Difference between revisions of "Anti-forensic techniques"

From ForensicsWiki
Jump to: navigation, search
(Some anti-forensics techniques.)
m
Line 1: Line 1:
'''Anti-forensic techniques''' are engaging in behavior designed to frustrate computer forensic [[techniques]]. This can include refusing to run when [[debugging]] mode is enabled, refusing to run when running inside of a [[virtual machine]], or deliberately overwriting data. Although some anti-forensic tools have legitimate purposes, such as overwriting sensitive data that shouldn't fall into the wrong hands, like any [[Tools|tool]] they can be abused.
+
'''Anti-forensic techniques''' try to frustrate [[forensic investigator]]s and their [[techniques]].
 +
 
 +
This can include refusing to run when [[debugging]] mode is enabled, refusing to run when running inside of a [[virtual machine]], or deliberately overwriting data. Although some anti-forensic tools have legitimate purposes, such as overwriting sensitive data that shouldn't fall into the wrong hands, like any [[Tools|tool]] they can be abused.
  
 
== Secure Data Deletion ==
 
== Secure Data Deletion ==
Line 15: Line 17:
 
== Preventing Data Creation ==
 
== Preventing Data Creation ==
  
Precent the creation of certain data in the first place. Data which was never there, obviously cannot be investigated with forensic methods.
+
Prevent the creation of certain data in the first place. Data which was never there, obviously cannot be restored with forensic methods.
 +
 
 +
== Detecting Forensic Analysis ==
  
 +
There are methods to detect whether an [[investigator]] tries to perform a (live) forensic analysis on the system. A malicious user or program could react to that by destroying evidence, for example.
  
 
== See also ==
 
== See also ==
  
 
* [[Tools#Anti-forensics_Tools]]
 
* [[Tools#Anti-forensics_Tools]]

Revision as of 14:50, 30 March 2006

Anti-forensic techniques try to frustrate forensic investigators and their techniques.

This can include refusing to run when debugging mode is enabled, refusing to run when running inside of a virtual machine, or deliberately overwriting data. Although some anti-forensic tools have legitimate purposes, such as overwriting sensitive data that shouldn't fall into the wrong hands, like any tool they can be abused.

Secure Data Deletion

Securely deleting data, so that it cannot be restored with forensic methods.

Hiding Data

Hiding data where a forensic investigator would not usually look, e.g. using Steganography or other means.

Encrypted Data

Encrypting data, in order to prevent access to it.

Preventing Data Creation

Prevent the creation of certain data in the first place. Data which was never there, obviously cannot be restored with forensic methods.

Detecting Forensic Analysis

There are methods to detect whether an investigator tries to perform a (live) forensic analysis on the system. A malicious user or program could react to that by destroying evidence, for example.

See also