The Prevalence Of Anti-Forensics Tools And The Difficulties They Present To Computer Forensics

4 June 2010

As more and more individuals and businesses choose to conduct their affairs via computers and the internet, so the threat of computer crime increases. From intellectual property theft to the downloading of indecent images, investigations of computer crimes require the assistance of computer forensics specialists.

Computer forensics focuses on extracting legal evidence from computers and other electronic devices. This might include examining internet logs for evidence of websites visited, recovering files after they have been deleted, or detecting the use of a USB storage device even after it has been removed.

Unfortunately, just as computer forensic experts are able to create tools to collect and analyse data, criminals are setting about creating ‘anti-forensics’ tools to frustrate criminal investigations. These tools aim to remove, corrupt or disguise data so as to make it more difficult or impossible to recover.

A common anti-forensics method is ‘overwriting’, which aims to wipe evidence entirely by overwriting data with new data at exactly the same position on the hard drive. In some cases, however, the file itself is not the only evidence that wrongdoing has taken place. For example, if a person possessing an indecent image of a child were to use an overwriting tool to remove it, this would not remove traces from the computer’s ‘registry’, which might include a thumbnail of the image.

Similarly, a ‘time stamp’ is typically created in the registry every time a file is created, modified, accessed or changed, and this information is not removed when files are deleted. However, there are tools which will remove this registry data, as well as tools that can prevent it from ever being written.
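The article notes that time stamps can be removed or suppressed by anti-forensics tools. From the examiner's side, the usual response is to look for the traces that tampering leaves behind. The following is an added example, not code from the original article or its author: it runs three simple heuristics over file time stamps that have already been exported from an NTFS volume (the four stamps per file that NTFS keeps: created, modified, accessed and MFT-entry modified). The `INSTALL_TIME` value and the three file records are constructed for illustration; the thresholds are assumptions, and each hit is an indicator to examine, not proof of tampering.

```python
"""Heuristic checks for signs of time-stamp tampering ("timestomping").

Added example, not part of the original article. Assumes the examiner
has already extracted per-file NTFS time stamps into Python datetimes;
the records below are constructed, not taken from a real case.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class FileTimes:
    path: str
    created: datetime
    modified: datetime
    accessed: datetime
    entry_modified: datetime  # NTFS $MFT record change time


# Hypothetical operating-system install time for the examined volume; a
# real examination would take this from the volume or the registry.
INSTALL_TIME = datetime(2009, 3, 15, 9, 12, 44, 318000)

# How far the MFT-entry time may trail the user-visible stamps before we
# flag it (assumed threshold).
ENTRY_LAG = timedelta(days=1)


def check_file(ft: FileTimes) -> List[str]:
    """Return a list of human-readable findings for one file (empty = clean)."""
    findings: List[str] = []
    user_stamps = {"created": ft.created, "modified": ft.modified,
                   "accessed": ft.accessed}

    # 1. NTFS stores 100 ns resolution, but tools that rewrite stamps from
    #    user mode often set whole seconds only. Three stamps that all have
    #    a zero sub-second part are therefore worth a closer look.
    if all(t.microsecond == 0 for t in user_stamps.values()):
        findings.append("all user-visible time stamps have zero sub-second part")

    # 2. A stamp earlier than the OS installation can be legitimate (copied
    #    from older media) but is a common side effect of back-dating.
    for name, t in list(user_stamps.items()) + [("entry_modified", ft.entry_modified)]:
        if t < INSTALL_TIME:
            findings.append(f"{name} predates volume install time")

    # 3. The $MFT entry time is not settable through the normal file API.
    #    If it is much newer than every user-visible stamp, those stamps
    #    may have been rewritten after the fact.
    if ft.entry_modified - max(user_stamps.values()) > ENTRY_LAG:
        findings.append("entry_modified is more than a day after user-visible stamps")

    return findings


def scan(records: List[FileTimes]) -> Dict[str, List[str]]:
    """Map each path with at least one finding to its findings."""
    return {ft.path: f for ft in records if (f := check_file(ft))}


# Constructed sample records: one clean file, one showing the classic
# stomping pattern, and one old file copied onto the volume (a false hit).
SAMPLES = [
    FileTimes("C:/Users/alice/report.docx",
              created=datetime(2010, 1, 4, 10, 3, 12, 457211),
              modified=datetime(2010, 2, 11, 16, 20, 5, 102334),
              accessed=datetime(2010, 2, 11, 16, 20, 5, 102334),
              entry_modified=datetime(2010, 2, 11, 16, 20, 5, 102334)),
    FileTimes("C:/Users/alice/Pictures/holiday.jpg",
              created=datetime(2005, 6, 1, 12, 0, 0),
              modified=datetime(2005, 6, 1, 12, 0, 0),
              accessed=datetime(2005, 6, 1, 12, 0, 0),
              entry_modified=datetime(2010, 5, 29, 23, 41, 7, 882115)),
    FileTimes("C:/Users/alice/archive/old_notes.txt",
              created=datetime(2010, 4, 2, 8, 15, 30, 5500),
              modified=datetime(2007, 11, 20, 14, 2, 51, 900412),
              accessed=datetime(2010, 4, 2, 8, 15, 30, 5500),
              entry_modified=datetime(2010, 4, 2, 8, 15, 30, 5500)),
]

if __name__ == "__main__":
    for path, findings in scan(SAMPLES).items():
        print(path)
        for line in findings:
            print("  -", line)
```

The third record is deliberately included: a file restored from an old archive trips the install-time check without any tampering, which is why an examiner corroborates hits against other artefacts rather than treating a single heuristic as conclusive.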

Another anti-forensics method, known as ‘cryptography’, looks to make evidence unreadable by adding password-protected encryption to every file. This means that, by default, every file will appear as unintelligible character strings unless the user enters a password. In addition, a method known as ‘steganography’ takes this further by masking all encrypted data with innocent cover text to act as a decoy against detection.

All of these techniques, while not entirely infallible, can make the job of the computer forensic analyst very difficult. In some cases, simply slowing an investigation down can be enough to affect the outcome of a court case or employment tribunal if evidence cannot be extracted in time to be introduced. In response to this, prosecutors in some recent legal cases have attempted to argue that uncovering evidence of the use of anti-forensics tools, such as encrypted files or the conspicuous absence of registry entries, is in itself an indication of wrongdoing.
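The two passages above describe encrypted files as "unintelligible character strings" and note that their presence may itself be put forward as evidence. An examiner's first step in finding such files is usually statistical triage: encrypted data has near-maximal byte entropy, while ordinary documents do not. The following is an added example, not code from the original article, showing that triage in Python. The sample inputs are constructed in the code; the entropy threshold and the small table of file signatures are assumptions, and compressed files (zip, jpeg, png) also score high, which is why the check looks for a recognised header before flagging a file.

```python
"""Entropy-based triage for locating possibly encrypted files.

Added example, not part of the original article. Sample data is
constructed inline; the threshold and signature table are assumptions.
"""
import math
import random
from collections import Counter
from typing import Dict

# Bytes per symbol above which data looks random. Well-formed encrypted or
# compressed data typically scores above 7.9 out of a maximum of 8.0;
# English text sits around 4 to 5. Threshold is an assumed triage value.
HIGH_ENTROPY = 7.5

# A few well-known file signatures. Compressed formats legitimately have
# high entropy, so a recognised header suppresses the "suspect" flag.
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"PK\x03\x04": "zip/office",
    b"%PDF": "pdf",
}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or constant input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def identify(data: bytes) -> str:
    """Return a format name from the signature table, or 'unknown'."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def triage(data: bytes, threshold: float = HIGH_ENTROPY) -> Dict[str, object]:
    """Classify one file's bytes; 'suspect' means high entropy with no known header."""
    kind = identify(data)
    entropy = shannon_entropy(data)
    return {
        "kind": kind,
        "entropy": round(entropy, 3),
        "suspect": entropy >= threshold and kind == "unknown",
    }


# Constructed samples: plain English text, random bytes standing in for
# ciphertext, and random bytes behind a PNG header standing in for an
# ordinary compressed image.
_rng = random.Random(7)
RANDOM_BYTES = bytes(_rng.getrandbits(8) for _ in range(4096))
TEXT = (b"The quick brown fox jumps over the lazy dog. "
        b"Computer forensics focuses on extracting evidence. ") * 40
PNG_LIKE = b"\x89PNG\r\n\x1a\n" + RANDOM_BYTES

if __name__ == "__main__":
    for name, blob in [("text", TEXT), ("random", RANDOM_BYTES), ("png-like", PNG_LIKE)]:
        print(f"{name:9s} {triage(blob)}")
```

On a real examination the same `triage` function would be applied to every file on the image, with the "suspect" list then checked by hand: a high-entropy file with no header is a candidate for an encrypted container, but it can equally be a compressed file in a format outside the signature table, so the result narrows the search rather than settling it.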

Precedent is yet to be firmly set on this issue, but it can prove a powerful factor in jury-led cases, especially since computer forensic experts are often called to give evidence of opinion as well as evidence of fact, and so may be asked to state whether they feel that the lack of evidence implies guilt.

Whatever path the law takes in this matter, there is no doubt that those involved in the world of computer forensics will have to work hard to keep up with an ever more advanced arsenal of tools designed to thwart them.
