
IT Essay: Computer Related Crimes

Published: 2017-04-13
This essay was submitted by a student and does not represent the writing standard of the site's experts.

1 Introduction

The widespread use of computers and the internet has unfortunately been exploited by people with criminal intent to commit a wide range of computer and computer-related crimes. As with traditional crime, courts of law require reliable evidence to successfully prosecute such criminals and to help deter further escalation. Evidence from compromised computer systems is quite different from that found at traditional crime scenes and requires highly skilled expertise to identify, collect and analyse the data.

As Carlton and Worthley (2009) say, “digital data, like all scientific information, is considered by the courts to be of a complexity that is beyond the understanding of the general public; therefore an expert with specialized education, experience, and training within this field is needed to explain this complex material to the judge and jury”. This has driven the rise and development of the computer forensics field, where experts use highly developed digital tools and techniques to carry out investigations. However, cyber criminals are becoming increasingly creative and sophisticated, developing counter-tools and techniques capable of frustrating even the best digital forensic tools and techniques used by investigators. These have come to be generally known as anti-forensics tools and techniques.

Harris (2006) defines anti-forensics as “any attempts to compromise the availability or usefulness of evidence to the forensic process”. In other words, making it extremely difficult for evidence to be found and, if it is found, mutilating it so thoroughly that it becomes completely unreliable. Maggi, Zanero and Iozzo (2008) define anti-forensics as “all the methods that make acquisition, preservation and analysis of computer-generated and computer-stored data difficult, unreliable or meaningless for law enforcement and investigation purposes”. Thus the term “anti-forensics” has slightly different definitions, all of which coalesce around concealing the digital evidence that the forensic process is looking for or, if it is found, defacing it thoroughly to make it unreliable.

The art or science of anti-forensics is nothing new. It traces its origin to earlier forms of cryptography, where coded messages were transmitted between two secret parties without being detected by a third party. Even in the early days of disk operating systems that were unable to read beyond track 80 of the 5.25-inch floppy disk, one could easily hide important data beyond that track (Berghel 2007). It is worth noting that such methods, and by extension other current anti-forensics tools and techniques, were not necessarily made for criminal purposes but for legitimate ones as well.

As time went by, these early and primitive methods evolved, and it was not uncommon for people, especially those with criminal intent, to study, develop and create sophisticated tools and methods to defeat genuine programs. In the context of digital forensics, this sophistication is manifested by cyber criminals who cleverly hack into a system using anti-forensic tools and leave no trail of their nefarious activities. It is these negative activities, as opposed to positive legitimate purposes, that this paper will dwell on.

The development of anti-forensics tools has become more automated and easily accessible. This has created a scenario where even people with little technical expertise can easily use these tools to commit felonies without being identified. The widespread literature available to online users about how to defeat forensics has not helped the situation either. This has raised great concern in the digital forensics community.

2 Anti-forensics taxonomy

Anti-forensic tools and techniques undermine or frustrate the digital forensic process. This process has been defined as the scientific method of acquiring, preserving, identifying, evaluating and presenting digital evidence to a court of law (Grugq 2005). Although various categories of anti-forensic tools and techniques have been defined by different authors, none has produced a standard framework on which the field can be understood by consensus. Perhaps this has to do with the open-ended nature of the field, in which novel tools and techniques are yet to be discovered.

But let us consider the forensic process and think about how each phase is likely to be frustrated by anti-forensic tools and techniques, in order to come up with a suitable taxonomy. We can also compare and contrast a few definitions already proposed. For instance, Harris (2006) breaks down anti-forensics tools and techniques into four broad categories, namely destroying, hiding, eliminating sources of, and counterfeiting evidence. Whereas this categorisation is useful, it still lacks a most useful category, namely “others”, which is well captured by Caloyannides (2009). It is so useful because, as noted before, there are myriad ways out there perpetrated by cyber criminals which are yet to be discovered. A challenged and motivated mind can create an out-of-the-box tool or technique which is unthinkable for the moment.

Even the classification by Caloyannides (2009) is free-flowing and not well streamlined. For instance, encryption, data hiding and steganography are all forms of hiding data and should ideally be grouped under a broad category named “hiding data”, as other commentators have done. Garfinkel (2007)’s taxonomy is more elaborate but, just like that of Caloyannides (2009), it is not arranged in a coherent manner. For instance, the two categories of anti-forensic tools that directly attack forensic tools and those that detect forensic tools can be compacted into one category named “confronting forensic tools”.

