Anti Forensics Reached A New Level: Can Cyber Forensics Product Vendors Match It?

Cyber crime investigation is a specialised and delicate task. It is primarily supported by a sound and legally sustainable cyber forensics procedure. A forensic analysis of the suspected or victim computer can provide valuable evidence and leads that can help in reaching the offender.

The starting point for any cyber forensics investigation is to ascertain the internet protocol address that was used to commit the cyber crime. However, an IP address is just the starting point and it should never be considered the sole criterion for arrest and conviction. The next step is to find the traces of the system compromise and the cyber crime methodology used by the cyber criminal.

This is a simple task in an ideal situation, where no anti forensics methods are used to hide the tracks and traces of the cyber attack. However, in the present times, such an ideal situation does not exist. Sophisticated malware like Stuxnet, Duqu, Flame, etc. are well beyond the reach of various anti virus products.

As if this were not enough, cyber criminals are using anti forensics techniques to defeat cyber forensics investigations. The expertise and methods these cyber criminals bring to anti forensics far exceed those of the cyber forensics product manufacturers. This makes the task of cyber forensics professionals next to impossible.

Researchers at Microsoft have found malware that deletes its own components so that researchers and forensics investigators cannot analyse or identify it. The so-called Win32/Nemim.gen!A Trojan is also unusual in that, unlike most Trojan downloaders that are put in place to deliver the real payload, this Trojan is also the payload. Researchers at Microsoft were lucky that some pieces of the malware still remained during the analysis.

Microsoft found two components of the Trojan that it downloads and runs, including a file infector and a password-stealer. The file infector, which Microsoft identified as Virus:Win32/Nemim.gen!A, tries to infect executable files in removable drives. The password-stealer, PWS:Win32/Nemim.A, targets user credentials in email accounts, Windows Messenger/Live Messenger, Gmail Notifier, Google Desktop, and Google Talk. The Trojan sometimes appears as part of a display graphics driver in order to camouflage itself, typically as a file called igfxext.exe, according to Microsoft.

The cyber forensics product industry must be more innovative and up to date in tackling contemporary malware, as this malware is defeating cyber forensics products and making them almost redundant.