Anti-Forensic Technologies - Essay Example

? Anti-Forensic Technologies There has been a wide usage of anti-computer forensics all over the world. This paper takes an overview of, and an analysis of the most widely used anti-forensic techniques in the world. Mostly, these techniques hide or make it unrecoverable digital tracks of a crime in any form of magnetic media. Computer forensics department holds the mandate of collecting as much information and documentation about a crime as possible, regardless of whether such information is computer related or not. As such, computer forensics identifies the discipline involved in the study of the techniques and methodologies necessary for collection, analysis and presentation of unequivocal evidence, necessary in legal proceedings. Innovatively, there are anti-investigation techniques, aimed at making information collected by automated tools as well as fresh-and-blood investigators. With the help of modern operating systems, especially by the nature of management of data, events, and information, it is easy to find these individuals. However, due to the different techniques applied by computer users, it is hard to find people who use anti-computer forensics. Introduction Recently, due to the development of anti-computer forensics into a significant field of study, more researchers have undertaken intensive studies and research on the issue. Defined as any attempts focused on affecting negatively the existence, amount or quality of evidence from a crime scene, or making an analysis of the examination of the evidence difficult or impossible to conduct, anti-computer forensics is essentially a creative way of sabotaging any type of investigations into a crime scene. However, anti-computer forensics is a more technologically advanced method, which criminals use in hacking. This approach makes sure that it is hard for investigators to find the criminals, and if they were to find them, make it impossible for them to prove ha they ever found them. Most of the researchers do not put into consideration the use of forensics as a method of ensuring the safety of one’s personal data or information. Criminals use different techniques to protect their identity from the authority. However, not only is this approach useful to criminals, individuals have excessively use it in stalking each other. It is due to the rise in the use of this technology that many researchers have undertaken to conduct research and study on this form of technology (Lim, 2008). As a result, I take to conduct research on the techniques used by people in anti-computer forensics. The effectiveness of these techniques to their users will also form part of this research. Problem Statement In the recent years, there has been a sharp increase in the number of anti-forensic techniques used by criminals in frustrating investigative processes. Due to technological advancement and innovation, criminals have increasingly perfected their acts, by developing means and ways of overwriting data, hiding or deleting it to obscure it from the investigators (Busing, et al. 2005).. This is not the only way in which these criminals make investigations impossible to investigators. Another way of doing this is by sabotaging any form of investigation, to make sure that the law does not catch up with them. This leads to the abandonment of numerous cases in their investigation stages, while others never proceed to full trial due to lack of evidence. Even if the evidence is available, if accessed by criminals, and due to immense tampering, it is scanty, unreliable, misleading or damaged (Shanmugam, et al. 2011). As such, this study seeks to identify the methods and techniques used in anti-forensics. Literature Review According to Busing et al., (2005), computer Forensics is the use of scienti?c knowledge for collecting, analyzing, and presenting evidence to the courts. On the other hand, Anti-Forensics includes tools and techniques that frustrate forensic tools, investigations and investigators. Shanmugam, et al. (2011) point out that it is very hard for the security agencies to investigate and prosecute electronic crimes. This owes to the fact that investigators rely on artifacts left on the computer systems to build their cases. In the current world of crime, criminals are aware of the computer forensic methods and techniques, and therefore try to use countermeasure techniques to slow down and impede the investigation processes. With the application of such countermeasures, investigations into these crimes become an expensive affair for security agencies. In addition, the process gets more complicated, leading to time wastage. Data collected in most cases is unreliable, as criminals track down the investigation process, tampering with the process. As such, abandonment of cases without successful prosecution of the parties involved is common. Investigators feel demoralized, while at the same time holds a sense of self-defeat, owing to the criminals’ creativity and innovativeness. Collectively, all methodologies used the computer forensics processes are referred to as Anti-Forensics. In essence, not only does anti-forensics make investigations on digital media difficult to track, but also more expensive (Osuagwu, et. Al., 2010). However, it is possible to distinguish anti-forensic techniques in their specific categories. Each of these aims at attacking one or more steps performed