Sophisticated Anti-Forensic Tactics and How To Spot Them

Investigative research into anti-forensics tactics Kroll experts have observed in ongoing incident response investigations.

Across thousands of incident response engagements, Kroll’s experts have observed an uptick in the use of anti-forensic tactics, techniques and procedures (TTPs) intended to evade internal security teams and their detection tooling. Adversaries use anti-forensics to hide their activity by concealing, manipulating or deleting the evidence of their movement within a victim’s systems or network infrastructure. These techniques are difficult for analysts to spot without training and experience in detection, and they demand extra vigilance during an incident response investigation.

This series covers the anti-forensic tradecraft most commonly used by threat actors, including timestomping, clearing event logs, alternate data streams (ADS) and disabling antivirus, and how to detect each of them. Our experts explain what each TTP is and the impact it has on a cybersecurity analyst’s investigation.

Timestomping

Anti-Forensics: Timestomping Overview (Jun 13, 2022, by Andrew Rathbun)
Timestomping a File with NewFileTime (Jun 13, 2022, by Andrew Rathbun)
Detecting and Analyzing Timestomping Using KAPE and Timeline Explorer – $MFT (Jun 13, 2022, by Andrew Rathbun)
Identifying Indicators of Timestomping with .LNK Files (Jun 13, 2022, by Andrew Rathbun)
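As an added illustration, not code from Kroll, KAPE or the articles listed above: the core check behind $MFT-based timestomping detection is to compare each file’s $STANDARD_INFORMATION ($SI) timestamps, which user-mode tools can rewrite through SetFileTime, against its $FILE_NAME ($FN) timestamps, which the kernel maintains and SetFileTime does not touch, and to look for $SI values with zeroed sub-second precision. The record layout below is a simplified stand-in for what an $MFT parser would export, and the sample records are constructed, not case data.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List


@dataclass
class MftRecord:
    """Simplified $MFT record (constructed for this example): only the two
    timestamp pairs needed for the check. A real parser exposes all eight."""
    path: str
    si_created: datetime    # $STANDARD_INFORMATION: shown by Explorer, rewritable via SetFileTime
    si_modified: datetime
    fn_created: datetime    # $FILE_NAME: kernel-maintained, not reachable via SetFileTime
    fn_modified: datetime


def zero_subseconds(ts: datetime) -> bool:
    """NTFS stores 100 ns ticks, so an OS-written timestamp almost never lands on
    an exact second. Tools that take a date/time from a GUI or command line
    usually write whole seconds (fractional part zero)."""
    return ts.microsecond == 0


def timestomp_indicators(rec: MftRecord) -> List[str]:
    """Return heuristic hits for one record; an empty list means nothing stands out."""
    hits: List[str] = []

    # $FN created is written when the record is created and rewritten only on a
    # rename or move, so $SI created predating it is not produced by ordinary
    # file activity on the same volume. Caveat: a move across volumes keeps the
    # $SI created time and re-stamps $FN, so corroborate before concluding.
    if rec.si_created < rec.fn_created:
        hits.append("si_created_before_fn_created")

    # Same direction for modified. Caveat: a file copy keeps the source's $SI
    # modified time while $FN gets the copy time, so this fires on copies too.
    if rec.si_modified < rec.fn_modified:
        hits.append("si_modified_before_fn_modified")

    # Whole-second $SI values. Caveat: files extracted from ZIP archives or copied
    # from FAT/exFAT media legitimately carry coarse timestamps.
    if zero_subseconds(rec.si_created):
        hits.append("si_created_whole_second")
    if zero_subseconds(rec.si_modified):
        hits.append("si_modified_whole_second")

    return hits


def triage(records: List[MftRecord]) -> Dict[str, List[str]]:
    """Map each path with at least one indicator to its list of hits."""
    flagged: Dict[str, List[str]] = {}
    for rec in records:
        hits = timestomp_indicators(rec)
        if hits:
            flagged[rec.path] = hits
    return flagged


# Constructed sample records (not real case data).
SAMPLE_RECORDS = [
    # Ordinary document: $SI and $FN created agree, modified later, real sub-second ticks.
    MftRecord(
        path=r"C:\Users\alice\Documents\report.docx",
        si_created=datetime(2022, 6, 1, 9, 14, 3, 182_334, tzinfo=timezone.utc),
        si_modified=datetime(2022, 6, 3, 16, 40, 51, 907_113, tzinfo=timezone.utc),
        fn_created=datetime(2022, 6, 1, 9, 14, 3, 182_334, tzinfo=timezone.utc),
        fn_modified=datetime(2022, 6, 1, 9, 14, 3, 182_334, tzinfo=timezone.utc),
    ),
    # Stomped binary: $SI pushed back to 2015 with whole-second values, while $FN
    # still records when the file was actually written to disk.
    MftRecord(
        path=r"C:\Windows\Temp\update.exe",
        si_created=datetime(2015, 7, 10, 12, 0, 0, 0, tzinfo=timezone.utc),
        si_modified=datetime(2015, 7, 10, 12, 0, 0, 0, tzinfo=timezone.utc),
        fn_created=datetime(2022, 6, 12, 2, 37, 18, 455_902, tzinfo=timezone.utc),
        fn_modified=datetime(2022, 6, 12, 2, 37, 18, 455_902, tzinfo=timezone.utc),
    ),
]


if __name__ == "__main__":
    for path, hits in triage(SAMPLE_RECORDS).items():
        print(f"{path}: {', '.join(hits)}")
```

Each indicator on its own has a benign explanation (cross-volume moves, copies, ZIP extraction), so the practical workflow is to treat a record that trips several of them as a lead and confirm against other artifacts such as .LNK files, the $UsnJrnl and the $LogFile before calling it timestomping.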


