Some of the specific tools hackers use include script tools available for the Metasploit framework.
"There is also a wide assortment of other tools for these purposes, both free and premium, like FTK Imager, RedLine, Volatility, CAINE, and HELIX3," says Hazdra.
"Offensive forensics is difficult to counter because the files in the compromised machine may be secure, but intruders have access to the machine and can grab memory—even though traditional standards would declare that system secure," says Sremack.
Approaches to foiling offensive forensics include running security utilities that mask and protect in-memory data. Examples of these kinds of applications include KeePass and KeeScrambler. KeePass is an encrypted clipboard utility that automatically clears the clipboard history. KeeScrambler encrypts browsing history.
"Every time a user types a letter into the browser, it encrypts it to prevent hackers from reading data resident in memory," explains Sremack. There is a free version of KeeScrambler available; the paid version also defeats keyloggers.
Best practices dictate that an enterprise also log systems activities on a separate machine on the network, making it harder for hackers to reach in and erase their tracks. In addition, the enterprise should use file system features that mark files as "append" only (no deleting or overwriting existing data) so that not even the systems administrator of that machine can erase what is written unless the machine enters an offline maintenance mode, explains TK Keanini, CTO, Lancope.
In the larger picture, the enterprise must have a certain amount of readiness in order to field effective incident responses to offensive forensics attacks. There are three levels at which an enterprise should be ready to aid incident response, says Keanini, with each level adding a dimension that compliments the others.
"Even if the attackers can evade one of these levels, they are going to show up on the others," says Keanini.
The first level is end-point telemetry. Each endpoint should have some system level process accounting for all actions on the device.
"While you can never be 100-percent accurate with this, zero-percent is not acceptable," says Keanini.
The second level is gateway and access point telemetry. At the ingress and egress of the network(s), some technology should be recording inbound and outbound connections. This will provide for internetworking evidence for detection and network forensics.
The third level is infrastructure telemetry.
"All networking infrastructure should exhibit unsampled Netflow/IPFIX," says Keanini. IT / security collects this data set using a tool that tracks all network traffic at the meta data level.
"This data set acts as the network's general ledger and offers the most complete picture of activity on your network," says Keanini.
When an enterprise arms itself with all three levels of telemetry, there is nowhere that an attack or attacker can hide.