by different analysts in their activities. This is with the understanding that all types analysis carried out takes specific forms. It is essential to understand these steps in order to determine the limitations and benefits of any of the ant-forensic techniques. These steps include identification, acquisition, analysis and reporting (Busing, et al. 2005). Any efforts focusing on sabotaging any of these processes significantly affects the entire process. This is because, any negative effort aiming any of these steps doing not lead to the desired results of the information. Any data, whether in analogue sources or digital is some form of evidence. Everything done in a system leaves some sort of traces behind. Therefore, everything done creates data that necessitates the removal of or hiding of such data. The goal of doing an anti-forensics is either to reduce or hide the quantity or tamper with the quality of evidentiary data. According to Osuagwu, et al. (2010), there are no frameworks set to analyze the anti-forensic situation. With the understanding that computer forensic investigators rely on high quality data to win a case, any form of tampering significantly affects the quality of their evidence. Thus, skewing of the information renders it impossible for the people to use. While solving the anti-forensic issues, it is imperative to create a consensus view of the problem itself. Methodology There are several sub-categories in the classification of the various tools and techniques used in anti-forensics. These techniques fall in two major categories, the basic and the advanced techniques. The main reasoning and idea behind the analysis prevention, holds that if there is no creation or generation of information, it should not be deleted, hidden or destroyed to hide the attackers (Osuagwu, et al. 2010). These involve a range of practices such as code exec in memory buffers and a specific tuning of the system to prevent it from collecting useful traces by a forensic investigator. This, as experts describe, is a better way than the exact cure. Almost all cases use some form of data obfuscation, a method involving a hacker erasing all his tracks left behind in a system. Contrary to this, data hiding incorporates cryptography power to mask data instead of deleting it (Berghel, 2007). Another approach used by cryptographers is steganography, which involves hiding of data in anti-forensics. Data hiding This is the process of making data difficult to find, but keen to make sure that it is available for future use (Berghel, 2007). Obfuscation and encryption of data limits the ability of the identification and collection of evidence by investigators while allowing access and use by themselves (Berghel, 2007). Encryption and steganography are the commonly used methods of data hiding. These two includes various forms of hardware and software based on data concealment. Each of these methods involves digital forensic examinations difficult. The biggest advantage of data hiding is that it makes it possible to maintain the availability of this data whenever in need. The use of physical disk for data hiding is effective in any form type of operating system. However, there is an increased use of techniques related to the operating system or file system. The use of physical disk for data hiding makes these techniques feasible due to options implemented during their production. The main intention of these options is the facilitation of compatibility and diffusion. Other methods used in data concealment take advantage of the data management property of the operating system. If attack takes place to the information in the first stage, it makes it impossible to find any data, which is not possible to analyze or report (Berghel, 2007). Different methods used in hiding data include; unusual directories and manipulation of file headers, where criminals hide information in unusual places. For instance, hiding data in slack space, taking the form of media like hard drives. Subsequently, criminals divide this data in clusters of sectors (Pedneault, 2010). Currently, NTFS is the most popular files system in use in data hiding. General information about files such as file name, size of file, time stamps and the number of clusters is stored in hard drives. However, storage of the actual data takes place in another place. Stenography technique of hiding data involves the hiding of data within other data where it is hard to reveal the presence (Osuagwu, et al. 2010). Mostly, users of this methodology use it for legitimate reasons, by inserting digital watermarks in the image. Therefore, the owners can easily protect themselves from copyright infringement. Direct Attacks against Computer Forensic Software One of the main ways of carrying out an attack against computer forensics software is its exploitation and usage for vulnerability (Pedneault, 2010). Just like any other software, software vendors created computer forensics software. If such software reveals a questionable credibility during the legal process, there are high chances of disregarding such information due to the unreliability of the software. There are two main ways of compromising the credibility of such software, time stamp modification and hash collision. In time stamp modification, every file on removable media has four values commonly known as M.A.C.E (Richard & Roussev, 2006). Computer forensics packages reading