One session that caught my eye at this week’s RSA conference in London was a talk by Christopher Novak of Verizon on the growing capability of hackers to disguise their traces. Anti-forensic techniques for covering tracks seem to be advancing very rapidly, and they are getting easier to apply. That demands a step change in our approach to detecting criminal activity and establishing evidence of it.
Almost nine out of ten cases are now believed to involve some form of anti-forensics, and the software tools are developing rapidly. Techniques in everyday use include wiping data; manipulating the system clock so that file and log timestamps lie; overwriting or editing audit logs; laying false trails; substituting look-alike characters from other alphabets into file names so that they pass a casual inspection; and encryption and steganography (hiding data inside other data).
Where is this leading? It is already becoming almost impossible to detect the direct signs of a professional attack. Today’s forensic expert needs to be much more of a Sherlock Holmes: looking for the indirect signs that an attack may have happened rather than for traces of the attack itself, and spotting things like the dog that didn’t bark in the night, such as the log entries that should exist but don’t. We can also expect an escalating arms race between criminals and law enforcement. Future advances in techniques for hiding data are likely to be pioneered by hackers rather than by governments or business. It’s a fascinating, but scary, thought.