Understanding Counter-Forensics to Ensure a

Understanding Counter-Forensics to Ensure a
Understanding Counter-Forensics to Ensure a Successful Investigation
Corey Thuen
Univeristy of Idaho
[email protected]
Computer forensics and digital evidence is becoming
more pertinent to law enforcement investigations as
society and crime becomes increasingly reliant on
technology. Like traditional forensics, digital evidence
acquisition can be a difficult process of wading
through information in an attempt to discover activities
that, in many cases, the perpetrators have taken steps
to hide. The methods, models, and policies of digital
forensics are in the early stages of exploration and
definition. This survey explores the forensic side of
computer security specifically focusing on the methods
and ramifications of counter-forensic techniques.
1. Introduction
As criminals become increasingly aware of computer
forensic techniques and capabilities, they are making
use of counter-forensics to destroy or hide
incriminating data and impede forensic investigations.
An investigator’s job is difficult enough when the
subject has not taken any steps toward making that
process even harder. Regardless of which steps have
been taken to impede and investigation, evidence must
be gathered and examined and the useful must be
separated from the irrelevant.
Organized criminals may use physical devices to
destroy information at the push of a button and online
child pornographers encrypt their communications and
the files they exchange [13]. An investigator who is
unfamiliar with the facets of counter-forensics risks
compromising the entire operation. In a worst case
scenario, an investigator may unknowingly trigger a
device or program that permanently and completely
destroys a majority of evidence that could be important
to the investigation. Alternatively, the best an
investigator unfamiliar with counter-forensics can hope
for is that he or she is unable to find or simply
overlooks information rather than inadvertently
destroying it.
The counter-forensics side of computer security and
computer forensics is one that has yet to receive much
attention. As technology continues to push forward and
more crimes are committed involving computers the
need for a greater understanding of digital forensics
and counter-forensics will increase. We need to better
define, understand techniques used, and determine
mitigation strategies in order to address this growing
2. Crime scene investigation
The crime scene itself is generally where a digital
forensic examination begins. This is where quick and
crucial decisions are made by first responders.
Planning and preparation should be done beforehand
but the actual forensic work usually begins at the crime
scene. Incidentally this is also the place where the most
can go wrong in an investigation and where counterforensics can be the most successful. The steps
involved in retrieving the information for actual
analysis are securing the scene, preserving the data and
information (volatile information particularly),
harvesting of data, and the equivocal analysis of the
2.1 Securing the scene
There are multiple tasks that must be done
immediately upon actual physical entry onto the scene
of an investigation. The first responder should take
steps to ensure the safety of all persons at the scene and
to protect the integrity of all evidence, both traditional
and electronic. Agency policy for securing the crime
scene should be followed. This includes ensuring that
all persons are removed and restrained from entering
the area where evidence is to be collected. If the
suspect is present he or she must be prevented from
touching the computer or any electronic devices. At
this juncture devices should not be turned on or off,
save for obvious cases left up to the discretion of the
investigator (if destruction of evidence is apparent,
such as a disk wiper running, immediately
disconnecting the power from the wall may be
appropriate). [8]
Once the scene is secured, detailed photographs,
logs, and diagrams should be taken or created to fully
document the scene. Positioning of the computer,
objects in the room, and other such evidence should be
detailed for potential use at a later point in the
investigation. After the scene has been documented
seizure of equipment and devices may be done.
Investigators can only seize equipment
connected with the case; knowing the role of the
computer will indicate what should be taken. For
instance, if it is thought that the computer was used to
store evidence then all storage media should also be
seized for the computer forensic inspection. If the
computer was running programs to collect and analyze
information, any relevant books found at the scene
should be seized to help computer forensic experts
understand the programs. [12]
Counter-forensics is possibly the most
destructive and hindering at this point in the
investigation, requiring fast response time. The suspect
computer may require a specific shutdown sequence or
a specific key combination pressed within a given time
interval. If these traps are triggered the system may
begin wiping disk data or possibly triggering an
incendiary or otherwise physically destructive device
placed to destroy the disk beyond repair. Pulling the
plug out of the wall will prevent any programs from
wiping incriminating information that might be
configured to run during normal shutdown. The
investigator can later test the shutdown sequence to see
if it includes any destructive programs.
This point in the investigation is crucial to
ensuring there is even a disk left to analyze. The
downside to simply disconnecting the power to a
running system is destructive in itself, unfortunately.
