Digital Forensics experts face many difficult technical challenges in extracting evidence from computers, mobile devices, networks, digital storage media and social media sources especially when the information they are seeking has been compromised by damage, encryption, corruption or deletion. Adding to these difficulties, intentional anti-forensic measures are increasingly being employed by both criminals and everyday users that cause additional costs in time and money to be incurred by investigations. [1]

What is Anti-Forensics?

Anti-Forensics, also known as Counter Forensics, is a set of techniques that attackers or perpetrators used in order to avert or sidetrack the forensic investigation process or try to make it much harder. These techniques negatively impact the quantity and quality of evidence from a crime scene, thereby making the forensic investigation process difficult. Therefore, the investigator might have to conduct a few more additional steps in order to fetch the data, thereby causing delay in investigation process. [2]

Depending on the anti-forensic techniques used, we can identify the following classification:

  1. Destruction of Evidence: This method aims to eliminate evidence and make its recovery impossible.

Two strategies can be carried out in order to do this:

 

  1. Evidence Hiding: This method does not aim to manipulate or destroy evidence but make it as inaccessible as possible. To do so, various techniques can be used such as covert channels or steganography, which enables the concealment and masking of certain information inside another. To detect these kinds of practices, steganalysis tools must be used that search hidden information via complex statistic mechanisms or through searching anomalies in relation to standard formats.

 

  1. Elimination of the sources of evidence: This technique could be considered as the most basic as it simply consists in not leaving traces to conceal a trail and thus avoid being detected. For instance, a simple way to prevent writing to disk may be deactivating the system’s logs.

 

  1. Evidence tampering: This method consists in creating false evidence, in order to frustrate the investigator’s work. Some of the most typical examples of evidence falsification are:
  • Launching attacks from compromised systems, such as Botnets.
  • The use of compromised networks.
  • The use of compromised user accounts.
  • The modification of metadata via utilities such as ExifTool.
  • Spoofing Messages sent through instant messaging software, such as Whatsapp, or identity theft via SIM card cloning. [3]

Various Types Anti-Forensic Techniques:

  1. Data/File Deletion
  2. Password Protection
  3. Steganography
  4. Data Hiding in File System Structures
  5. Trail Obfuscation
  6. Artifact Wiping
  7. Overwriting Data/Metadata
  8. Encryption
  9. Rootkits
  10. Exploiting Forensics Tool Bugs, etc. [2]

 

Anti-Forensics Detection:

Commercial products available to businesses attempt to decoy attackers with imitations of the business’ digital assets. Malicious activity can be detected on the fake assets, which generate alerts to IT staff and initiate an automated incident response. Experienced digital forensics engineers from reputable companies are, of course, trained to seek clues as to whether or not a system or device under investigation may hold anti-forensic measures. Obvious clues include the presence of cryptographic tools, rootkits, an encrypted VM, incorrect hash values, anomalies in event logs and so on. In all cases, when digital forensics experts attempt to discover and extract data from a suspected system they use only their own trusted programs rather than rely on programs in what could be a compromised, anti-forensics loaded device. [1]

Countermeasures of Anti-Forensics Techniques:

Investigators can overcome the anti-forensic techniques through improved monitoring of systems or by fixing bugs in the current generation of computer forensic tools.

  1. Train and educate the forensic investigators about anti-forensics.
  2. Validate the results of examination using multiple tools.
  3. Impose strict laws against illegal use of anti-forensic tools.
  4. Understand the anti-forensic techniques and their weaknesses.
  5. Use latest and updated CFTs, and test them for vulnerabilities.
  6. Save data where attacker can’t get at it, such as log hosts, CD-ROMs, etc.
  7. Use intelligent decompression libraries to defend against compression bombs.
  8. Replace weak files heuristics with stronger ones.

 

Anti-Forensics Tools:

  1. Privacy Eraser
  2. Quick Crypto
  3. Azazel Rootkit
  4. Steganography Studio
  5. Data Stash
  6. Universal Shield
  7. Masker
  8. Secure IT
  9. BatchPurifier
  10. Exiv2, etc. [2]

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        References:

  1. ‘Challenges to Forensics from Anti-Forensics’ [Online] (https://www.securedatarecovery.com/blog/challenges-forensics-anti-forensics) Accessed on 9/08/2018.
  2. CHFI Module 5, ‘Defeating Anti-Forensic Techniques’.
  3. Martinez, A. (2014) ‘Anti-Forensic Techniques’ [Online] (https://www.certsi.es/en/blog/anti-forensic-techniques) Accessed on 9/08/2018.