/ FEATURE
/ Anti-Forensics and Counter-Forensics

“Anti-forensics” is a less satisfactory term than “counter-forensics”. The term “counter-forensics” implies that measures are taken to complicate, inhibit or subvert forensic investigation. “Anti-forensics” suggests that these measures actually prevent forensics being performed, which rarely if ever happens. Even if an evidential hard drive is actually replaced, it is still possible to determine this fact, providing useful evidence to the investigation. Anti-forensics is a term originally coined by the computer hacking community, who tend to see forensics in a negative way.

Moreover, the term “anti-forensics” appears to deny Locard’s Exchange Principle, one of the fundamental tenets of all forensic science. In essence, the principle simply states that “Every contact leaves a trace.” In digital forensics this means that any action on a computer device can change the data on that device.

Forensic data also accumulates in folders of “intact” parts of a computer’s file system. Modern computers are designed to be user friendly, which regularly involves giving hints and reminders to users as to where important documents are located. In addition, operating systems keep regularly updated lists of links to programs and documents most often visited by users. The upshot is that computers save a lot of information besides the actual “working” documents stored on the hard drive. This information is of immense value to forensics examiners in gaining an understanding of what computers have been used for over the previous days, months, or even years.

The forensic material on computer hard drives can be broken up into a number of broad categories, not necessarily mutually exclusive:

Active Data
Active data is the working data on a computer: the operating system, programs, and working files stored on hard drives. The documents, emails, spreadsheets and other data people use day-to-day are active data, and consequently it is the material that is most often used in administrative, civil and criminal litigation.

Temporary or Replicate Data
This is the mass of copied data stored on hard drives. It is produced in large quantities by most popular applications. For example, Microsoft Word automatically makes copies on the hard disk of whatever documents are currently being written or edited. It does this so that, if the program or computer crashes, the working document will not be lost. As soon as the completed document is saved, Word will delete its temporary copies and the user will often never be aware that they ever existed. But on modern computers, deletion is not the same as erasure, and the data from Word’s temporary copies of a document can hang around for a long time in the empty spaces of the disk.

Another common source of replicate data is Internet browser software like Internet Explorer, Firefox, or Safari. These programs usually store the component parts of the Web pages they download from the Internet in an area called the “browser cache”. They do this so they can reuse the data if the user revisits the Web page at a later time. This sometimes saves the computer having to download the full Web page a second time. This was a big time saver in the past when Internet connections were typically a lot slower than today. Of course, it also means that a user’s Web browsing can often be literally reconstructed from the browser cache, often to his considerable embarrassment. (Recently, browser suppliers have started providing optional features for deleting much of this potential evidence.)

Residual data is the data left behind in the “empty spaces” of the drive. The two principal repositories of residual data on any computer are the “unallocated” and “slack” spaces.

To understand these we must briefly review how a hard drive operates. In simple terms, hard drives work the same way as old-fashioned libraries. The files are arranged across the hard drive much as books are organised on the shelves of a library, and like a library the disk maintains an index system, usually called the file table. When a user wants to access a file, the computer does not search through the disk looking for it – that would take far too long. Instead it goes to the file table (the “card index”), looks up exactly where the file is, and then goes straight to it.

When a file is deleted, most file systems do not overwrite the space on the disk where the file was stored, in effect “removing the book from the shelves”. Instead a small note is made on the file table entry (the “index card”) that the file is now “deleted”, and the card and the space on the disk are available for reuse.

The computer takes this short cut to save time. Hard drives operate very slowly indeed compared to the computer’s processor and memory. They are therefore a potential bottleneck, throttling system performance. Overwriting deleted files would take a lot of time, and in any case they will, in theory, be overwritten with the passage of time, so the file system does not do it. In the meantime, however, a digital forensics specialist may still be able to retrieve the abandoned fragments of those deleted files.

Sometimes the space on the hard drive used by a deleted file is reused before the corresponding file table entry has been reused. In this case a digital forensics specialist will still be able to determine the name, creation date, size, and other characteristics of the deleted file, even if she is unable to recover the deleted file itself. On other occasions the file table entry is reused, leaving the data intact on the hard disk. The file is then said to be in “unallocated” space. The great majority of the empty space on a hard drive is made up of this “unallocated space”. It is normally a junkyard of different file fragments from documents, system files, and other ephemera.

Slack space is more persistent. It, too, is a by-product of the way hard disks are organised. In order to further speed up the process of finding the location of a file on the hard drive, the computer divides the drive’s address space into a large number of units called “clusters”. On Windows, clusters are usually 4 kilobytes (4,096 8-bit bytes) in length. The start of any document can only lie at the start of one of these clusters. Of course this is rather inefficient in terms of storage capacity. It means a 1 kilobyte file will still take up 4 kilobytes on the disk; 3 kilobytes of data will be wasted. This “wasted” space is called the cluster slack (or sometimes cluster tip).

Now, say a 4 kilobyte file is deleted, and the cluster is reused by the computer later to store a 1 kilobyte file. Obviously the first kilobyte of the cluster will contain the data of the new file, but the
45
DF1_43-46_5th Feature.indd 45 29/10/09 5:23:36 pm
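The deletion, unallocated-space and cluster-slack behaviour described on this page, as an added example that is not part of the original article. The script simulates a tiny cluster-addressed disk with a file table of fixed capacity; the disk geometry, the next-fit allocation policy, the file names and the file contents are all constructed assumptions, not a description of any real file system. It walks through two of the situations the text distinguishes: a cluster reused before its file-table entry (the deleted file's name and size remain on the "card", and the last 3 KB of the old 4 KB document survive as the slack of the new 1 KB file), and an entry reused before its cluster (the name is gone, but the whole document sits intact in unallocated space).

```python
"""Toy cluster-addressed disk reproducing the behaviour the article describes:
deleting a file only marks its "index card"; clusters are never wiped, and a
later, smaller file leaves the old bytes behind as cluster slack.
Constructed example: geometry, allocation policy, names and contents are made up."""
from dataclasses import dataclass

CLUSTER_SIZE = 4096  # the 4 KB cluster size the article quotes for Windows


@dataclass
class Entry:
    """One file-table entry (the article's 'index card')."""
    name: str
    size: int
    cluster: int
    deleted: bool = False


class ToyDisk:
    def __init__(self, clusters, max_entries):
        self.data = bytearray(CLUSTER_SIZE * clusters)
        self.clusters = clusters
        self.max_entries = max_entries
        self.table = []          # the card index
        self.next_cluster = 0    # next-fit allocation: march forward, wrap at the end

    def _live_clusters(self):
        return {e.cluster for e in self.table if not e.deleted}

    def _allocate_cluster(self):
        for _ in range(self.clusters):
            c = self.next_cluster
            self.next_cluster = (c + 1) % self.clusters
            if c not in self._live_clusters():
                return c
        raise OSError("disk full")

    def write(self, name, payload):
        if len(payload) > CLUSTER_SIZE:
            raise ValueError("single-cluster files only")
        c = self._allocate_cluster()
        start = c * CLUSTER_SIZE
        # Only the file's own bytes are written; the rest of the cluster keeps
        # whatever the previous occupant left there.
        self.data[start:start + len(payload)] = payload
        entry = Entry(name, len(payload), c)
        if len(self.table) < self.max_entries:
            self.table.append(entry)              # a fresh card
        else:
            for i, e in enumerate(self.table):    # card index full: recycle a deleted card
                if e.deleted:
                    self.table[i] = entry
                    break
            else:
                raise OSError("file table full")
        return entry

    def delete(self, name):
        for e in self.table:
            if e.name == name and not e.deleted:
                e.deleted = True  # mark the card only; the data on disk is untouched
                return
        raise FileNotFoundError(name)

    # --- the examiner's view of the same disk ---
    def cluster_bytes(self, c):
        return bytes(self.data[c * CLUSTER_SIZE:(c + 1) * CLUSTER_SIZE])

    def slack(self, entry):
        """Bytes between a live file's logical end and the end of its cluster."""
        start = entry.cluster * CLUSTER_SIZE + entry.size
        return bytes(self.data[start:(entry.cluster + 1) * CLUSTER_SIZE])

    def unallocated(self):
        """Clusters no live card points to, with whatever bytes they still hold."""
        return {c: self.cluster_bytes(c) for c in range(self.clusters)
                if c not in self._live_clusters()}

    def deleted_cards(self):
        """Cards still marked deleted: name, size and location are recoverable."""
        return [e for e in self.table if e.deleted]


OLD = (b"QUARTERLY-FIGURES-" * 300)[:CLUSTER_SIZE]  # constructed 4 KB document


def slack_scenario():
    """Cluster reused before the card: metadata survives, old data lives on as slack."""
    disk = ToyDisk(clusters=2, max_entries=4)
    disk.write("report.doc", OLD)               # cluster 0
    disk.delete("report.doc")                   # card marked, bytes untouched
    disk.write("a.txt", b"A" * 100)             # cluster 1; allocation pointer wraps to 0
    note = disk.write("note.txt", b"N" * 1024)  # cluster 0 reused, card index not full
    card = disk.deleted_cards()[0]              # report.doc's card is still there
    return {"old_card": (card.name, card.size, card.cluster),
            "note_head": disk.cluster_bytes(0)[:note.size],
            "note_slack": disk.slack(note)}     # the last 3 KB of report.doc


def unallocated_scenario():
    """Card reused before the cluster: name is gone, data sits intact in unallocated space."""
    disk = ToyDisk(clusters=3, max_entries=2)
    disk.write("report.doc", OLD)               # cluster 0
    disk.delete("report.doc")
    disk.write("a.txt", b"A" * 100)             # cluster 1; table now holds two cards
    disk.write("note.txt", b"N" * 1024)         # cluster 2 is free, so report.doc's card is recycled
    return {"live_names": sorted(e.name for e in disk.table if not e.deleted),
            "deleted_cards": disk.deleted_cards(),
            "unallocated": disk.unallocated()}  # {0: OLD}


if __name__ == "__main__":
    s, u = slack_scenario(), unallocated_scenario()
    print("surviving card:", s["old_card"], "slack bytes:", len(s["note_slack"]))
    print("live files:", u["live_names"], "unallocated clusters:", list(u["unallocated"]))
```

Which of the two outcomes occurs depends only on the order in which the file system happens to recycle cards and clusters, which is why an examiner treats both the file table and the raw clusters as evidence rather than trusting either alone.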