Anti-Forensics

Techniques bad actors use to hide their tracks.

Businesses involved in fraud, employees involved in misconduct, and criminals engaged in computer-related crime all frequently take steps to destroy, conceal, or confuse digital evidence. Depending on the user’s level of sophistication, these efforts can cause critical evidence to be unrecoverable or inadmissible. There are four primary categories of anti-forensics:

Artifact Wiping

The simplest way to prevent the forensic collection of data is to destroy it. Users may employ a variety of techniques to delete files or wipe drives to prevent detection of their illicit activities. In most file systems an ordinary delete only removes the directory entry and marks the space as free; the file's contents remain on disk until something overwrites them. This anti-forensic method can therefore be effective only if the right approach is used, and often the malicious user is not thorough, so data can be recovered from unallocated space, temporary copies, or backups. Wholesale deletion of data is also suspicious and easy to detect in many cases, so it may increase scrutiny of the user even when it is effective.
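
The difference between deleting and wiping, as an added example (not ArcherHall's code): a toy disk image with a separate directory structure, a first-fit block allocator, and a signature carver. The block layout, the allocator, and the sample PDF are all constructed for the demonstration; the point it shows is that "delete" leaves every content byte in place, so a carver that ignores the directory still finds the file, while an overwrite of the file's blocks defeats that carver.

```python
# Added example, not ArcherHall's code: a toy disk image showing why "delete"
# is not "wipe". Block layout, allocator and the sample PDF are constructed.
import re

BLOCK_SIZE = 512
BLOCK_COUNT = 16

# A minimal carver: look for a PDF header and trailer anywhere in the raw
# image, ignoring the directory entirely. Recovery tools work the same way.
PDF_PATTERN = re.compile(rb"%PDF-.*?%%EOF", re.DOTALL)


class ToyDisk:
    """A flat byte image plus a directory kept in a separate structure.

    'entries' plays the role of file-system metadata (names, block lists);
    'image' holds the actual content blocks.
    """

    def __init__(self):
        self.image = bytearray(BLOCK_SIZE * BLOCK_COUNT)
        self.entries = {}                          # name -> list of block numbers
        self.free_blocks = list(range(BLOCK_COUNT))

    def listing(self):
        """What a normal directory listing shows: metadata only."""
        return sorted(self.entries)

    def write(self, name, data):
        needed = -(-len(data) // BLOCK_SIZE)       # ceiling division
        if needed > len(self.free_blocks):
            raise OSError("disk full")
        blocks = self.free_blocks[:needed]         # first-fit allocation
        del self.free_blocks[:needed]
        for i, b in enumerate(blocks):
            chunk = data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
            self.image[b * BLOCK_SIZE:b * BLOCK_SIZE + len(chunk)] = chunk
        self.entries[name] = blocks

    def delete(self, name):
        """Ordinary deletion: drop the directory entry, mark the blocks free,
        and touch none of the content bytes."""
        blocks = self.entries.pop(name)
        self.free_blocks = sorted(self.free_blocks + blocks)

    def wipe(self, name):
        """Overwrite every block the file occupied, then delete the entry."""
        for b in self.entries[name]:
            self.image[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE] = bytes(BLOCK_SIZE)
        self.delete(name)


def carve_pdfs(image):
    """Recover PDF-looking objects from raw bytes, allocated or not."""
    return PDF_PATTERN.findall(bytes(image))


# Constructed sample document (not a real file).
SAMPLE_PDF = b"%PDF-1.7\n1 0 obj\n<< /Title (Invoice 4471) >>\nendobj\n%%EOF"


def recover_after_delete():
    """Returns (directory listing, carved documents) after a plain delete."""
    disk = ToyDisk()
    disk.write("invoice.pdf", SAMPLE_PDF)
    disk.delete("invoice.pdf")
    return disk.listing(), carve_pdfs(disk.image)


def recover_after_wipe():
    """Returns (directory listing, carved documents) after an overwrite."""
    disk = ToyDisk()
    disk.write("invoice.pdf", SAMPLE_PDF)
    disk.wipe("invoice.pdf")
    return disk.listing(), carve_pdfs(disk.image)


if __name__ == "__main__":
    print("after delete:", recover_after_delete())   # listing empty, one PDF carved
    print("after wipe:  ", recover_after_wipe())     # listing empty, nothing carved
```

The wipe here covers only the blocks of the one file on the one image. On a real system the same bytes may also live in temporary files, application caches, file-system journals, volume snapshots, and backups, which is why even a correctly overwritten file is often recoverable from somewhere else, and why an examiner checks those sources before concluding that data is gone.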

Data Hiding

If the user wants to continue accessing the data, they may decide to hide it instead of destroying it. An unsophisticated user may rely on complex folder structures or misleading file names and extensions to fool investigators, not realizing that forensic tools identify files by their content (signatures, hashes, and keyword hits) rather than by their names, so these methods are easily penetrated.

More sophisticated users may employ encryption. This is an effective technique: properly implemented encryption cannot practically be deciphered without the key, so the investigation then depends on recovering the key or passphrase rather than on breaking the cipher. An exceptionally clever user can make it difficult to prove whether the data is even encrypted at all, since well-encrypted content looks like random bytes, further increasing the challenge for investigators.
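
Both points above, misleading names and hard-to-prove encryption, come down to looking at content instead of labels. The following is an added example (not ArcherHall's code) of a content-based triage pass: it identifies files by their leading bytes rather than their extension, and it measures byte entropy to surface blobs that are probably encrypted or compressed. The signature table uses real magic numbers; the entropy threshold, the alias table, and the sample files are constructed assumptions for the demonstration.

```python
# Added example, not ArcherHall's code: content-based triage that ignores
# file names and folder structure. Threshold and sample files are constructed.
import hashlib
import math
from collections import Counter

# Leading bytes of a few common formats (real magic numbers).
SIGNATURES = {
    b"%PDF-": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip",
    b"\xff\xd8\xff": "jpg",
}
# Formats that are already compressed: high entropy is expected for them.
COMPRESSED = {"png", "zip", "jpg"}
ALIASES = {"jpeg": "jpg"}
ENTROPY_THRESHOLD = 7.5   # bits per byte; an assumed cut-off, tune per case


def sniff(data):
    """Identify content by signature, not by name. None if unknown."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for a constant file, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(name, data):
    """Return a list of findings for one file; empty means nothing notable."""
    findings = []
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    ext = ALIASES.get(ext, ext)
    kind = sniff(data)
    if kind is not None and kind != ext:
        findings.append(f"content is {kind} but name says .{ext or '(none)'}")
    h = shannon_entropy(data)
    if h >= ENTROPY_THRESHOLD and kind not in COMPRESSED:
        # A lead, not proof: encrypted and compressed data look alike.
        findings.append(f"entropy {h:.2f} bits/byte: possibly encrypted or compressed")
    return findings


def scan(files):
    """Map each file name to its findings, keeping only files with findings."""
    report = {}
    for name, data in files.items():
        findings = triage(name, data)
        if findings:
            report[name] = findings
    return report


def constructed_samples():
    """Constructed inputs for the demonstration (not real evidence)."""
    # 4096 deterministic, random-looking bytes standing in for ciphertext.
    random_like = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
    return {
        "quarterly_notes.txt": b"Meeting notes for Q3. " * 100,   # plain text, low entropy
        "holiday.jpeg": b"\xff\xd8\xff\xe0" + random_like,        # JPEG, high entropy is normal
        "budget_v2.txt": b"%PDF-1.4\n" + b"stream data " * 50,     # PDF hiding behind .txt
        "old_driver.bin": random_like,                             # no header, random bytes
    }


if __name__ == "__main__":
    for name, findings in scan(constructed_samples()).items():
        print(name, "->", "; ".join(findings))
```

Expect the renamed PDF and the headerless random blob to be reported, and the plain text and the correctly named JPEG to pass. The entropy flag only says that the bytes carry no visible structure; distinguishing an encrypted container from a compressed archive or a key file takes other evidence, such as surrounding metadata, the application that wrote it, or the key material itself.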

Trail Obfuscation

Crafty individuals may attempt to hide their tracks by changing metadata, such as file timestamps, or otherwise modifying the data so that it becomes difficult to investigate or difficult to use in court. Malicious users may also sidetrack an investigation by leaving false clues, leading an examiner down the wrong track. Such changes rarely reach every place that records the same fact (file-system journals, logs, and backups keep their own copies), so inconsistencies between sources are often how the tampering is detected.
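
Timestamp tampering is the most common form of this, and it is usually caught by comparing one record against another. The following is an added example (not ArcherHall's code) of two such checks run over constructed file records. The record layout mimics the two timestamp sets an NTFS file carries, the user-visible $STANDARD_INFORMATION set and the kernel-maintained $FILE_NAME set, but this is not a real MFT parser; the field names, the records, and the file names in them are constructed for the demonstration.

```python
# Added example, not ArcherHall's code: timestamp-tampering checks over
# constructed file records. Not a real MFT parser; field names are assumed.
from datetime import datetime

# The three $STANDARD_INFORMATION times a user-mode program can set directly.
SI_FIELDS = ("si_created", "si_modified", "si_accessed")


def check_record(rec):
    """Return a list of indicators for one record; empty means consistent."""
    findings = []
    # 1. The $FILE_NAME created time is maintained by the kernel and is not
    #    reachable through the ordinary file-time API, while the $SI times
    #    are. A tool that back-dates a file normally moves only $SI, leaving
    #    $SI created earlier than $FN created.
    if rec["si_created"] < rec["fn_created"]:
        findings.append("$SI created predates $FN created")
    # 2. NTFS stores timestamps with 100 ns precision. Tools that set times
    #    from a human-entered date tend to write whole seconds, so a record
    #    whose $SI times all have a zero fractional part stands out.
    if all(rec[f].microsecond == 0 for f in SI_FIELDS):
        findings.append("all $SI timestamps have a zero sub-second part")
    return findings


def scan_records(records):
    """Map file name to findings for every record that has any."""
    report = {}
    for rec in records:
        findings = check_record(rec)
        if findings:
            report[rec["name"]] = findings
    return report


def constructed_records():
    """Constructed records for the demonstration (not from a real volume)."""
    return [
        {   # Ordinary file: $SI and $FN agree, sub-second parts are populated.
            "name": "report.docx",
            "si_created": datetime(2024, 3, 4, 9, 15, 22, 482913),
            "si_modified": datetime(2024, 3, 6, 17, 40, 3, 115207),
            "si_accessed": datetime(2024, 3, 7, 8, 2, 41, 990004),
            "fn_created": datetime(2024, 3, 4, 9, 15, 22, 482913),
        },
        {   # Back-dated file: $SI set to a round 2019 date, $FN still 2024.
            "name": "update.dll",
            "si_created": datetime(2019, 7, 12, 10, 0, 0),
            "si_modified": datetime(2019, 7, 12, 10, 0, 0),
            "si_accessed": datetime(2019, 7, 12, 10, 0, 0),
            "fn_created": datetime(2024, 3, 6, 23, 58, 14, 301772),
        },
    ]


if __name__ == "__main__":
    for name, findings in scan_records(constructed_records()).items():
        print(name, "->", "; ".join(findings))
```

Both indicators are leads rather than proof: files that were moved or renamed can legitimately show $SI earlier than $FN, and some legitimate software writes whole-second times. The examiner corroborates a hit with independent records, such as the change journal, event logs, or a backup taken before the suspected tampering, which is also the practical answer to the tool-level attacks described in the next section.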

Attacks Against Forensic Tools

The most sophisticated offenders have a thorough understanding of the common forensic tools and may attempt to exploit their weaknesses, for example by crafting data that a tool mishandles or misreports. An examiner must rely on experience, judgment, and the application of multiple independent tools to ensure the results of an investigation are accurate, replicable, and defensible in court.

ArcherHall