Wednesday 24 September 11:50 - 12:20, Green room
Santiago Abastante (SolidarityLabs)
Antiforensics refers to a set of techniques, tools, or practices used to hinder, mislead, or obstruct digital forensic investigations. The goal of antiforensics is to make it difficult or impossible for investigators to recover, analyse or attribute digital evidence accurately.
Building on the concept of cloud antiforensics, it's crucial to understand that traditional forensic techniques often fall short when applied to cloud-native environments. Investigators face significant challenges such as lack of physical access, reliance on the cloud provider's logging and retention policies, and the need for cross-jurisdictional cooperation.
This opens opportunities for attackers to intentionally disable or tamper with logs, use short-lived compute resources like AWS Lambda to carry out malicious actions, and store payloads in less-monitored services like object storage or serverless APIs. Effective cloud forensic readiness requires proactive measures such as enabling comprehensive logging (e.g. CloudTrail, VPC Flow Logs), enforcing strict IAM policies, and integrating tamper-evident storage solutions to preserve the integrity of evidence.
In this demo-driven technical presentation I'll begin by introducing the audience to how log collection, security detection and digital forensics are executed in AWS environments: for example, which services are needed to ship data to a SIEM, which delays we can take advantage of, how GuardDuty works, and how SOC teams collect non-cloud-specific logs from servers using SSM.
Then I will demonstrate how an attacker can leverage commonly known blind spots, such as the shared responsibility model's lack of visibility and the internal delays between log generation and log collection, to execute antiforensics techniques with the objective of hindering an investigator's ability to recover, analyse or attribute activity related to cloud-based attacks.
To achieve this, I will start with basic techniques such as executing API calls to global endpoints in non-monitored regions to reduce our fingerprint, or implementing suppression rules in GuardDuty to auto-archive detections.
Then I will perform a deep dive on how we can compromise the log/event collection pipeline to control and manipulate the telemetry visible to the defender, such as tampering with the CloudTrail S3 bucket resource policy to stop log generation, or using CloudWatch rules or Kinesis Firehose transformations to skip logs related to our IAM entity, source IP, etc.
The final demo will show how we can use trusted AWS services that are usually part of a development lifecycle, such as Lambda functions, to reduce our fingerprint even further. By taking advantage of the ephemeral context of a Lambda execution and the previously mentioned shared responsibility model blind spot, we will deploy an infostealer that bypasses existing security detection implementations.
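The pipeline-tampering techniques above leave API calls in CloudTrail before the pipeline itself is degraded, so a defender's first control is to alert on those calls. The following detector is an added example, not code from the talk; the trail bucket name, the monitored-region list and the sample records are constructed for illustration, and the GuardDuty `action` field is assumed to mirror the CreateFilter API request as CloudTrail records it.

```python
import json

# Assumptions for this demo: the org's trail bucket name and monitored regions.
TRAIL_BUCKET = "example-org-cloudtrail"
MONITORED_REGIONS = {"us-east-1", "eu-west-1"}

# eventSource -> API calls that change which telemetry reaches the defender.
PIPELINE_TAMPER = {
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"},
    "guardduty.amazonaws.com": {"CreateFilter", "UpdateFilter"},  # suppression rules
    "events.amazonaws.com": {"PutRule", "DisableRule", "DeleteRule", "RemoveTargets"},
    "firehose.amazonaws.com": {"UpdateDestination"},  # e.g. swapping in a transformation Lambda
}

def classify(event):
    """Return finding tags for one CloudTrail record (a dict)."""
    findings = []
    src, name = event.get("eventSource"), event.get("eventName")
    params = event.get("requestParameters") or {}
    if name in PIPELINE_TAMPER.get(src, ()):
        findings.append(f"pipeline-tamper:{name}")
    # A bucket policy change on the trail bucket can silently stop log delivery.
    if src == "s3.amazonaws.com" and name in {"PutBucketPolicy", "DeleteBucketPolicy"}:
        if params.get("bucketName") == TRAIL_BUCKET:
            findings.append(f"trail-bucket-policy:{name}")
    # GuardDuty filters with action ARCHIVE auto-archive matching findings (assumed field layout).
    if src == "guardduty.amazonaws.com" and params.get("action") == "ARCHIVE":
        findings.append("guardduty-auto-archive")
    # Activity in a region nobody watches is the "non-monitored region" blind spot.
    if event.get("awsRegion") not in MONITORED_REGIONS:
        findings.append(f"unmonitored-region:{event.get('awsRegion')}")
    return findings

def scan(records):
    """Map eventID -> findings for records that trigger at least one finding."""
    return {r["eventID"]: h for r in records if (h := classify(r))}

# Constructed sample records in CloudTrail's JSON shape (not real log data).
SAMPLE = json.loads("""[
 {"eventID": "e1", "awsRegion": "us-east-1", "eventSource": "s3.amazonaws.com",
  "eventName": "PutBucketPolicy", "requestParameters": {"bucketName": "example-org-cloudtrail"}},
 {"eventID": "e2", "awsRegion": "us-east-1", "eventSource": "guardduty.amazonaws.com",
  "eventName": "CreateFilter", "requestParameters": {"name": "quiet", "action": "ARCHIVE"}},
 {"eventID": "e3", "awsRegion": "ap-southeast-2", "eventSource": "sts.amazonaws.com",
  "eventName": "GetCallerIdentity", "requestParameters": null},
 {"eventID": "e4", "awsRegion": "eu-west-1", "eventSource": "s3.amazonaws.com",
  "eventName": "PutBucketPolicy", "requestParameters": {"bucketName": "app-assets"}}
]""")
```

Running `scan(SAMPLE)` flags e1, e2 and e3 and leaves e4 (a policy change on an unrelated bucket) alone; in production the same logic would sit on an EventBridge rule or the SIEM so that it fires before the pipeline it protects is silenced.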
In conclusion, while often associated with malicious actors seeking to cover their tracks, antiforensic methods can also highlight limitations in forensic methodologies and drive the development of more resilient investigative tools.
Santiago Abastante
Santiago is a former police officer from Argentina, now a cloud incident responder and security engineer with over 10 years of IT experience. A digital nomad and an international speaker, Santiago has presented on cloud security and incident response at Ekoparty, FIRST, Virus Bulletin (three times), Hack.Lu, and various BSides events worldwide. He holds a Bachelor's degree in information security and a Master's degree in business administration.