Valuable and incriminating information may be kept in
volatile memory which is lost when the system loses
power which brings us to the next section,
2.2 Preservation
Investigators must make sure that potentially volatile
information remains unchanged in confiscated or
seized components. The integrity preservation (both
physical and digital) of potential evidence is of the
utmost importance. This step involves preserving
information by copying and cataloging the original
Here we revisit the suspect computer. The
disadvantage, as mentioned, to disconnecting the
power to a system is the loss of volatile information
stored in the system. If possible it is very beneficial to
obtain a dump of the memory on the system. This
allows the investigator to preserve the current state of
the system including all running processes, open files,
memory objects, perhaps an unsent e-mail, and other
potentially incriminating evidence. Further, if a suspect
has taken other counter-forensic measures, such as
using an encrypted file system, the files must be
decrypted when loaded into memory for use. Obtaining
a memory dump may give the investigator partial or
even whole files that would otherwise be very difficult,
or impossible, to access.
All information to be analyzed should be directly
copied in a bit for bit transfer to a storage device
specifically prepared by a forensic analyst. This storage
device should be wiped clean and fully zeroed out (and
this process documented prior to use) to prevent
contamination of evidence retrieved. The suspect
information is copied in a bit for bit manner, rather
than by a simple copy command, to gather non-logical
evidence. The investigator will want to examine drive
free space, slack space, and other locations for
potential evidence pertaining to the case. This
information is not copied when using a logical copy
tool, but is only acquired with a direct transfer of the
data. The evidence should then be verified, which may
be done using a one-way hash algorithm to show the
copy matches the original.
The original material is then cataloged and stored in
a proper environmentally controlled location and in a
completely unmodified state. The entire chain of
custody of the evidence needs to be fully documented
to assure its integrity and to remove doubt of the
planting of evidence. All analysis is done on the copies
made and the original data is kept untouched. This is
important to strengthen the validity of evidence in
court and to combat counter-forensic techniques.
Counter-forensics in this area strives to create a
volatile scene that is difficult to preserve. Live CD’s,
VMWare, and bootable USB tokens are used by
perpetrators to commit crimes while containing the
propagation of incriminating evidence on the system
used. Live CDs and USB tokens may be booted by any
system, configured with necessary tools and with
virtual memory disabled, and used to make attacks.
The attacker can then simply turn off the system and
walk away leaving no trace of the attack on the system.
3. Harvesting
During the harvesting phase of the investigation all
potential digital evidence associated with a case is
extracted and made available for investigation. This
phase is where most counter-forensics work is done.
As data encryption is becoming more frequent amongst
the general populace, investigators are increasingly
likely to run into encryption when evaluating a case.
Data encryption, along with other data hiding, evidence
elimination, and counterfeiting evidence, makes the job
of extracting potential digital evidence from a disk a
daunting task. Perpetrators attempt to obfuscate
potentially incriminating data with data hiding, data
manipulation, and data encryption.
3.1 Data hiding
Data hiding of evidence is the oldest and most
common form of counter-forensics. There are a
multitude of privacy software tools (and many are
shipped with various operating systems) that are fast
and easy to use to securely wipe data from a drive. The
goal of hiding data could be to make the information
less likely to be found or to destroy it entirely. In the
physical world hiding data might be akin to disposing
of a gun in a river. Data hiding can be very successful
but it often relies on the lack of knowledge of the
investigator and forensic tools used.
On a basic level, a suspect may be under
investigation for child pornography charges. In such a
case investigators would be searching for JPEG files or
perhaps video/audio files. A simple counter-forensic
method would be to rename all incriminating files
something other than media files, such as an exe or dat
file. This is easily defeated by searching via the file
header information rather than relying on an accurate
Data can also be hidden in unallocated, unused, or
otherwise unreachable locations on the disk that are
invisible to standard file browsers and ignored by many
forensic tools. Slack space or file slack is the area
between the end of a file and the end of the last cluster
or sector used by that file. This area is simply wasted
storage potential, so file systems that use smaller
clusters utilize the disk space more effectively. This
unused or “wasted” space is an ideal place to hide data
due to its inaccessibility by normal means. Metasploit’s
tool “Slacker” will hide data within the slack space of
FAT or NTFS file systems. The same can be done with
the free space on a disk. [9]
Disks may also contain small unused sections that
are never used. For example, in the MS-DOS
partitioning scheme used by the Windows OS family
and a number of x86 UNIX implementations, the
sectors immediately following a boot sector in the 1st
track, until the start of the first disk partition in the 2nd
track, offers 62 sectors or 31KB. [3]
The usability of the unused sectors for an attacker
varies. If the case involves a suspect hiding pictures on
his/her own system they able to resize the partitions
and know which files will get modified and which ones
will remain static. Thus, the suspect could create a
small text file and fill the slack space of that file with a
picture. The suspect knows that the picture would not
be overwritten because the text file will never change
in size.
