Forensics and Nation State Hackers

In a recent article, John McAfee described computer forensic as a fallacy, and it’s true… here is why…

Computer forensics is a big lie, actually it’s a building based on sand dunes, as John McAfee says: “all the things  that you call “proof” works for a 15 years old boy”,  certainly, a boy who is using LOIC or Poison Ivy RAT…

Common misconceptions:

  1. IP address can be used to track someone: IP Address alone does not mean anything, today, nearly all the people uses WiFi access points, and most of them are opened to hackers (not only using wep, but also WPA can be cracked). Moreover, any “smart” device connected to the “victim” network can act as a proxy for the hacker, a proxy that will not grab any reliable log.
  2. Application and OS Logs are very useful to track the attacker: Trust your logs ONLY IF ALL YOUR LOG SOURCES are secured in an isolated and append-only medium (like a: dvd, bluray or printed). If this is not the case, you only have garbage prone to counterintelligence (the enemy can introduce false registers to taint the investigation), so mark them as compromised too and threat that as a garbage.
  3. User agents for applications are nearly unique: Well, if the hacker is a 15 years old yes, but he haves some minimum experience: no!. You should know that the user agent can be forged, so it’s not a proof alone, maybe if the website logs the time zone of the web client, and the screen resolution, language preferences, and so, but again, it’s not a strong proof…
  4. Code analysis (similar codes, language used) can be used to profile the hacker: False again. Some hackers are opportunistic, but some others have goals. If a hacker have to assemble a ransomware or an specified RAT to bypass certain defenses, most probably he is going to take pieces of existing code. And if this is a large scale operation and the existing code does not help, he is willing to hire people to produce new functionalities. Then… If the contractor is from Russia, you most probably are going to blame Russians for he whole operation, because it’s your only one finding.
  5. Operating system of the attacker will tell you much about him: simply not true. Nearly from 2007, computers can do a very transparent virtualization (Using VMX extensions),  Common hackers will prefer to have a Windows or Linux desktop and a running virtual machine with KALI. This will not only simplify the life of the hacker, but also will prevent authorities to profile him.
  6. It’s very complex to insert a new forged register on the log: First, it can be done remotely, and second: if the computer is compromised, can be done just inserting a new line.
  7. File modification dates will tell you if the log was tampered: not really, file modifications dates can be tampered too.

Most criminal investigation agencies around the world are basing their investigations in Intelligence operations, and then, combining them with weak proofs, they can obtain a warrant and finally raid the hacker and try to obtain the left.

With wild cyber-criminals, this is working pretty good because most of them are not really experts, just amateurs needing some easy-cash. They want money and they don’t care about risks.

However, with nation state hackers, you HAVE to threat all weak proofs as a counter intelligence garbage. All the weak proofs can be introduced and/or tampered to divert the investigation.

Only if you caught the hacker in the act, and/or have really strong proofs, you may succeed.

This hacking events will be the common denominator for politics in the future, the politicians began destroying the privacy to enforce the law, and then, the same tools used to enforce the laws are violating the privacy of the rulers.

In my personal opinion: With the current policies, there won’t be any option to avoid this thing from happen. There won’t be any chance to catch or punish the intruder until it will be too late.

Leave a Reply