
10/19/2017 Anti-Digital Forensics, The Next Challenge

Anti-Digital Forensics, The Next Challenge
Tue, 08/21/2012 - 1:00am by John J. Barbara

Computer hard drives are often analyzed for the presence of child pornography. When an examiner finds potentially incriminating .jpgs, a timeline can usually be established regarding when they were created. Their respective timestamps form the basis for the timeline. On an NTFS file system, timestamps are stored in the Master File Table (MFT) and are comprised of a Last Modified Time (M), a Last Accessed Time (A), a File Created Time (C), and the Entry Modified Time (E). Although originally intended to be used for accounting purposes by the operating system, timestamps are relied upon by examiners and investigators to establish timelines of criminal activity. For instance, since the C-timestamp is updated when a file is created, this is probative information that someone had access to the computer. Potentially, this may be sufficient presumptive evidence to incriminate a subject if he/she can be placed within the timeline.

There is a general consensus in the digital forensic community that commonly used forensic imaging and analysis tools provide accurate, reliable data. In some instances, the tools do not find any probative data in either active or unallocated space. The judicial system tends to accept these results as proof of guilt and/or innocence. Vendor-specific training courses focus primarily upon teaching examiners how to use their tool(s). Most tools utilize point-and-click technology which automatically initiates the built-in functionalities. Generally, an in-depth knowledge of Digital Forensics is not necessary for an examiner to use these tools. However, this can lead to a false sense that the tools can always be relied upon to provide accurate, probative data.

WHAT IS ANTI-DIGITAL FORENSICS?

In the last several years, the term Anti-Forensics (AF) has entered the vernacular in the Digital Forensics discipline. Currently, there is no agreed-upon definition. To clearly articulate its relationship to the discipline and differentiate it from forensics in general, the term Anti-Digital Forensics (ADF) is proposed as a better moniker. Conceptually, ADF concerns an approach to manipulate, erase, or obfuscate digital data or to make its examination difficult, time consuming, or virtually impossible. This concept is not new. Indeed, many hackers have been using rootkits for years to compromise computer systems. Once a system becomes compromised, the intruder can cause all sorts of malicious damage, such as stealing proprietary data, deleting files, initiating denial of service attacks, and so forth. Likewise, with some readily available tools, a user can easily modify the MACE timestamps to make it appear that files were created when the user was not present. So much for the reliability and accuracy of timestamps!
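The MFT layout described earlier (the C, M, E and A times held in the $STANDARD_INFORMATION attribute) and the timestamp manipulation this paragraph warns about are easier to reason about with a small parser in hand. The following Python is an added example written for this article, not code from the author or from any forensic tool. The MFT records in it are constructed, and the two indicators it checks (a $STANDARD_INFORMATION creation time earlier than the $FILE_NAME creation time, and zero sub-second values on the three times a user-mode API can set) are examiner heuristics that call for corroboration, not proof of tampering on their own.

```python
"""Parse the four MACE timestamps of an NTFS $STANDARD_INFORMATION ($SI) and
$FILE_NAME ($FN) attribute and flag the inconsistencies that timestamp
manipulation commonly leaves behind. Added example written for this article;
the MFT records below are constructed, not taken from any case."""
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond intervals since 1601-01-01 00:00:00 UTC
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000


def filetime_to_datetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def build_mace_block(c: datetime, m: datetime, e: datetime, a: datetime) -> bytes:
    """Serialize four times in on-disk order: Created, Modified, MFT-entry
    Modified, Accessed. $SI starts with these 32 bytes; $FN carries the same
    32 bytes right after its 8-byte parent directory reference."""
    return struct.pack("<4Q", *(datetime_to_filetime(t) for t in (c, m, e, a)))


def parse_mace(block: bytes) -> dict:
    c, m, e, a = struct.unpack("<4Q", block[:32])
    return {"C": c, "M": m, "E": e, "A": a}


def timestomp_indicators(si: dict, fn: dict) -> list:
    """Return human-readable findings; an empty list means nothing stood out."""
    findings = []
    # $FN times are written by the kernel when the file is created, renamed or
    # moved and cannot be set through the user-mode SetFileTime API, so an $SI
    # creation time earlier than the $FN creation time is inconsistent with a
    # normal file lifecycle.
    if si["C"] < fn["C"]:
        findings.append("$SI created precedes $FN created")
    # SetFileTime can set C, M and A but not E. Tools that work at one-second
    # granularity leave all three with a zero fractional second, which genuine
    # NTFS timestamps almost never have.
    if all(si[k] % TICKS_PER_SECOND == 0 for k in ("C", "M", "A")):
        findings.append("$SI C/M/A all have a zero sub-second component")
    return findings


# Constructed records. "real" is when the file was actually written.
real = datetime(2012, 8, 21, 10, 15, 30, 123456, tzinfo=timezone.utc)
NORMAL_SI = build_mace_block(real, real, real, real)
NORMAL_FN = build_mace_block(real, real, real, real)

# The same file after its $SI times were pushed back to a round date; E still
# reflects the moment the MFT record was last rewritten, and $FN is untouched.
backdated = datetime(2010, 1, 1, 0, 0, 0, tzinfo=timezone.utc)
rewritten = real + timedelta(seconds=1, microseconds=400000)
STOMPED_SI = build_mace_block(backdated, backdated, rewritten, backdated)
STOMPED_FN = NORMAL_FN

if __name__ == "__main__":
    for label, si, fn in (("normal", NORMAL_SI, NORMAL_FN), ("stomped", STOMPED_SI, STOMPED_FN)):
        s = parse_mace(si)
        print(label, filetime_to_datetime(s["C"]).isoformat(), timestomp_indicators(s, parse_mace(fn)))
```

Two caveats for anyone applying this to a real image: $FN times are refreshed from $SI when a file is renamed or moved, so a file renamed after its times were altered will pass the first check, and the E time, which the API cannot set, is then the value worth comparing against the rest; and a zero sub-second component is only unusual for files written by Windows itself, since files copied from FAT media or some archive formats legitimately carry coarse timestamps.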

Some readers of this column may question the discussion of this topic in such an open forum. They may object to potentially providing information to a suspect that can aid him or her to make analysis difficult or impossible. However, the overriding concern is to make examiners in the community aware of ADF. There are many tools, methods, and techniques readily available that can affect the digital information, potentially causing it to be inaccurate and unreliable. One of the pioneers in this field equates it to whistleblowing:

"Is it responsible to make these tools available? That's a valid question. But forensic people don't know how good or bad their tools are, and they're going to court based on evidence gathered with those tools. You should test the validity of the tools you're using before you go to court. That's what we've done, and guess what? These tools can be fooled. We've proven that. [for any case that relies on digital forensic evidence] It would be a cakewalk to come in and blow the case up. I can take any machine and make it look guilty, or not guilty. Whatever I want." (1)


GENERAL CATEGORIES OF ANTI-DIGITAL FORENSICS

ADF techniques can be categorized based upon their intended actions or the effect they have: overwriting data and metadata (wiping); hiding data (steganography, cryptography, and low-tech methods); obfuscation of data; and exploitation of bugs in forensic tools. Each category will be discussed in general terms. No specific ADF tools will be identified.

Overwriting data and metadata: The intent is to destroy any potentially incriminating data (evidence). Many tools are available that can readily wipe files, directories, partitions, and hard drives. Examiners use some of these same tools to sterilize forensic hard drives before using them for the acquisition and analysis of data. Most tools overwrite the data with a selected character, such as a 0, or use random numbers. Tool options usually allow for overwriting the data once for a quick wipe or any number of times for a more secure wipe. Multiple overwrites can make data recovery a virtually impossible task. During analysis, it is not uncommon to find thousands of sectors on a suspect's hard drive all containing zeros. This is probably a good indication that something has been wiped from the hard drive. There are several high-tech, esoteric methods that can be used to try to recover data that has been wiped; however, the methodology, equipment, tools, and costs are far beyond the reach of most examiners.
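The observation that thousands of zero-filled sectors point to wiping is something an examiner can turn into a first-pass scan over a raw image. The following Python is an added example written for this article, not a tool the author names or a product's code; the disk image it scans is constructed in the script. It reports runs of sectors that are all zeros, filled with one repeated byte (a character wipe with something other than 0), or statistically random (a random-data wipe), using a per-sector Shannon entropy threshold that is an assumption of this example.

```python
"""Walk a raw disk image in 512-byte sectors and report long runs of sectors
that are zero-filled, filled with one repeated byte, or statistically random,
the patterns that character wipes and random-data wipes leave behind.
Added example written for this article; the image below is constructed."""
import math
import random
from collections import Counter

SECTOR = 512
RANDOM_ENTROPY_THRESHOLD = 7.0   # bits per byte (assumed); 8.0 is the theoretical maximum


def sector_entropy(data: bytes) -> float:
    """Shannon entropy of the byte-value distribution, in bits per byte."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(sector: bytes) -> str:
    if not any(sector):
        return "zero"
    if len(set(sector)) == 1:
        return "constant"           # wiped with a single non-zero character
    if sector_entropy(sector) >= RANDOM_ENTROPY_THRESHOLD:
        return "random"             # random overwrite, but encrypted or compressed data scores the same
    return "other"


def find_wipe_runs(image: bytes, min_run: int = 8) -> list:
    """Return (first_sector, length, kind) for every run of zero, constant or
    random sectors at least min_run sectors long."""
    total = len(image) // SECTOR
    runs, start, kind = [], 0, None
    for i in range(total + 1):
        current = classify(image[i * SECTOR:(i + 1) * SECTOR]) if i < total else None
        if current != kind:
            if kind in ("zero", "constant", "random") and i - start >= min_run:
                runs.append((start, i - start, kind))
            start, kind = i, current
    return runs


# Constructed image: ordinary text, a zero-wiped region, a random-wiped region,
# a region wiped with 0xFF, then text again.
_rng = random.Random(2012)
TEXT_SECTOR = (b"constructed document text, not evidence. " * 20)[:SECTOR]
ZERO_SECTOR = bytes(SECTOR)
RANDOM_SECTORS = b"".join(bytes(_rng.randrange(256) for _ in range(SECTOR)) for _ in range(16))
FF_SECTOR = b"\xff" * SECTOR
IMAGE = TEXT_SECTOR * 16 + ZERO_SECTOR * 32 + RANDOM_SECTORS + FF_SECTOR * 8 + TEXT_SECTOR * 8

if __name__ == "__main__":
    for first, length, kind in find_wipe_runs(IMAGE):
        print(f"sectors {first}-{first + length - 1}: {length} x {kind}")
```

Runs of random sectors are a lead rather than a finding: compressed pictures, archives and encrypted volumes produce the same entropy, so each such run needs to be mapped back to the file system (allocated file, slack, or unallocated) before it is described as wiped space.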

Hiding data (steganography, cryptography, and low-tech methods): Although steganography (hidden writing) has been around for thousands of years, today it pertains to the concealment of digital information within a computer file (termed the carrier file). Steganography tools, available since the 1990s, function by hiding digital data (text or pictures) in a manner such that only the sender and the recipient know that it is there. Often digital pictures are used as carrier files. The steganography tools can change the least significant bits (the rightmost bit in a binary integer) in a picture and replace them with the corresponding bits from the data being hidden. For instance, to hide a text message, the sender might adjust the color of every 50th pixel in a .jpg to correspond to a letter in the text to be hidden. Once this is done, the .jpg will not be visually different in its appearance even though its pixels have been changed. The only way to know if the .jpg was altered is to check its size in bytes or its hash value against its original, unaltered values. Obviously, those original values would have to be known and documented somewhere. Examiners need to look for the presence of steganography tools on the suspect's computer. If no tools are discovered, possibly their artifacts can be found in the registry. To aid in this process, there are some commercially available tools that can detect the presence of steganography applications and their artifacts.
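The check this paragraph describes, comparing a carrier file's size and hash against documented originals, is shown below as an added example written for this article; it is not the author's code or any product's. The carrier is a constructed 8-bit grayscale raster rather than a real .jpg, the file name is made up, and the altered copy simply inverts the least significant bit of every 50th pixel (echoing the paragraph's illustration) without encoding any message, so the reader can see what the change looks like to an examiner.

```python
"""Compare a carrier picture against its documented baseline (size in bytes and
SHA-256), the check the article names for detecting an LSB-altered image.
Added example written for this article; the carrier is a constructed 8-bit
grayscale raster, not a real .jpg, and 'carrier.raw' is a made-up name."""
import hashlib


def record_baseline(name: str, data: bytes) -> dict:
    """What should be documented while the original is still known-good."""
    return {"name": name, "size": len(data), "sha256": hashlib.sha256(data).hexdigest()}


def verify_against_baseline(baseline: dict, data: bytes) -> list:
    """Return mismatches; an empty list means the file is byte-identical."""
    problems = []
    if len(data) != baseline["size"]:
        problems.append("size mismatch")
    if hashlib.sha256(data).hexdigest() != baseline["sha256"]:
        problems.append("sha256 mismatch")
    return problems


def max_pixel_delta(a: bytes, b: bytes) -> int:
    """Largest per-pixel difference between two same-size 8-bit rasters."""
    return max(abs(x - y) for x, y in zip(a, b))


# Constructed 64x64 grayscale gradient standing in for the carrier picture
WIDTH = HEIGHT = 64
CARRIER = bytes((x + y) % 256 for y in range(HEIGHT) for x in range(WIDTH))
BASELINE = record_baseline("carrier.raw", CARRIER)

# Constructed altered copy: the least significant bit of every 50th pixel is
# inverted. No message is encoded; the point is what such a change looks like.
ALTERED = bytes(v ^ 1 if i % 50 == 0 else v for i, v in enumerate(CARRIER))

if __name__ == "__main__":
    print("original:", verify_against_baseline(BASELINE, CARRIER))
    print("altered :", verify_against_baseline(BASELINE, ALTERED))
    print("max pixel change:", max_pixel_delta(CARRIER, ALTERED))
```

Two things the run makes concrete: replacing least significant bits leaves the byte count unchanged, so the size comparison alone will not catch it and the hash is the value that matters; and the largest pixel change is 1 on a 0 to 255 scale, which is why the altered picture looks identical. Both depend on the baseline having been recorded before the file was ever in question, which is the point the paragraph makes about documentation.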

1. The Rise of Anti-Forensics. Scott Berinato, CSO, June 08, 2007 (www.csoonline.com).

John J. Barbara is a Crime Laboratory Analyst Supervisor with the Florida Department of Law Enforcement (FDLE) in Tampa, FL. An ASCLD/LAB inspector since 1993, John has conducted inspections in several forensic disciplines including Digital Evidence. John is the General Editor for the Handbook of Digital & Multimedia Evidence published by Humana Press.