We could go on and on in this discussion, but the important thing is to attempt to define a standard framework that encapsulates the different manifestations of anti-forensic tools and techniques as currently known, takes the work done so far by different authors into consideration, and allows for tools and techniques as yet undiscovered. Since each of the current categories can jointly or severally undermine one or more phases of the digital forensic process, we are better off not doing a one-to-one mapping between anti-forensic tools and techniques and a corresponding phase of the forensic process when coming up with such a framework. Rather, it is fitting to use the way in which an anti-forensic tool or technique affects the forensic process as the criterion for the taxonomy.

Thus the following taxonomy is proposed based on current understanding. It is by no means complete and can be flexibly modified depending on future developments in the digital forensic process.

  • Hiding data

  • Avoiding data

  • Destroying data

  • Obfuscating data

  • Delaying and expensive tactics

  • Confronting forensic tools

  • Others

2.1 Hiding data

Hiding data is the process of concealing it so that it is not readily available to the digital forensic investigation. Hiding is said to be effective when the data is neither destroyed nor compromised in any way, but concealed such that a digital forensics expert finds it hard to locate. Simple hiding techniques, like a block of black text on a black background or setting the –h attribute of a file, are ineffective.

This category is broad and is best explained by breaking it down into sub-categories of the different techniques and tools deployed.

2.1.1 Encryption

Encryption is one of the most potent digital anti-forensic methods in use. Although initially developed with the good intention of making electronic transactions more secure and trustworthy, its power has been turned by criminals to nefarious ends. Volatile network data can be encrypted with well-intentioned methods like virtual private networks (VPN), Secure Sockets Layer (SSL), Pretty Good Privacy (PGP) and so on, but such methods can be a bane to digital forensic investigations.

Most of the encryption programs that are available, like the Free On-The-Fly Encryption (FreeOTFE) program, CryptoExpert 2004 Lite, Compusec, Scandisk Encryption etc. (Henry 2006), allow a user to encrypt some or all files on a disk on the fly. Once encrypted, only the designated secret key, known to the criminal, can open them, making such files or disk data virtually impossible for forensic investigators to access. Caloyannides (2009) argues that even when the computer is off, full disk encryption is an effective anti-forensic method, as it encrypts the files targeted by forensic methods, such as the swap file, temporary internet files, spool files, history files etc.

2.1.2 Unknown and inaccessible areas

This involves advanced knowledge of the hard disk as a physical medium and of the way the operating system formats or prepares the disk for data storage. A perpetrator who understands the structure of the hard disk and how the process of storing data occurs can hide data in unknown or inaccessible areas of the disk and effectively prevent forensic tools from detecting it. Looked at from a more technical perspective, there is no direct one-to-one correlation between the physical structure of the hard disk and the logical structure of its file systems. This mismatch potentially creates unknown or inaccessible areas where data might reside (Berghel 2007).

Garfinkel (2007) and Berghel (2007) talk about data being hidden in the Host Protected Area (HPA) and Device Configuration Overlay (DCO) areas of modern disk drives. An operating system or BIOS cannot access these areas. A perpetrator who understands the areas’ boundaries can access them through low-level machine language, or by using a different but effective boot system, and store suspect data there. Berghel (2007) goes further and shows how one can easily hide data in the partition slack of a volume.

Even though such tricks can be detected by a forensic tool performing a bit-by-bit analysis, not many such tools are of practical use on today’s massive terabyte storage disks, as the exercise can prove too lengthy, if not almost impossible.

2.1.3 Steganography, packing and binding

In the digital context, steganography involves hiding a file or message within another file or message (e.g. hiding a terrorist message within a digital image). Similarly, packing involves wrapping an anti-forensic program or rootkit into another file – akin to the Trojan horse – in such a way that it cannot be detected by a forensic tool (Garfinkel 2007). Binding creates a composite executable program from two or more executable programs, where at least one of the bound programs is innocent. Henry (2006)’s article lists several examples of packers and binders.

However, the three methods are not as simple as they sound. Advanced forms of both steganography and packing incorporate highly ingenious measures, including 128-bit encryption, that can be quite difficult to crack. For instance, a steganographic tool such as TrueCrypt (TrueCrypt 2009), which performs “on-the-fly” encryption and stores data in a hidden volume rather than in plain form on the hard disk, makes it possible to hide an operating system (such as Windows Vista) in a hidden TrueCrypt volume. This combination creates a “red herring” situation, where the operating system deceives forensic investigators, as they cannot prove the existence of the hidden TrueCrypt volume.

