By Reuben Lagat
What is digital/Computer forensics?
“Computer forensics refers to the techniques and methodologies used in the collection, analysis and presentation of non-refutable evidence in a court of law.”
What are the general computer forensic steps?
-Acquire, Authenticate, and Analyze
-Followed by Report Writing and Presentation
What is Anti-Forensics?
This can be described as:
-A collection of tools and techniques that frustrate forensic tools, investigations and investigators.
-Data hiding, artifact wiping, trail obfuscation and attacks against the process and tools (Rogers, 2005).
-Destroying, hiding, manipulating or preventing the creation of evidence (Peron and Legary, 2005).
What are the goals of anti-forensics?
The four primary goals of anti-forensics, as identified by Liu and Brown (2006):
1. Avoiding detection.
2. Disrupting the collection of information.
3. Increasing the time that an examiner needs to spend on a case.
4. Casting doubt on a forensic report or testimony.
Common anti-forensics methods:
➔ Obfuscation and Data Encryption
➔ Data Deletion and Physical Destruction
➔ Analysis Prevention
➔ Online Anonymity
OBFUSCATION AND DATA ENCRYPTION (definition of terms)
-Encryption: a forensic investigator's nightmare. Case: Apple vs. FBI
-Steganography: hiding information in images or media files (JPEG, MP3, WAV)
-Steganalysis: detection of steganography
Common anti-forensics methods
Data Deletion and Physical Destruction
–Disk degaussing: Wiping out data by applying a magnetic field to digital media. It is a very effective method of ensuring that data has been wiped out completely, but it is rarely used because of the prohibitive cost.
The V91 Max is the most powerful manual hard drive degausser, designed to fully and securely wipe computer hard drives and DLT tapes.
–Online Anonymity: Tor browsers/Tunneling/Proxy and Private Browsing
Other techniques also include:
-Time Stamp Modification: Every file on removable media has four values called M.A.C.E. Those values record the Modification, Access and Creation timestamps of that file. Computer forensics packages read those values and give examiners indications about the time and date of any updates and changes to the contents of a file.
–Account hijacking: “Zombied” computer accounts
–Archive/image bombs: Self-destruct software
–Disabling logs: missing logs, or audit software that does not flag that logging was disabled, making it impossible to reconstruct the missing data.
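The time stamp modification item above describes why examiners rely on M.A.C.E. values; the following added example (not from the original page) shows the kind of consistency check an examiner can run over those values to spot files whose timestamps look rewritten. It assumes the fourth value is the NTFS MFT entry-modified time, and the sample records are constructed.

```python
"""Flag M.A.C.E. timestamp patterns that examiners treat as possible tampering.

Added example, not from the original page. Assumption: the fourth value is the
NTFS MFT entry-modified time; the heuristics are illustrative, not conclusive.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass
class FileTimes:
    path: str
    modified: datetime        # M: last content change
    accessed: datetime        # A: last access
    created: datetime         # C: creation
    entry_modified: datetime  # E: MFT entry change (assumed NTFS semantics)

    @classmethod
    def from_iso(cls, path, m, a, c, e):
        return cls(path, *(datetime.fromisoformat(t) for t in (m, a, c, e)))


def timestamp_anomalies(ft: FileTimes) -> list:
    """Return human-readable findings for one file; empty means nothing odd."""
    findings = []
    if ft.modified < ft.created:
        findings.append("modified before created")
    if ft.accessed < ft.created:
        findings.append("accessed before created")
    if ft.modified > ft.entry_modified:
        # Changing M normally also refreshes E, so M newer than E stands out.
        findings.append("modified newer than entry-modified")
    # Tools that rewrite timestamps often store whole seconds, whereas real
    # NTFS timestamps almost always carry a sub-second component.
    stamps = (ft.modified, ft.accessed, ft.created, ft.entry_modified)
    if all(t.microsecond == 0 for t in stamps):
        findings.append("all four timestamps have zero sub-second precision")
    return findings


def scan(records: list) -> dict:
    """Map each path to its findings, keeping only files with at least one."""
    report = {}
    for r in records:
        findings = timestamp_anomalies(r)
        if findings:
            report[r.path] = findings
    return report


# Constructed sample: one ordinary file and one with rewritten timestamps.
SAMPLE = [
    FileTimes.from_iso("C:/Users/alice/report.docx",
                       "2024-03-02T10:15:07.123456", "2024-03-03T09:00:01.000500",
                       "2024-03-01T08:30:00.777000", "2024-03-02T10:15:07.123500"),
    FileTimes.from_iso("C:/Windows/Temp/svc.exe",
                       "2019-01-01T00:00:00", "2019-01-01T00:00:00",
                       "2024-03-05T12:00:00", "2024-03-05T12:00:00"),
]

if __name__ == "__main__":
    for path, findings in scan(SAMPLE).items():
        print(path, "->", "; ".join(findings))
```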