Anti Forensics

Anti-forensics is a term that contradicts Cyber Forensics. It attempts to negatively affect the existing amount and quality of evidence from a crime scene or make the analysis and examination of evidence difficult or impossible to conduct. 

Anti-forensic techniques are actions whose goal is to prevent the proper investigation process or make it much harder. These actions are aimed at reducing the quality and quantity of digital evidence. These are deliberate actions of not only computer users but also of developers who write programs secured prior to the methods of Cyber forensics.

For the anti-forensic techniques, we can include activities such as the intentional deletion of data by overwriting them with new data or protection tools against forensics analysis. Anti-forensic techniques can be used to increase security for example erasing and overwriting data so that they cannot be read by unauthorized persons. These techniques can be misused by perpetrators of cybercrimes in order to protect against disclosure of their actions.

Users of anti-forensics tools can also become computer users who want to remove evidence of criminal activities such as hackers, terrorists, pedophiles, and counterfeiters. Anti-forensics tools can be used by users who will be using it to destroy any data indicating that they could steal valuable data to gain unauthorized access to the computer systems or capture secure information and passwords.

Goals of Anti forensics:

• Avoiding detection of compromising events that have taken place.
• Disrupting and preventing the collection of information.
•  Increasing the time that an examiner needs to spend on a case.
• Casting doubt on a forensic report or testimony.
• Subverting the forensic tool (for example, using the forensic tool itself to attack the organization in which it is running).
• Leaving no evidence that an anti-forensic tool has been run.

Various fields to be used in Anti forensics:

Data Destruction: It is the destruction of any evidence before someone gets a chance to find it. The field used in anti-forensics in cyber security systems are as follows:

• Wiping: Securely deleting data so that it cannot be restored even with forensic software.
• Changing MAC attributes: The changing or deleting file attributes to avoid timeline analysis.

Data Contraception: It is a technique to limit the quantity and quality of forensic evidence by keeping forensically important data off the disk.

• Syscall Proxying:  It is a technique where a local program transparently proxies a process’s system call to the remote server.
• Memory resident compiler/assemblers: They are used when an attacker wants to send remote code fragments from a remote device to the compiler/ assembler residing in the local device.
  • Direct Kernel Object Manipulation (DKOM):  It is a method that allows attackers to use drivers or loadable kernel modules to modify the memory associated with kernel objects. 
  • Data Hiding: It provides an exploration into the present day and next generations of tools and techniques used in data concealment tactics and advanced malware methods.

Steganography: It is the art of writing hidden messages in such a way that no one apart from the sender and intended recipient, suspects the existence of the message.

Other Anti-Forensic Categories:

• Obfuscation and encryption.
• Data forgery
• Data Deletion and Physical Destruction
• Analysis Prevention
• Online anonymity