Difference between revisions of "Anti-forensic techniques"
(→Secure Data Deletion: added minor paragraph)
(Breaking Encase with FILE0 and Winhex)
|Line 27:||Line 27:|
Revision as of 01:05, 21 August 2006
This can include refusing to run when debugging mode is enabled, refusing to run when running inside of a virtual machine, or deliberately overwriting data. Although some anti-forensic tools have legitimate purposes, such as overwriting sensitive data that shouldn't fall into the wrong hands, like any tool they can be abused.
Secure Data Deletion
Securely deleting data, so that it cannot be restored with forensic methods.
Be aware that software 'data destroyers' may not necessaruly do what they state on the burb site. In particular a common mistake is the oversight of how the underlying file system actually stores files, for instance a 'wipe drive' application that will write a series of random values across unallocated space on the hard disk may not take into account the slack space at the end of allocated data blocks. Thus allowing a large portion of old data to still be recoverable. This is a very handy for a forensic analyst, but not so handy for IT Managers.
Encrypting data, in order to prevent access to it.
Preventing Data Creation
Prevent the creation of certain data in the first place. Data which was never there, obviously cannot be restored with forensic methods.
Detecting Forensic Analysis
There are methods to detect whether an investigator tries to perform a (live) forensic analysis on the system. A malicious user or program could react to that by destroying evidence, for example.