Difference between revisions of "Anti-forensic techniques"

From Forensics Wiki
Jump to: navigation, search
m
m
Line 9: Line 9:
 
== Hiding Data ==
 
== Hiding Data ==
  
Hiding data where a forensic [[investigator]] would not usually look, e.g. using [[Steganography]] or other means.
+
Hiding data where a forensic [[investigator]] would not usually look, e.g. using [[steganography]] or other means.
  
 
== Encrypted Data ==
 
== Encrypted Data ==
  
[[Encryption|Encrypting]] data, in order to prevent access to it.
+
[[Encryption|Encrypting data]], in order to prevent access to it.
  
 
== Preventing Data Creation ==
 
== Preventing Data Creation ==

Revision as of 13:52, 30 March 2006

Anti-forensic techniques try to frustrate forensic investigators and their techniques.

This can include refusing to run when debugging mode is enabled, refusing to run when running inside of a virtual machine, or deliberately overwriting data. Although some anti-forensic tools have legitimate purposes, such as overwriting sensitive data that shouldn't fall into the wrong hands, like any tool they can be abused.

Contents

Secure Data Deletion

Securely deleting data, so that it cannot be restored with forensic methods.

Hiding Data

Hiding data where a forensic investigator would not usually look, e.g. using steganography or other means.

Encrypted Data

Encrypting data, in order to prevent access to it.

Preventing Data Creation

Prevent the creation of certain data in the first place. Data which was never there, obviously cannot be restored with forensic methods.

Detecting Forensic Analysis

There are methods to detect whether an investigator tries to perform a (live) forensic analysis on the system. A malicious user or program could react to that by destroying evidence, for example.

See also