An attacker who infiltrates someone else’s system,
however, does not have the luxury of complete control
of the system. Many traditional UNIX file systems do
not allow an on-line resize. In this case the attacker has
to unmount, shrink the file system, and remount in
order to create an unused area. This action often results
in a notable log entry that may give the attacker away
to the system administrators. Regular checking of
partition size and IDE disk and host protected area
sizes will reliably detect this attack technique, but
system administrators must remember that the tools on
a compromised machine (such as ls or df) cannot be
trusted to return true results. Another simple but
powerful method of counter-forensics is to mount a file
system onto a non-empty directory. Whenever the
directory is explored it returns the results of the file
system rather than the files that actually reside there.
Eckstein proposed a new data hiding scheme for
journaling file systems. This scheme works by
introducing deliberate file system inconsistencies and
exploiting a lack of consistency checking. Journaling
file systems record all recent file system modifications
in order to reduce the time required for a consistency
check at boot. The check need only examine the
journal to make sure all entries completed correctly
rather than checking the entire disk. Only in cases of
serious failure will a full consistency check be
performed across the entirety of the file system.
An attacker is able to exploit this to hide large
amounts of data. Inconsistencies between categories
are purposefully introduced while consistency in each
individual category is maintained to avoid losing
hidden data because of overwriting. If the attacker
directly modifies data structures on the disk the
journaling mechanism is bypassed. An example is:
“The attacker allocates and uses data units. He
does not create inodes to reference the data units,
thereby deliberately introducing an inconsistency
between the data unit and the metadata category. In
the first step he localizes a set of unallocated data
units. These units are then marked as allocated and
used for the purpose of hidden storage. Because of
the allocation marking, the operating system cannot
accidentally overwrite the hidden data. In this
simple scheme the attacker has to record the
addresses of the data units used for later reference.
While this may sound like an onerous task, many
journaling file systems offer extent-based allocation
schemes where large areas of disk storage can be
addressed contiguously. Thereby only a single
address and length specification would in many
cases be all that needs to be recorded by the
attacker.” [6]
3.2 Steganography
Steganography is another data hiding technique that
deserves its own section and is an independent research
field. Steganography is a hybrid between data hiding
and outright encryption. Steganography can be used to
embed data in a cover file to avoid detection. Tools
exist to embed text in JPEG, MP3, and other files and
Utilities have been written to counter the use of
steganography as a counter-forensic tool by detecting
its presence and even cracking information. Stegdetect
is an automated tool for detecting steganographic
content in images. It is capable of detecting several
different steganographic methods to embed hidden
information in JPEG images. It works against many
popular steganographic methods along with supporting
linear discriminant analysis. Given a set of normal
images and a set of images that contain hidden content
by a new steganographic application, Stegdetect can
automatically determine a linear detection function that
can be applied to unclassified images. [11]
3.3 Encryption
Cryptography can be used on multiple levels as a
counter-forensics tool. Specific files can be enciphered
at the application level, network protocols and network
traffic can be encrypted, and entire file systems can be
made unreadable without knowledge of the key. Using
cryptography has a downside to suspects due to its
incredible ease of detection. The data itself is easily
detectable and often the program or tool used to do the
encryption will leave its own detectable footprint on
the files in question.
