
By Reuben Lagat

What is digital/computer forensics?

Computer forensics refers to the techniques and methodologies used in the collection, analysis and presentation of evidence from digital systems, in a form that can withstand challenge in a court of law.

What are the general computer forensic steps?

The 3 A's:

-Acquire (take a forensically sound copy of the media), Authenticate (prove the copy matches the original, normally by cryptographic hash) and Analyze

-Followed by report writing and presentation

What is Anti-Forensics?

This can be described as:

-A collection of tools and techniques that frustrate forensic tools, investigations and investigators.

-Data hiding, artifact wiping, trail obfuscation and attacks against the process and tools (Rogers, 2005).

-Destroying, hiding, manipulating or preventing the creation of evidence (Peron and Legary, 2005).

What are the goals of anti-forensics?

The four primary goals of anti-forensics, as identified by Liu and Brown (2006):

1. Avoiding detection.

2. Disrupting the collection of information.

3. Increasing the time that an examiner needs to spend on a case.

4. Casting doubt on a forensic report or testimony.

Common anti-forensics methods:

➔ Obfuscation and Data Encryption

➔ Data Deletion and Physical Destruction

➔ Analysis Prevention

➔ Online Anonymity


-Encryption: full-disk and file encryption is a forensic investigator's nightmare, because without the key an acquired image is unreadable no matter how carefully it was collected. Case: Apple vs FBI (the 2016 dispute over unlocking a suspect's encrypted iPhone).

-Steganography: hiding information inside innocuous carrier files such as images or audio (JPEG, MP3, WAV), so that the existence of the data, not just its content, is concealed.

-Steganalysis: the detection of steganography, usually by statistical analysis of the carrier file rather than by reading the hidden content.
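The two bullets above, steganography and its detection, as one worked example. This is code added for this page, not code from the original post. It hides a payload in the least-significant bits of a constructed list of 8-bit sample values (standing in for one channel of a bitmap, or PCM audio; no real JPEG/MP3/WAV is parsed, so no image library is needed), recovers it, and then runs the pairs-of-values chi-square test that steganalysis tools use to spot LSB embedding without knowing the message.

```python
"""LSB steganography plus a pairs-of-values chi-square steganalysis check.

Added example; not code from the original post. The "cover" is a constructed
list of 8-bit sample values (think one channel of a bitmap or PCM audio), not
a real JPEG/MP3/WAV, so no image library is needed. The embedding is the
classic sequential least-significant-bit scheme.
"""
import random


def embed_lsb(cover, message):
    """Return a copy of `cover` with `message` written into the LSB of each sample.

    Payload layout: 16-bit big-endian length prefix, then the message bytes,
    one bit per sample, most significant bit first.
    """
    if len(message) > 0xFFFF:
        raise ValueError("message too long for the 16-bit length prefix")
    payload = len(message).to_bytes(2, "big") + message
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("cover too small for payload")
    stego = list(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit
    return stego


def extract_lsb(stego):
    """Recover the message embedded by embed_lsb."""
    def read_bytes(start, count):
        out = bytearray()
        for j in range(count):
            byte = 0
            for k in range(8):
                byte = (byte << 1) | (stego[start + j * 8 + k] & 1)
            out.append(byte)
        return bytes(out)
    length = int.from_bytes(read_bytes(0, 2), "big")
    return read_bytes(16, length)


def pov_chi_square(samples):
    """Pairs-of-values chi-square statistic (Westfeld and Pfitzmann, 2000).

    LSB embedding only moves a sample between 2k and 2k+1, never across pairs,
    so a stream carrying a (near) full random payload ends up with almost
    equal counts in each pair. A large statistic means the pairs are uneven
    (untouched); a small one means they are suspiciously level (stego).
    """
    counts = [0] * 256
    for v in samples:
        counts[v] += 1
    chi2 = 0.0
    for k in range(128):
        even, odd = counts[2 * k], counts[2 * k + 1]
        expected = (even + odd) / 2
        if expected > 0:
            chi2 += (even - expected) ** 2 / expected + (odd - expected) ** 2 / expected
    return chi2


def make_cover(n, seed=1):
    """Constructed cover: a gradient with a little noise, skewed toward even
    values so its LSBs are not uniform (real images show similar structure)."""
    rng = random.Random(seed)
    cover = []
    for i in range(n):
        v = i * 200 // n + rng.randint(0, 5)
        if rng.random() < 0.8:
            v &= 0xFE
        cover.append(v)
    return cover


def demo():
    """Embed a random payload (standing in for an encrypted message) and
    return (chi2 of cover, chi2 of stego)."""
    rng = random.Random(7)
    cover = make_cover(8000)
    secret = bytes(rng.getrandbits(8) for _ in range(990))  # ~99% of capacity
    stego = embed_lsb(cover, secret)
    assert extract_lsb(stego) == secret
    return pov_chi_square(cover), pov_chi_square(stego)


if __name__ == "__main__":
    cover_chi2, stego_chi2 = demo()
    print(f"chi-square cover={cover_chi2:.1f} stego={stego_chi2:.1f}")
```

The payload is random bytes on purpose: a plaintext message has biased bits (the top bit of ASCII is always zero) and equalises the pairs less, which is why real tools encrypt before embedding, and why the chi-square test loses power when only a small fraction of the carrier is used. Treat a low statistic as a lead to be confirmed, not as proof.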

Data Deletion and Physical Destruction

Disk degaussing: wiping data by exposing magnetic media to a strong magnetic field. It is very effective at ensuring the data cannot be recovered, and on a modern hard drive it also erases the servo tracks, so the drive is unusable afterwards. It does nothing for SSDs and other flash media, which hold no magnetic domains. It is rarely used because of the prohibitive cost.

The V91 Max, for example, is a manual hard drive degausser designed to fully and securely wipe computer hard drives and DLT tapes.

Online anonymity: Tor Browser, tunneling/proxies and private browsing.

Other techniques include:

-Timestamp modification: every file on an NTFS volume carries four timestamps, abbreviated MACE: Modified, Accessed, Created and Entry modified (the last records changes to the file's $MFT record). Forensic packages read these values to tell the examiner when a file was created or changed, and "timestomping" rewrites them to plant a false timeline. A practitioner's check: NTFS stores the timestamps twice, in the $STANDARD_INFORMATION attribute, which user-mode tools can change, and in the $FILE_NAME attribute, which only the kernel updates, so a $STANDARD_INFORMATION creation time earlier than the $FILE_NAME creation time, or timestamps whose sub-second part is exactly zero, are indicators that the values were tampered with.
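The timestomping check described above, as an added example (not the post's own code). The $MFT records are constructed, not parsed from a real volume; a real parser would keep the raw 100 ns NTFS ticks and test `ticks % 10_000_000 == 0` where this code tests the microsecond field. The third record is a deliberate non-match: a photo copied off a FAT memory card keeps a whole-second modified time, which is why the fractional-seconds rule requires all four $STANDARD_INFORMATION fields to be zeroed before it fires.

```python
"""Timestomping indicators from NTFS $MFT timestamps.

Added example; not the post's own code. The records below are constructed,
not parsed from a real $MFT. Python's datetime keeps microseconds; a real
parser would keep the raw 100 ns ticks and test `ticks % 10_000_000 == 0`.
"""
from datetime import datetime


def mace(ts):
    """Build a MACE quartet in which all four values equal `ts`."""
    return {k: ts for k in ("modified", "accessed", "created", "entry_modified")}


# Each record carries the MACE quartet twice: from $STANDARD_INFORMATION ("si"),
# which SetFileTime and tools such as timestomp can rewrite, and from
# $FILE_NAME ("fn"), which only the NTFS driver updates (on create/rename/move).
SAMPLE_RECORDS = [
    {   # ordinary file: $SI and $FN agree, fractional seconds present
        "name": "notes.txt",
        "si": mace(datetime(2023, 5, 10, 14, 22, 31, 123456)),
        "fn": mace(datetime(2023, 5, 10, 14, 22, 31, 123456)),
    },
    {   # backdated with a whole-second tool: $SI fractions zeroed and
        # $SI creation predates $FN creation
        "name": "invoice.pdf",
        "si": mace(datetime(2019, 1, 1, 0, 0, 0)),
        "fn": mace(datetime(2023, 5, 12, 9, 3, 17, 654321)),
    },
    {   # copied from a FAT card: only the modified time is whole-second,
        # creation stamps agree, so nothing should fire
        "name": "photo.jpg",
        "si": {**mace(datetime(2023, 5, 11, 8, 0, 0, 555555)),
               "modified": datetime(2021, 6, 1, 12, 0, 0)},
        "fn": mace(datetime(2023, 5, 11, 8, 0, 0, 555555)),
    },
]


def timestomp_indicators(record):
    """Return the list of indicator names that fire for one record."""
    si, fn = record["si"], record["fn"]
    flags = []
    # Indicator 1: $SI creation earlier than $FN creation. The $FN stamp is
    # set by the kernel when the file is created on this volume and is not
    # reachable through SetFileTime, so an earlier $SI value was written later.
    if si["created"] < fn["created"]:
        flags.append("si_created_before_fn_created")
    # Indicator 2: all four $SI values have a zero fractional second while
    # the $FN values do not. Common timestomping tools write whole seconds;
    # genuine NTFS writes almost always carry a nonzero 100 ns fraction.
    if (all(t.microsecond == 0 for t in si.values())
            and any(t.microsecond for t in fn.values())):
        flags.append("si_fractional_seconds_zeroed")
    return flags


def scan(records):
    """Map file name -> indicators, for records that raised at least one."""
    result = {}
    for rec in records:
        flags = timestomp_indicators(rec)
        if flags:
            result[rec["name"]] = flags
    return result


if __name__ == "__main__":
    for name, flags in scan(SAMPLE_RECORDS).items():
        print(name, flags)
```

Both rules are indicators, not proof: a tool that patches the $MFT directly can rewrite $FILE_NAME too. Corroborate hits against $UsnJrnl and $LogFile entries for the same file, which record the real sequence of changes.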

Account hijacking: acting through compromised ("zombied") user accounts, so that any logged activity is attributed to the account's legitimate owner.

Archive/image bombs: files crafted to crash or exhaust the tools that parse them, such as a small compressed archive that expands to many gigabytes; also self-destruct software that wipes data when a trigger fires.

Disabling logs: when logging is switched off, and the audit software does not itself record that it was disabled, the resulting gap makes it impossible to reconstruct what happened during the missing period.
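One way to surface the gap described above from the log stream itself, as an added example (not from the original post). The syslog-style lines are constructed samples, not a real capture. Two signals are checked: a silence longer than the host's normal chatter, which is the only trace left when the audit software did not record its own shutdown, and lines that do record the audit service being stopped or its log cleared. The `DISABLE_MARKERS` list is an assumed starting set and would be extended per platform.

```python
"""Spotting disabled logging from the log stream itself.

Added example; not from the original post. The log lines are constructed
syslog-style samples, not a real capture.
"""
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2024-03-03T10:00:05Z host1 sshd[1201]: Accepted publickey for ops from 10.0.0.5 port 51234
2024-03-03T10:00:41Z host1 sudo: ops : TTY=pts/0 ; PWD=/home/ops ; USER=root ; COMMAND=/usr/bin/systemctl stop auditd
2024-03-03T10:00:42Z host1 systemd[1]: Stopped Security Auditing Service.
2024-03-03T13:17:09Z host1 systemd[1]: Started Security Auditing Service.
2024-03-03T13:17:30Z host1 sshd[1201]: pam_unix(sshd:session): session closed for user ops
"""

# Substrings that indicate logging was turned off or wiped. Assumed starting
# set; extend per platform (e.g. the text of Windows Security event 1102,
# "The audit log was cleared", in an EVTX export).
DISABLE_MARKERS = (
    "systemctl stop auditd",
    "Stopped Security Auditing Service",
    "auditctl -e 0",
    "audit log was cleared",
)


def parse_line(line):
    """Split one line into (timestamp, remainder); timestamps are UTC ISO 8601."""
    ts, rest = line.split(" ", 1)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), rest


def find_logging_gaps(log_text, max_silence=timedelta(minutes=30)):
    """Return findings as tuples:
       ("silence", last_seen, next_seen)       silence longer than max_silence
       ("logging_disabled", when, line_text)   a line matching DISABLE_MARKERS
    """
    findings = []
    prev = None
    for line in log_text.splitlines():
        if not line.strip():
            continue
        t, rest = parse_line(line)
        if prev is not None and t - prev > max_silence:
            findings.append(("silence", prev, t))
        if any(marker in rest for marker in DISABLE_MARKERS):
            findings.append(("logging_disabled", t, rest))
        prev = t
    return findings


if __name__ == "__main__":
    for finding in find_logging_gaps(SAMPLE_LOG):
        print(*finding)
```

Pick `max_silence` from the host's own baseline (a busy server that is quiet for ten minutes is more suspicious than a laptop that sleeps overnight). Because the timestamps come from the same host that was tampered with, a silence found this way should be confirmed against an independent source such as a central syslog collector, NetFlow, or the logs of neighbouring machines.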
