Anti-forensics tools and skills to thwart investigators are emerging in the underground hacker scene.
One example is a class of programs called the Loadable Kernel Modules (LKM) which, if used by hackers, can hide data even from forensics experts.
LKMs are files that contain components that can run dynamically. Normally, LKMs are used to load hardware drivers.
Hackers can create LKM rootkits that can access the kernel directly, while hiding processes, connections, directories and files without modifying the binaries of any program. A rootkit is a collection of programs that a hacker uses to mask intrusion and get access to a computer.
While most hackers' rootkits activities can be detected by methods such as doing MD5 checksums, if LKM rootkits are used, any checksum methods become useless as no files would have been modified.
It is not just a case of hidden files but the alteration of kernel processes so that queries on various information to the server would return fake results. For example, when a file search is made, even if the file were there, the search will turn up negative.
By checking ports for unusual activities, it might be possible to detect that the computer system has been compromised or "rooted". Tools such as Kstat can be used to detect rooted systems, but there are limitations.
Computer forensics typically involves two activities, data collection extraction and recovery as well as analysis. Data collection extraction and recovery involve identifying critical information, protecting and preserving the integrity of electronic data during forensic examination from any possible alteration, damage or data corruption.
Analysis includes analysis of data and information that could reveal the contents of hidden files.
For computer forensics, having good quality data is imperative. Just by downgrading the quality of data to make the output suspect would render the data useless in a court of law.
"The idea is not to train IT professionals into lawyers," said Zaid Hamzah, managing director of i-Knowledge Technologies, an electronic legal services company in Singapore. Rather, it is to let IT professionals be sufficiently aware of the laws so that they can operate more effectively within the legal framework.
The problem is that for certain businesses, even if the IT system is technically competent, it would still be a failure if it is not aligned with the business' legal obligations. And when organisations suspect unauthorised or unethical IT activities, security measures and forensics activities could be rendered inadmissible in court because of technicalities.
A striking example given by Zaid is that of log files. Although log files are admissible in some countries, in others they are regarded as hearsay evidence, which is generally not admissible except under certain scenarios.
Hearsay evidence refers to oral statements of a person other than the person testifying, or statements contained in documents offered to prove the truth of its contents. A possible scenario where log files can be admissible is when they are enabled as part of the normal rules of doing business.
Louis Chua writes for Computerworld