Anti-Forensics: Techniques, Detection and Countermeasures

Garfinkel, Simson

Anti-Forensics: Techniques, Detection and Countermeasures

Active / Technical Report | Accession Number: ADA576161 |

Open PDF

Abstract:

Computer Forensic Tools CFTs allow investigators to recover deleted files, reconstruct an intruders activities, and gain intelligence about a computers user. Anti-Forensics AF tools and techniques frustrate CFTs by erasing or altering information creating chaff that wastes time and hides information implicating innocent parties by planting fake evidence exploiting implementation bugs in known tools and by leaving tracer data that causes CFTs to inadvertently reveal their use to the attacker. Traditional AF tools like disk sanitizers were created to protect the privacy of the user. Anti-debugging techniques were designed to protect the intellectual property of compiled code. Rootkits allow attackers to hide their tools from other programs running on the same computer. But in recent years there has been an emergence of AF that directly target CFTs. This paper categorizes traditional AF techniques such as encrypted file systems and disk sanitization utilities, and presents a survey of recent AF tools including Timestomp and Transmogrify. It discusses approaches for attacking forensic tools by exploiting bugs in those tools, as demonstrated by the 42.zip compression bomb. Finally, it evaluates the effectiveness of these tools for defeating CFTs, presents strategies for their detection, and discusses countermeasures.

Author(s):

Garfinkel, Simson

Author Organization(s):

NAVAL POSTGRADUATE SCHOOL MONTEREY CA

Descriptive Note:

Conference paper

Supplementary Note:

Presented at the International Conference on Information Warfare and Security (ICIW) (2nd) held in Monterey, CA on 8-9 Mar 2007.

Pagination:

0009

Security Markings

DOCUMENT & CONTEXTUAL SUMMARY

Distribution:

Approved For Public Release

Distribution Statement:

Approved For Public Release; Distribution Is Unlimited.

RECORD

Collection: TR

Identifying Numbers

Monitor Series:

NPS

Subject Terms

Joint Capability Areas:

JCA_6_Net Centric; JCA_6.1.3_Switching and Routing; JCA_6.1_Information Transport; JCA_5_Command and Control; JCA_6.4.2_Protect Data and Networks; JCA_6.4.1_Secure Information Exchange; JCA_6.4_Information Assurance; JCA_5.3_Planning; JCA_3_Force Application; JCA_3.2_Engagement; JCA_3.2.2_Non-Kinetic Means; JCA_8_Building Partnerships; JCA_6.2.1_Information Sharing; JCA_6.2.2_Computing Services; JCA_6.3.1_Optimized Network Functions and Resources; JCA_8.1_Communicate; JCA_6.2_Enterprise Services; JCA_8.2_Shape; JCA_6.3_Net Management; JCA_1.2_Force Preparation; JCA_1_Force Support

Communities of Interest:

Energy and Power Technologies

Descriptor(s):

*COUNTERMEASURES, *DETECTION, *FORENSIC ANALYSIS, CHAFF, COMPUTERS, FILES(RECORDS), INTELLIGENCE, TOOLS

Field(s)/Group(s):

Sociology and Law, Computer Hardware

Keyword(s):

42 ZIP COMPRESSION BOMBS, AF(ANTI FORENSICS), ANTI COMPUTER FORENSICS, CFT(COMPUTER FORENSIC TOOLS), CYBERCRIMES, ENCASE, HACKER TOOLS, PRIVACY ENHANCING TOOLS

Report Date:

2007 Mar 01

Creation Date:

2013 Jun 03