Anti-forensic techniques

From ForensicsWiki
Revision as of 05:06, 9 March 2007 by Simsong (Talk | contribs)


Anti-forensic techniques try to frustrate forensic investigators and their techniques.

This can include refusing to run when debugging mode is enabled, refusing to run when running inside of a virtual machine, or deliberately overwriting data. Although some anti-forensic tools have legitimate purposes, such as overwriting sensitive data that shouldn't fall into the wrong hands, like any tool they can be abused.

Traditional anti-forensics

Overwriting Data and Metadata

Secure Data Deletion

Securely deleting data, so that it cannot be restored with forensic methods.

Overwriting programs typically operate in one of three modes:

  1. The program can overwrite the entire media.
  2. The program can attempt to overwrite individual files. This task is complicated by journaling file systems: the file itself may be overwritten, but portions may be left in the journal.
  3. The program can attempt to overwrite files that were previously “deleted” but left on the drive. Programs typically do this by creating one or more files on the media and then writing to these files until no free space remains, taking special measures to erase small files — for example, files that exist entirely within the Windows Master File Table of an NTFS partition (Garfinkel and Malan, 2005).

Programs employ a variety of techniques to overwrite data. Apple’s Disk Utility allows data to be overwritten with a single pass of NULL bytes, with 7 passes of random data, or with 35 passes of data. Microsoft’s cipher.exe writes a pass of zeros, a pass of FFs, and a pass of random data, in compliance with DoD standard 5220.22-M (US DoD, 1995). In 1996 Gutmann asserted that it might be possible to recover overwritten data and proposed a 35-pass approach for assured sanitization (Gutmann 1996). However, a single overwriting pass is now viewed as sufficient for sanitizing data from ATA drives with capacities over 15 GB that were manufactured after 2001 (NIST 2006).

Be aware that software 'data destroyers' may not necessarily do what their marketing blurb claims. A common mistake is overlooking how the underlying file system actually stores files: for instance, a 'wipe drive' application that writes a series of random values across the unallocated space of a hard disk may not take into account the slack space at the end of allocated data blocks, allowing a large portion of old data to remain recoverable. This is very handy for a forensic analyst, but not so handy for IT managers.
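The slack-space problem described above, as an added example that is not part of the original article: a constructed in-memory block device on which a deleted file's tail survives a "wipe unallocated space" pass because a smaller file now owns its last block, and what a tool that also clears slack does differently. Block size, file names and contents are invented for readability; real clusters are typically 4 KiB.

```python
"""Simulated block device: why a 'wipe unallocated space' tool leaves file slack intact."""
from math import ceil

BLOCK = 16  # constructed: tiny block size so the layout is readable


class SimDisk:
    """A flat byte array divided into fixed-size blocks plus a simple allocation table."""

    def __init__(self, nblocks):
        self.data = bytearray(BLOCK * nblocks)
        self.files = {}  # name -> (first_block, length_in_bytes); files are contiguous

    def write_file(self, name, first_block, content):
        # Whole blocks are allocated; bytes after len(content) in the last block are slack.
        start = first_block * BLOCK
        self.data[start:start + len(content)] = content
        self.files[name] = (first_block, len(content))

    def delete_file(self, name):
        del self.files[name]  # like an ordinary delete: metadata gone, bytes untouched

    def _allocated_blocks(self):
        for first, length in self.files.values():
            yield from range(first, first + ceil(length / BLOCK))

    def wipe_unallocated(self):
        # What a naive 'wipe free space' tool does: zero every block no file owns.
        busy = set(self._allocated_blocks())
        for blk in range(len(self.data) // BLOCK):
            if blk not in busy:
                self.data[blk * BLOCK:(blk + 1) * BLOCK] = bytes(BLOCK)

    def wipe_slack(self):
        # The missing step: also zero the tail of each allocated file's last block.
        for first, length in self.files.values():
            end = first * BLOCK + length
            block_end = (first + ceil(length / BLOCK)) * BLOCK
            self.data[end:block_end] = bytes(block_end - end)

    def slack(self, name):
        # What an analyst extracts: bytes between end-of-file and the end of its last block.
        first, length = self.files[name]
        end = first * BLOCK + length
        return bytes(self.data[end:(first + ceil(length / BLOCK)) * BLOCK])


def demo():
    disk = SimDisk(8)
    secret = b"SECRET-PASSPHRASE-0123456789AB"  # 30 bytes: fills block 2, spills into block 3
    disk.write_file("secret.txt", 2, secret)
    disk.delete_file("secret.txt")
    disk.write_file("notes.txt", 2, b"meeting notes 10am")  # 18 bytes: block 2 + 2 bytes of block 3
    disk.wipe_unallocated()
    leaked = disk.slack("notes.txt")  # 12 bytes of the old secret survive the 'wipe'
    disk.wipe_slack()
    return leaked, disk.slack("notes.txt")
```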

Overwriting Metadata

If the examiner knows when an attacker had access to a Windows, Mac or Unix system, it is frequently possible to determine which files the attacker accessed by examining the file “access” times for every file on the system. Some computer forensic tools (CFTs) can prepare a “timeline” of the attacker’s actions by sorting all of the computer’s timestamps in chronological order. Although an attacker could wipe the contents of the media, this action itself might attract attention. Instead, the attacker might hide her tracks by overwriting the access times themselves, so that the timeline cannot be reliably constructed.

For example, Timestomp will overwrite NTFS “create,” “modify,” “access,” and “change” timestamps (Metasploit 2006). The Defiler’s Toolkit can overwrite inode timestamps and deleted directory entries on many Unix systems; timestamps on allocated files can also be modified using the Unix touch command (Grugq 2003).

An alternative to overwriting metadata is for the attacker to access the computer in such a way that the metadata is never created. For example, a partition can be mounted read-only or accessed through the raw device to prevent the file access times from being updated. The Windows registry key HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate can be set to “1” to disable updating of the last-accessed timestamp; this is the default setting under Windows Vista (Microsoft 2006).

Hiding Data

Hiding data where a forensic investigator would not usually look, e.g. using steganography or other means.

Encrypted Data

Encrypting data in order to prevent access to it.

Preventing Data Creation

Preventing the creation of certain data in the first place: data that never existed obviously cannot be recovered with forensic methods.

Detecting Forensic Analysis

There are methods to detect whether an investigator is attempting to perform a (live) forensic analysis on the system. A malicious user or program could react to that by destroying evidence, for example.

References

Garfinkel, S., Anti-Forensics: Techniques, Detection and Countermeasures, The 2nd International Conference on i-Warfare and Security (ICIW), Naval Postgraduate School, Monterey, CA, March 8-9, 2007. [1]

See also

External Links