those values, give indications to examiners about time and date issues of any updates and changes to the contents of a file. However, it is possible to manipulate real time and date stamps to display incorrect information in computer forensics software. Hash Collision is an algorithm used to create a unique fixed value string relative to any information (Pedneault, 2010). The biggest disadvantage of this is its irreversibility nature. For data to qualify as evidence in forensic investigation, it should possess no alterations during the investigation process. With such an understanding, it is possible to undermine the credibility of digital evidence. Elimination of Source The investigation process relies on securing of all data on an inspected drive regardless of its involvement in an investigation. The only way of doing this is by acquiring an identical image of the media going through the analysis process. This method focuses on the preventing preservation of pertinent data for use in the investigation (Aquilina, et al., 2008). The easiest way is blocking access to the media such that investigator’s efforts of assessing the information prove futile. The next available option is eliminating the source of the data. Just like most of the counter-forensic techniques, when applied before the acquisition of the image, these methodologies are more efficient (Aquilina, et al. 2008). The most effective and easiest way of source elimination is disabling the tool responsible for the creation of the source. Through computer settings modification, editing of an operating system group policy disables the login top the website browser. As such, it is impossible to access the browser’s history. Results Anti-forensic methods rely on inherent problems in the forensics for their success. Although anti-forensics mainly attacks on the investigators, they in other times take advantage of our dependency on specific tools and methods. Additionally, they may also rely on inherent physical and logical issues affecting the investigation process as well as the world in general. Since anti-forensics rely on these methods, and take advantage of the problems inherent in the investigation processes, taking care of these concerns theoretically solves he anti-forensics problem (Mercer, 2004). However, it is impossible to take care of these problems. Therefore, it is hopeless to try to solve these issues with such an understanding. Although it is possible to most of all issues affecting the anti-forensics explain, human element remains he most significant factor hard to deal with. Human aspects require hat an investigator show high levels of alertness. Moreover, anti-forensics, due to the fact that the techniques keep on changing, require high educational achievement, real world experiences and willingness to creatively think along new directions (Mercer, 2004). This keeps investigators on their feet, as the track the new ways that criminals are likely to exploit in their plans. This has necessitated a rise in the educational level and standards of forensic investigators. This is because; investigators have to detect attacks that are more sophisticated; hence require high levels of education. While education is vital in his process, real life experiences play a bigger role in the investigation process as an investigator’s intuition rely on experience (Pedneault, 2010). This has raised the bar high on the investigators requirements. We keep incurring more costs in training experts in forensics, and equipping them with adequate skills to track down the criminals (Gogolin, 2013). Even as governments spend billions on these experts, more criminals loam free. For prosecution of a person to take place, evidence produced in a court of law must prove beyond any reasonable doubt that the person actually performed the crime. However, if there is any form of evidence interference or even lack of a particular piece of important evidence, then the process cannot proceed. Through the different methodologies, whether geared towards hiding or destroying data significantly sabotages the investigation process. This, as criminals envision, gives investigators a hard time, in their investigations (Gogolin, 2013). Moreover, it is a costly affair for the investigators, especially when they have to keep on running after the perpetrators of these crimes. In the recent times, there has been an increase in the number of anti-forensic techniques. Even tools in use matter a lot, as they keep on changing by the day (Gogolin, 2013). As software developers keep on developing new and more sophisticated computer investigation software, other individuals counter this by developing anti-computer forensics, which successfully counters this software (Mercer, 2004). As a result, it makes it difficult for the investigators to keep track of the investigation process, with their efforts reaching a dead end. It is a requirement that an investigator should prove beyond a reasonable doubt responsibility of the accused in the crime. With this understanding, criminals know that tampering with the process either at one stage or in different stages makes it impossible for their prosecution. According to Murphy (2007), any form of tampering with such information leads to a disregard of the information and evidence provided by these sources. This makes it impossible to investigate criminals, through this method. Different techniques