DocumentCode :
2524204
Title :
Burn Before Reading: A stealthy framework for combating live forensics examinations
Author :
Guirguis, Mina ; Valdez, Justin ; El Lababedi, B.
Author_Institution :
Comput. Sci. Dept., Texas State Univ., San Marcos, TX, USA
fYear :
2009
fDate :
Sept. 20 2009-Oct. 21 2009
Firstpage :
1
Lastpage :
10
Abstract :
Malicious software (malware) has grown quite sophisticated in its design, causing significant damage over prolonged periods of time. Its capabilities encompass a wide range of activities, from simple monitoring/spying programs to more complex, highly destructive tools. Moreover, malware typically aims to hide its own existence through a large number of techniques. To that end, this paper demonstrates that the full malicious potential of malware has not yet been realized. In particular, we present a novel framework - which we term Burn Before Reading (BBR) - that actively aims to detect potential live forensics investigations and adapts the behavior of the malware online. In a nutshell, the BBR framework registers for a set of triggers that typically occur in live forensics investigations. Once a trigger fires, BBR executes actions as dictated by the malware to destroy any evidence. To remain stealthy during the execution of those actions, BBR utilizes control-theoretic actuators that dynamically adjust the timing information for the executing modules at a very fine time scale (on the order of microseconds). We study the stability regions for those actuators under different parameters. We believe that this framework can be used by malware to destroy incriminating evidence, its own signatures and its own existence, and thus its capabilities should be brought to the attention of the forensics and security communities. We also discuss potential defense mechanisms against BBR.
Keywords :
invasive software; burn before reading; control-theoretic actuators; live forensics examinations; malicious program; malicious software; malware; potential defense mechanisms; Australia; Business; Counting circuits; Electronic mail; Forensics; Internet; Laboratories; Protocols; Psychology; Security;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
eCrime Researchers Summit, 2009. eCRIME '09.
Conference_Location :
Tacoma, WA
Print_ISBN :
978-1-4244-4625-4
Type :
conf
DOI :
10.1109/ECRIME.2009.5342613
Filename :
5342613