Say hello to anti-forensics...

IT forensics is a relatively new term for quite an old approach to IT security, that of thinking laterally and filling in the gaps in one's knowledge of a given virus, malware or similar attack scenario.

Nonetheless, it seems that a complete IT security sub-culture has grown up around the topic, so it's hardly surprising that the black hat hackers have developed a counter-culture called, appropriately enough, anti-forensics.

The key to IT security forensics is, of course, the use of automated tools to recover data and assess what, exactly, has happened after a hacker or similar malware/virus attack has taken place.

Likewise with anti-forensics - black hat hackers are starting to use automated routines to cover their trails and generally make life difficult for anyone who investigates their attack methodology.

Utilities such as Slacker, Transmogrify and Timestomp are typical of the new generation of anti-forensic applications.

Slacker is named after the slack space at the end of files, breaking down hacker data and spreading it across file slack space. To the untrained eye and even forensic data utilities, this data looks like like random bytes, but in reality, can hold a complete hacker database.

Transmogrify, meanwhile, is best-known for being the first black hat utility to defeat the file signature capabilities of Encase, one of the most popular data forensics applications.

In simplistic terms, Transmogrify allows hackers to encode and decode data and program files but, of course, the software does much more than this.

Last, but not least, Timestomp changes the attributes relating to file date stamps, which causes severe roblems for IT investigators, who then have no idea of the timeline of the data files they are examining.

This, in turn, causes problems when trying to piece together what happened on the system they are investigating.

You probably won't read about anti-forensics in any of the popular IT security magazines just yet, as it's a relatively new science as far as black hat hackers are concerned.

Despite this - as they say - you should watch this space.

Have a good weekend everyone...