The following indicators may indicate that the user of a computer system is trying to hide their presence, implicate another individual, convey erroneous information, or otherwise attempt to deceive a forensic analysis or tool.
Unfortuantely, many of the deception indicators are also indicators of good security practice.
File System Indicators
- Files having the wrong extension (e.g. file.jpg instead of file.doc).
- Very large files (may indicate use of cryptographic file systems, virtual machines, etc.)
- Virtual Machine Players (VMWare, VirtualBox, Parallels)
- TrueCrypt or RealCrypt
- PGP files or Volumes
- Encrypted email
- Date or time wrong
- Repeating data over the drive
- Truncated history files
Log File Indicators
Log files that are:
- With time gaps
- With one or more incomplete lines, or other lines that start midway (happens if the attacker removes the last 4K of a file without respect to line boundaries)
- Inconsistencies (e.g. email that is forwarded without being received.)
- Presence or use of VPN software.
- Use of anonymity websites, such as:
- Open Proxy Servers (got a list?)
- Setting a proxy server
- Evidence Eliminator
- list of Drive Cleaner tools; searches for drive cleaning software