This repository has been archived by the owner on Mar 28, 2023. It is now read-only.

Implement detection of filesystem anti-forensics #34

Closed
mike-myers-tob opened this issue Feb 26, 2020 · 0 comments
Labels: detections (Related to sensors and/or detection capabilities), enhancement (New feature or request), icebox, question (Further information is requested)

Comments

mike-myers-tob (Contributor) commented Feb 26, 2020

Although macOS uses APFS now, not HFS+, there may be methods of filesystem anti-forensics similar to the use of Alternate Data Streams on NTFS volumes, by which an attacker might hide their presence on the filesystem.

Research and further detail are needed here, to determine what exactly should be getting detected. It might build upon issue #23.

The feasibility challenge is that any kind of whole-filesystem activity monitoring is performance prohibitive.

mike-myers-tob added the enhancement (New feature or request), question (Further information is requested) and detections (Related to sensors and/or detection capabilities) labels on Feb 26, 2020
mike-myers-tob added this to On Hold in Santa Replacement on Feb 26, 2020

No branches or pull requests

2 participants