The following are the guidelines given to malware authors at the CIA on how to handle disk I/O, including the steps to take when saving data to disk or deleting saved data from it.
| Directive | Rationale |
|---|---|
| DO explicitly document the "disk forensic footprint" that could be potentially created by various features of a binary/tool on a remote target. | Enables better operational risk assessments with knowledge of potential file system forensic artefacts. |
| DO NOT read, write and/or cache data to disk unnecessarily. Be cognizant of 3rd party code that may implicitly write/cache data to disk. | Lowers potential for forensic artefacts and potential signatures. |
| DO NOT write plain-text collection data to disk. | Raises difficulty of incident response and forensic analysis. |
| DO encrypt all data written to disk. | Disguises intent of file (collection, sensitive code, etc.) and raises difficulty of forensic analysis and incident response. |
| DO utilize a secure erase when removing a file from disk that wipes at a minimum the file's filename, datetime stamps (create, modify and access) and its content. (Note: The definition of "secure erase" varies from filesystem to filesystem, but at least a single pass of zeros of the data should be performed. The emphasis here is on removing all filesystem artefacts that could be useful during forensic analysis.) | Raises difficulty of incident response and forensic analysis. |
| DO NOT perform Disk I/O operations that will cause the system to become unresponsive to the user or alert a System Administrator. | Avoids unwanted attention from the user or system administrator to the tool's existence and behavior. |
| DO NOT use a "magic header/footer" for encrypted files written to disk. All encrypted files should be completely opaque data files. | Avoids signature of custom file format's magic values. |
| DO NOT use hard-coded filenames or filepaths when writing files to disk. This must be configurable at deployment time by the operator. | Allows operator to choose the proper filename that fits within the operational target. |
| DO have a configurable maximum size limit and/or output file count for writing encrypted output files. | Avoids situations where a collection task can get out of control and fills the target's disk, which will draw unwanted attention to the tool and/or the operation. |
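The "opaque file" directives above (encrypt everything written to disk, no magic header or footer) leave a trace of their own that a forensic examiner can hunt for: an encrypted file with no recognisable header has near-maximal byte entropy and matches no known file type. The scanner below is an added defensive example, not code from the original document; its short magic-prefix list, the 7.5 bits/byte threshold and the 256-byte minimum are assumptions chosen for illustration.

```python
import math
import os
import random
import tempfile
from collections import Counter

# Illustrative well-known header prefixes (assumption: deliberately not exhaustive).
KNOWN_MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpeg", b"PK\x03\x04": "zip",
               b"\x1f\x8b": "gzip", b"%PDF-": "pdf", b"MZ": "pe", b"\x7fELF": "elf"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample; encrypted or random data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def known_magic(data: bytes):
    """Name of the first matching well-known header, or None for an opaque file."""
    return next((name for magic, name in KNOWN_MAGIC.items() if data.startswith(magic)), None)

def classify(data: bytes, threshold: float = 7.5, min_size: int = 256):
    """Return (entropy, magic_name, suspicious). 'Suspicious' is near-random content
    with no recognisable header, which is exactly the profile the directives ask for."""
    ent, magic = shannon_entropy(data), known_magic(data)
    return ent, magic, (len(data) >= min_size and magic is None and ent >= threshold)

def scan_directory(root: str, threshold: float = 7.5):
    """Walk root and return [(path, entropy)] for opaque high-entropy files."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                data = f.read(1 << 20)  # the first MiB is enough for entropy and header checks
            ent, _, suspicious = classify(data, threshold)
            if suspicious:
                hits.append((path, round(ent, 2)))
    return sorted(hits)

def demo():
    """Constructed samples: a text log, a gzip-like file, and an opaque blob (stand-in for ciphertext)."""
    rnd = random.Random(7)
    blob = bytes(rnd.getrandbits(8) for _ in range(4096))
    with tempfile.TemporaryDirectory() as root:
        samples = {"syslog.txt": b"sshd: accepted publickey for ops\n" * 64,
                   "archive.gz": b"\x1f\x8b" + blob, "cache.dat": blob}
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        return [os.path.basename(p) for p, _ in scan_directory(root)]

if __name__ == "__main__":
    print(demo())  # ['cache.dat']
```

Only the headerless blob is flagged; the gzip-prefixed file has the same entropy but a recognisable header, which is why the directive against magic values cuts both ways for the defender.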