With the rise of forensic response to malware intrusions, you would think that malware would be smart enough to attempt to clean up its tracks by implementing secure deletion methods. These would include secure deletion from the disk, to foil file recovery by forensic means, using tried-and-true secure deletion tools such as those used to wipe a drive of classified material. Microsoft Sysinternals sdelete.exe and a zillion other tools are freely available but, for whatever reason, have not been incorporated into attack methods. I have been wondering about this absence in malware for a while now. It will only be a matter of time. While Metasploit has pioneered a number of anti-forensics methods, not one has delved into the secure erasure of malware footprints so as to render forensic response by products such as Guidance Software EnCase moot.

Additionally, advanced methods to obfuscate in memory, and to securely delete or overwrite critical data in memory, would be needed to foil the growing rise of live memory forensics, which many organizations still can't seem to wrap their heads around well enough to use operationally. HBGary is an awesome tool for live memory forensics, as are Mandiant and the Volatility Framework.
