Anti-forensic techniques

From ForensicsWiki
Revision as of 17:33, 9 April 2006 by Nit (Talk | contribs)

Jump to: navigation, search

Anti-forensic techniques try to frustrate forensic investigators and their techniques.

This can include refusing to run when debugging mode is enabled, refusing to run when running inside of a virtual machine, or deliberately overwriting data. Although some anti-forensic tools have legitimate purposes, such as overwriting sensitive data that shouldn't fall into the wrong hands, like any tool they can be abused.

Secure Data Deletion

Securely deleting data, so that it cannot be restored with forensic methods.
Be aware that software 'data destroyers' may not necessaruly do what they state on the burb site. In particular a common mistake is the oversight of how the underlying file system actually stores files, for instance a 'wipe drive' application that will write a series of random values across unallocated space on the hard disk may not take into account the slack space at the end of allocated data blocks. Thus allowing a large portion of old data to still be recoverable. This is a very handy for a forensic analyst, but not so handy for IT Managers.

Hiding Data

Hiding data where a forensic investigator would not usually look, e.g. using steganography or other means.

Encrypted Data

Encrypting data, in order to prevent access to it.

Preventing Data Creation

Prevent the creation of certain data in the first place. Data which was never there, obviously cannot be restored with forensic methods.

Detecting Forensic Analysis

There are methods to detect whether an investigator tries to perform a (live) forensic analysis on the system. A malicious user or program could react to that by destroying evidence, for example.

See also