/ FEATURE
towards removing data from Windows and its NTFS file system. The large majority of documents retrieved in electronic discovery procedures will also be acquired from computers running some version of Windows.

/ Counter-Forensics
Counter-forensics (or “anti-forensics” as it is often termed in the USA) is the collective term for techniques intended to complicate, inhibit, subvert, or delay forensic techniques for finding evidence. It can be seen as encompassing a broad range of techniques, from subtle and highly sophisticated data altering techniques to methods as crude as smashing evidential hard drives with a hammer. The purpose of counter-forensics is to make sure that evidence is not discovered and subsequently disclosed to a court, arbitrator, or some other forum. Additionally, in most cases at least some attempt is made to disguise the fact that evidence is being altered or withheld. In the vast majority of cases such tampering with evidence will damage the interests of those using these counter-forensic techniques.

The forensic material on computer hard drives can be broken up into a number of broad categories

Counter-forensics is sometimes seen as being mostly about evidence destruction or erasure, but this is not the whole story. In many instances, particularly in respect to evidence in civil cases, it may not be necessary for counter-forensic techniques to destroy or erase data on evidential media. It is enough if they make it more difficult for an investigator or analyst to recover the data. Commercial digital forensics specialists usually operate within time limits and charge an hourly or daily rate for their services. Slowing an investigator’s rate of progress, by disrupting the evidence or converting it to a format that is difficult to search, increases the costs of an investigation for the clients or legal professionals who pay the bills. This can deter them from pushing enquiries as far as they otherwise might.

As we have already pointed out, many modern digital forensics practitioners are trained to use specialised software applications such as EnCase and FTK, but do not understand how the computers they examine actually work at a deep level. Some counter-forensic tool developers have even designed their applications specifically to defeat common forensic analysis applications. They realise that many unsophisticated users will unquestioningly believe outputs given to them by their tools, and so can be easily deceived. Detecting the use of counter-forensic methods is often a matter of knowing what should be on a hard drive, but is missing from the drive being investigated. If an investigator does not understand exactly what should be there in the first place, he is not going to know if it has been removed.

For example, some counter-forensic applications will remove the Windows file table entries associated with deleted files, making it considerably less straightforward to identify tampered or erased files. Some such programs will simply remove the first few characters of each file table entry in the knowledge that Guidance Software’s widely used EnCase application will not then resolve the entry. However, the mere fact that such file table entries are missing should warn the investigator that something is amiss.

Another major problem is that very little research has been carried out on identifying the telltales left by general purpose counter-forensic tools and determining what data specific tools actually leave behind. The counter-forensic tools used by computer hackers are often highly specific, targeting particular types of forensic evidence. A skilled hacker can surgically remove practically every trace of his presence on a computer. The general purpose evidence removal tools used by non-hackers are different, and are often either too general – removing data that does not need to be removed – or too specific – failing to remove data that does. It should be possible to work out which tool has been deployed to destroy data by examining what has been removed and what has been missed. Unfortunately most research appears to be done in the field of hacking counter-forensics, and the more general tools used by less sophisticated IT users have not really attracted much attention.[2]

A related issue is that most research on counter-forensics is done in the context of computer security and counter-hacking rather than the more mundane arena of civil law, despite the fact that counter-forensics can potentially do far more damage when employed in civil cases than it does in hacks. (The prosecution rate for hackers was extremely low even before counter-forensic techniques became common, so their introduction has not greatly altered the overall picture.) [3]

In hacking, it may prevent an investigator pursuing a hacker, but deployed in legal cases, it directly acts to subvert the fair resolution of cases. Its purpose is to directly “load” the scales of justice, by altering the “database” of information available to the court and to the parties to any dispute, necessarily influencing the likely eventual outcome.

/ Forensic evidence on computers: What is there to destroy?
We all know that computers typically store large numbers of word processing files, spreadsheets, databases, cached Web pages, emails and other “working” documents as part of their normal operation. These documents are the material upon which most legal activity is based. It is also becoming well known that most operating systems in current use do not delete files very efficiently, and that deletion does not by any means guarantee complete erasure of all data from the disk. The “empty” portions of a hard drive can, in fact, be full of fragments (more or less complete) of files deleted earlier – sometimes, much earlier.

Computers are designed to retain and retrieve information very efficiently and to protect the integrity of files and documents against internal failures and external errors. In consequence they tend to retain surprising numbers of copies of the files stored on their disks. These are usually deleted when the software has finished with them, but they persist in the “empty spaces” of disks long after they are supposedly gone.
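The two points above, that damaged file table entries are themselves a telltale and that detection is a matter of knowing what should be on the drive, can be turned into a simple check. The following is an added example written for this page, not code from the article or from any forensic product. It scans a sequence of fixed-size NTFS Master File Table records and flags any record whose "FILE" signature has been overwritten while the rest of the record still holds data, which is the pattern the article describes: a genuinely unused record is all zeros, a deleted file's record keeps its signature with the in-use flag cleared, so a non-zero record with no valid signature is what a triage tool should raise. The sample image is constructed here (a few hand-built records with a fake name placed in the attribute area, not real $FILE_NAME attributes); only the header layout (signature at offset 0, flags at 0x16) and the "FILE"/"BAAD" signatures are real NTFS facts.

```python
import struct
from dataclasses import dataclass
from typing import List

RECORD_SIZE = 1024  # MFT record size on typical NTFS volumes


@dataclass
class MftRecordInfo:
    index: int
    signature: bytes
    in_use: bool
    is_dir: bool
    nonzero_bytes: int
    verdict: str  # "ok", "baad", "unused" or "signature-damaged"


def classify_record(index: int, rec: bytes) -> MftRecordInfo:
    """Classify one raw MFT record using only its header and its fill level."""
    sig = rec[0:4]
    # Record flags at offset 0x16: bit 0 = in use, bit 1 = directory.
    flags = struct.unpack_from("<H", rec, 0x16)[0]
    in_use = bool(flags & 0x01)
    is_dir = bool(flags & 0x02)
    nonzero = sum(1 for b in rec if b)
    if sig == b"FILE":
        verdict = "ok"                  # normal record, allocated or deleted
    elif sig == b"BAAD":
        verdict = "baad"                # NTFS itself marks a failed multi-sector write
    elif nonzero == 0:
        verdict = "unused"              # never allocated: all zeros is expected
    else:
        verdict = "signature-damaged"   # content present but header signature gone
    return MftRecordInfo(index, sig, in_use, is_dir, nonzero, verdict)


def scan_mft(data: bytes, record_size: int = RECORD_SIZE) -> List[MftRecordInfo]:
    """Walk a contiguous run of MFT records and classify each one."""
    count = len(data) // record_size
    return [
        classify_record(i, data[i * record_size:(i + 1) * record_size])
        for i in range(count)
    ]


def tampering_indicators(data: bytes) -> List[int]:
    """Indices of records whose signature was wiped but whose body survives."""
    return [r.index for r in scan_mft(data) if r.verdict == "signature-damaged"]


def make_record(signature: bytes, in_use: bool, name: str) -> bytes:
    """Build a constructed 1024-byte record for the example (not a real NTFS record)."""
    assert len(signature) == 4
    rec = bytearray(RECORD_SIZE)
    rec[0:4] = signature
    struct.pack_into("<HH", rec, 0x04, 0x30, 3)            # update sequence offset/count
    struct.pack_into("<H", rec, 0x16, 0x01 if in_use else 0)  # record flags
    body = name.encode("utf-16-le")                         # stand-in for attribute data
    rec[0x38:0x38 + len(body)] = body
    return bytes(rec)


# Constructed sample image: one live file, one normally deleted file,
# one record with its signature overwritten, and one never-used record.
SAMPLE_IMAGE = b"".join([
    make_record(b"FILE", True, "report.docx"),
    make_record(b"FILE", False, "draft_old.docx"),
    make_record(b"\x00\x00\x00\x00", True, "budget.xlsx"),
    bytes(RECORD_SIZE),
])

if __name__ == "__main__":
    for r in scan_mft(SAMPLE_IMAGE):
        print(f"record {r.index}: sig={r.signature!r} in_use={r.in_use} "
              f"nonzero={r.nonzero_bytes} -> {r.verdict}")
    print("records needing manual review:", tampering_indicators(SAMPLE_IMAGE))
```

On a real image the same walk would run over the $MFT data runs rather than a hand-built buffer, and a record count of "signature-damaged" entries well above the handful a healthy volume might show is the point at which an examiner should stop trusting the file listing a GUI tool presents and go back to the raw records.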
44 Digital / ForensicS
DF1_43-46_5th Feature.indd 44 29/10/09 5:23:36 pm