have different effects on the investigation process. Traditionally, the most common techniques include secure deleting of the data. Any form of deleting of data totally wipes it out, making it impossible to restore it regardless of the efforts extended towards its restoration (Richard & Roussev, 2006). In deleting, the system happens in three ways, overwriting the entire media, overwriting individual files and overwriting files already deleted but left on the drive. Sometimes, deleting leaves files in the system. However, overwriting these files makes them invisible to other people. Analysis / Discussion Many questions keep arising on the reasons why efforts to counter these techniques have been unsuccessful. While some experts attribute this failure to the rapid changes in technology, some argue that there is a knowledge vacuum in this field. Recommendations from experts agree that there is every reason to do extensive research to address this gap. It is also probable that researchers follow the wrong path, which eventually gives no results. The fact that there are more bloggers than academicians are on this issue gives us an illusion of lack of technological and educational advancement. Too much concentration on forensic technology has led to the ignorance of the relevant training that people must receive as well as the development of the processes. While a section of investigators assert that it is helpless to counter any of these technologies, experts believe that it is possible to counter the problem successfully. By either improving the monitoring systems, or by fixing bugs in the computer generation processes, it is possible to take care of this problem (Rocha, et al. 2011). Such a move targeting the current generation of computer forensics potentially arrests this situation. Richard & Roussev (2006) observes that it is possible to frustrate the efforts of overwriting tools by positioning data in such a way that it makes it impossible for an attacker to overwrite this data. Further, replacing the Weak file identification heuristics with strong ones increases the security of the data. It is possible to defeat compression bombs by increased use of intelligence decompression libraries. Conclusion Although anecdotal evidence points out that file encryption and encrypted file systems pose a problem to the law enforcement, there are increasing hopes that of reverting this problem. Many reports point out that investigation officers have managed to recover cryptographic passwords and keys the criminals use using spyware, keyboard loggers, among others. Any prudent attacker can only prove their safety by using sanitization tools, rather than cryptographic ones. This is because the sanitizer actually destroys information. This paper covers only the commonly used techniques in anti-forensics currently in use. Nonetheless, criminals use other methods that are more sophisticated than the highlighted in their operations. As technology keeps advancing, so do such ways and means, as criminals try to design more solid and complex methods of hiding their identity and committing crime. Specifically, the goal of anti-forensic technology is to confound investigations. Therefore, in future, most organizations might ban their use and perhaps even possession. However, this move faces a myriad of challenges, as many technological developers have sought to include high quality anti-forensic technology in consumer operating systems, aimed at promoting data privacy. References Aquilina, J. M., Casey, E., & Malin, C. H. (2008). Malware forensics: Investigating and analyzing malicious code. Burlington, MA: Syngress Pub. Berghel, H. (2007). Hiding Data, Forensics, and Anti-Forensics. Communications Of The ACM, 50(4), 15-20. Berghel, H. (2007). Hiding Data, Forensics, and Anti-Forensics. Communications Of The ACM, 50(4), 15-20. Busing, M. E., Null, J. D., & Forcht, K. A. (2005). Computer Forensics: The Modern Crime Fighting Tool. Journal Of Computer Information Systems, 46(2), 115-119. Gogolin, G. (2013). Digital forensics explained. Boca Raton, FL: CRC Press. Lim, N. (2008). Escaping the Computer-Forensics Certification Maze: A Survey of Professional Certifications. Communications Of The Association For Information Systems, 23547-574. Mercer, L. D. (2004). Computer Forensics Characteristics and Preservation of Digital Evidence. FBI Law Enforcement Bulletin,73(3), 28-32. Murphy, E. (2007). The New Forensics: Criminal Justice, False Certainty, and the Second Generation of Scientific Evidence. California Law Review, 95(3), 721-797. Osuagwu, O. E., Ogiemien, T., & Okide, S. (2010). Deploying Forensics Science &Technology For Resolving National Cyber-Security Challenges. Journal Of Mathematics & Technology, (3), 21-45. Pedneault, S. (2010). Anatomy of a fraud investigation: From detection to prosecution. Hoboken, N.J: John Wiley & Sons. Richard, I. G., & Roussev, V. (2006). Next-Generation: Digital Forensics. Communications Of The ACM, 49(2), 76-80. Rocha, A., Scheirer, W., Boult, T., & Goldenstein, S. (2011). Vision of the Unseen: Current Trends and Challenges in Digital Image and Video Forensics. ACM Computing Surveys, 43(4), 26.1-26.42. doi:10.1145/1978802.1978805 Shanmugam, K., Powell, R., & Owens, T. (2011). An Approach for Validation of Digital Anti-Forensic Evidence. Information Security Journal: A Global Perspective, 20(4/5), 219-230. doi:10.1080/19393555.2011.604667 Read More