Anti-forensics techniques used by Threat Actors in the Wild
12-09, 14:50–15:35 (Europe/London), Clappy Monkey Track

Threat Actors employ anti-forensics techniques that obscure some of their activity and make it more difficult to determine what actions they have performed on compromised systems. Investigators need to be aware of these techniques, and be equipped with solutions (or detection ideas) to defeat the anti-forensics measures they take.

In this talk I will present the topic of anti-forensic techniques used by threat actors in the wild. I will first set the stage and introduce the audience to the basics of incident response and the reasons that this topic is important. I will then go into the technical details of common anti-forensics techniques, listing the forensic artefacts that would prove these techniques have been used.
The techniques described will include:
- Log and file deletion
- Log collection tampering
- Bring Your Own VM
- Forensic artefact deletion

I will conclude the talk with the key takeaway: Threat Actors are sophisticated and will try to evade forensic analysis and detection via various methods; however, this presents an opportunity for defenders. Each method they use gives us additional artefacts to look for, and looking for evidence of anti-forensics is a detection opportunity in itself.
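As an added illustration of that takeaway (not material from the talk itself), the script below runs two defender-side checks over a constructed set of simplified Windows event-log records: it flags the well-known "log cleared" events (Security event ID 1102, System event ID 104, both standard Windows IDs rather than anything taken from this abstract), and it reports jumps in per-log record numbers, which are one lead for deleted records or a break in log collection. The record layout and the sample values are assumptions made for the example; record-number gaps also occur legitimately (log rollover, collection lag), so they are a triage lead rather than proof of tampering.

```python
"""Flag log-clearing events and record-number gaps in simplified Windows event records.

Added example; the event layout and sample data are constructed for illustration.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Well-known Windows events that record a log being cleared, keyed by (channel, event_id).
LOG_CLEAR_EVENTS: Dict[Tuple[str, int], str] = {
    ("Security", 1102): "Security audit log was cleared",
    ("System", 104): "Event log file was cleared",
}

# Constructed sample records (simplified; not real telemetry).
# record_id is the per-log sequence number; a jump in it means records are absent.
SAMPLE_EVENTS: List[dict] = [
    {"computer": "WS01", "channel": "Security", "event_id": 4624, "record_id": 1001, "user": "alice"},
    {"computer": "WS01", "channel": "Security", "event_id": 4688, "record_id": 1002, "user": "alice"},
    {"computer": "WS01", "channel": "Security", "event_id": 1102, "record_id": 1003, "user": "alice"},
    {"computer": "WS01", "channel": "System", "event_id": 7036, "record_id": 2201, "user": "SYSTEM"},
    {"computer": "WS01", "channel": "System", "event_id": 104, "record_id": 2202, "user": "alice"},
    {"computer": "WS01", "channel": "Security", "event_id": 4688, "record_id": 1004, "user": "alice"},
    {"computer": "WS01", "channel": "Security", "event_id": 4688, "record_id": 1012, "user": "alice"},
    {"computer": "WS02", "channel": "Security", "event_id": 4624, "record_id": 3001, "user": "bob"},
    {"computer": "WS02", "channel": "Security", "event_id": 4634, "record_id": 3002, "user": "bob"},
]


def find_log_clear_events(events: List[dict]) -> List[dict]:
    """Return one finding per event whose (channel, event_id) is a known log-clear event."""
    findings = []
    for ev in events:
        desc = LOG_CLEAR_EVENTS.get((ev["channel"], ev["event_id"]))
        if desc is not None:
            findings.append({
                "computer": ev["computer"],
                "channel": ev["channel"],
                "event_id": ev["event_id"],
                "user": ev["user"],
                "description": desc,
            })
    return findings


def find_record_gaps(events: List[dict]) -> List[dict]:
    """Report jumps in record_id within each (computer, channel) log.

    A gap means records that should exist are not in the collected data: either
    they were removed, or collection was interrupted. Both are worth a look, but
    neither is conclusive on its own.
    """
    by_log: Dict[Tuple[str, str], List[int]] = defaultdict(list)
    for ev in events:
        by_log[(ev["computer"], ev["channel"])].append(ev["record_id"])

    gaps = []
    for (computer, channel), ids in sorted(by_log.items()):
        ids.sort()
        for prev, cur in zip(ids, ids[1:]):
            if cur - prev > 1:
                gaps.append({
                    "computer": computer,
                    "channel": channel,
                    "after_record": prev,
                    "next_record": cur,
                    "missing": cur - prev - 1,
                })
    return gaps


if __name__ == "__main__":
    for f in find_log_clear_events(SAMPLE_EVENTS):
        print(f"[LOG CLEARED] {f['computer']} {f['channel']} id={f['event_id']} "
              f"by {f['user']}: {f['description']}")
    for g in find_record_gaps(SAMPLE_EVENTS):
        print(f"[RECORD GAP] {g['computer']} {g['channel']} after record "
              f"{g['after_record']}: {g['missing']} record(s) missing before {g['next_record']}")
```

On the constructed data this reports two cleared logs on WS01 (both attributed to the same account, which is the kind of pivot an investigator then follows) and a seven-record gap in WS01's Security log, while WS02 produces nothing. In practice the same logic runs over exported EVTX records or forwarded events, and the record-gap check is most useful when correlated with the clear events and with the collector's own health telemetry.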

Hela Lucas is an Incident Response Consultant at CrowdStrike. She spends her time helping customers investigate and recover from cybersecurity incidents.