Cryptography can be used at the application level to
encrypt specific files that a suspect wishes to hide from
investigation. Microsoft Word, for example, can
encrypt the contents of a document using a 128-bit
encryption that is uncrackable if the user chooses a
secure password. [10]
Cryptographic file systems invisibly encrypt data
when it is written to the disk and then decrypt the data
when it is needed for use and loaded into memory. This
makes data on the disk unreadable (ideally) by an
attacker or forensic investigator that does not have the
correct key. Cryptographic file systems exist for all
major operating systems and the key can be protected
with a password. Alternatively, the key may be stored
on a USB drive. A quick and easy way to make data on
the drive inaccessible is to simply destroy the key thus
eliminating all possibility (except brute force) of
reading the information on the drive. Many
cryptographic file systems are set up to contain a
sanitization command, beyond just losing the key to
effectively self-destruct. Even if the drive does not
have such a feature, cryptography can still be a great
hindrance to forensic analysis of the drive. [5]
Overcoming encryption can be a difficult, but not
impossible task for investigators. Weak encryption is
often used in rootkits to obfuscate network traffic and
rootkit files. A common tactic is to XOR everything
against 255, thereby flipping all of the bits. A rootkit
configuration file, for example, may be encrypted
using this method. Upon first glance, an investigator
may see only a binary file. Looking more closely it
would be apparent that the file contains no values of
less than 127, indicating some sort of character
substitution. [2] Simple substitution ciphers and
weaker encryption can be easily broken and the
evidence retrieved.
An attacker who uses strong encryption systems to
hide entire file systems or specific files presents a
rather daunting challenge to the investigating team. A
straight brute force approach to this type of encryption
is practically infeasible. When a strong encryption
algorithm is used, such as DES or RSA, it is
theoretically possible to try every possible key to
decrypt an encrypted file. However, doing so requires
significant computing power to run through 2^56 (for a
56 bit key) of possible keys and can take an inordinate
amount of time depending on the encryption method
used. In theory, strong encryption could remove brute
force as an option due to the time requirements. Hence,
other approaches are needed.
One approach is the key itself. If an easy to
remember key is used for the encryption the chances of
utilizing brute force increase. Dictionary and word
permutation attacks can be used to brute force a much
smaller search space than the entirety of potential keys.
Another weakness may exist in a plaintext file. If a file
is encrypted and then not deleted, the encryption
accomplishes little. Fragments of plaintext files or even
the entire file itself can often be found on hard drives
in slack or free space on the drive. It may also be
possible to acquire the plaintext directly from memory
after it has been decrypted for use.
To use an encrypted file, the information must also
have existed as plain text at some point. For example,
while a file is being encrypted using EFS a temporary
copy of the plaintext is made in case a problem is
encountered during the encryption process. [2] An
encrypted MS Word file will probably exist in different
parts of the disk as deleted temporary files used by the
program. The pagefile may contain information about
files in their unencrypted state.
Confirming that the information retrieved from
unencrypted versions of a file is identical to the
encrypted version may not be possible in the case of
strong encryption systems. Such confirmation may not
be required to gain incriminating value from the
evidence. Databases containing attributes of known
illegal material can be used to compare evidence
fragments for filenames and file size as was seen in the
case of US vs Hersh:
“… encrypted files found on a high-capacity Zip
disk. The images on the Zip disk had been encrypted
by software known as F-Secure, which was found
on Hersh's computer. When agents could not break
the encryption code, they obtained a partial source
code from the manufacturer that allowed them to
interpret information on the file print outs. The Zip
disk contained 1,090 computer files, each identified
in the directory by a unique file name, such as
"sfuckmo2," "naked31," "boydoggy," "dvsex01,
dvsex02, dvsex03," etc., that was consistent with
names of child pornography files. The list of
encrypted files was compared with a government
database of child pornography. Agents compared
the 1,090 files on Hersh's Zip disk with the database
and matched 120 file names. Twenty- two of those
had the same number of pre-encryption computer
bytes as the pre-encrypted version of the files on
Hersh's Zip disk.” [13]
Obvious criticisms exist but matching twentytwo files rather than a handful helps to solidify the
argument but it is still unverifiable without decrypting
the original files. File fragments and information may
also be found in system memory. When a program
loads data to use or perform encryption the plaintext is
held in memory and may be dumped using memory
dump utilities.
Encryption creates a significant hurdle for
investigations, but that hurdle is not insurmountable. If
an investigator can provide attorneys with plaintext
fragments or file information it may be enough
leverage in a case to obtain a conviction. A forensic
examiner may also be able to obtain, crack, or guess
encryption passwords to decrypt all hidden evidence.
As encryption methods become more sophisticated so
must forensic investigators and the tools they use.
4. Analysis Tools
The often overlooked or underestimated aspects to
forensic analysis are counter-forensic techniques that
specifically target the tools and methods used to
analyze the evidence of a case. An attacker with
knowledge of forensic tools can craft or manipulate
data to take advantage of shortcomings or bugs within
these tools. An attacker may be capable of crashing the
tools used for analysis and setting back the
investigation. This can be accomplished in tools that
fail to validate data, are vulnerable to denial of service
attacks, and have poor file heuristics.
In this sense, forensic tools that do not validate
input are vulnerable to all the same attacks to standard
software. Buffer overflows, denial of service, and other
exploits are easily targeted with data crafted
specifically for the purpose of not validating input.
Popular forensic tools including Snort, Ethereal, and
CVE contained a vulnerability that allowed an attacker
to run arbitrary code on the system. [5]
Digital Forensic tools and resources that depend on
input data are also potentially vulnerable to denial of
service attacks. Tools that utilize regular expressions to
parse or analyze text may lock up if tricked into
running regular expressions that exist in data created
by an attacker. Another common DoS attack on
forensic tools is compression bombs. These bombs are
small compressed data files that, when uncompressed,
consume enormous amounts of disk space. Some tools
analyze the content of compressed files by default and
unleash the compression bomb. An example of a
compression bomb is the “42.zip” file. It is 43,374
bytes on the disk and contains 16 zipped files. Each of
those files also contains 16 zip files and so on and so
forth. When examined or unzipped the file contains
four terabits of data. [5]
Computer forensic tools also need to determine the
type of file they are looking at. This allows for a more
precise investigation. By providing a way for an
examiner to save time, such as by omitting executable
files from the search of a system suspected of
containing child pornography, the tool helps reduce the
often very large amounts of data an examiner must sift
through. Unfortunately, many tools are inadequate at
this process and will only look at the file extension and
first few bytes of the file. This potentially leaves the
tools vulnerable to exploitation. For example, EnCase
classifies a windows file as executable if it has the
“.exe” extension and contains “MZ” as the first two
characters of the file. [5] Metasploit has a program,
called “Transmogrify”, that can modify a text file to
look like an executable when analyzed with the EnCase
tool. This causes EnCase to think the file is a binary
and to skip over scanning it. [9]
Counter-forensic tools exist that are less direct in
dealing with forensic examination software. These
tools can change the way software runs if a forensic
investigation is detected. This technique is useful in the
realm of network forensics. Network forensics systems
will often run their network interface in promiscuous
mode and can be detected by the way they respond to
malformed IP packets. [5] Attackers may be able to
detect the presence of a monitoring system by send
packets over the network with a destination address
that is on the subnet but not in use and a source address
of a rarely used node. Monitoring tools may initiate a
reverse DNS request to resolve the hostname of the
rarely used network and if the attacker can spot this
traffic to the DNS server it can be inferred that the
network traffic is being monitored.
Digital forensic tools are not perfect, nor will they
ever be. More bugs will be discovered just as with any
software. The key to combating this method of
counter-forensics is maintaining updates and being
aware of new bugs or exploits to the investigative
software used. Network monitors should be unable to
transmit any data on the network that they are
monitoring. Automated tools are advantageous for their
speed and ease of use but a wise investigator will keep
familiar with more primitive tools used to accomplish
the same tasks in the event of counter-forensics
targeted at the specific tool of choice.
grabbing in itself. A more appealing technique is to
hide tracks or activity by overwriting access times and
log files with supplanted information. For example,
Timestomp will overwrite NTFS “create,” “modify,”
“access,” and “change” timestamps.[9] The Defiler’s
Toolkit can overwrite inode timestamps and deleted
directory entries on many Unix systems. [5]
Timestamps on allocated files can also be modified
using the Unix “touch” command. Errors and losses
can be introduced into log files at various stages.
Temporal uncertainty is created when log files are
conflicting or seem to be at odds with the rest of the
investigation. This problem is predominant in dealing
with network forensics due to the inaccuracy of system
time between multiple systems. [1]
Combating counter-forensics in this area can be
difficult, but can be done by concentrating on what is
there and not what has been deleted. When an attacker
deletes or destroys logs or modifies file metadata the
tools used to do so often create additional evidence.
Footprints created by these tools can influence the case
merely by their existence and the proof that these tools
were used. Alternate copies of files may still reside on
the disk as well as insecurely deleted copies.
5. Investigative reconstruction
5.2 Relational analysis
Crime is rarely committed in a straightforward or clear
manner. It can be difficult to prove what is suspected to
have occurred based on the evidence left behind.
Crimes can involve an innumerable amount of varying
factors where only the perpetrator knows all the
information. Investigative reconstruction is the piecing
together of evidence and information obtained in an
investigation in an attempt to understand the events
that transpired. Evidence used to reconstruct crime falls
into three categories: temporal (when), relational (who,
what, where), and functional (how).
5.1 Temporal analysis
Temporal analysis involves creating a chronological
list of events to help an investigator gain insight to a
crime. Digital investigations have an advantage not
present in real-world crime scenes: log files. Log files
are an incredibly rich source of temporal information
because many actions are recorded. By piecing
together information from various log files it is often
possible to lay out exactly what a perpetrator did or
was trying to do. Counter-forensics in this area
attempts to destroy the integrity of log files and prevent
the temporal analysis of a system.
Counter-forensics to temporal analysis can range
from clumsy to elegant. An attacker may simply wipe
the contents of a log file entirely. This prevents the
logs use, but may be incriminating or attention-
Relational analysis involves the determining of where
or how an object or person was in relation to other
objects of people. Creating a diagram depicting the
associations between people and computers can help
clarify what has occurred. In a cyberstalking case, for
example, a link analysis might show how the offender
obtained information about the victim. This knowledge
could be used to prevent additional information from
being obtained, to present false information as a trap to
identify the offender, or just to monitor and gather
Counter-forensics in this area attempts to
remove or obscure evidence linking the offender in the
crime. This could include deleting files such as e-mail
messages or document files. An offender may also
intentionally plant misleading information that
attempts to create links that aren’t there in hopes that it
will cause the investigator to miss the real relational
information. As the number of entities and links
increases, it becomes harder to identify important
5.3 Functional analysis
This aspect of analysis considers what conditions were
necessary for certain aspects of the crime to be
possible. For instance, if a suspect is accused of
distributing child pornography from his home by
mailing CDs, it would be important to verify that the
suspect’s computer had the capabilities to produce such
CDs in the first place. Similarly, if a suspect’s
computer does not have the correct codec to open and
view an incriminating .avi file then that file isn’t useful
as incriminating evidence.
However, an investigator should not be immediately
satisfied with this answer as counter-forensics in this
area seek to discredit the evidence. Perhaps the codec
was removed and evidence of its prior existence should
be evaluated. Plausible explanations should be
evaluated and explored as counter-forensics will
attempt to show that the suspect was not capable of the
crimes committed.
6. Counter-forensic tools
Users continue to grow more aware that “deleting” a
file does not mean destroying the information
contained therein. This awareness is driving the market
for counter-forensic software which is marketed as
“privacy” software. There are many such counterforensic tools in existence that are readily available
These commercial tools claim to completely remove
all traces of information concerning a user’s activity on
a system such as websites visited, images viewed,
documents created, and files downloaded. In order to
accomplish this difficult task, these tools must be
aware of the large number of nuances and quirks
unique to the operating system they were designed for.
These tools must locate activity records across the file
system and erase them in such a way as to make them
irrecoverable, all while keeping the operating system
files and processes intact. This is an arduous task due
to the complexity of operating systems which are
designed to preserve data rather than facilitate
Rigorous testing has been done on some of the more
popular counter-forensics tools. The majority of cases
involving counter-forensic tools used commercial
utilities rather than specialized tools such as rootkits.
Testing was done against commercialized tools as they
are more likely to be encountered when seeking digital
evidence in investigations of crimes that are not solely
computer related.
