Attributing a cyberattack is a long-sought-after but rarely attained goal. From a legal perspective, the ability to attribute a cyberattack to an individual or a group is a vital step toward its ultimate prosecution in a court of law. In terms of national defense, attributing an attack accurately can be a step toward reprisal or other military responses.
While techniques, IP addresses, and other artifacts can all play an important role in attributing an attack, being able to tie the attacker's actions to a specific physical computer that investigators have obtained can provide overwhelming proof of an act.
A primary task of a forensic investigator is identifying information that can be used to tie something to a specific individual computer. As we use a computer, it becomes more and more individualized to its user. This occurs through the use and configuration of software, the creation of documents, and the browsing of websites, among many other ways. Many of these actions leave artifacts that can be uniquely tied to a single system.
One way to minimize the number of artifacts that are unique to a system is to use a freshly installed operating system, either by live-booting one or by creating a fresh install. In theory, nothing differentiates two copies of an operating system that were installed the same way. In reality, though, a small number of artifacts uniquely identify a system from the moment the operating system is installed.
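The way to find those install-time artifacts is differential: build a content-hash inventory of the same files on several independently installed systems, then sort each file into those that are byte-identical everywhere (no attribution value) and those that differ on every install (candidate per-system identifiers). The script below is an added example, not code from the original post or from the paper it introduces; the file list and file contents are constructed sample data, and the candidate paths (`etc/machine-id`, SSH host key) are an assumption about where install-time uniqueness commonly lives on a Linux system, not a finding reported here.

```python
"""Differential comparison of artifact inventories from several fresh installs.

Added example (not part of the original post). An inventory maps a relative
path to the SHA-256 of the file's content (None if the file is absent).
Comparing inventories from N independent installs classifies each path:
  identical - same content on every install (no attribution value)
  unique    - present on every install, different on each (candidate ID)
  mixed     - present on some installs only, or partly shared
  absent    - listed but missing everywhere
"""
import hashlib
from pathlib import Path


def hash_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def inventory_from_contents(files: dict) -> dict:
    """Build an inventory from an in-memory {path: bytes} mapping."""
    return {path: hash_bytes(data) for path, data in files.items()}


def inventory_from_dir(root, paths) -> dict:
    """Hash the given relative paths under a mounted image or root directory.
    Missing files are recorded as None so absence is itself an observation."""
    inv = {}
    for rel in paths:
        p = Path(root) / rel
        inv[rel] = hash_bytes(p.read_bytes()) if p.is_file() else None
    return inv


def classify_artifacts(inventories: dict) -> dict:
    """inventories: {install_name: {path: sha256-or-None}} -> {path: class}."""
    n = len(inventories)
    paths = set()
    for inv in inventories.values():
        paths |= set(inv)
    result = {}
    for path in sorted(paths):
        digests = [inv.get(path) for inv in inventories.values()]
        present = [d for d in digests if d is not None]
        if not present:
            result[path] = "absent"
        elif len(present) == n and len(set(present)) == 1:
            result[path] = "identical"
        elif len(present) == n and len(set(present)) == n:
            result[path] = "unique"
        else:
            result[path] = "mixed"
    return result


def candidate_identifiers(classified: dict) -> list:
    """Paths whose content differs on every install: the ones worth a closer look."""
    return sorted(p for p, c in classified.items() if c == "unique")


# Constructed sample: three hypothetical fresh installs. Contents are made up;
# the paths are assumed examples of install-time-generated files, not data
# from the paper.
CONSTRUCTED_INSTALLS = {
    "install-a": {
        "etc/os-release": b'PRETTY_NAME="Kali GNU/Linux Rolling"\n',
        "etc/hostname": b"kali\n",
        "etc/machine-id": b"1f3d8a0c4b7e4a9c9e2c1d0b5a6f7e81\n",
        "etc/ssh/ssh_host_ed25519_key.pub": b"ssh-ed25519 AAAAconstructedA root@kali\n",
        "root/.bash_history": b"ls\n",
    },
    "install-b": {
        "etc/os-release": b'PRETTY_NAME="Kali GNU/Linux Rolling"\n',
        "etc/hostname": b"kali\n",
        "etc/machine-id": b"9c4e2b17d0a84f3e8b6d5c1a2f3e4d50\n",
        "etc/ssh/ssh_host_ed25519_key.pub": b"ssh-ed25519 AAAAconstructedB root@kali\n",
    },
    "install-c": {
        "etc/os-release": b'PRETTY_NAME="Kali GNU/Linux Rolling"\n',
        "etc/hostname": b"kali\n",
        "etc/machine-id": b"5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c00\n",
        "etc/ssh/ssh_host_ed25519_key.pub": b"ssh-ed25519 AAAAconstructedC root@kali\n",
    },
}


def build_constructed_inventories() -> dict:
    return {name: inventory_from_contents(files)
            for name, files in CONSTRUCTED_INSTALLS.items()}


if __name__ == "__main__":
    classes = classify_artifacts(build_constructed_inventories())
    for path, cls in classes.items():
        print(f"{cls:10} {path}")
    print("candidate identifiers:", candidate_identifiers(classes))
```

Against real evidence, replace `build_constructed_inventories()` with one `inventory_from_dir(mount_point, paths)` call per mounted image, using the same path list for every image; files that land in `mixed` usually reflect differences in how the installs were used after installation rather than in the install itself, which is why the comparison needs several installs rather than two.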
In this post, I’m publishing a paper that I started working on a few months ago (life gets busy) that provides a forensic analysis of multiple freshly installed Kali systems. My goal over the coming months is to conduct similar experiments on other operating systems. I’ve also provided the raw data that I used to conduct my analysis.