ANTI-Forensics – distorting the evidence
Computer forensic investigators rely on high-quality evidence to win a case. Logs, authentication information, date and timestamps, file contents and other electronic data all need to be proven reliable in court. But what happens when criminals are actively trying to ruin the evidence? ANTI-forensic techniques are now being used to skew evidence and make it impossible for an examiner to use. According to Brian Sartin at ISACA, ANTI-forensics is used in two-thirds of all data compromise investigations carried out by his organization. Examiners need to be on the lookout for three methods of distorting evidence: data obfuscation, data hiding and zero-footprinting. Almost every case will use some form of data obfuscation that involves a hacker erasing his tracks. But data hiding draws on the power of cryptography to mask data rather than delete it. The use of steganography is another data hiding approach. Examiners need to actively search for evidence of the use of ANTI-forensic techniques.

Computer Forensics (CF), as we know it, is in a volatile state. Newer and more sophisticated investigative challenges, both existing and on the horizon, are forcing CF to evolve as a practice. As such, the processes, the technologies, and the tools of the trade that characterise the conventional CF approach have changed. Simply put, CF today is not what it used to be and there are some very simple reasons why.