Methodology

Are users getting smarter?

First published February 2010

by Darren Ilston of MelBek Technology

www.melbek.co.uk

There is no doubt in my mind that computer users in general think they are becoming smarter when it comes to covering their tracks.The usual suspects of deleting browser history and cache files are normally recoverable in one state or another, but I have witnessed a growing trend in the installation of anti-forensic software, or the remnants of it having been installed at some point, as users become smarter.

As an example; MelBek was recently asked to look for something specific on a company owned laptop. When examining the contents of the laptop further, it quickly became apparent that an anti-forensic application had been used to erase data.

When the user had removed the anti-forensics application a trail was left behind, which we were able to use as evidence. This type of residual evidence can be crucial in an investigation, but this should not be where the investigation stops, as there is always the need to consider user error.

I am sure some of us in the forensic world have seen cases where there appears to have been data erased, only to find that the user forgot a folder; or didn’t allow enough time for the deletion process; or perhaps the software has a context menu and they need to manually right click and carry out a further action, only they forgot.

I see this quite often and have come to the conclusion that anti-forensic software gives false reassurance to the user and they become complacent. They think it is running constantly, forgetting that it may crash, or neglecting to run it entirely.

Anti-forensic software is readily available for download and some of it does a pretty good job of covering the user’s tracks, with a home user there is little you can do to avoid this kind of situation. For organisations this is not the case, it can be avoided by not allowing local administrator access on the workstations or laptops, and by enforcing good security procedures.

I regularly come across PCs with local administrator access being given to the user, normally because of a software requirement, but this kind of network administration can have serious consequences when forensics investigation is needed.

Of course you will not stop the determined user that boots a CD and runs anti-forensic software that way; trying to produce evidence that proves this was the case can be impossible at times, but there are plenty of things that can be done to stay one step ahead.

So are users getting smarter? I think they are; but as long as they remain human they are always vulnerable to making mistakes, and it is the job of the industry to outsmart them.

Discussion

No comments yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 955 other followers

%d bloggers like this: