Brain Dump

Reducing the Footprint

Tags
security

Tries to hide or minimise the visible [see page 23, disruption] to a system leading up to an attack, so as to make it harder to trace where the attack came from or who was responsible.

Approaches

[see page 24, Memory Injection]

Code is injected directly into process memory, leaving no trace in the file system. This can be done by exploiting a buffer overflow.

Another approach is Userland Exec: a program is started and then its instructions are overwritten in memory by writing another program in its place. The process name doesn't change, but the access control that would apply to launching a new process is bypassed and your own program ends up running inside the existing process.
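A defender-side check for the two techniques above, added here as an example and not part of the original note: both leave code running from memory that no on-disk file backs, so a scan of `/proc/<pid>/maps` for executable regions that are anonymous, sit on the stack or heap, or point at a deleted file (memfd and unlinked temp files show up this way) gives a first lead. The `MAPS_RE`, `Finding` and `scan_maps` names and the sample maps lines are constructed for this example.

```python
import re
from dataclasses import dataclass

# One /proc/<pid>/maps line: start-end perms offset dev inode [pathname]
MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"[0-9a-f]+\s+[0-9a-f]+:[0-9a-f]+\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)
# Anonymous executable regions the kernel itself provides to every process
KERNEL_EXEC_REGIONS = {"[vdso]", "[vsyscall]"}

@dataclass
class Finding:
    start: int
    end: int
    perms: str
    path: str
    reason: str

def scan_maps(maps_text: str) -> list[Finding]:
    """Flag executable mappings that are not backed by an on-disk file.
    Injected shellcode and an image overwritten in place leave exactly this
    footprint; JIT engines do too, so treat results as leads, not verdicts."""
    findings: list[Finding] = []
    for line in maps_text.splitlines():
        m = MAPS_RE.match(line.strip())
        if not m or "x" not in m["perms"]:
            continue  # malformed, or not executable: cannot be running code
        perms, path, inode = m["perms"], m["path"].strip(), int(m["inode"])
        if path.endswith("(deleted)"):
            reason = "executable mapping backed by deleted file"  # memfd:, unlinked tmp
        elif inode == 0 and path in ("[stack]", "[heap]"):
            reason = f"executable {path}"  # non-executable by default on modern kernels
        elif inode == 0 and path not in KERNEL_EXEC_REGIONS:
            reason = "anonymous RWX mapping" if "w" in perms else "anonymous executable mapping"
        else:
            continue  # file-backed, or a kernel-provided region
        findings.append(Finding(int(m["start"], 16), int(m["end"], 16), perms, path, reason))
    return findings

# Constructed sample of /proc/<pid>/maps output, not a real capture
SAMPLE_MAPS = """\
55d4c0e00000-55d4c0e01000 r-xp 00000000 fd:01 1310722 /usr/bin/sleep
55d4c1a00000-55d4c1a21000 rw-p 00000000 00:00 0       [heap]
7f2b3c000000-7f2b3c021000 rwxp 00000000 00:00 0
7f2b3c400000-7f2b3c410000 r-xp 00000000 00:05 1234    /memfd:payload (deleted)
7ffd1e3e0000-7ffd1e401000 rwxp 00000000 00:00 0       [stack]
7ffd1e4f0000-7ffd1e4f2000 r-xp 00000000 00:00 0       [vdso]
"""
```

Running `scan_maps(SAMPLE_MAPS)` reports the anonymous RWX region, the deleted memfd mapping and the executable stack, and leaves the file-backed binary, the heap and `[vdso]` alone.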

[see page 25, Live CDs] / USB sticks / Virtual Machines

The operating system or attack script is loaded from a live USB drive, which rarely persists any changes to the boot media after logging off.

Live CDs don't mount the host's storage device, so they leave no evidence behind on it. VMs can easily be securely deleted, purging all evidence from the disk.

[see page 26, Anonymous Identities] & Storage

  • Webmail accounts require no identifying authorisation.
  • Cloud services can be set up with just a credit card.
    • Especially useful with stolen or prepaid cards.
  • Amazon EC2 instances can form botnets and carry out malicious attacks.
  • Amazon S3 can store data and can be beyond the reach of an investigation.
  • If combined with live CDs/proxies for the setup, these services could be untraceable.

[see page 27, Attacking the Investigator]

Software and data can be crafted to disrupt the tools used in the investigative process.

  • Files that crash EnCase/Autopsy.
  • Disrupt/crash Snort, tcpdump, Wireshark.
  • Privilege escalation from the evidence onto the investigators' machines.
  • Erasure of collected evidence.
  • Leak/obtain information about the analyst or investigator.

An effective approach with encrypted drives is a wipe limit: if the password is entered incorrectly enough times, the drive is wiped.
