Following were the guidelines given to Malware authors at CIA, how to deal with Disk I/O and steps taken to save data on to disk or deleting saved date from disk.
DO explicitly document the "disk forensic footprint" that could be potentially created by various features of a binary/tool on a remote target.
|Enables better operational risk assessments with knowledge of potential file system forensic artefacts.|
|DO NOT read, write and/or cache data to disk unnecessarily. Be cognizant of 3rd party code that may implicitly write/cache data to disk.||Lowers potential for forensic artefacts and potential signatures.|
|DO NOT write plain-text collection data to disk.||Raises difficulty of incident response and forensic analysis.|
|DO encrypt all data written to disk.||Disguises intent of file (collection, sensitive code, etc) and raises difficulty of forensic analysis and incident response.|
DO utilize a secure erase when removing a file from disk that wipes at a minimum the file's filename, datetime stamps (create, modify and access) and its content.
(Note: The definition of "secure erase" varies from filesystem to filesystem, but at least a single pass of zeros of the data should be performed. The emphasis here is on removing all filesystem artefacts that could be useful during forensic analysis)
|Raises difficulty of incident response and forensic analysis.|
DO NOT perform Disk I/O operations that will cause the system to become unresponsive to the user or alerting to a System Administrator.
|Avoids unwanted attention from the user or system administrator to tool's existence and behavior.|
|DO NOT use a "magic header/footer" for encrypted files written to disk. All encrypted files should be completely opaque data files.||Avoids signature of custom file format's magic values.|
|DO NOT use hard-coded filenames or filepaths when writing files to disk. This must be configurable at deployment time by the operator.||Allows operator to choose the proper filename that fits with in the operational target.|
|DO have a configurable maximum size limit and/or output file count for writing encrypted output files.|
Avoids situations where a collection task can get out of control and fills the target's disk; which will draw unwanted attention to the tool and/or the operation.