific group or physical location.

You may be familiar with the advice to use a VPN when you’re using public Wi-Fi, which isn’t secure. This helps protect your identity. Threat actors also use VPNs, applying the same principle, but to reduce the risk of prosecution.

Timestomping

Timestomping changes the time and date of when a file or an application was created, accessed, modified and/or executed, disguising a user’s actions.

Specifically, timestomping involves changing the attributes in the MFT (master file table), which is basically the librarian for your computer’s files. It keeps track of everything: where files reside, what they’re named, when they were made and who can access them. You could think of the MFT as the ‘brain’ of your storage drive.

So, if a threat actor executed malware at a certain time and date, but then used timestomping, they could make it appear that the malware was executed earlier or later than it really was. This makes it harder to identify the timeline or sequence of events during a cyber incident.
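Two checks investigators commonly apply to MFT timestamps are shown below as an added example (this is not code from the original post). NTFS keeps two sets of timestamps per file: those in the $STANDARD_INFORMATION attribute, which ordinary user-mode APIs can rewrite, and those in the $FILE_NAME attribute, which are maintained by the NTFS driver. A $SI creation time earlier than the $FN creation time, or $SI times with an exactly-zero sub-second component, are classic indicators of timestomping. The example assumes the timestamps have already been extracted from the $MFT by a parser; the records below are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass
class MftTimestamps:
    """Subset of the MFT timestamps relevant here (constructed for the example)."""
    path: str
    si_created: datetime    # $STANDARD_INFORMATION created (user-mode writable)
    si_modified: datetime   # $STANDARD_INFORMATION modified (user-mode writable)
    fn_created: datetime    # $FILE_NAME created (maintained by the NTFS driver)
    fn_modified: datetime   # $FILE_NAME modified (maintained by the NTFS driver)


def timestomp_indicators(rec: MftTimestamps) -> list[str]:
    """Return a list of timestomping indicators for one MFT record (empty if none)."""
    findings = []
    # Indicator 1: $SI creation earlier than $FN creation. $FN is written when the
    # file is created and cannot be set through SetFileTime, so a $SI value that
    # predates it normally means $SI was backdated.
    if rec.si_created < rec.fn_created:
        findings.append("$SI created predates $FN created")
    # Indicator 2: zeroed sub-second precision. Genuine NTFS timestamps carry
    # 100 ns granularity; many timestomping tools write whole-second values.
    for label, ts in (("$SI created", rec.si_created),
                      ("$SI modified", rec.si_modified)):
        if ts.microsecond == 0:
            findings.append(f"{label} has a zero sub-second component")
    return findings


def scan(records: list[MftTimestamps]) -> dict[str, list[str]]:
    """Map each suspicious path to its indicators; clean records are omitted."""
    result = {}
    for rec in records:
        findings = timestomp_indicators(rec)
        if findings:
            result[rec.path] = findings
    return result


# Constructed sample records: one ordinary document and one backdated binary.
SAMPLE_RECORDS = [
    MftTimestamps("C:\\Users\\alice\\report.docx",
                  si_created=datetime(2023, 5, 1, 10, 0, 0, 123456),
                  si_modified=datetime(2023, 5, 2, 14, 30, 0, 654321),
                  fn_created=datetime(2023, 5, 1, 10, 0, 0, 123456),
                  fn_modified=datetime(2023, 5, 1, 10, 0, 0, 123456)),
    MftTimestamps("C:\\Windows\\Temp\\update.exe",
                  si_created=datetime(2019, 1, 1, 0, 0, 0, 0),
                  si_modified=datetime(2019, 1, 1, 0, 0, 0, 0),
                  fn_created=datetime(2024, 3, 10, 15, 38, 12, 987654),
                  fn_modified=datetime(2024, 3, 10, 15, 38, 12, 987654)),
]

if __name__ == "__main__":
    for path, findings in scan(SAMPLE_RECORDS).items():
        print(path)
        for f in findings:
            print("  -", f)
```

Treat these as leads rather than proof: $FN timestamps are refreshed when a file is moved or renamed, and an attacker with raw disk access can rewrite $FN as well, so a hit should be corroborated against other artefacts such as the USN journal, prefetch data or event logs.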

Disk wiping

Disk wiping is used by threat actors to destroy all data on the hard drive, leaving no chance of data recovery. To achieve this, the threat actor executes an application that overwrites all data on the disk. The more passes the program is set to make over the hard drive, the more thoroughly the original data is scrambled and the harder recovery becomes.

There are many tools available for this, but one of the most common is KillDisk.

Data encryption

Data encryption helps prevent access to critical evidence for an investigation.

For example, if an organisation has implemented on-site virtual servers, a threat actor may encrypt the entire virtual machine to mask what actions they took within the environment. If the victim can’t obtain that information, this makes it very hard for them to take effective remedial action.

Event logs

Event logs are files that hold a wealth of information about actions that take place within an IT environment, such as user account logons, software applications executed, etc.

Threat actors can delete these logs to make it harder for organisations to analyse exactly what happened. They do this either by writing an application that, once executed, deletes the event logs, or manually if they have remote access to the victim’s infrastructure.
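Clearing a Windows event log leaves its own trace: the Security log records event ID 1102 when it is cleared, and the System log records event ID 104 when a log is cleared through the Eventlog service. A long silence in a normally busy log is a further hint that records were removed. The following detection logic is an added example, not the author's code; it runs over a constructed CSV-style export (timestamp, channel, event ID, user) and reports both clearing events and unexpectedly long gaps.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample export (not real data): timestamp, channel, event ID, user.
SAMPLE_EVENTS = """\
2024-03-10T09:00:00Z,Security,4624,alice
2024-03-10T09:05:00Z,Security,4624,bob
2024-03-10T09:10:00Z,System,7036,SYSTEM
2024-03-10T09:12:00Z,Security,4688,alice
2024-03-10T15:40:00Z,Security,1102,svc_backup
2024-03-10T15:40:05Z,System,104,svc_backup
2024-03-10T15:41:00Z,Security,4624,svc_backup
"""

# (channel, event ID) pairs written by Windows when a log is cleared.
LOG_CLEARED = {
    ("Security", 1102): "Security log cleared",
    ("System", 104): "event log cleared (recorded in System channel)",
}


def parse_events(text: str) -> list[dict]:
    """Parse the simple CSV export into a list of event dictionaries."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, channel, event_id, user = line.split(",")
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "channel": channel,
            "id": int(event_id),
            "user": user,
        })
    return events


def find_log_tampering(events: list[dict], max_gap: timedelta = timedelta(hours=2)) -> list[str]:
    """Report log-clearing events and gaps longer than max_gap, in time order."""
    findings = []
    prev = None
    for ev in sorted(events, key=lambda e: e["time"]):
        # A gap much longer than the host's normal event cadence may mean records
        # were deleted; the threshold is an assumption and should be tuned per host.
        if prev is not None and ev["time"] - prev["time"] > max_gap:
            gap = ev["time"] - prev["time"]
            findings.append(f"gap of {gap} before {ev['time'].isoformat()} (possible deleted records)")
        key = (ev["channel"], ev["id"])
        if key in LOG_CLEARED:
            findings.append(f"{ev['time'].isoformat()} {LOG_CLEARED[key]} by {ev['user']}")
        prev = ev
    return findings


if __name__ == "__main__":
    for finding in find_log_tampering(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

Both checks only work if the record of the clearing survives, which is the practical argument for forwarding logs to a SIEM or other central store as they are written: an attacker who clears the local log then destroys only the copy they can reach, and the 1102 or 104 event that announces the clearing is already off the host.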


How to defend against anti-forensics

Organisations should take a proactive, multi-layered approach to their defences.

Preventive

It’s important to have measures in place that are designed to mitigate the risk of an attack succeeding in the first place – prevention is always better than cure.

So, take care of the basics first, including but not limited to:

  • Access control
  • Anti-malware software
  • Secure configuration
  • Regular patching
  • Firewalls
  • Staff training and awareness

Detective

Where your prevention fails, detection steps in. Detective systems can prove invaluable, as they allow you to identify any attacks that slip through your preventive barriers early on, before they can do too much damage.

Good detective tools and capabilities worth looking into include:

  • SIEM (security information and event management);
  • EDR (endpoint detection and response); and
  • SOC (security operations centre).

Responsive

Should you suffer an incident – specifically, one where anti-forensics techniques have been used – it’s generally best to get insight from someone who is familiar with these techniques.

You should also keep an eye out for anti-forensics techniques if you’re unsure whether they were used. This means checking for anomalies that can signify that anti-forensics techniques were used, which requires using the right tools as well as having the right expertise.

The expertise could come from either someone in-house, or a third party if you lack the internal resource. Either way, your forensic investigator must be suitably qualified and up to date with the latest anti-forensics techniques and digital forensic software.

It’s also important that you have a clear cyber incident response plan that, among other things, states when to escalate a security event and call your expert.


Cyber incident response investigation

If you lack the internal resource, getting third-party help may be a cost-effective way of accessing seasoned experts.

Our Cyber Incident Response Investigation service can provide your organisation or other interested parties, such as insurance providers, with the necessary assurance that the incident is being dealt with quickly and efficiently.

The service will help your organisation answer key questions, such as how the threat actor gained access and what steps are needed to contain, eradicate and recover from the attack.
Why choose GRCI Law?

  • Unlike other organisations, GRCI Law is a specialist legal consultancy that only advises on cyber security, data protection and data privacy.
  • GRCI Law’s team of cyber security specialists, qualified lawyers and DPOs (data protection officers) has decades of experience in privacy and information/cyber security compliance programmes and personal data solutions for high-profile organisations.
  • GRCI Law takes a pragmatic approach to assessing and managing your data privacy and cyber security needs, aligning standards and best practices with your operational and business requirements.
  • GRCI Law’s Emergency Cyber Incident Response Service, for when your organisation is under attack, has been approved as a CREST-accredited service.
  • GRCI Law works 24/7 to ensure that you are covered any time of the day or night.

If you’d like to know more about our cyber incident response services and aren’t currently experiencing a cyber attack, contact us on +44 (0)333 900 5555 to discuss how we can help you.