Rise of anti-forensics techniques “requires diligent response from digital investigators”

The industry is facing a shortage of digital forensics practitioners able to investigate attacks that use fileless malware

The security sector is facing a shortage of digital forensics practitioners able to investigate attacks that use fileless malware and other anti-forensics measures configured to leave little trace on physical disks. 

According to Alissa Torres, founder of Sibertor Forensics and former member of the Mandiant Computer Incident Response Team: “Attackers know how forensics investigators work and they’re becoming increasingly more sophisticated at using methods that leave few traces behind. Put simply, we’re in an arms race where the key difference is training.”

In the last year, Torres has witnessed a substantial rise in the presence of fileless malware that exists only in volatile memory and avoids installation on a target’s file system. “Five years ago,” said Torres, “viewing sophisticated anti-analysis and acquisition techniques in the wild was something akin to the chances of witnessing a unicorn, but that’s no longer the case. As techniques for detecting trace artefacts on a compromised system have improved, it’s very much the case that the more sophisticated attackers have adapted quickly.”

Torres estimates that perhaps one in every four Digital Forensics and Incident Response (DFIR) professionals has the level of training necessary to successfully analyse the newer self-defence techniques, which include more sophisticated rootkit and anti-memory-analysis mechanisms.

“The memory forensics field exploded around 2005 when many of the parsing tools started to become available,” explained Torres, “and its use in forensics has been growing ever since. An incredible advantage this analysis method has is speed. A skilled expert in memory forensics can discover insights a lot quicker and pick up on information that’s missed in traditional disk imaging.”

Although the investigation tools have improved, Torres points out: “Owning a hammer and a saw doesn’t make you a carpenter. A deeper understanding of the operating system internals to include memory management allows the examiner to access target data specific towards the needs of the case at hand.”

SANS FOR526: Memory Forensics In-Depth

Torres is lead author and instructor of the SANS FOR526: Memory Forensics In-Depth course which she will be teaching at the upcoming annual DFIR Summit and training event in Prague. This runs from 5-17 October.

The six-day course provides the critical skills necessary for digital forensics examiners and incident responders to successfully perform live system memory triage and analyse captured memory images.

The course uses the most effective freeware and open-source tools available in the industry today and provides an in-depth understanding of how these tools work in the real world.

Torres will also be presenting on the subject of ‘Baselining Memory for Anomaly Detection’. Indeed, a number of leading speakers are set to cover the most innovative DFIR topics at the DFIR Summit, which is to be held on Sunday 11 October.

For more information visit: https://www.sans.org/event/dfir-prague-2015/

About the SANS Institute

The SANS Institute was established in 1989 as a co-operative research and education organisation. SANS instructors teach over 50 different courses at more than 200 live cyber security training events as well as online.

An affiliate of the SANS Institute, GIAC validates employee qualifications via 27 hands-on technical certifications in information security.

The SANS Technology Institute, itself a regionally accredited independent subsidiary, offers Master’s degrees in cyber security. SANS Institute also operates the Internet’s early warning system, designated the Internet Storm Center (www.SANS.org).


About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications). Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute’s George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian is actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications’ dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.
