resources 9 Primers 9 Anti-Forensics


Techniques bad actors use to hide their tracks.

Businesses involved in fraud, employees involved in misconduct, and criminals engaged in computer-related crime all frequently take steps to destroy, conceal, or confuse digital evidence. Depending on the user’s level of sophistication, these efforts can cause critical evidence to be unrecoverable or inadmissible. There are four primary categories of anti-forensics:

Artifact Wiping

The simplest way to prevent the forensic collection of data is to destroy it. Users may employ a variety of techniques to delete files or drives to prevent detection of their illicit activities. This anti-forensic method can be effective if the right approach is used, but often the malicious user is not thorough and data can be recovered. Wholesale deletion of data is also suspicious and easy to detect in many cases, so it may increase scrutiny of the user even when it’s effective.

Data Hiding

If the user wants to continue accessing the data, they may decide to hide it, instead of destroying it. An unsophisticated user may rely on complex folder structures or misleading file names to fool investigators, not realizing that these methods are easily penetrated by forensic tools.

More sophisticated users may employ encryption. This is an effective technique, and sufficiently advanced encryption can be difficult or impossible to decipher without the encryption key. An exceptionally clever user can make it difficult to prove whether the data is even encrypted at all, further increasing the challenge for investigators.

Trail Obfuscation

Crafty individuals may attempt to hide their tracks by changing metadata, such as timestamps, or otherwise modifying the data in such a way that it becomes difficult to investigate or difficult to use in court. Malicious users may also sidetrack an investigation by leaving false clues, leading an examiner down the wrong track.

Attacks Against Forensic Tools

The most sophisticated offenders have a thorough understanding of the common forensic tools and may attempt to exploit their weaknesses. An examiner must rely on experience, judgement, and application of multiple tools to ensure the results of an investigation are accurate, replicable, and defensible in court.

Related Articles

Accessing Evidence From Windows Prefetch

Accessing Evidence From Windows Prefetch

Windows Prefetch Accessing Prefetch Files for Forensic Analysis. A digital forensic investigation often aims to determine the activities of a user on a computer. Prefetch files are an important type...

read more
Collecting from Office 365

Collecting from Office 365

Collecting from Office 365 Office 365 offers eDiscovery and searching within the platform, for administrators or any authorized users to run searches and review/monitor user activity.Content Search...

read more


Give us a call at (855) 839-9084

Or send us a message and we’ll get back to you right away.