Interesting article over at CIO about the current state of anti-forensic software. It talks about specific tools like Timestomp, Slacker, Sam Juicer, Data Mule and others whose sole goal in life is to frustrate the forensic analyst and make life difficult for forensic tools like EnCase and the others used by law enforcement. After reading this article you have to wonder whether it is really a matter of bad guys (hax0rs) versus good guys (the p0-p0), or whether it is really just hacking tool versus forensic tool. A subtle but hugely important distinction.
Let's face it, most so-called ‘hax0rs’ are nothing more than push-button script kiddies running prepackaged tools against known vulnerabilities. Most forensic analysts spend $5,000 or so on a week-long ‘ethical hacking’ course that teaches them how to be push-button script kiddies running prepackaged tools against the aforementioned script kiddies. He with the best tools wins, which makes this really about the push-button tools and not about the hax0rs or the p0-p0.
The tools will obviously continue to evolve and one-up each other, and the ‘hax0rs’ and the ‘experts’ will continue to push buttons, while the real hackers, researchers and analysts keep advancing the state of the art. (Personally I am waiting for that file system built inside the swap space.)