Rise of anti-forensics techniques requires a response

Rise of anti-forensics techniques requires a response

The industry is facing a shortage of digital forensics practitioners able to investigate attacks that use fileless malware and other anti-forensics measures that leave little trace on physical disks.

According to Alissa Torres, founder of Sibertor Forensics and former member of the Mandiant Computer Incident Response Team (MCIRT),

“Attackers know how forensics investigators work and they are becoming increasingly more sophisticated at using methods that leave few traces behind – we are in an arms race where the key difference is training.”

In the last year, Torres has seen a rise in fileless malware that exists only in volatile memory and avoids installation on a target’s file system.

“Five years ago, to see sophisticated anti-analysis and acquisition techniques in the wild was like seeing a unicorn but that is no longer the case. As techniques for detecting trace artefacts on a compromised system have improved, the more sophisticated attackers have adapted quickly.”

Torres estimates that possibly 1 in 4 Digital Forensics and Incident Response (DFIR) professionals has the level of training to successfully analyse the new types of self-defence techniques that include more sophisticated rootkit and anti-memory analysis mechanisms.

“The memory forensics field exploded around 2005 when a lot of the parsing tools started to become available and its use in forensics has been growing ever since,” explains Torres, “An incredible advantage this analysis method has is speed – a skilled expert in memory forensics can discover insights a lot quicker and pick up on information that is missed in traditional disk imaging.”

Although the tools have improved, Torres points out that “…owning a hammer and saw doesn’t make you a carpenter – a deeper understanding of the operating system internals to include memory management allows the examiner to access target data specific to the needs of the case at hand.”

Torres is lead author and instructor of the SANS FOR526: Memory Forensics In-Depth course which she will be teaching at the upcoming annual Digital Forensics and Incident Response (DFIR) Summit and Training event in Prague from the 5th to 17th of October.

The 6 day course provides the critical skills necessary for digital forensics examiners and incident responders to successfully perform live system memory triage and analyse captured memory images. The course uses the most effective freeware and open-source tools in the industry today and provides an in-depth understanding of how these tools work.

Torres will also be presenting “Baselining Memory for Anomaly Detection” alongside a number of leading speakers covering the most innovative DFIR topics at the Summit on Sunday 11th of October.

[su_button url=”https://www.sans.org/” target=”blank” style=”flat” background=”#df2027″ color=”#ffffff” size=”10″ radius=”0″ icon=”icon: arrow-circle-right”]Click here to find out more about SANS[/su_button]

About Security Buyer

Security Buyer is the leading authority in global security content, delivering expert news, in-depth articles, exclusive interviews, and industry insights across print, digital, and event platforms. Published 10 times a year, the magazine is a trusted resource for professionals seeking updates and analysis on the latest developments in the security sector.

To submit an article, or for sponsorship opportunities, please contact our team below.

Rebecca Spayne picture 2025

Rebecca Spayne

Managing
EDITOR

Georgina Turner image

Georgina Turner

Sales
Manager

Afua Akoto image - Security Buyer

Afua Akoto

Marketing Manager

Read the Latest Issue

Follow us on X

Follow us on X

Click Here

Follow us on LinkedIn

Follow us on LinkedIn

Click Here

Advertise here

Reach decision makers and amplify your marketing

Advertise here

Click Here

Related News

OneLink

Product Spotlight – Gallagher’s OneLink

Gallagher Security presents, OneLink – the product that is elevating remote security through the power of the cloud 
Pinaccle systems

Pinnacle Systems further supports Installers and System Integrators

Pinnacle Systems has launched the Pinnacle Partner Programme, a new initiative designed to provide enhanced support for installers…
Stephen Tickle

Comelit-PAC Appoints Stephen Tickle as Regional Sales Manager

Comelit-PAC has appointed Stephen Tickle as its new Regional Sales Manager.  Stephen will focus on supporting PAC’s access control…
Intersec Saudi

Intersec Saudi Arabia returns with record exhibition space

Intersec Saudi Arabia, the premier industry platform for security, safety and fire protection, will return to the Riyadh…
Abloy UK

Abloy Academy breaks attendance records

Abloy UK has achieved record breaking attendance at its Academy, with more professionals than ever attending its…
Hikvision

Hikvision Introduces X-ray Baggage Inspection System

Hikvision India has recently introduced X-ray Baggage Inspection System with AI- enabled Intelligent Recognition Capabilities…
GBV

IFPO Column: The Quiet Signals of Danger

Yoyo Hamblen of IFPO and Gary Simpson, Nonverbal and Behavioural specialist discuss the important topic of Gender-Based Violence..
Doorbird Carousel

Product Spotlight – Door Communication for the “Neue Wallufer”

 A customised solution case study for a residential complex is presented by DoorBird and CompuNet Systems GmbH 
suprema

Suprema Achieves EN 60839 Certification

Suprema, a global provider of AI-powered access control and security solutions, has achieved EN 60839-11-1:2013 Grade 3 certification
ASSA ABLOY

Electric locks are a vital component in digital access

To protect the important openings in their buildings, organizations need locks they can trust. This means more than just strength…
Scroll to Top