Stopping Forensic Tools

TL;DR

This guide shows you how to make it harder for someone trying to investigate your computer after they’ve gained access (live forensics). We’ll cover techniques to detect and disrupt common forensic tools, focusing on practical steps you can take. It won’t stop a determined attacker with physical access, but will significantly raise the bar.

Detecting & Disrupting Forensic Tools

Understand the Threat: Common Tools

Memory Forensics: Tools like DumpIt, Belarc Advisor, and FTK Imager are used to grab a snapshot of your computer’s RAM.
Disk Imaging: Programs such as FTK Imager, EnCase, and dd create copies of your hard drives.
Log Analysis: Event Viewer (built-in Windows tool), Sysmon, and other log collectors gather system activity.
Network Monitoring: Wireshark captures network traffic.

Detecting Running Forensic Programs

Look for unusual processes. Task Manager (Windows) or top/htop (Linux) are a starting point, but attackers will often hide their processes from these basic viewers.

Process Explorer: A more powerful Windows tool than Task Manager. It shows parent-child process relationships, which can reveal hidden activity.
procexp /accepteula

Sysinternals Suite: Download from Microsoft and scan for unusual files or processes.

Autoruns: Shows programs that start automatically. Look for anything unexpected.
autoruns -accepteula

Anti-Debugging Techniques

Forensic tools often use debuggers to analyse software. These techniques make debugging harder.

Detect Debugger Presence: Code can check if a debugger is attached.
IsDebuggerPresent()

(This is a Windows API function; using it requires programming knowledge.)

Timing Checks: Debuggers slow down execution. Measure the time taken for specific operations and flag anomalies.

Tampering with Logs

Attackers might try to clear logs, but this is often detectable. You can proactively make log analysis harder.
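The point that log clearing is usually detectable, shown as an added example that is not from the original post: a small Python scan over an exported Windows event log that flags the records Windows itself writes when a log is cleared (Security 1102, System 104) and any backwards jump in a channel's record numbering. The one-record-per-line "RecordId,Channel,EventId,Message" format and the sample export are constructed for this example.

```python
"""Flag log-clearing activity in an exported Windows event log (added example)."""
from dataclasses import dataclass

# Events Windows writes when a log is cleared; they survive the clear itself.
CLEAR_EVENT_IDS = {
    ("Security", 1102): "Security audit log cleared",
    ("System", 104): "Event log cleared (System channel records which log)",
}


@dataclass
class Finding:
    record_id: int
    channel: str
    event_id: int
    reason: str


def parse_record(line):
    # Assumed export format (constructed): "RecordId,Channel,EventId,Message"
    rid, channel, eid, msg = line.split(",", 3)
    return int(rid), channel.strip(), int(eid), msg.strip()


def find_log_clearing(lines):
    findings = []
    last_rid = {}
    for line in lines:
        if not line.strip():
            continue
        rid, channel, eid, _msg = parse_record(line)
        reason = CLEAR_EVENT_IDS.get((channel, eid))
        if reason:
            findings.append(Finding(rid, channel, eid, reason))
        # RecordId increases per channel; a backwards jump means the channel
        # was cleared or records were removed, even if the clear event is gone.
        prev = last_rid.get(channel)
        if prev is not None and rid <= prev:
            findings.append(Finding(rid, channel, eid, f"RecordId reset ({prev} -> {rid})"))
        last_rid[channel] = rid
    return findings


# Constructed sample export: the Security log is cleared, then the Application log.
SAMPLE_EXPORT = """\
4710,Security,4624,An account was successfully logged on
4711,Security,4688,A new process has been created
1,Security,1102,The audit log was cleared
2,Security,4624,An account was successfully logged on
902,System,7036,The Windows Event Log service entered the running state
903,System,104,The Application log file was cleared
"""

if __name__ == "__main__":
    for f in find_log_clearing(SAMPLE_EXPORT.splitlines()):
        print(f"[{f.channel}] record {f.record_id} event {f.event_id}: {f.reason}")
```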

Log Rotation: Configure logs to rotate frequently (e.g., daily or even hourly). This limits the amount of historical data available.
logrotate /etc/logrotate.conf

(Linux example, configuration varies by system).

Log Encryption: Encrypt logs to prevent easy reading if they are copied.

Overwrite Logs: Periodically overwrite older log entries with random data (use with caution as it can hinder legitimate investigations).

Disk Space Management

Make disk imaging more difficult.

Full Disk Encryption: Use BitLocker (Windows), FileVault (macOS) or LUKS (Linux). This makes the entire drive unreadable without the key.

Sparse Files: Create large, mostly empty files to fill up disk space. This increases imaging time and complexity.
fallocate -l 10G sparsefile

(Linux example).

Memory Protection

Protecting RAM from easy access.

Anti-Volatility: Tools exist to detect and disrupt memory forensics tools. These are often complex to set up.

Page File Encryption: Encrypt the page file (where Windows swaps memory data). This makes it harder to recover deleted or swapped information.

Network Obfuscation

Make network traffic analysis more difficult.

VPN/Proxy: Use a VPN or proxy server to hide your IP address and encrypt network communication.

Tor Network: Provides anonymity by routing traffic through multiple relays (slow).

Important Note: These techniques are not foolproof. A skilled attacker with sufficient resources can often bypass them. The goal is to increase the effort and time required for a successful investigation, potentially deterring less sophisticated attackers.

The post Stopping Forensic Tools appeared first on Blog | G5 Cyber Security.
