Anti-forensic Practices
SINI N
M1-IS, CET
13/12/2024
Course Name: CYBER FORENSICS AND INCIDENT RESPONSE
SINI N (M1-IS, CET) Anti-forensic Practices 13/12/2024 1 / 28
Outline
1. Introduction
2. Anti-forensic Practices
3. Conclusion
INTRODUCTION
What is Cyber Forensics?
Cyber forensics is the process of investigating and analyzing digital
devices to collect and preserve evidence in a way that is admissible in
court.
Forensics is the practice of identifying, collecting, preserving,
analyzing, and documenting digital evidence.
Cyber forensics plays a major and crucial role in cybercrime
investigations.
What is Anti-forensics?
Anti-forensics is a collection of tools and techniques used to damage, erase, or modify data in order to obstruct a normal forensic examination.
Anti-forensic measures performed on a device harm the integrity of the data and could compromise the investigation.
Anti-forensics Basics
The aim of anti-forensics is to reduce the quality and quantity of
forensic artifacts present on the disk.
Anti-forensic measures employed by cybercriminals significantly
complicate the work of forensic investigators.
Both hackers and regular users may use anti-forensic methods, but
their intentions are very different.
Anti-forensics Basics (contd.)
To qualify as an anti-forensic tool or technique, it must meet one or more
of the following criteria:
1. Attack the Data: Modify, delete, or hide data to prevent analysis.
2. Attack Forensic Tools: Exploit weaknesses in forensic software to
disrupt investigations.
3. Attack the Investigator’s Work: Mislead or obstruct the
investigator’s analysis process.
Anti-forensic Practices
Anti-forensic Practices/Techniques
Cyber forensic experts classify anti-forensic techniques into four main categories based on their function.
1. Data Wiping
Wiping is also referred to as digital shredding or erasing.
What is Data Wiping?
Data wiping means erasing all data on a hard drive by overwriting it
with random data.
It ensures the data cannot be recovered.
Simply deleting files or formatting a disk does not truly erase data.
How Does Data Wiping Work?
As per the protocols laid out by the Department of Defense (DoD), data
overwriting is performed multiple times, typically using methods such as
the 3-pass or 7-pass techniques.
3-Pass Overwrite (DoD 5220.22-M):
Overwrite with 0s.
Overwrite with 1s.
Overwrite with random characters.
Final verification confirms success.
7-Pass Overwrite (DoD 5220.22-M ECE):
Follows the 3-pass method but adds extra overwriting steps with
random data.
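The pass sequence above, carried through in code as an added example (not the lecture's code and not taken from Eraser or Disk Wipe). It overwrites an ordinary file pass by pass, reads each pass back and compares SHA-256 hashes, which is the slide's "final verification" applied after every pass. The 7-pass layout is an assumption that follows the slide's description (the 3-pass sequence with extra random passes); the marker file and its contents are constructed for the demonstration.

```python
"""Multi-pass overwrite with per-pass read-back verification: 0x00,
0xFF, random, as the 3-pass slide describes. Added example for checking
a sanitisation procedure; not the lecture's code, not Eraser/Disk Wipe."""
import hashlib
import os
import secrets
import tempfile

CHUNK = 64 * 1024
PASS_3 = (0x00, 0xFF, None)                          # DoD 5220.22-M: zeros, ones, random
PASS_7 = (0x00, 0xFF, None, None, 0x00, 0xFF, None)  # assumed ECE layout: extra random passes

def _write_pass(f, size, pattern):
    """Overwrite `size` bytes from offset 0. `pattern` is a byte value,
    or None for random bytes. Returns the SHA-256 of what was written."""
    f.seek(0)
    h = hashlib.sha256()
    remaining = size
    while remaining > 0:
        n = min(CHUNK, remaining)
        block = secrets.token_bytes(n) if pattern is None else bytes([pattern]) * n
        f.write(block)
        h.update(block)
        remaining -= n
    f.flush()
    os.fsync(f.fileno())  # push the pass through the OS cache before reading back
    return h.hexdigest()

def _read_back(f, size):
    """SHA-256 of the first `size` bytes as the file now reads."""
    f.seek(0)
    h = hashlib.sha256()
    remaining = size
    while remaining > 0:
        block = f.read(min(CHUNK, remaining))
        if not block:
            break
        h.update(block)
        remaining -= len(block)
    return h.hexdigest()

def wipe_file(path, passes=PASS_3, unlink=True):
    """Run each pass, read it back and compare hashes. Returns one result
    per pass; the wipe counts as successful only if every pass verified."""
    size = os.path.getsize(path)
    results = []
    with open(path, "r+b") as f:
        for i, pattern in enumerate(passes, 1):
            written = _write_pass(f, size, pattern)
            results.append({
                "pass": i,
                "pattern": "random" if pattern is None else f"0x{pattern:02X}",
                "verified": _read_back(f, size) == written,
            })
    if unlink:
        os.remove(path)
    return results

def demo(passes=PASS_3):
    """Write a constructed marker into a temp file, wipe it without
    unlinking, and report whether the marker survived.
    Returns (per-pass results, marker_found)."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(b"SECRET-EVIDENCE " * 5000)
    results = wipe_file(path, passes, unlink=False)
    with open(path, "rb") as f:
        remains = f.read()
    os.remove(path)
    return results, b"SECRET" in remains

if __name__ == "__main__":
    for r in demo()[0]:
        print(r)
```

Two caveats a practitioner checks before trusting such a verification: the read-back confirms what the operating system now returns for those offsets, not what is physically on the media, and in-place overwriting only reaches the original blocks on a filesystem and device that actually write in place. SSDs with wear levelling, copy-on-write filesystems and journals can leave earlier copies elsewhere, which is why media sanitisation standards prefer whole-device commands or cryptographic erase for such devices.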
Why data wiping?
Wiping effectively removes all data from a system.
Many open-source and commercial tools are available for data wiping.
Examples of tools include Eraser and USB Oblivion.
However, research shows that some tools may leave data fragments
on the system.
Data Wiping Tools
The tools used for data wiping are the following:
USB Oblivion
USB Oblivion removes all traces of connected USB drives and
CD-ROMs from the Windows Registry.
Eraser
Eraser is an open-source Windows tool that securely removes sensitive
data.
It overwrites the data multiple times with specific patterns to ensure
complete removal.
Disk Wipe
It is an open-source portable Windows tool for permanently erasing
data.
It deletes all disk data and prevents its recovery.
Data Remanence
Residual data left on a disk after deletion is called data remanence.
Modern anti-forensic tools and techniques ensure minimal data
fragments remain on a system.
In rare cases, some fragments may be found, but without sufficient
details, it is difficult to reconstruct meaningful evidence.
Degaussing
Degaussing is a data-wiping method that uses strong electromagnets
to erase data from a disk.
It is a form of demagnetizing, where the device is exposed to a
fluctuating, strong magnetic field to reset it to a magnetically neutral
state.
The electromagnetic field disrupts and randomizes the magnetic
patterns that store data, effectively erasing data.
The device’s magnetic alignment is restructured, making data
recovery nearly impossible.
Types of Degaussers
1. Coil Degaussers:
Use a steel core wrapped in copper wire to generate alternating electromagnetic fields.
Generate high heat, so they are limited to short operating cycles to prevent overheating.
2. Capacitive Discharge Degaussers:
Use capacitors to store energy; once fully charged, the capacitors discharge into the coil, creating a very intense electromagnetic pulse.
3. Permanent Magnet Degaussers:
Have no electrical components, so they can run non-stop.
The larger the magnets, the greater the intensity of the magnetic field.
Degaussing Facts
Effectiveness:
Data recovery from a hard drive after degaussing is nearly impossible.
Limitations:
Solid-State Drives (SSDs) are immune to degaussing as they do not rely
Market Options:
A variety of commercial and DIY degaussers are available.
2. Trail Obfuscation
A method used by cybercriminals to mislead investigations by
manipulating evidence.
Aims to confuse and misdirect forensic investigators.
Purpose:
Prevents investigators from tracing the activities of cybercriminals.
Example:
VPN software such as Tunnelblick to mask IP addresses and hide online activity.
Spoofing
A technique where hackers pretend to be someone else by altering
their IP or MAC address.
Used to hide credentials or mislead investigators.
Purpose:
Conceal identity.
Mislead forensic investigations.
Types of Spoofing
1. IP Spoofing:
Alters the IP address to random or specified values.
Easy to implement using tools or manually.
Commonly employed by hackers.
2. MAC Spoofing:
Modifies the device’s MAC address for enhanced anonymity.
Less common but offers better identity concealment than IP spoofing.
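Two checks an investigator can run over network observations to surface the spoofing described above, as an added example (not from the lecture): the IEEE 802 "locally administered" bit in a MAC address shows the address was assigned by software rather than burned in by the manufacturer, and an IP address observed with more than one MAC in a short window is a candidate indicator of IP or MAC spoofing. The log format and the five lines below are constructed for the example; the field names and flag labels are my own.

```python
"""Spoofing indicators over ARP-style observations. Added example, not
the lecture's code. Log format and sample lines are constructed."""
import re
from collections import defaultdict

# Constructed observations: "<timestamp> arp <ip> <mac>" (not real traffic)
SAMPLE_LOG = """\
2024-12-13T10:00:01 arp 10.0.0.5 00:1a:2b:3c:4d:5e
2024-12-13T10:00:05 arp 10.0.0.7 00:1a:2b:3c:4d:60
2024-12-13T10:02:10 arp 10.0.0.5 02:00:00:aa:bb:cc
2024-12-13T10:03:00 arp 10.0.0.9 00:1a:2b:3c:4d:61
2024-12-13T10:04:30 arp 10.0.0.9 06:11:22:33:44:55
"""

LINE_RE = re.compile(
    r"^(\S+)\s+arp\s+(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})$",
    re.IGNORECASE,
)

def parse(log):
    """Return (timestamp, ip, mac) tuples; lines that do not match are skipped."""
    records = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append((m.group(1), m.group(2), m.group(3).lower()))
    return records

def is_locally_administered(mac):
    """Bit 1 of the first octet is the IEEE U/L bit: set means the address
    was assigned locally (by software) rather than by the vendor. Not proof
    of spoofing on its own: privacy randomisation on phones and laptops and
    container/virtual interfaces set it too, so treat it as a review flag."""
    return int(mac.split(":")[0], 16) & 0x02 != 0

def ip_mac_conflicts(records):
    """IPs seen with more than one MAC, with the first time each MAC was
    observed: a candidate indicator of IP/MAC spoofing or an address conflict."""
    seen = defaultdict(dict)  # ip -> {mac: first_seen}
    for ts, ip, mac in records:
        seen[ip].setdefault(mac, ts)
    return {ip: macs for ip, macs in seen.items() if len(macs) > 1}

def analyse(log):
    """Both checks over one log; returns the flagged MACs and the conflicts."""
    records = parse(log)
    return {
        "locally_administered": sorted({mac for _, _, mac in records
                                        if is_locally_administered(mac)}),
        "conflicts": ip_mac_conflicts(records),
    }

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

In the sample, 10.0.0.5 and 10.0.0.9 each change MAC within a few minutes, and both newcomers carry the locally administered bit; neither fact alone proves spoofing, but together they tell the investigator which hosts' other logs to pull first.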
Data Modification
This technique manipulates the metadata and timestamps of the
data, thereby creating obstructions in an investigation.
A simple timestamp modification can affect the timeline analysis of a
case.
Manipulating metadata can be equally disruptive, as it may
completely remove the forensically significant data.
A timestamp is file metadata that records the date and time of a file's creation, modification, and last access.
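Timeline checks that surface the kind of timestamp manipulation described above, as an added example (not the lecture's code). Each record carries the three timestamps the slide names; the checks flag values that contradict each other (modified or accessed before created), lie after the time the image was acquired, or all sit on whole-second boundaries, which is an artefact of timestamps written by a tool at second granularity rather than by normal file activity. The records, the acquisition time and the flag names are constructed for the example, and every flag is a prompt for review, not proof of tampering.

```python
"""Timeline consistency checks for created/modified/accessed timestamps.
Added example, not the lecture's code; records are constructed."""
from datetime import datetime

# Constructed records, ISO-8601 with microsecond precision (not from a real image)
RECORDS = [
    {"path": "C:/Users/a/report.docx",
     "created": "2024-11-02T09:15:27.441230",
     "modified": "2024-11-05T14:02:11.008223",
     "accessed": "2024-12-01T08:00:03.117400"},
    {"path": "C:/Users/a/tool.exe",          # modified years before it was created
     "created": "2024-12-10T11:40:00.553120",
     "modified": "2019-01-01T00:00:00.000000",
     "accessed": "2024-12-10T11:40:01.010101"},
    {"path": "C:/Windows/Temp/x.dat",        # all three in the future, all whole seconds
     "created": "2025-06-01T00:00:00.000000",
     "modified": "2025-06-01T00:00:00.000000",
     "accessed": "2025-06-01T00:00:00.000000"},
]
ACQUIRED_AT = "2024-12-13T12:00:00.000000"   # assumed time the image was taken
FIELDS = ("created", "modified", "accessed")

def check_record(rec, acquired_at=ACQUIRED_AT):
    """Return the sorted list of flags raised for one record."""
    now = datetime.fromisoformat(acquired_at)
    ts = {f: datetime.fromisoformat(rec[f]) for f in FIELDS}
    flags = []
    if ts["modified"] < ts["created"]:
        flags.append("modified_before_created")
    if ts["accessed"] < ts["created"]:
        flags.append("accessed_before_created")
    if any(t > now for t in ts.values()):
        flags.append("future_timestamp")      # later than the acquisition itself
    if all(t.microsecond == 0 for t in ts.values()):
        flags.append("whole_second_timestamps")  # typical of tool-set values
    return sorted(flags)

def analyse(records, acquired_at=ACQUIRED_AT):
    """Map every path to its flags (an empty list means nothing stood out)."""
    return {r["path"]: check_record(r, acquired_at) for r in records}

if __name__ == "__main__":
    for path, flags in analyse(RECORDS).items():
        print(path, flags or "ok")
```

A modification time earlier than the creation time is also what a file looks like after being copied with its original modification time preserved, so the flag selects files for a closer look (for instance, against other timestamp sources and application logs) rather than deciding the case.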
3. Encryption
This is the first and original method of anti-forensics.
It is a cryptographic process that converts readable data into
unreadable data.
Advanced encryption protocols and standards are being developed to
improve privacy protection.
VeraCrypt: Open-source disk encryption software, supports Windows,
Linux, and macOS.
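Encrypted data has no structure an investigator can read, but that absence is itself detectable: a VeraCrypt volume carries no plaintext header, so it looks like uniformly random bytes, and a region wiped with random data (the third pass in the wiping slides) looks the same. The triage below, an added example that is not the lecture's code and not part of VeraCrypt, computes Shannon entropy per block and reports high-entropy data that matches no known file signature; compressed formats also score high, which is why the signature check runs first. The threshold, the signature table and the sample blobs are assumptions constructed for the example.

```python
"""Entropy triage for encrypted or random-wiped data. Added example;
not the lecture's code and not part of VeraCrypt. Samples constructed."""
import math
import secrets
import zlib

# File signatures checked before the entropy rule (compressed/image formats
# are high-entropy too, so without this they would be flagged as well).
SIGNATURES = [
    (b"\x1f\x8b", "compressed_gzip"),
    (b"PK\x03\x04", "archive_zip"),
    (b"\x89PNG", "image_png"),
    (b"\xff\xd8\xff", "image_jpeg"),
    (b"%PDF", "document_pdf"),
]
HIGH_ENTROPY = 7.8   # bits per byte, out of a maximum of 8.0 (assumed threshold)

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def is_zlib(data: bytes) -> bool:
    """RFC 1950 header (CM=8, CMF/FLG check) plus a trial inflate of the
    first bytes, so random data that happens to pass the header check
    is rejected."""
    if len(data) < 2 or data[0] & 0x0F != 8 or ((data[0] << 8) | data[1]) % 31:
        return False
    try:
        zlib.decompressobj().decompress(data[:256])
        return True
    except zlib.error:
        return False

def classify(data: bytes) -> str:
    for magic, label in SIGNATURES:
        if data.startswith(magic):
            return label
    if is_zlib(data):
        return "compressed_zlib"
    if shannon_entropy(data) >= HIGH_ENTROPY:
        return "high_entropy_unknown"   # candidate: encrypted volume or random-wiped region
    return "low_entropy"

def scan(data: bytes, block: int = 4096):
    """Per-block (offset, entropy, label) so an encrypted region embedded
    in otherwise ordinary content still stands out."""
    return [(off, round(shannon_entropy(data[off:off + block]), 3),
             classify(data[off:off + block]))
            for off in range(0, len(data), block)]

# Constructed samples (not real evidence)
TEXT = b"Quarterly report: revenue grew 4% over the prior period. " * 1200
RANDOM = secrets.token_bytes(1 << 16)   # stands in for an encrypted container
COMPRESSED = zlib.compress(TEXT)

if __name__ == "__main__":
    for name, blob in (("text", TEXT), ("random", RANDOM), ("zlib", COMPRESSED)):
        print(name, round(shannon_entropy(blob), 3), classify(blob))
```

Run over a disk image block by block, the same scan marks contiguous high-entropy runs with no signature; those are where an investigator looks for an encrypted container or checks whether a wipe was run, since neither can be confirmed by content alone.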
4. Data Hiding
A technique used to conceal sensitive data from investigators.
Attackers hide sensitive data in the Host Protected Area (HPA), slack space, and Alternate Data Streams (ADS), since these areas are not included in typical search parameters.
Cryptography and steganography:
Steganography hides the information within carriers such as images, audio files, spam, etc.
SilentEye is an open-source tool used for steganography.
Cryptography converts the contents of a message into an unreadable format using algorithms such as RSA, AES, and DES.
Conclusion
Anti-forensic practices aim to erase, hide, or manipulate digital
evidence, posing significant challenges to forensic investigations.
Techniques like data wiping, trail obfuscation, spoofing, encryption,
and data hiding require investigators to adopt advanced tools and
strategies.
As technology evolves, so do these techniques, driving innovation in
forensic sciences.
Understanding anti-forensics is essential to enhance investigation
methods, safeguard evidence integrity, and ensure justice against
increasing cyber threats.
References
1. Textbook: Practical Cyber Forensics: An Incident-Based Approach to Forensic Investigations, Niranjan Reddy.
2. https://www.linkedin.com/pulse/anti-forensic-techniques-i-dfir-i-rem-i-mssp-i-threat-hunting-3dbxf
Thank you