Forensics under pressure as hackers 'leave no trace'
Hackers are getting more sophisticated in leaving fewer digital footprints to investigate, according to fraud industry experts.
The security sector is facing a shortage of digital forensics practitioners able to investigate attacks that use so-called fileless malware and other anti-forensics measures configured to leave little trace on physical disks.
Alissa Torres, founder of Sibertor Forensics and former member of the Mandiant Computer Incident Response Team, said: “Attackers know how forensics investigators work and they’re becoming increasingly more sophisticated at using methods that leave few traces behind. Put simply, we’re in an arms race where the key difference is training.”
In the last year Torres has witnessed a substantial rise in the presence of ‘fileless’ malware that exists only in volatile memory and avoids installation on a target’s file system.
“Five years ago viewing sophisticated anti-analysis and acquisition techniques in the wild was something akin to the chances of witnessing a unicorn, but that’s no longer the case. As techniques for detecting trace artefacts on a compromised system have improved, it’s very much the case that the more sophisticated attackers have adapted quickly.”
She estimates that possibly one in every four Digital Forensics and Incident Response (DFIR) professionals has the level of training necessary to successfully analyse the new types of self-defence techniques that include more sophisticated rootkit and anti-memory analysis mechanisms.
“The memory forensics field exploded around 2005 when many of the parsing tools started to become available,” explained Torres, “and its use in forensics has been growing ever since. An incredible advantage this analysis method has is speed. A skilled expert in memory forensics can discover insights a lot quicker and pick up on information that’s missed in traditional disk imaging.”
Although the investigation tools have improved, Torres points out: “Owning a hammer and a saw doesn’t make you a carpenter. A deeper understanding of the operating system internals to include memory management allows the examiner to access target data specific towards the needs of the case at hand.”