"Offensive forensics is an attack technique hackers use to capture non-static data that can be useful in performing further attacks," says Joe Sremack, Principal, Berkeley Research Group, LLC, a computer forensics and e-discovery firm.
In an offensive forensics procedure, the hacker captures non-static, in-memory data in order to acquire the passwords, encryption keys, or active network session data living there, which can aid them in gaining unrestrained access to precious data.
To illustrate, a simple example of an offensive forensics attack is one that captures the Windows clipboard, a place where less-than-savvy users often copy and paste their secure passwords. Hackers typically mount this type of attack through vulnerabilities in Flash.
"There are exploits that read through Flash plug-ins in browsers in combination with weak or misconfigured settings to read the full browser content, including in-memory passwords," says Sremack.
Awareness is the first step in defeating offensive forensic tricks and techniques; action is the second step.
Purpose and Methods
Hackers use offensive forensics to gain credentials such as user names and passwords that allow them to access sensitive data while concealing their identity, delaying attack discovery, and covering their tracks.
"They also want to prolong the time that they have access to a system and the time that any stolen data remains undetected, which increases its value," says Scott Hazdra, Principal Security Consultant, Neohapsis, a security and risk management firm.
Hackers look for this kind of dynamic, non-static data wherever it persists in some semi-permanent form, such as in RAM or in a swap file.
"A Windows temp file, a Windows or Mac clipboard, unencrypted login data from a Telnet or FTP application, and web browser caches are all non-static data targets," says Sremack.
Once the hacker gains user IDs and passwords, which may be stored temporarily in clear text, they can get to the next level of access, reaching resources such as internal intranet sites, document management systems, and SharePoint sites, Sremack explains.
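The targets listed above all share one property: a secret that stays in RAM, or gets paged out to a swap file, long after the program is done with it. The following C program is an added example (not code from the article or from the firms quoted in it) showing the two defensive habits that shrink that window: pinning the page that holds a secret so it cannot be written to swap, and wiping the buffer with a memset the compiler is not allowed to optimise away before the memory is released. It assumes a POSIX/Linux system; the function names, the volatile-pointer wipe idiom and the sample password are this example's own.

```c
/* Added example, not from the article: keep a secret's lifetime in memory
 * short and predictable. POSIX/Linux only (mlock/munlock). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

/* A wipe that survives dead-store elimination: the compiler cannot resolve
 * a volatile function pointer at compile time, so the call is always emitted
 * even when the buffer is freed immediately afterwards. */
static void *(*const volatile memset_ptr)(void *, int, size_t) = memset;

void secure_wipe(void *buf, size_t len) {
    memset_ptr(buf, 0, len);
}

/* Returns 1 if every byte of buf is zero, 0 otherwise (constant-time OR). */
int is_wiped(const unsigned char *buf, size_t len) {
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++) acc |= buf[i];
    return acc == 0;
}

/* Copies a secret into a heap buffer, locks the page so it is never swapped,
 * "uses" it, then wipes and unlocks before freeing.
 * Returns 1 if the buffer was zeroed before release, 0 on allocation failure.
 * If mlock() is refused (RLIMIT_MEMLOCK, containers) the wipe still happens;
 * *locked_out reports whether the lock succeeded. */
int handle_secret(const char *secret, int *locked_out) {
    size_t len = strlen(secret) + 1;
    unsigned char *buf = malloc(len);
    if (!buf) return 0;

    int locked = (mlock(buf, len) == 0);
    memcpy(buf, secret, len);

    /* ... authenticate with buf here; never copy it into a std string,
     *     log line, or clipboard ... */

    secure_wipe(buf, len);
    int wiped = is_wiped(buf, len);   /* checked before the memory goes back */
    if (locked) munlock(buf, len);
    free(buf);

    if (locked_out) *locked_out = locked;
    return wiped;
}

int main(void) {
    int locked = 0;
    /* constructed sample password, not a real credential */
    int ok = handle_secret("constructed-example-password", &locked);
    printf("wiped=%d page_locked=%d\n", ok, locked);
    return ok ? 0 : 1;
}
```

Two design points: the wipe is verified with `is_wiped` before `free()`, because after release the allocator may reuse the bytes and any check would be meaningless; and an mlock failure is deliberately non-fatal, since refusing to run is worse than running with the secret merely unpinned, as long as it is still scrubbed on every exit path.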
"This is basically a method for hackers to get what they otherwise would retrieve using a keylogger, but without the keylogger," says Sremack.
This is important to hackers because anti-virus and anti-malware tools can detect and remove keyloggers. Instead, they run tools that look through the clipboard, the registry, or wherever the computer would store this data in clear text.
These tools, which enable hackers to do these things in real time, are free and readily available on the Internet. While there are tools available to do this on Linux, the people who typically make the kinds of mistakes (storing passwords in clear text on the clipboard) that make offensive forensics possible are end users working on workstations, which most often run operating systems such as Windows and Mac.