The tests were designed to determine a tools’
success in removing activity records and other data that
would occur in real-world computer use. Although
performance between tools varied, all contain design or
implementation problems that allowed the collection of
data that may be used as evidence. Some examples
include missing the recent documents registry entry,
restore point data, failure to wipe unallocated and/or
slack space, or leaving wiped file name data in the file
system journal. In addition, the use of these tools left
distinctive fingerprints on the disk from their usage. [4]
Fingerprints left by counter-forensic tools can be
checked against a compilation database and the
specific tool used can be determined. Once an
investigator has knowledge of which tool was used it is
then possible to exploit known weaknesses or
shortcomings of that tool to narrow down a search for
useful information. Aperio is a forensic utility written
to perform this service. Aperio scans filesystems for
known fingerprints and produces a detailed report, thus
automating the process. [4]
Concerning legal precedence, criminal and civil
cases have shown that in some situations the use of
counter-forensic tools is an indication of consciousness
of guilt or can be used as intent to destroy evidence. If
the use of a counter-forensic tool follows an order to
preserve digital evidence courts have ruled that their
use can be tried under the destruction of evidence. [4]
“In June 2005, Robert M. Johnson, a former
publisher of Newsday and New York state education
official, was charged with destruction of evidence
for using counter-forensic software after learning
he might be the target of a child pornography
investigation (U.S. v Robert Johnson). … In other
cases, poorly used or improperly functioning datawiping tools permitted the recovery of critical
digital evidence (US v. H. Marc Watzman, 2003).
And UK prosecutors have sought stiffer penalties
for the use of a counter-forensic tool in recognition
that evidence relevant to the severity of the crime
was destroyed (O’Neill 2004).” [4]
Despite the weaknesses inherent to counter-forensic
tools they can still be a severe impediment to an
investigation. Most of the tools succeeded in
eliminating the majority of data that they had targeted.
Knowledge of counter-forensic tools can help an
investigator indicate their use in situations where such
activity has legal significance, as well as optimizing
the analysis of a file system that has been subjected to
these tools.
7. Conclusion
Familiarity with the counter-forensic techniques at the
various stages in a digital forensic investigation is an
invaluable asset to any investigator. Counter-forensics
exists to make the investigators job as difficult as
possible. Maintaining updated tools, knowledge of
primitive utilities, secure hardware systems, and
awareness of these counter-forensic techniques will
prevent the successful inhibition or outright destruction
of an investigation and its evidence.
The privacy movement accomplishes the goal of
granting privacy to individuals while also making the
investigative process more difficult. As software is
written to protect the privacy of everyday citizens it
also becomes useful to attackers to conceal
incriminating evidence and thwart the efforts of digital
investigators. It will become even more important that
investigators familiarize themselves with counterforensics to ensure a successful investigation.
8. References
[1] Casey, Eoghan. “Error, Uncertainty, and Loss in Digital
Evidence”, International Journal of Digital Evidence
Summer 2002, Volume 1, Issue 2
[2] Casey, Eoghan. “Practical Approaches to Recovering
Encrypted Digital Evidence”, International Journal of
Digital Evidence Fall 2002, Volume 1, Issue 3
[3] Eckstein, K. & Jahnke, M., “Data Hiding in Journaling
File Systems”, 2005 Digital Forensic Research Workshop
(DFRWS) New Orleans, LA
[4] Geiger, Matthew, “Evaluating Commercial CounterForensic Tools”, 2005 Digital Forensic Research Workshop
(DFRWS) New Orleans, LA
[5] Garfinkel, S., “Anti-Forensics: Techniques, Detection and
Countermeasures”, The 2nd International Conference on iWarfare and Security (ICIW), Naval Postgraduate School,
Monterey, CA
[6] Garret, Jim. “Overcoming Reasonable Doubt in Computer
Forensic Analysis”, SANS GIAC Gold Technical Paper, July
[7] Harris, Ryan, “Arriving at an anti-forensics consensus:
Examining how to define and control the anti-forensics
problem”, 2006 Digital Forensic Research Workshop
(DFRWS) Lafayette, IN
[8] Lin, Lan, Wu. “Establishment of the Standard Operating
Procedure (SOP) for Gathering Digital Evidence” Systematic
Approaches to Digital Forensic Engineering, 2005
[9] Metasploit (2007), “Timestomp” “Slacker”
“Transmogrify” [online] Available:
[10] Microsoft (2007) “Important Aspects of Password and
Encryption Protection” [online]
[11] Outguess (2007), “Stegdetect” [online] Available:
[12] United States Department of Justice (2001) “Electronic
Crime Scene Investigation: A Guide for First Responders”,
National Institute of Justice, NCJ 187736 (Available online at
[13] United States v. Marvin Hersh, (11th Cir. 2002) [online].
Available: http://laws.findlaw.com/11th/0014592opn.html
Was this manual useful for you? yes no
Thank you for your participation!

* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project

Download PDF