What Is Anti-Forensics?
Strictly speaking, digital anti-forensics are any means used to compromise or prevent the availability of information on a computer, mobile device, storage medium, etc. However, the use of anti-forensic measures should not by itself lead to the assumption that criminal activity is being hidden. After all, everyone is entitled to some degree of personal privacy, and measures such as communications encryption are not illegal when the intent is not to conceal a crime.
However, the use of anti-forensics by those with ill intent certainly makes digital forensics investigations more time-consuming and expensive as most famously exhibited in the 2015 struggle between Apple and the FBI over applying forensics to a locked iPhone that was owned by one of the San Bernardino attackers who killed and injured a total of 36 people.
Categories of Anti-Forensic Techniques
In a broad sense, there are four types of anti-forensic activity:
- Artifact Deletion – Disk or file wiping software, disk degaussing or destruction
- Data Hiding – Encryption, steganography, file renaming, Windows ADS, covert channels, etc.
- Obfuscation – IP address spoofing, onion routing, poisoned DNS, interference with live imaging
- Attacks on Forensic Tools – One or more steps taken to undermine the perceived reliability of forensic evidence, including digital attacks on the investigator's own tools and systems
- Faking Evidence – Creation of false evidence on the forensics target to damage the reliability of the investigation
Commercial products available to businesses attempt to decoy attackers with imitations of the business’ digital assets. Malicious activity can be detected on the fake assets, which generates alerts to IT staff and initiates an automated incident response.
Experienced digital forensics engineers from reputable companies are, of course, trained to seek clues as to whether or not a system or device under investigation may hold anti-forensic measures. Obvious clues include the presence of cryptographic tools, rootkits, an encrypted VM, incorrect hash values, anomalies in event logs and so on.
In all cases, when digital forensics experts attempt to discover and extract data from a suspect system, they use only their own trusted programs rather than relying on programs already present on what may be a compromised device loaded with anti-forensic tooling.
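The two clues named above, incorrect hash values and anomalies in event logs, are the kind of thing an examiner checks from a trusted toolkit rather than from anything installed on the target. The script below is an added illustration written for this article, not code from the original page or from any forensics vendor; it uses only Python's standard library, and the manifest, file contents, file paths and event-log entries are constructed sample data. The event IDs (4624 logon, 4688 process creation, 1102 audit log cleared) are the standard Windows Security log identifiers.

```python
"""Added example (not from the original article): two simple checks run from a
trusted toolkit against an acquired image.
  1. Compare each file's SHA-256 with a manifest captured at acquisition time
     and flag files that are modified or missing (possible artifact deletion
     or tampering).
  2. Scan an event-log export for timestamps that move backwards, gaps longer
     than a threshold, and explicit log-clear events (possible log wiping or
     clock manipulation).
All inputs are constructed sample data so the example runs offline.
"""
import hashlib
from datetime import datetime, timedelta


def sha256_bytes(data: bytes) -> str:
    """Hash with our own (trusted) library, never with a tool found on the target."""
    return hashlib.sha256(data).hexdigest()


# Constructed file contents as recorded at acquisition; the manifest is built
# from them so the example is self-contained.
ORIGINAL_FILES = {
    "C:/Users/alice/notes.txt": b"quarterly numbers\n",
    "C:/Windows/System32/drivers/etc/hosts": b"127.0.0.1 localhost\n",
}
MANIFEST = {path: sha256_bytes(data) for path, data in ORIGINAL_FILES.items()}

# Constructed "current" contents on the image under review: notes.txt has been
# wiped and the hosts file now carries an extra (poisoned) name mapping.
CURRENT_FILES = {
    "C:/Windows/System32/drivers/etc/hosts":
        b"127.0.0.1 localhost\n203.0.113.5 update.example.com\n",
}


def verify_manifest(manifest: dict, current: dict) -> dict:
    """Return {path: 'ok' | 'modified' | 'missing'} for every manifest entry."""
    result = {}
    for path, expected in manifest.items():
        if path not in current:
            result[path] = "missing"
        elif sha256_bytes(current[path]) != expected:
            result[path] = "modified"
        else:
            result[path] = "ok"
    return result


# Constructed event-log export as (ISO timestamp, event id, message) tuples.
# A real export (wevtutil, EVTX parser, SIEM query) would be parsed from
# CSV or EVTX instead of being written inline.
EVENT_LOG = [
    ("2024-03-01T08:00:00", 4624, "logon"),
    ("2024-03-01T08:05:00", 4688, "process created"),
    ("2024-03-01T07:50:00", 4688, "process created"),    # clock moved backwards
    ("2024-03-01T08:10:00", 4688, "process created"),
    ("2024-03-01T15:10:00", 1102, "audit log cleared"),  # 7 h gap, then a clear
    ("2024-03-01T15:11:00", 4624, "logon"),
]

LOG_CLEARED_EVENT_ID = 1102  # Windows Security: "The audit log was cleared"


def find_log_anomalies(entries, max_gap: timedelta = timedelta(hours=1)) -> list:
    """Return (kind, timestamp) pairs for regressions, large gaps and clear events.

    Entries are assumed to be in the order the log recorded them, so a
    timestamp earlier than its predecessor indicates clock tampering or an
    injected record rather than normal operation.
    """
    anomalies = []
    prev = None
    for ts_str, event_id, _msg in entries:
        ts = datetime.fromisoformat(ts_str)
        if prev is not None:
            if ts < prev:
                anomalies.append(("timestamp_regression", ts_str))
            elif ts - prev > max_gap:
                anomalies.append(("gap", ts_str))
        if event_id == LOG_CLEARED_EVENT_ID:
            anomalies.append(("log_cleared", ts_str))
        prev = ts  # compare each record with the one the log placed before it
    return anomalies


if __name__ == "__main__":
    for path, status in verify_manifest(MANIFEST, CURRENT_FILES).items():
        print(f"{status:9} {path}")
    for kind, when in find_log_anomalies(EVENT_LOG):
        print(f"{kind:21} {when}")
```

On the constructed data the manifest check reports notes.txt as missing and the hosts file as modified, and the log scan flags the backwards timestamp, the seven-hour gap and the clear event. In practice the manifest would be written at acquisition time and stored with the evidence, and the gap threshold tuned to the host's normal activity so quiet periods overnight do not drown out real gaps.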
Staying One Step Ahead
Digital forensics experts must continually stay one step ahead of data hiding, destruction and obfuscation techniques and any other anti-forensic measures currently in vogue. In their investigations, they must also bear in mind that anti-forensic measures may serve legitimate purposes such as preserving personal privacy, which can limit the scope of their forensic activities.
Business IT departments are also well-advised to stay abreast of anti-forensic developments and join online communities to share current information that would not compromise their security or intellectual property. Maintaining an ongoing education program with digital forensics engineers is also a wise move.