Are Digital Investigators countering anti-forensic techniques?

Anti-Forensics: A Practitioner Perspective

Forensics is the science of investigating artefacts and interpreting their relevance to an investigation. Increasingly, the evidence used in forensic investigations is digital. With the proliferation of electronic devices, digital evidence can be relevant in a wide variety of criminal investigations, to identify an attacker or their actions, as well as identify how and why they perpetrated the alleged crime. Judicial processes rely on the expertise of Digital Forensics investigators for the proper collection and analysis of digital evidence. Fragile by nature, digital evidence can be easily altered, sometimes without any trace. When done intentionally to hide or destroy evidence, this act is known as anti-forensics (AF). Often Anti-Forensics activities are carefully hidden and many may remain undiscovered, so the full impact of Anti-Forensics on investigations is unknown. Before a Digital Forensics practitioner can fully evaluate the impact of Anti-Forensics activity on an investigation, they must first detect the tampering.

The study by de Beer et al. surveyed 35 South African Digital Forensics practitioners to establish the extent and impact of Anti-Forensics activity on investigations. They found several factors that influence Digital Forensics practice:

  • Degree of implementation

Digital Forensics investigators place a high importance on Anti-Forensics, for the contribution to judicial proceedings, but most do not always employ significant efforts to identify Anti-Forensics activity in their investigations.

  • Level of knowledge

Digital Forensics investigators know about some common Anti-Forensics techniques and tools (such as data hiding, data destruction, and encryption), but are less familiar with more complex Anti-Forensics methods, like data contraception, trail obfuscation, and data fabrication. Practitioners report that the better-known methods are the ones impacting forensic cases. However, it is unclear if this is because they have the greatest impact or because these are the methods that are most well-known and are hence more often detected.

  • Training, experience, and confidence

There is a connection between participation in Anti-Forensics training and a respondent's rating of their own knowledge of Anti-Forensics tools and techniques. Those Digital Forensics practitioners who have training are more likely to rate their knowledge as good or excellent. Also, Digital Forensics practitioners with two or more years on the job rate their own abilities with Anti-Forensics higher than those with less experience.

This study highlights the need for specific Anti-Forensics knowledge and skills development as a component of Digital Forensics training. Greater fluency with Anti-Forensics tools and techniques might broaden the tools for counter-Anti-Forensics work by Digital Forensics investigators, as well as enhancing their confidence and efficacy.

Digital Forensics investigators take anti-forensics techniques seriously, but only the ones they know well. Formalised implementation of anti-forensics detection, together with training and mentoring on countering techniques, could improve investigations.