Accession Number:

ADA576161

Title:

Anti-Forensics: Techniques, Detection and Countermeasures

Descriptive Note:

Conference paper

Corporate Author:

NAVAL POSTGRADUATE SCHOOL MONTEREY CA

Personal Author(s):

Report Date:

2007-03-01

Pagination or Media Count:

9.0

Abstract:

Computer Forensic Tools CFTs allow investigators to recover deleted files, reconstruct an intruders activities, and gain intelligence about a computers user. Anti-Forensics AF tools and techniques frustrate CFTs by erasing or altering information creating chaff that wastes time and hides information implicating innocent parties by planting fake evidence exploiting implementation bugs in known tools and by leaving tracer data that causes CFTs to inadvertently reveal their use to the attacker. Traditional AF tools like disk sanitizers were created to protect the privacy of the user. Anti-debugging techniques were designed to protect the intellectual property of compiled code. Rootkits allow attackers to hide their tools from other programs running on the same computer. But in recent years there has been an emergence of AF that directly target CFTs. This paper categorizes traditional AF techniques such as encrypted file systems and disk sanitization utilities, and presents a survey of recent AF tools including Timestomp and Transmogrify. It discusses approaches for attacking forensic tools by exploiting bugs in those tools, as demonstrated by the 42.zip compression bomb. Finally, it evaluates the effectiveness of these tools for defeating CFTs, presents strategies for their detection, and discusses countermeasures.

Subject Categories:

  • Sociology and Law
  • Computer Hardware

Distribution Statement:

APPROVED FOR PUBLIC RELEASE