Evaluating Challenges and Impacts of Anti-Forensics

Steve Stawski, Director of Electronic Discovery and Forensics, Sony Electronics

Anti-forensic tools and methods challenge and disrupt a forensic examiner's defensible conclusions and observations. The "realm" of anti-forensics (AF) ranges from wiping and encryption tools through apps that eliminate evidentiary artifacts. Almost no device is immune from AF, including the cloud. Conclusions, and even testimony, based on tainted digital evidence are a huge risk.

We might start by expanding the realm of what we define as AF. Let's include apps that are not AF by design but could be used for AF activities. Hackers are using AF as part of their toolset, but let us go a step further and include the insider threat. A corporate investigation into compromised systems or IP theft, a breach of security controls, law enforcement digital investigations, critical government counter-intelligence investigations: all of these examples have one thing in common. They all rely on the integrity and completeness of digital artifacts. It is this integrity that can be unknowingly compromised by AF.

Best practices call for users to complete an annual Security Awareness Program. Users are trained to implement strong passwords and to change them frequently. Strong and complex passwords can be an AF tool. During an investigation, circumventing password-protected files, containers, and devices can be straightforward or insurmountable. A corporate user turned bad actor could block access to files and devices through strong passwords. As an exercise, think of all the standard security controls that users have at their disposal (encryption, archiving, biometrics, 2FA, data sanitization, cloud storage) and how they can be leveraged for AF. Think about how you would distinguish malicious or accidental AF activities from legitimate ones for each of these controls.

Phones and cell-service-enabled tablets can be remotely wiped. A determination would have to be made as to whether this was malicious. Hackers have the technical backgrounds and expertise to leverage all of these methods. However, many of the methods don't require a lot of technical expertise and are readily available to anyone. Missing laptop or cell phone credentials can lead to actions resulting in spoliation. For example, rebooting systems or interacting with active devices will alter digital artifacts. The insider threat combined with AF tools can have devastating results on an investigation. We might call this User Security Control Hijacking.

Further examples are AV, DLP, EP agents, HIPS, HIDS, GPO, and firewalls. These are the necessary security controls. Used together they form concentric layers of security on personal devices, IoT, the cloud, and small-to-large enterprise environments. However, they have the unintentional effect of creating major challenges for the preservation of digital evidence. These controls may need to be defused (disabled or even removed) during acquisition. If not, they can prevent defensible acquisition of ephemeral (volatile) artifacts and data-at-rest. Consider that even defusing security controls can lead to unintended AF consequences.

How can we address the impact of AF? The answer to this question may lie in digital forensic best practices: education, tool mastery, defensible and repeatable methodologies, consistent testing, and at times perseverance. Anti-forensics is considered by some to be a myth. Consider that the simplest security control, i.e. a ten-digit code on a phone versus four digits, can make evidence inaccessible. Locating anti-forensic activity may be the most important finding of a forensic investigation.
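The exercise posed earlier (telling legitimate use of a security control apart from AF use of the same control) and the closing point that locating AF activity is itself a finding can both be made concrete with a small triage script. The following is an added example, not code from the article or from Sony Electronics. The event timeline, the event names, the `ticket=` convention for a documented change, and the thresholds are all constructed assumptions, not any vendor's real schema; the approach generalizes to any timeline an examiner can normalize into timestamp, host, user, event and detail fields. It treats a change-ticket reference as evidence of a legitimate control change, but still reports a dense cluster of control changes, wipes, log clearing and reboots on one host regardless of tickets, because even documented "defusing" of controls can cause the spoliation the article warns about.

```python
"""Triage of anti-forensic (AF) indicators in an endpoint event timeline.

Added example. The log below is constructed for illustration; the event
vocabulary and the "ticket=" convention are assumptions, not a real schema.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Event names treated as AF indicators, with a coarse severity (assumption).
AF_INDICATORS = {
    "wipe_tool_exec": "high",       # secure-delete / wiping tool run
    "remote_wipe": "high",          # MDM or user-initiated device wipe
    "log_cleared": "high",          # audit log channel cleared
    "av_disabled": "medium",        # endpoint protection turned off
    "dlp_agent_stopped": "medium",  # DLP agent stopped
    "reboot": "low",                # reboot destroys volatile artifacts
}
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}

# Constructed timeline: "timestamp|host|user|event|key=value ..."
SAMPLE_LOG = """\
2024-03-04T08:55:00|LAPTOP-17|jdoe|password_policy_change|min_length=24
2024-03-04T09:02:13|LAPTOP-17|jdoe|av_disabled|ticket=CHG-4421
2024-03-04T09:03:40|LAPTOP-17|jdoe|wipe_tool_exec|tool=wiper target=Projects
2024-03-04T09:04:05|LAPTOP-17|jdoe|log_cleared|channel=Security
2024-03-04T09:10:00|LAPTOP-17|jdoe|reboot|reason=user
2024-03-04T11:30:00|PHONE-22|jdoe|remote_wipe|source=mdm ticket=CHG-4450
2024-03-05T14:00:00|WS-03|asmith|av_disabled|ticket=CHG-4499
2024-03-05T14:45:00|WS-03|asmith|av_enabled|ticket=CHG-4499
"""


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    name: str
    detail: dict


def parse_line(line: str) -> Event:
    """Parse one pipe-delimited line; the detail field is space-separated k=v."""
    ts, host, user, name, detail = line.split("|", 4)
    kv = {}
    for token in detail.split():
        if "=" in token:
            key, value = token.split("=", 1)
            kv[key] = value
    return Event(datetime.fromisoformat(ts), host, user, name, kv)


def parse_log(text: str) -> list:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def is_documented(event: Event) -> bool:
    """A change-ticket reference is our (assumed) marker of a sanctioned change."""
    return "ticket" in event.detail


def classify(events: list) -> tuple:
    """Split AF-indicator events into documented and undocumented lists."""
    documented, undocumented = [], []
    for event in events:
        if event.name not in AF_INDICATORS:
            continue
        (documented if is_documented(event) else undocumented).append(event)
    return documented, undocumented


def find_clusters(events: list, window=timedelta(minutes=15), min_events=3) -> list:
    """Greedy per-host grouping: a cluster holds every indicator event within
    `window` of the cluster's first event. Tickets do not exempt an event."""
    by_host = {}
    for event in sorted(events, key=lambda e: e.ts):
        if event.name in AF_INDICATORS:
            by_host.setdefault(event.host, []).append(event)
    clusters = []
    for host, evs in by_host.items():
        i = 0
        while i < len(evs):
            group = [evs[i]]
            j = i + 1
            while j < len(evs) and evs[j].ts - evs[i].ts <= window:
                group.append(evs[j])
                j += 1
            if len(group) >= min_events:
                top = max(group, key=lambda e: SEVERITY_RANK[AF_INDICATORS[e.name]])
                clusters.append({
                    "host": host,
                    "count": len(group),
                    "severity": AF_INDICATORS[top.name],
                    "events": [e.name for e in group],
                })
            i = j
    return clusters


def triage(text: str) -> dict:
    """Return the examiner-facing summary: documented count, undocumented
    indicator events to investigate, and per-host activity clusters."""
    events = parse_log(text)
    documented, undocumented = classify(events)
    return {
        "documented": len(documented),
        "undocumented": undocumented,
        "clusters": find_clusters(events),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("documented control changes:", result["documented"])
    for e in result["undocumented"]:
        print("UNDOCUMENTED", e.ts.isoformat(), e.host, e.user, e.name, e.detail)
    for c in result["clusters"]:
        print("CLUSTER", c["host"], c["count"], c["severity"], c["events"])
```

On the constructed log the script reports three undocumented indicator events on LAPTOP-17 (the wiping tool run, the cleared Security log and the reboot) and one high-severity cluster on that host, while the ticketed AV change on WS-03 and the ticketed MDM wipe of PHONE-22 are counted as documented and raise no cluster. The point is not the thresholds, which any examiner would tune, but that the output records where AF activity was found, so it can be reported as a finding rather than silently eroding the acquisition.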
