Anti-computer forensics is a general term for a set of techniques used as countermeasures to forensic analysis.

Definition

Anti-forensics has only recently been recognized as a legitimate field of study, and numerous definitions of it abound. One of the more widely known and accepted definitions comes from Dr. Marcus Rogers of Purdue University, who takes a traditional “crime scene” approach: anti-forensics consists of “attempts to negatively affect the existence, amount and/or quality of evidence from a crime scene, or make the analysis and examination of evidence difficult or impossible to conduct.”

A more abbreviated definition is given by Scott Berinato in his article The Rise of Anti-Forensics: “Anti-forensics is more than technology. It is an approach to criminal hacking that can be summed up like this: Make it hard for them to find you and impossible for them to prove they found you.” Notably, neither author takes into account the use of anti-forensic methods to protect the privacy of one's own personal data.

Sub-categories

Anti-forensics methods are often broken down into several sub-categories to make classification of the various tools and techniques simpler. One of the more widely accepted subcategory breakdowns was developed by Dr. Marcus Rogers. He has proposed the following sub-categories: data hiding, artifact wiping, trail obfuscation and attacks against the CF (computer forensics) processes and tools.

Purpose and Goals

Within the field of digital forensics there is much debate over the purpose and goals of anti-forensic methods. The common conception is that anti-forensic tools are purely malicious in intent and design. Others hold that these tools should be used to illustrate deficiencies in digital forensic procedures, digital forensic tools, and forensic examiner education. This sentiment was echoed at the 2005 Black Hat conference by anti-forensic tool authors James Foster and Vinnie Liu, who stated that exposing these issues forces forensic investigators to work harder to prove that collected evidence is both accurate and dependable, and that this in turn produces better tools and education for the forensic examiner.

Data hiding

Data hiding is the process of making data difficult to find while also keeping it accessible for future use. “Obfuscation and encryption of data give an adversary the ability to limit identification and collection of evidence by investigators while allowing access and use to themselves.”

Some of the more common forms of data hiding include encryption, steganography, and various other forms of hardware- or software-based data concealment. Each data hiding method on its own makes a digital forensic examination harder; combined, they can make a successful forensic investigation nearly impossible.

Encryption

One of the more commonly used techniques to defeat computer forensics is data encryption. In a presentation he gave on encryption and anti-forensic methodologies the Vice President of Secure Computing, Paul Henry, referred to encryption as a “forensic analyst's nightmare”.

The majority of publicly available encryption programs allow the user to create virtual encrypted disks which can only be opened with a designated key. Through the use of modern encryption algorithms and various encryption techniques these programs make the data virtually impossible to read without the designated key.

File-level encryption encrypts only the file contents. This leaves important information such as the file name, size and timestamps unencrypted, and the ciphertext length itself reveals the approximate plaintext size. Parts of the plaintext may also survive elsewhere: in temporary files, in the swap or page file, and in deleted, unencrypted copies of the file.

Most encryption programs have the ability to perform a number of additional functions that make digital forensic efforts increasingly difficult. Some of these functions include the use of a keyfile, full-volume encryption, and plausible deniability. The widespread availability of software containing these functions has put the field of digital forensics at a great disadvantage.

Steganography

Steganography is a technique in which information or files are hidden within another file, concealing the data by leaving it in plain sight. “Steganography produces dark data that is typically buried within light data (e.g., a non-perceptible digital watermark buried within a digital photograph).” Some experts have argued that the use of steganography is not very widespread and therefore should not be given much thought. Most experts agree, however, that steganography is capable of disrupting the forensic process when used correctly.
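The least-significant-bit (LSB) form of steganography described above, together with the statistical test an examiner can run against it, as an added example. This is not code from any tool named on the page. The 64x64 grayscale “image” is synthesised in the block (not a real photograph), the key is made up, and the keystream XOR is a toy stand-in for the encryption real tools apply so that embedded bits look uniform; it provides no secrecy on its own.

```python
"""LSB steganography in a grayscale raster and the pair-of-values test used
against it. Constructed example: the carrier is a synthetic 64x64 8-bit
image built below, the key is made up, and the whitening is a toy."""
from __future__ import annotations
import hashlib
import random
import struct

W = H = 64


def make_carrier(seed: int = 1) -> bytearray:
    """Synthetic photo: a quantised gradient plus +/-2 noise. Its histogram
    has gaps (some odd values never occur), as posterised or low-contrast
    images do; the pair test below relies on such unevenness."""
    rnd = random.Random(seed)
    px = bytearray(W * H)
    for y in range(H):
        for x in range(W):
            px[y * W + x] = ((x + y) // 8) * 12 + 20 + rnd.randint(-2, 2)
    return px


def _whiten(data: bytes, key: bytes, skip: int = 0) -> bytes:
    """Toy keystream XOR standing in for the encryption real stego tools use
    so the embedded bits look uniform. NOT cryptographic; illustration only."""
    rnd = random.Random(int.from_bytes(hashlib.sha256(key).digest()[:8], "big"))
    ks = bytes(rnd.randrange(256) for _ in range(skip + len(data)))[skip:]
    return bytes(a ^ b for a, b in zip(data, ks))


def embed(carrier: bytes, payload: bytes, key: bytes) -> bytearray:
    """Write a 4-byte length header and the payload into the LSB of
    successive pixels. Each pixel changes by at most 1 level."""
    data = _whiten(struct.pack(">I", len(payload)) + payload, key)
    if len(data) * 8 > len(carrier):
        raise ValueError("payload does not fit in carrier")
    out = bytearray(carrier)
    for i, byte in enumerate(data):
        for j in range(8):
            bit = (byte >> (7 - j)) & 1
            out[i * 8 + j] = (out[i * 8 + j] & 0xFE) | bit
    return out


def _read_lsb_bytes(px: bytes, start_byte: int, n: int) -> bytes:
    out = bytearray()
    for k in range(n):
        v = 0
        for j in range(8):
            v = (v << 1) | (px[(start_byte + k) * 8 + j] & 1)
        out.append(v)
    return bytes(out)


def extract(stego: bytes, key: bytes) -> bytes:
    (n,) = struct.unpack(">I", _whiten(_read_lsb_bytes(stego, 0, 4), key))
    return _whiten(_read_lsb_bytes(stego, 4, n), key, skip=4)


def pair_chi_square(px: bytes, n_pixels: int) -> float:
    """Westfeld/Pfitzmann pair-of-values statistic over the first n pixels.
    Embedding uniform bits in the LSB pushes the counts of each value pair
    (2k, 2k+1) toward equality, so an embedded region scores low while a
    clean region with an uneven histogram scores high. Payloads are usually
    written sequentially from the start, which is why the prefix is tested."""
    counts = [0] * 256
    for v in px[:n_pixels]:
        counts[v] += 1
    stat = 0.0
    for k in range(128):
        a, b = counts[2 * k], counts[2 * k + 1]
        if a + b:
            stat += (a - b) ** 2 / (a + b)
    return stat


def demo() -> dict:
    carrier = make_carrier()
    secret = b"the second set of books is in the Zurich safe deposit box " * 2  # constructed
    key = b"example-key"                                                      # made up
    stego = embed(carrier, secret, key)
    region = (4 + len(secret)) * 8   # number of pixels carrying hidden bits
    return {
        "roundtrip": extract(stego, key) == secret,
        "max_pixel_delta": max(abs(a - b) for a, b in zip(carrier, stego)),
        "clean_stat": pair_chi_square(carrier, region),
        "stego_stat": pair_chi_square(stego, region),
    }
```

Running `demo()` shows the two sides of the argument in the text: the stego image differs from the carrier by at most one gray level per pixel, so the hidden file is invisible to the eye, yet the pair statistic over the embedded region collapses compared with the clean carrier. On real photographs the effect is weaker than on this constructed carrier, and modern steganalysis uses richer feature sets, which is why the text's experts disagree about how much attention steganography deserves.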

According to Jeffrey Carr, a 2007 edition of Technical Mujahid (a bi-monthly terrorist publication) outlined the importance of using a steganography program called Secrets of the Mujahedeen. According to Carr, the program was touted as giving the user the capability to avoid detection by current steganalysis programs. It did this through the use of steganography in conjunction with file compression.

Other forms of data hiding

Other forms of data hiding involve the use of tools and techniques to hide data throughout various different locations in a computer system. Some of these places can include “memory, slack space, hidden directories, bad blocks, alternate data streams, hidden partitions.”

One of the better known data hiding tools is Slacker (part of the Metasploit framework). Slacker breaks a file into pieces and writes each piece into the slack space of other files, the allocated bytes between a file's end and the end of its last cluster, where ordinary file reads and file-system-level forensic tools do not look. Another technique uses bad sectors: the user marks a good cluster as bad in the file system's allocation metadata, so the file system will never allocate it, and then writes data into it. The assumption is that forensic tools will honour the bad-cluster flag and skip the cluster without examining its contents; tools that read the raw device rather than trusting the file system's bookkeeping are not fooled.
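The slack-space trick and the examiner's counter-check, as an added example that is not Slacker's code: a toy volume split into fixed-size clusters, a hider that scatters a payload across the slack of existing files, and a carver that reads slack straight from the raw volume instead of through the file API. File names, sizes, the cluster size and the payload are all constructed for the illustration.

```python
"""Slack-space hiding of the kind Slacker performs, on a toy volume, with the
examiner's counter-check. Added example: no real file system; the volume is
a bytearray split into fixed-size clusters, each file owning whole clusters."""
from __future__ import annotations
import math
from dataclasses import dataclass

CLUSTER = 512   # tiny cluster so the constructed volume stays small


@dataclass
class FileEntry:
    name: str
    first_cluster: int   # files occupy contiguous clusters in this model
    size: int            # logical size: what the file API reports

    @property
    def clusters(self) -> int:
        return max(1, math.ceil(self.size / CLUSTER))

    @property
    def slack_range(self) -> tuple[int, int]:
        """Absolute [start, end) of the bytes between EOF and the end of the
        file's last cluster: allocated to the file, never returned by read()."""
        start = self.first_cluster * CLUSTER + self.size
        end = (self.first_cluster + self.clusters) * CLUSTER
        return start, end


def make_volume(files: list[FileEntry]) -> bytearray:
    vol = bytearray(sum(f.clusters for f in files) * CLUSTER)  # fresh volume: slack is zero
    for f in files:
        content = (f.name.encode() * (f.size // len(f.name) + 1))[: f.size]
        base = f.first_cluster * CLUSTER
        vol[base : base + f.size] = content
    return vol


def read_file(vol: bytearray, f: FileEntry) -> bytes:
    """What a normal file read returns: logical size only, slack excluded."""
    base = f.first_cluster * CLUSTER
    return bytes(vol[base : base + f.size])


def hide_in_slack(vol: bytearray, files: list[FileEntry], payload: bytes) -> list[tuple[str, int, int]]:
    """Scatter the payload over the slack of successive files and return the
    placement list the hider needs to reassemble it later."""
    placement, off = [], 0
    for f in files:
        if off >= len(payload):
            break
        start, end = f.slack_range
        piece = payload[off : off + (end - start)]
        if not piece:
            continue
        vol[start : start + len(piece)] = piece
        placement.append((f.name, start, len(piece)))
        off += len(piece)
    if off < len(payload):
        raise ValueError(f"only {off} of {len(payload)} payload bytes fit in slack")
    return placement


def recover_from_slack(vol: bytearray, placement: list[tuple[str, int, int]]) -> bytes:
    return b"".join(bytes(vol[s : s + n]) for _, s, n in placement)


def carve_nonzero_slack(vol: bytearray, files: list[FileEntry]) -> dict[str, bytes]:
    """Examiner's check: read every file's slack from the raw volume and
    report any that is not all zeros. Caveat: on a real disk slack also holds
    residue of earlier, legitimately deleted files, so a hit means 'examine
    this', not 'hidden data'."""
    hits = {}
    for f in files:
        start, end = f.slack_range
        slack = bytes(vol[start:end])
        if slack.strip(b"\x00"):
            hits[f.name] = slack.rstrip(b"\x00")
    return hits


def demo() -> bool:
    files = [FileEntry("notes.txt", 0, 500), FileEntry("todo.txt", 1, 100)]
    vol = make_volume(files)
    before = [read_file(vol, f) for f in files]
    assert carve_nonzero_slack(vol, files) == {}            # clean volume
    secret = b"meeting at dock 4, bring the ledger; " * 8   # constructed payload
    placement = hide_in_slack(vol, files, secret)
    unchanged = [read_file(vol, f) for f in files] == before  # file-API view is unchanged
    return (unchanged
            and recover_from_slack(vol, placement) == secret
            and set(carve_nonzero_slack(vol, files)) == {"notes.txt", "todo.txt"})
```

The same raw-read carver defeats the bad-cluster variant in the text: it addresses clusters by offset and never consults the allocation table, so a cluster flagged bad is read like any other.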

Artifact wiping

The methods used in artifact wiping are tasked with permanently eliminating particular files or entire file systems. This can be accomplished through the use of a variety of methods that include disk cleaning utilities, file wiping utilities and disk degaussing/destruction techniques.

Disk cleaning utilities

Disk cleaning utilities use a variety of methods to overwrite the existing data on a disk (see data remanence). Their effectiveness as anti-forensic tools is often challenged, as some believe they are not completely effective. Experts who do not accept disk cleaning utilities for disk sanitization base their opinion on US Department of Defense policy, which in their reading allows only degaussing or physical destruction for sanitizing media (see National Industrial Security Program). Disk cleaning utilities are also criticized because they leave signatures showing that the file system was wiped, which in some cases is unacceptable. Some of the widely used disk cleaning utilities include DBAN, srm, KillDisk, PC Inspector and CyberScrub's cyberCide. Another option, approved by NIST and the NSA, is CMRR Secure Erase, which uses the Secure Erase command built into the ATA specification so that the drive firmware, rather than the host, overwrites every addressable sector.

File wiping utilities

File wiping utilities are used to destroy individual files within an operating system. Their advantage is speed: they accomplish their task in a relatively short time, whereas disk cleaning utilities take much longer. They also generally leave a much smaller signature than disk cleaning utilities. They have two primary disadvantages: first, they require the user to select what to wipe, and second, some experts believe that file wiping programs do not always correctly and completely wipe the file's information, since copies may remain in slack space, file system journals, shadow copies or snapshots, swap, and on flash media that remaps overwritten blocks. Some of the widely used file wiping utilities include R-Wipe & Clean, Eraser, Aevita Wipe & Delete and CyberScrub's PrivacySuite.
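A minimal file wiper of the kind the two preceding sections describe, with the examiner's counterpart, as an added example that is not any of the named products. It assumes a POSIX system on which st_blksize is the allocation unit and an in-place overwrite reaches the same device blocks; that assumption fails on copy-on-write file systems (btrfs, ZFS, APFS), on snapshots, on SSDs with wear levelling and on many cloud block stores, where the old blocks can survive every pass. The file name and contents in `demo()` are constructed.

```python
"""A file wiper of the kind the section describes and the examiner's view of
what it leaves behind. Added example, not any of the named products. Assumes
POSIX, st_blksize as the allocation unit, and in-place overwrite reaching the
same blocks (false on COW file systems, snapshots, SSD wear levelling)."""
from __future__ import annotations
import math
import os
import secrets
import tempfile

PATTERNS = (b"\x00", b"\xff", None)   # None = fresh random bytes for that pass


def wipe_file(path: str, passes: int = 3) -> dict:
    """Overwrite the file's allocated span, flush each pass to the device,
    rename to hide the original name, unlink, and sync the directory."""
    st = os.stat(path)
    blk = getattr(st, "st_blksize", 0) or 4096
    # Round up to the allocation unit so the file's own slack (bytes between
    # EOF and the end of its last block) is overwritten as well.
    span = max(blk, math.ceil(st.st_size / blk) * blk)
    with open(path, "r+b") as f:
        for p in range(passes):
            pat = PATTERNS[p % len(PATTERNS)]
            f.seek(0)
            left = span
            while left:
                n = min(left, 1 << 20)
                f.write(secrets.token_bytes(n) if pat is None else pat * n)
                left -= n
            f.flush()
            os.fsync(f.fileno())   # reach the device, not just the page cache
        f.truncate(0)
        f.flush()
        os.fsync(f.fileno())
    # The original name would otherwise remain in the directory and journal.
    d = os.path.dirname(path) or "."
    anon = os.path.join(d, secrets.token_hex(8))
    os.rename(path, anon)
    os.unlink(anon)
    dfd = os.open(d, os.O_RDONLY)
    try:
        os.fsync(dfd)              # make the rename and unlink durable too
    finally:
        os.close(dfd)
    return {"original_size": st.st_size, "bytes_per_pass": span, "passes": passes}


def classify_block(block: bytes) -> str:
    """Examiner's side: a wiped region is itself a signature. Constant 0x00
    or 0xFF fill, or near 8 bits/byte of entropy where file data should be,
    says a sanitiser ran even though the content is gone."""
    if not block:
        return "empty"
    if block.count(block[:1]) == len(block):
        return "constant-0x%02x" % block[0]
    n = len(block)
    counts = [0] * 256
    for b in block:
        counts[b] += 1
    entropy = -sum(c / n * math.log2(c / n) for c in counts if c)
    return "random-looking" if entropy > 7.5 else "structured"


def demo() -> dict:
    d = tempfile.mkdtemp()
    path = os.path.join(d, "ledger.txt")
    with open(path, "wb") as f:
        f.write(b"confidential " * 300)        # constructed content
    info = wipe_file(path)
    return {"info": info,
            "removed": not os.path.exists(path),
            "leftover_names": os.listdir(d),
            "classes": [classify_block(b"\x00" * 4096),
                        classify_block(b"confidential " * 300),
                        classify_block(secrets.token_bytes(4096))]}
```

`classify_block` is what the text means by a wiper's signature: a region of constant fill or of near-maximal entropy sitting where a document used to be tells the examiner that something was sanitised, even if it cannot say what.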

Disk degaussing / Destruction techniques

Disk degaussing is a process in which a strong magnetic field is applied to a magnetic storage device, leaving it entirely clean of any previously stored data; it has no effect on flash-based media such as SSDs and USB drives. Degaussing is rarely used as an anti-forensic method despite being an effective means of ensuring that data has been wiped. This is attributed to the high cost of degaussing machines, which are difficult for the average consumer to afford.

A more commonly used technique to ensure data wiping is the physical destruction of the device. The NIST recommends that “physical destruction can be accomplished using a variety of methods, including disintegration, incineration, pulverizing, shredding and melting.”

Trail obfuscation

The purpose of trail obfuscation is to confuse, disorient and divert the forensic examination process. Trail obfuscation covers a variety of techniques and tools that include “log cleaners, spoofing, misinformation, backbone hopping, zombied accounts, trojan commands.”

One of the more widely known trail obfuscation tools is Timestomp (part of the Metasploit framework). Timestomp gives the user the ability to modify file metadata pertaining to access, creation and modification times/dates. By using
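The timestamp manipulation described above, as an added example that is not Timestomp itself. Timestomp works on NTFS timestamps; this block does the equivalent on Linux with POSIX utime() and shows the checks an examiner runs against it. It relies on two facts about Linux file systems: utime() can set atime and mtime to any value, but ctime (inode change time) is stamped by the kernel and cannot be backdated from userspace; and normal writes leave a non-zero sub-second part, whereas a date typed into a tool is usually a whole second. The NTFS analogue, comparing $STANDARD_INFORMATION against $FILE_NAME times, is not shown. File names and log content in `demo()` are constructed.

```python
"""Timestamp stomping on Linux and the examiner's checks against it. Added
example, not Timestomp. Assumes Linux semantics: utime() sets atime/mtime
freely, ctime is kernel-controlled, and the file system keeps sub-second
times (FAT and other coarse file systems make the whole-second check moot)."""
from __future__ import annotations
import datetime as dt
import os
import tempfile

NS = 10**9


def stomp(path: str, when: dt.datetime) -> None:
    """Set atime and mtime to `when` as whole seconds, the way a tool fed a
    typed date does. ctime is left to the kernel, which sets it to 'now'."""
    ts = int(when.timestamp()) * NS
    os.utime(path, ns=(ts, ts))


def check_timestamps(path: str) -> list[str]:
    """Return indicators that the file's times were manipulated."""
    st = os.stat(path)
    flags: list[str] = []
    # Every write and every utime() call bumps ctime to the current time, so
    # mtime can only exceed ctime if it was set by hand (or the clock jumped).
    if st.st_mtime_ns > st.st_ctime_ns:
        flags.append("mtime later than ctime")
    # Kernel-stamped times carry the clock's sub-second part; an mtime of
    # exactly .000000000 usually came from a human-typed date. Skip this
    # check on file systems with one- or two-second resolution.
    if st.st_mtime_ns % NS == 0:
        flags.append("mtime is a whole second")
    # Where the platform exposes birth time: modified before created is impossible.
    btime = getattr(st, "st_birthtime_ns", None)
    if btime is not None and st.st_mtime_ns < btime:
        flags.append("mtime earlier than birth time")
    return flags


def demo() -> dict[str, list[str]]:
    d = tempfile.mkdtemp()
    names = ("clean.log", "backdated.log", "future.log")
    for name in names:
        with open(os.path.join(d, name), "wb") as f:
            f.write(b"sshd[812]: Accepted publickey for deploy from 10.0.0.7\n")  # constructed
    # Hide a recent change by pushing it into the past...
    stomp(os.path.join(d, "backdated.log"),
          dt.datetime(2009, 6, 1, 12, 0, 0, tzinfo=dt.timezone.utc))
    # ...or confuse a timeline by pushing it into the future.
    stomp(os.path.join(d, "future.log"),
          dt.datetime.now(dt.timezone.utc) + dt.timedelta(days=1))
    return {name: check_timestamps(os.path.join(d, name)) for name in names}


if __name__ == "__main__":
    for name, flags in demo().items():
        print(f"{name}: {flags or 'no indicators'}")
```

The backdated file passes a casual `ls -l` but shows a suspiciously round mtime and an inode change time long after its supposed last modification; the future-dated file is caught outright because the kernel refuses to let userspace choose ctime. Neither check proves intent on its own, which is why examiners corroborate with journal entries, backups and timestamps held by other systems.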
