Anti-Forensics: An Overview of Evasion Tactics

By Jordan Cortado on October 25, 2024

Introduction

In the world of cybercrime, a decent hacker can find their way into a security system and exploit it. However, a good hacker is not only focused on breaching security systems but also on covering their tracks to avoid detection and prosecution. This is where anti-forensics comes into play, the yin to digital forensics’ yang. Where the goal of digital forensics is to gather as much data from digital systems as possible to recreate the crime scene, anti-forensics is the use of various tactics, techniques, and procedures (TTPs) by attackers to hide their tracks or evade detection [2]. By investing effort in anti-forensics, hackers aim to remain undetected before, during, and after their attack. This article explores some of the common evasion techniques and offers tips for mitigating them in the digital forensics landscape.

Common Evasion Techniques

One of the most common evasion tactics is time manipulation, in particular timestomping. Timestomping is a tactic in which the adversary changes the creation date and time of a malicious file to disguise their actions. These timestamps live in the master file table (MFT) of a system, which is the database that records every file on the system [3]. Metadata that can be gathered from the MFT includes a file’s location, name, creation date, and access times. Disrupting a file’s metadata makes it harder for investigators to piece together the timeline of the incident.
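Added example (not code from the original article): a small Python check that applies two well-known timestomping heuristics to constructed MFT-derived records. It goes beyond the text by comparing the $STANDARD_INFORMATION timestamps that user-mode tools can set against the $FILE_NAME timestamps that only the NTFS kernel driver writes; the record field names are an assumption of this example, not a particular parser's output.

```python
from datetime import datetime

# Constructed sample records, shaped like rows an MFT parser might export (the field
# names are this example's assumption). si_* = $STANDARD_INFORMATION timestamps,
# fn_* = $FILE_NAME timestamps, all in ISO-8601 with microsecond precision.
SAMPLE_RECORDS = [
    {"path": r"C:\Windows\System32\svchost.exe",
     "si_created": "2019-12-07T09:14:52.426811",
     "si_modified": "2019-12-07T09:14:52.426811",
     "fn_created": "2019-12-07T09:14:52.426811"},
    {"path": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "si_created": "2019-12-07T09:14:52",          # backdated to look like a system file
     "si_modified": "2019-12-07T09:14:52",
     "fn_created": "2024-10-24T22:41:17.903315"},  # kernel-written, shows the real drop time
    {"path": r"C:\Users\alice\Documents\report.docx",
     "si_created": "2024-10-20T08:02:11.551720",
     "si_modified": "2024-10-23T17:30:45.118004",
     "fn_created": "2024-10-20T08:02:11.551720"},
]


def timestomp_indicators(record):
    """Return the names of the heuristics that fire for one record (empty list = clean)."""
    si_created = datetime.fromisoformat(record["si_created"])
    si_modified = datetime.fromisoformat(record["si_modified"])
    fn_created = datetime.fromisoformat(record["fn_created"])
    hits = []
    # $FILE_NAME is written by the kernel when the name is created and is not reachable
    # through the SetFileTime API, so a $SI creation time earlier than the $FN creation
    # time means the visible timestamp was pushed backwards.
    if si_created < fn_created:
        hits.append("si_created_before_fn_created")
    # Kernel-set times carry 100 ns precision; a fractional part of exactly zero on
    # both $SI times is typical of tools that write whole-second timestamps.
    if si_created.microsecond == 0 and si_modified.microsecond == 0:
        hits.append("zero_subsecond_si_timestamps")
    return hits


def scan_records(records):
    """Map each path to its indicators, keeping only records with at least one hit."""
    flagged = {}
    for record in records:
        hits = timestomp_indicators(record)
        if hits:
            flagged[record["path"]] = hits
    return flagged


if __name__ == "__main__":
    for path, hits in scan_records(SAMPLE_RECORDS).items():
        print(f"{path}: {', '.join(hits)}")
```

Both heuristics are indicators for an analyst to confirm against other artifacts (USN journal, event logs), not proof on their own.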

Lurking somewhere in the dark web lies cybercrime-as-a-service. Cybercrime consists of any crime committed in cyberspace. Through the internet, individuals with ill intentions and a willingness to pay can purchase the tools needed for any cybercrime-as-a-service offering (e.g. phishing-as-a-service, which provides customers with tools and real email accounts to mass-produce phishing attempts) [5]. One such service is crypting-as-a-service, the dark counterpart of encryption-as-a-service, where customers add a layer of security by concealing sensitive information. Crypting-as-a-service offers code obfuscation that repackages known malware with a different signature. Malware is usually thwarted by traditional anti-virus products that detect its digital signature. However, crypting bypasses anti-virus through subtle changes to the code that alter the signature. Also available on the dark web is device spoofing software [5]. Threat actors use this to bypass security controls that verify the ID of a device attempting to access a particular system.

With a large portion of organizations utilizing the cloud, attackers have found a way to leverage the cloud to their advantage. By hiding their activity in the cloud, they make it a challenge for investigators to track malicious traffic with network security tools. For example, network traffic that passes through Google Cloud or other trusted services is likely to slip under the radar, leaving digital forensic experts spending more time and effort in a volatile data environment [6]. A similar challenge is the use of virtual private networks (VPNs), where investigators struggle to establish the true location and identity of attackers [3].

Another impactful evasion technique is disk or data wiping. This is when hackers wipe the entire drive of a system by deleting or overwriting it in an effort to erase their trace. Adversaries carry out this technique multiple times in the hope of ensuring that the data once stored is now irrecoverable [1]. Although restoration is sometimes possible, the process requires high skill and time, which puts a pause on cyber investigations. A countermeasure to this technique is to conduct timely, secure backups, making certain that data or evidence can never be truly deleted.

Newer techniques abuse the power of artificial intelligence (AI) to hide adversaries’ traces. Given the proper prompt, AI is able to produce highly sophisticated code obfuscation that slips past advanced security tools like endpoint detection and response (EDR). Furthermore, large language models (LLMs) like ChatGPT and Google Gemini can be leveraged to develop methods that blend malware traffic into normal traffic, hindering anomaly detection for investigators [5].

Mitigation and Detection

To diminish threat actor evasion, organizations have to implement several security measures and practices that blunt evasion tactics. The name of the game is quick and efficient incident response: the sooner an attack or incident is detected, the less risk the organization carries and the sooner evidence acquisition can begin. First, it is imperative that organizations reduce the attack surface by practicing essential and fundamental cybersecurity enhancements [3]. This includes implementing zero trust, isolating critical assets, enforcing network segmentation, practicing data loss prevention, applying patches, actively monitoring systems, etc. [5]. Minimizing the likelihood of attacks drastically lowers the effort needed to recover digital evidence while also strengthening the overall cybersecurity posture.

A specific technique that can be adopted is threat hunting. This is a proactive approach to detecting previously unknown or ongoing, non-remediated threats within an organization’s network [4]. To carry this out, security teams should proactively search for threats across users, networks, endpoints, and cloud services. Furthermore, setting up multiple choke points that attackers must pass through can ensure an easy-to-follow timeline and quick incident response [7]. Combining threat hunting with tools and functions like security information and event management (SIEM), endpoint detection and response (EDR), and a security operations center (SOC) is necessary to monitor and respond to incidents in a timely manner.

Another tactic to improve overall cybersecurity is awareness training. This entails educating users to identify, block, and report social engineering attempts, i.e. phishing. Understanding what an attack is, at any level, is highly beneficial to an organization. One financial institution saw a 95% reduction in malware and viruses [8]. By enhancing employees’ ability to identify phishing ploys, organizations can mitigate the initial stage of multi-staged attacks.

Conclusion

The landscape of cybersecurity is like a never-ending game of chess, where attackers and defenders are engaged in an ongoing battle of wits. Threat actors’ strategies continue to evolve, always looking for new, innovative ways to conduct an attack and hide their tracks. To combat this, the strategies investigators use to identify, recover, and protect digital evidence must continue to evolve as well. This leaves cyberdefense experts constantly analyzing and deconstructing methods to better anticipate attack maneuvers in the hope of thwarting them. Adopting best practices in cybersecurity will lead to a swift response to anti-forensic threats.

References

[1] GeeksforGeeks. (2023, January 27). Anti forensics. https://www.geeksforgeeks.org/anti-forensics/

[2] Holmes, K. (n.d.). Understanding the Impact of Anti-Forensics Techniques. FTI Technology. https://www.ftitechnology.com/resources/blog/understanding-the-impact-of-anti-forensics-techniques

[3] Horton, V. (2024, May 30). Anti-forensics: What it is, Examples and How to Defend Against it. IT Governance Blog En. https://www.itgovernance.eu/blog/en/anti-forensics-what-it-is-examples-and-how-to-defend-against-it

[4] IBM. (2024, September 11). What is Threat Hunting? https://www.ibm.com/topics/threat-hunting

[5] Maor, E. (2024, September 12). Evasion tactics used by Cybercriminals to fly under the Radar. SecurityWeek. https://www.securityweek.com/evasion-tactics-used-by-cybercriminals-to-fly-under-the-radar/

[6] Threat Hunter Team Symantec. (2024, August 7). Cloud Cover: How Malicious Actors are Leveraging Cloud Services. Symantec Enterprise Blogs. https://www.security.com/threat-intelligence/cloud-espionage-attacks

[7] Adarma. (2023, August 1). Unlocking efficiency in cyber risk reduction. https://adarma.com/unlocking-efficiency-in-cyber-risk-reduction/

[8] Proofpoint. (2024, June 4). What is Security Awareness Training? Tools, FAQs, & More. https://www.proofpoint.com/us/threat-reference/security-awareness-training