During Shmoocon 2014, Jake, along with co-presenter Alissa Torres, a digital-forensics investigator with Sibertor Forensics, described a concept tool that will force forensic scientists to rethink how they analyze memory used in computing equipment.
"At Shmoocon, we introduced a proof-of-concept tool I specifically created to show how easily artifacts can be faked in a particular discipline of computer forensics."
Jake then explained the significance of his discovery:
"Digital forensic scientists can no longer trust their automated tools when they are investigating artifacts by means of memory dumps. Forensic scientists and digital-crime investigators will have to spend more time manually validating results than before."
Kassner: Jake, you keep mentioning "memory dump" and "artifact." What are they, and why do they interest forensic investigators?
Williams: A memory dump is a snapshot of everything running on a computer. A forensic analyst will use tools to parse through a memory dump looking for evidence or artifacts of a crime, compromise, employee misconduct, etc. Forensic analysts like memory dumps for the same reason Target's malware authors do: data encrypted on the hard drive is unencrypted for processing in memory. Memory also offers an analyst a much smaller search space. If you think about your average computer today, it might have a 1TB hard drive, but only 4GB of RAM. An analyst would look for artifacts like the following:
- Evidence of private browsing sessions that are never written to disk
- Malware that only operates in memory without ever touching the disk
- Unsaved files
- Passwords typed into forms and applications
- Encryption keys for mounted encrypted drives
Kassner: Next, I asked Jake if he would share an example of where memory forensics played a major role in solving a case.
Williams: In a case I worked recently, a company told a computer-savvy employee his services were no longer needed, but they didn't actually terminate him for weeks. During that time, the employee attempted to remove traces of his illicit activity from the computer. He then challenged the termination, claiming there was no evidence for what the company alleged. We found evidence, using memory forensics, showing that the employee altered the computer in an incriminating fashion after his termination. Needless to say, he didn't move forward with his suit.
Kassner: Now that we know the basics, I asked Jake to walk us through his concept tool: Attention Deficit Disorder (ADD). From what I understand, Jake has found a way to obfuscate the contents of a memory dump.
Williams: The tool creates fake artifacts in memory before a memory dump is taken. I named the tool ADD because its use would distract forensics analysts from examining the legitimate artifacts while they chase down forgeries. It seemed appropriate.
Kassner: You mentioned that what you discovered will impact forensic scientists searching for evidence in a criminal investigation. Could you explain?
Williams: ADD allows an attacker to preposition fake files, network connections, and processes in memory. If the computer is confiscated and a memory dump is obtained by a forensic analyst, the fake artifacts could send the analyst on a wild goose chase searching for files that do not exist. A much scarier proposition is that an attacker might insert fake artifacts that attribute the attack to another cybercrime group or nation state. The mere existence of anti-forensics tools like ADD is an alert that analysts need to validate their findings. Some researchers commented about the possibility of forging artifacts in memory at BlackHat in 2007. But as far as I know, nobody has built a publicly available tool capable of doing so until now.
Kassner: Do you think this technology is already in use, and if so, how would forensic scientists know?
Williams: It's hard to say whether the bad guys are currently using tools like ADD. But if I had to guess, I'd say advanced adversaries (cybercrime groups and nation-states, for example) are already using similar techniques. As for knowing, we won't see the fake artifacts, unless we specifically look for them. That's the real contribution of ADD—to expose the possibility of forging artifacts in a demonstrable way.
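Editor's note: the interview describes planted process records and the need to validate what memory tools report, but gives no code. The following is an added example written for this page; it is not code from the interview or from Jake Williams's ADD tool, and the "memory image" layout it uses (fixed-width records tagged PROC and THRD, a singly linked process list) is invented for the demo and stands in for real kernel structures. It shows the two views an analyst normally compares, a list walk and a signature carve (the same idea as Volatility's pslist and psscan plugins), why a planted decoy looks exactly like a rootkit-hidden process in that comparison, and one way to tell them apart: require a second, independent structure (here, a thread record) to vouch for any carved-but-unlisted entry.

```python
"""Toy memory image with planted decoy process records, plus a cross-view
check that separates corroborated entries from uncorroborated ones.

Added editorial example; not code from the interview or from the ADD tool.
The record layout (PROC/THRD tags, fixed widths, singly linked process
list) is invented for this demo and stands in for real kernel structures."""
import re
import struct

PROC_TAG, THRD_TAG = b"PROC", b"THRD"
PROC_FMT = "<4sII16sI"   # tag, pid, ppid, name, offset of next PROC (0 = end)
THRD_FMT = "<4sII"       # tag, tid, owner pid
PROC_SIZE, THRD_SIZE = struct.calcsize(PROC_FMT), struct.calcsize(THRD_FMT)


def pack_proc(pid, ppid, name, nxt):
    return struct.pack(PROC_FMT, PROC_TAG, pid, ppid, name.encode().ljust(16, b"\0"), nxt)


def pack_thread(tid, owner):
    return struct.pack(THRD_FMT, THRD_TAG, tid, owner)


def build_image():
    """Constructed sample dump (not a real capture): three linked processes,
    one unlinked process that is real (rootkit-hidden, still owns a thread),
    and two decoy records planted the way an ADD-style tool would."""
    head = 0x40
    real = [  # (offset, pid, ppid, name, next)
        (0x40, 4, 0, "System", 0x60),
        (0x60, 400, 4, "svchost.exe", 0x80),
        (0x80, 1200, 400, "explorer.exe", 0),
        (0x100, 1337, 400, "rootkit.exe", 0),      # unlinked from the list
    ]
    decoys = [
        (0x200, 666, 400, "evil.exe", 0),          # no thread ever owned it
        (0x240, 31337, 4, "beacon.exe", 0),
    ]
    threads = [(0x300, 8, 4), (0x30C, 404, 400), (0x318, 1204, 1200), (0x324, 1338, 1337)]
    img = bytearray(0x400)
    for off, pid, ppid, name, nxt in real + decoys:
        img[off:off + PROC_SIZE] = pack_proc(pid, ppid, name, nxt)
    for off, tid, owner in threads:
        img[off:off + THRD_SIZE] = pack_thread(tid, owner)
    return bytes(img), head


def read_proc(img, off):
    _, pid, ppid, name, nxt = struct.unpack_from(PROC_FMT, img, off)
    return pid, ppid, name.rstrip(b"\0").decode(), nxt


def pslist(img, head):
    """Walk the linked list the way a live OS would; misses unlinked records."""
    procs, off, seen = {}, head, set()
    while off and off not in seen:  # guard against a forged cycle
        seen.add(off)
        pid, ppid, name, nxt = read_proc(img, off)
        procs[pid] = name
        off = nxt
    return procs


def psscan(img):
    """Carve every record that looks like a process, linked or not."""
    out = []
    for m in re.finditer(re.escape(PROC_TAG), img):
        if m.start() + PROC_SIZE <= len(img):
            pid, ppid, name, _ = read_proc(img, m.start())
            out.append((m.start(), pid, ppid, name))
    return out


def thread_owners(img):
    """Set of PIDs that at least one carved thread record points to."""
    return {struct.unpack_from(THRD_FMT, img, m.start())[2]
            for m in re.finditer(re.escape(THRD_TAG), img)
            if m.start() + THRD_SIZE <= len(img)}


def classify(img, head):
    """Cross-view validation: a carved-but-unlisted record is only credited as a
    hidden process if an independent structure (a thread) vouches for it."""
    listed, owners = pslist(img, head), thread_owners(img)
    known_pids = {pid for _, pid, _, _ in psscan(img)}
    verdict = {}
    for _, pid, ppid, name in psscan(img):
        if pid in listed:
            verdict[pid] = (name, "listed")
        elif pid in owners and ppid in known_pids:
            verdict[pid] = (name, "hidden")          # unlinked but corroborated
        else:
            verdict[pid] = (name, "uncorroborated")  # candidate forgery
    return verdict


if __name__ == "__main__":
    image, head = build_image()
    for pid, (name, status) in sorted(classify(image, head).items()):
        print(f"{pid:6d} {name:14s} {status}")
```

Run it and the two decoys (666 and 31337) come back "uncorroborated" while the genuinely hidden 1337 is "hidden", even though all three look identical to the carver. The caveat is the one Williams is making: a tool that also forges the corroborating structures (thread records here, or handles, VADs and timestamps in a real image) defeats this particular check, so the analyst's job is to keep adding independent views until the forger has to be consistent across all of them, and to treat any entry supported by a single structure as unproven rather than as evidence.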