Sophisticated Anti-Forensic Tactics and How To Spot Them
Investigative research into anti-forensics tactics Kroll experts have observed in ongoing incident response investigations.
Based on Kroll’s experience through thousands of incident response engagements, our experts have observed an uptick in the use of anti-forensic tactics, techniques and procedures (TTPs) to circumvent internal security teams and their detection solutions. Adversaries use anti-forensic techniques to hide their activity by concealing, manipulating or deleting the traces of their movement within a victim’s systems or network infrastructure. These techniques can be difficult for cybersecurity analysts to spot without proper training and experience in detection, because anti-forensic TTPs demand extra vigilance during an incident response investigation.
This series focuses on the many variants of anti-forensic tradecraft commonly used by threat actors, including timestomping, clearing event logs, alternate data streams (ADS) and disabling antivirus, and how to detect each of them. Our experts explain what each anti-forensic TTP means and the level of impact each can have on a cybersecurity analyst during an investigation.