Anti-forensics
5 automated security scanners
Malware Self-destruction
Purpose: The Malware Self-Destruction Scanner is designed to detect and identify self-deleting malware code and trigger-based removal mechanisms that are commonly used by malicious actors to hinder forensic analysis and evidence collection. This tool helps in identifying potential threats and enhances the security posture against sophisticated cyber threats.
What It Detects:
- Self-Deletion Commands: The scanner identifies patterns such as `rm -f`, `del /q`, and `unlink`, which are indicative of malware attempting to delete its executable files or critical components.
- Trigger-Based Removal: It detects code that removes itself based on specific triggers like system events, time intervals, or external signals, including constructs like `if (trigger) { deleteSelf(); }` and `System.exit(0);`.
- Anti-Forensic Techniques: The scanner looks for techniques used to obscure the presence of malware, such as clearing logs (`clearLogs()`) and modifying file timestamps (`SetFileTime`).
- Code Obfuscation: It identifies obfuscated code that may contain self-destruction mechanisms, including patterns like `eval(base64_decode(` and `exec(`.
- Persistence Mechanism Removal: The scanner detects attempts to remove persistence mechanisms after the malware has executed, such as using functions like `UnregisterService()` and `DeleteValue(HKEY_CURRENT_USER`.
Inputs Required:
- Domain (string): This is the primary domain that the user needs to provide in order for the scanner to analyze potential malware repositories or code sharing platforms linked to this domain.
Business Impact: Identifying self-deleting malware and trigger-based removal mechanisms is crucial because these techniques are used to prevent forensic analysis of compromised systems, complicating digital investigations and potentially allowing malicious activities to persist undetected. This can significantly weaken an organization’s security posture by making it harder to detect and respond to threats effectively.
Risk Levels:
- Critical: Malware with self-deletion commands or trigger-based removal mechanisms that are actively deleting themselves shortly after execution poses a critical risk as they could evade immediate detection and analysis.
- High: Code obfuscation techniques can be highly risky if they hide the true intent of the malware, potentially allowing it to persist in systems for longer periods before being detected.
- Medium: Anti-forensic techniques that modify system logs or timestamps are a medium risk as they could make it difficult to trace back the origin or actions of the malware.
- Low: Informational findings such as basic obfuscation methods might pose only a low risk, unless associated with other indicators suggesting more advanced and dangerous capabilities.
- Info: These include minimal code snippets that do not necessarily indicate significant risk but could be indicative of potential malicious activity.
If specific conditions for each risk level are not detailed in the README, they have been inferred based on common malware characteristics and their impact on system security.
Example Findings: The scanner might flag a piece of code that attempts to delete its executable file shortly after execution or detects obfuscated patterns suggesting potential self-destruction.
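As an added illustration (not the scanner's own code), the following Python sketch shows how the indicator categories and risk levels listed above can be turned into a line-by-line pattern scan over source text. The regexes, the category names and the risk level assigned to persistence-mechanism removal (which the page does not state) are assumptions; the sample snippet is constructed.

```python
import re
from typing import Dict, List, Tuple

# Indicator categories from the scanner description, each with regexes for the
# patterns it names. Risk per category follows the page's risk table; the level
# for persistence removal is not given on the page and is an assumption here.
INDICATORS: Dict[str, Tuple[str, List[str]]] = {
    "self_deletion": ("Critical", [r"\brm\s+-f\b", r"\bdel\s+/q\b", r"\bunlink\s*\("]),
    "trigger_removal": ("Critical", [r"if\s*\(\s*trigger\s*\)\s*\{\s*deleteSelf\(\)",
                                     r"System\.exit\(0\)"]),
    "obfuscation": ("High", [r"eval\s*\(\s*base64_decode\s*\(", r"\bexec\s*\("]),
    "anti_forensic": ("Medium", [r"\bclearLogs\s*\(", r"\bSetFileTime\b"]),
    "persistence_removal": ("Medium", [r"\bUnregisterService\s*\(",
                                       r"DeleteValue\s*\(\s*HKEY_CURRENT_USER"]),
}
LEVEL_ORDER = ["Info", "Low", "Medium", "High", "Critical"]


def scan_source(source: str) -> List[dict]:
    """Return one finding per (line, category) match: category, risk, line, matched text."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for category, (risk, patterns) in INDICATORS.items():
            for pat in patterns:
                m = re.search(pat, line)
                if m:
                    findings.append({"category": category, "risk": risk,
                                     "line": lineno, "match": m.group(0)})
                    break  # one finding per category per line is enough
    return findings


def overall_risk(findings: List[dict]) -> str:
    """Highest risk level among the findings; 'Info' when nothing matched."""
    if not findings:
        return "Info"
    return max((f["risk"] for f in findings), key=LEVEL_ORDER.index)


# Constructed sample (not real malware): a script that clears logs, then removes itself.
SAMPLE = """#!/bin/sh
echo "starting"
clearLogs()
rm -f "$0"
"""

if __name__ == "__main__":
    for finding in scan_source(SAMPLE):
        print(finding)
    print("overall:", overall_risk(scan_source(SAMPLE)))
```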
Memory Artifact Removal
Purpose: The Memory Artifact Removal Scanner is designed to identify and detect memory cleaning and anti-forensic techniques employed by organizations to obscure evidence of security incidents. These techniques can include the removal of logs, temporary files, or other artifacts from system memory, thereby complicating forensic investigations.
What It Detects:
- Memory Cleaning Tools Detection: Identifies known memory cleaning tools and utilities that are commonly used in anti-forensic activities, such as `ccleaner`, `bleachbit`, and `eraser`.
- Command Execution Indicators: Detects commands or scripts executed to clean memory, which may be found in logs or command history, including patterns like `erase memory`, `clear logs`, and `delete temp files`.
- Scheduled Task Manipulation: Identifies scheduled tasks that are set up to perform memory cleaning operations at regular intervals, such as those managed by `schtasks` or manually scheduled tasks.
- Registry Key Modifications: Detects changes to system registry keys that could be used to disable or modify logging and monitoring tools, including entries related to event logs and policy settings.
- Anti-Forensic Software Installation: Identifies the installation of anti-forensic software designed to hide or remove evidence from system memory, such as `install anti-forensic`, `setup memory hider`, and `deploy evidence eraser`.
Inputs Required:
- domain (string): The primary domain to analyze, which serves as the target for network operations and data collection.
Business Impact: This scanner is crucial for organizations aiming to maintain a transparent record of their security activities and prevent the manipulation or deletion of critical evidence that could be used in forensic investigations. Detecting and mitigating these techniques can significantly enhance an organization’s ability to respond effectively to security incidents by ensuring that all relevant information is preserved and available for analysis.
Risk Levels:
- Critical: Conditions that directly lead to severe impacts on the system, such as critical registry modifications or immediate deletion of essential logs without backup.
- High: Conditions that could significantly hinder forensic investigations, including unauthorized memory cleaning tasks affecting key system components.
- Medium: Conditions that may require further investigation and potentially remediation, involving potential exposure of sensitive information through command executions or scheduled tasks.
- Low: Informational findings that do not pose immediate risk but should be monitored for trends or future impact on security posture.
- Info: General informational findings about the presence of known memory cleaning tools without direct implications for critical systems.
Example Findings:
- Detection of `ccleaner` in service banners, indicating potential use of a well-known memory cleaning tool.
- Identification of scheduled tasks using `schtasks` to clear logs, which could be indicative of ongoing attempts to obfuscate system activity prior to an incident.
Timeline Manipulation
Purpose: The Timeline Manipulation Scanner is designed to detect historical data tampering and audit log manipulation by analyzing potential inconsistencies in timeline records. This tool aims to identify attempts to cover up security incidents or alter evidence through anomalous date ranges, inconsistent event sequencing, suspicious log deletions, altered timestamps, and unexplained event descriptions.
What It Detects:
- Anomalous Date Ranges: Detects unusually large gaps between recorded events and identifies overlapping timestamps that suggest data insertion or removal.
- Inconsistent Event Sequencing: Checks for out-of-order events that do not logically follow each other in time, as well as repeated events with identical timestamps but different descriptions.
- Suspicious Log Deletions: Identifies missing log entries and detects patterns of log truncation or sudden changes in logging behavior, which could indicate attempts to delete evidence.
- Altered Timestamps: Looks for timestamps that do not match expected system time zones or formats, as well as events with timestamps that are too precise or rounded to suggest manipulation.
- Unexplained Event Descriptions: Analyzes event descriptions for vague or generic language that could indicate tampering and detects repetitive or templated entries lacking specific details about the event.
Inputs Required:
- domain (string): Primary domain to analyze (e.g., acme.com). This input is essential for fetching log data from the specified domain’s logs.
Business Impact: Detecting historical data tampering and audit log manipulation is crucial as it can directly impact security posture by potentially obfuscating evidence of security incidents, making investigations difficult and compromising trust in the system’s integrity and reliability.
Risk Levels:
- Critical: Conditions that could lead to significant disruption or severe loss include large gaps between events that span more than a day, out-of-order event sequencing, and alterations in timestamps that are not aligned with expected formats.
- High: Conditions that could lead to substantial disruption or notable loss include suspicious log deletions and vague or unexplained event descriptions that lack specific details about the incident.
- Medium: Conditions that could lead to moderate disruption or some loss include overlapping timestamps within a day, repeated events with identical timestamps but different descriptions, and timestamps that are not aligned with system time zones.
- Low: Conditions that may indicate minor issues without significant impact include slight rounding in timestamps and slightly vague event descriptions that do not clearly indicate an incident.
- Info: Conditions that provide informational insights but generally have minimal impact include correctly formatted timestamps and detailed, specific event descriptions.
Example Findings:
- A large gap of more than a day was detected between two events in the timeline, which could suggest potential data tampering or deletion.
- An out-of-order sequence of events indicated that some entries were inserted or removed from the timeline without logical progression based on their timestamps.
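To make the timeline checks above concrete, here is an added Python example (not the scanner's own code) that walks an ordered list of events and reports the anomalies and risk levels the page describes: gaps of more than a day and out-of-order events as Critical, unexpected timestamp formats as Critical, and identical timestamps with differing descriptions as Medium. The ISO-8601 expected format and the sample events are assumptions constructed for the example.

```python
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Assumed "expected" timestamp format for this log source; anything else is flagged.
ISO_FMT = "%Y-%m-%dT%H:%M:%S%z"
GAP_THRESHOLD = timedelta(days=1)  # the page's "more than a day" rule


def parse_ts(raw: str) -> Optional[datetime]:
    """Parse a timestamp in the expected format; None signals a format mismatch."""
    try:
        return datetime.strptime(raw, ISO_FMT)
    except ValueError:
        return None


def analyze_timeline(events: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (risk, message) findings for (timestamp, description) events,
    inspected in the order they were recorded."""
    findings: List[Tuple[str, str]] = []
    prev_ts: Optional[datetime] = None
    prev_desc: Optional[str] = None
    for idx, (raw, desc) in enumerate(events):
        ts = parse_ts(raw)
        if ts is None:
            findings.append(("Critical", f"event {idx}: timestamp '{raw}' not in expected format"))
            prev_ts, prev_desc = None, desc  # cannot compare against a bad timestamp
            continue
        if prev_ts is not None:
            if ts < prev_ts:
                findings.append(("Critical", f"event {idx}: out-of-order timestamp {raw}"))
            elif ts - prev_ts > GAP_THRESHOLD:
                findings.append(("Critical", f"event {idx}: gap of {ts - prev_ts} since previous event"))
            elif ts == prev_ts and desc != prev_desc:
                findings.append(("Medium", f"event {idx}: identical timestamp, different description"))
        prev_ts, prev_desc = ts, desc
    return findings


# Constructed sample timeline (not real log data) containing one of each anomaly.
SAMPLE_EVENTS = [
    ("2024-03-01T08:00:00+0000", "user login"),
    ("2024-03-01T08:00:00+0000", "config changed"),    # same time, different description
    ("2024-03-03T09:00:00+0000", "service restart"),   # more than a day after the previous
    ("2024-03-02T10:00:00+0000", "audit log rotated"), # earlier than the previous event
    ("03/02/2024 11:00", "backup completed"),          # not in the expected format
]

if __name__ == "__main__":
    for risk, msg in analyze_timeline(SAMPLE_EVENTS):
        print(risk, msg)
```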
Disk Artifact Removal
Purpose: The Disk Artifact Removal Scanner is designed to detect secure deletion and evidence cleansing activities on disks by analyzing threat intelligence feeds to identify patterns indicative of data sanitization efforts. This helps in identifying potential attempts to cover up security incidents or remove forensic traces, thereby enhancing the overall security posture against potential malicious activities.
What It Detects:
- Secure Deletion Tools Detection: Identifies mentions of disk wiping tools such as `DBAN`, `Eraser`, `CCleaner`, and other secure deletion utilities.
- Evidence Cleansing Activities: Detects references to activities aimed at removing forensic evidence, such as clearing logs or deleting files.
- Known Exploited Vulnerabilities (KEV): Checks for mentions of known exploited vulnerabilities that could be used in secure deletion or evidence cleansing.
- Malware and Ransomware Indicators: Identifies references to malware or ransomware that could be used for data destruction or evidence removal.
- Data Exposure Indicators: Detects mentions of data exposure, leaks, or breaches that could be related to evidence cleansing efforts.
Inputs Required:
- domain (string): Primary domain to analyze (e.g., acme.com)
Business Impact: This scanner is crucial for organizations aiming to maintain high standards of digital security and privacy. By detecting attempts at secure deletion and evidence removal, it helps in preventing potential data breaches and ensuring that all digital activities adhere to strict compliance requirements.
Risk Levels:
- Critical: Findings indicating the use of undocumented or unknown secure deletion tools without proper authorization.
- High: References to known secure deletion tools without clear business justification or evidence of legitimate need for sanitization.
- Medium: Mentions of specific secure deletion commands or activities that might indicate routine maintenance but lack detailed documentation or approval.
- Low: General references to data removal in logs, which could be part of standard operating procedures but require further investigation for clarity and context.
- Info: Informational findings about potential exposure indicators without concrete evidence of malicious intent or unauthorized access.
Example Findings:
- A system log entry mentioning the use of `Eraser` for secure data deletion, which requires a detailed review to confirm compliance with security policies.
- An API call flagged as ransomware activity that demands immediate attention due to its potential impact on sensitive information and business continuity.
Forensic Tool Evasion
Purpose: The Forensic Tool Evasion Scanner is designed to detect mechanisms and indicators that organizations use to evade forensic analysis and tool detection. This helps in identifying known vulnerabilities, malware signatures, command and control (C2) server references, phishing attempts, data exposure, unauthorized access incidents, and potential weaknesses on the domain for forensic evasion.
What It Detects:
- Threat Indicator Detection: Identifies known vulnerabilities (CVE patterns), detects malware, ransomware, or trojan signatures, searches for command and control (C2) server references, and identifies phishing or credential harvesting attempts.
- Exposure Indicator Detection: Finds mentions of data exposure, leaks, or breaches, identifies unauthorized access incidents, and locates references to data dumps or sensitive information disclosures.
- Domain Reputation Analysis: Checks the domain’s reputation using VirusTotal API for malicious activities and evaluates IP addresses associated with the domain for known threats using AbuseIPDB.
- Known Exploited Vulnerabilities (KEV) Lookup: Cross-references identified vulnerabilities against CISA KEV to determine if they are part of known exploited vulnerabilities.
- Shodan Service Exposure Detection: Scans exposed services and vulnerabilities on the domain using Shodan API, identifying potential entry points or weaknesses that could be exploited for forensic evasion.
Inputs Required:
- domain (string): Primary domain to analyze (e.g., acme.com)
Business Impact: This scanner is crucial for organizations aiming to enhance their security posture by proactively detecting and mitigating mechanisms used to evade forensic tools, which can significantly hinder effective incident response strategies and data protection efforts.
Risk Levels:
- Critical: Conditions that could lead to critical severity include the discovery of zero-day vulnerabilities in exposed services or unauthorized access incidents resulting in significant data breaches.
- High: Conditions for high severity involve the detection of well-known exploits or malware signatures that are actively used by threat actors, such as ransomware or trojan horses.
- Medium: Conditions for medium severity include the exposure of sensitive information through data leaks or unauthorized access attempts, which can lead to significant regulatory fines and reputational damage if not addressed promptly.
- Low: Informational findings at low risk level might include minor vulnerabilities that are typically used in legitimate penetration testing scenarios but pose no immediate threat to organizational security.
- Info: This category includes purely informational indicators such as mentions of data exposure or unauthorized access, which do not directly impact critical systems but can be indicative of potential risks if left unaddressed.
Example Findings: The scanner might flag a CVE related to a recently discovered vulnerability in an exposed service (Critical), malware signatures within system logs (High), or traces of attempted unauthorized data access (Medium).