Countering Anti-Forensic Efforts - Part 1

Oleg Afonin, Danil Nikolaev, Yuri Gubanov © Belkasoft Research

Computer forensic techniques allow investigators to collect evidence from various digital devices. Tools and techniques exist that can recover evidence which is difficult to obtain, including destroyed, locked, or obfuscated data. At the same time, criminals routinely attempt to counter forensic efforts by wiping data, deleting files, and faking or clearing logs, histories and other traces of their activities. Anti-forensic efforts are not limited to this. In this whitepaper, we give a brief overview of common anti-forensic techniques frequently used by suspects who are not high-tech specialists, and of ways to counter them during an investigation.

What this paper does not discuss is the suspects' use of advanced tools dedicated to countering forensic efforts. Instead, we talk about the most common anti-forensic techniques, moving from easy to moderately difficult ones and explaining who might be using these methods and how to counter them.

What Is Anti-Forensics?

Anti-forensics is a set of precautionary measures a user can take to hide traces of their activity, making investigation of digital media more complicated and time-consuming, and potentially rendering evidence of illegal activities difficult or impossible to obtain. Detecting anti-forensic techniques is not always easy, and not always possible, since destroying certain types of evidence may leave no traces anywhere in the system. However, since average users have little to moderate technical knowledge, the anti-forensic attempts they make are often ineffective or obviously visible to an expert.

Moving or Renaming Files

Moving or renaming files that may hold evidence against a suspect is a simple, almost naive form of anti-forensics. By moving certain files (such as those instant messengers use to store conversation histories), or by renaming them or changing their extensions (e.g. renaming an encrypted ZIP archive containing illegal images to something like c:\Windows\System32\drivers\rtvienna32.dat), suspects hope to confuse experts and delay the investigation.

Indeed, locating moved or renamed files is an obstacle for investigators who rely on nothing but their own skills and expertise to find evidence. However, modern computer forensic tools such as Belkasoft Evidence Center automatically analyze media with several techniques, such as evidence search and carving, which locate data by its content rather than by file name or extension.
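As an added illustration (not Belkasoft's code, and not part of the original whitepaper), the following minimal signature check works in the spirit of content-based evidence search: it walks a directory, reads each file's leading bytes, and flags files whose extension does not match their real type, such as a ZIP archive disguised as rtvienna32.dat. The signature table, the allow-list of extensions and the constructed sample tree in demo() are assumptions.

```python
import os
import tempfile
import zipfile

# Well-known leading byte signatures (magic numbers) for a few common types (assumed subset).
SIGNATURES = {b"PK\x03\x04": "zip", b"\x89PNG\r\n\x1a\n": "png",
              b"\xff\xd8\xff": "jpg", b"%PDF-": "pdf"}
# Extensions that legitimately carry each signature (Office documents, JARs and APKs are ZIPs).
EXPECTED_EXT = {"zip": {".zip", ".docx", ".xlsx", ".pptx", ".jar", ".apk", ".odt"},
                "png": {".png"}, "jpg": {".jpg", ".jpeg"}, "pdf": {".pdf"}}

def detect_type(header):
    """Return the type name whose magic bytes start the header, else None."""
    for magic, kind in SIGNATURES.items():
        if header.startswith(magic):
            return kind
    return None

def zip_is_encrypted(path):
    """True if any entry in the ZIP has the 'encrypted' general-purpose flag bit set."""
    try:
        with zipfile.ZipFile(path) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False

def find_mismatches(root):
    """Walk root; return (path, extension, real_type, encrypted) for every mismatch."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                kind = detect_type(fh.read(16))   # only the header is needed
            ext = os.path.splitext(name)[1].lower()
            if kind is not None and ext not in EXPECTED_EXT[kind]:
                hits.append((path, ext, kind, kind == "zip" and zip_is_encrypted(path)))
    return hits

def demo():
    """Constructed sample tree: a ZIP hidden as a .dat 'driver' beside two honest files."""
    root = tempfile.mkdtemp()
    with zipfile.ZipFile(os.path.join(root, "rtvienna32.dat"), "w") as zf:
        zf.writestr("hidden.txt", "constructed sample content")
    with zipfile.ZipFile(os.path.join(root, "report.docx"), "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")   # ZIP signature, allowed ext
    with open(os.path.join(root, "photo.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0" + b"\x00" * 12)        # JPEG header, matching ext
    return find_mismatches(root)
```

Only the disguised archive is reported; the .docx is accepted because Office documents are ZIP containers, which is why an allow-list per signature matters.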