Although most forms of steganography can be detected, and it is therefore not widely used, some commentators, like Berinato (2007), argue that when applied correctly it can effectively frustrate digital forensic investigations.

2.1.4 Others

There are numerous other forms and techniques, like marking those sectors of the disk where data of interest is stored as “bad” by using an anti-forensic tool such as RuneFS (Grugq 2005). That way, a forensic tool doing a sector-by-sector analysis would treat these “bad” sectors as damaged and ignore them. Grugq (2005) shows other anti-forensic tools like KY FS (Kill Your File System), which can store data in null directories, and Data Mule FS, which stores data in the file system’s reserved metadata space, all of which are normally ignored by forensic tools.

One of the Metasploit Project tools, Slacker (Metasploit 2009), allows data to be saved in the slack space of an NTFS file system. A perpetrator can break a file into many pieces and use Slacker to store those pieces in the slack space of other files. Forensic tools will treat those slack spaces as containing useless data, or jitter, and ignore them. However, the disadvantages of hiding data in slack space are the limited storage space and the danger of being overwritten when the files hosting the slack space are deleted or resized (Eckstein and Jahnke 2005).

The Windows registry is another potential area where data can be hidden with cleverness of purpose. Kim, Lee and Hong (2008) demonstrate interesting redundant registry values left by uninstalled programs, where a perpetrator can easily hide data without raising the suspicion of forensic investigators, as forensic experts are more concerned with uninstalled programs than with remnant registry values.

The Alternate Data Streams (ADS) implemented by the Windows NTFS file system for Macintosh clients can be used to hide data, although deft forensic tools like The Sleuth Kit can easily detect such data (Huebner, Bem and Wee 2006). The disadvantage of current forensic tools capable of detecting data stored in ADSs is their inability to distinguish genuine data from covert data stored by an anti-forensic tool.

In journaling file systems like ext3, used by many Linux operating systems, a perpetrator can fool the file system consistency check during startup and later manually allocate a large part of the disk space to hide data and prevent it from being overwritten (Eckstein and Jahnke 2005). The downside of this might be noticeable inconsistencies when disk-free commands report some free space while, in essence, the disk is completely full.

Although hiding data is never absolutely successful, any astute method or technique used can be a highly effective barrier to the forensic process. It is premised on the fact that there are numerous and unusual places in the digital space that the radar of forensic investigators cannot see or does not think about. It is such blind spots and other limitations of forensic tools that a perpetrator takes advantage of to conceal data.

2.2 Avoiding data

Another technique used to frustrate forensic investigations is to avoid storing data on the disk. The thinking behind this is that since the data is never created, there is no evidence to talk about.

How does this happen? One starts by changing the Basic Input Output System (BIOS) setup to direct the computer to boot from a removable CD or USB device. Before the computer starts, you disconnect the internal hard disk and then boot it from either the CD or the USB drive. The CD or USB drive can have its own operating system, like Knoppix or BartPE (Smith 2006), and any other required program that will enable you to do whatever you want, save the output to another removable drive and shut down the computer. You then return the computer to its previous state. Thus the computer will have been used to perform illegal activities, yet when forensic investigators carry out a disk analysis they will not be able to trace any of them.

In this scenario, nothing is written to the hard disk, as it is already disconnected. That implies that everything is loaded and manipulated in physical memory (RAM). Memory is volatile and its contents are usually lost when the system is shut down. But you can also boot the computer with the disk connected and manage to access and change the disk contents without leaving a trace. This is one area where smart anti-forensic tools and tricks are deployed, still operating from volatile RAM.

For instance, let us consider an anti-forensic package like BackTrack. It is an excellent framework that can be used with other anti-forensics tools like the Metasploit Project (Metasploit 2009) products (Timestomp, Slacker, Transmogrify and SamJuicer). Once a computer is started from a bootable BackTrack CD, the hard disk is mounted and accessed and changes are made to disk files without raising suspicion, as the native OS on the hard disk is not started and so records none of the activity in its log files (Jahankhani and Beqiri 2008). Timestomp can then be used to change the files’ timestamps at will, since there is a connection to and access to the hard disk. When the disk is later analysed, forensic tools will not detect anything malicious.

The problem with this approach, for a perpetrator who wants to keep his or her trail from being noticed, is that the timestamps might look awkward when inspected. Even if the changed timestamps do not deviate too much from the actual timestamps, other digital forensic techniques like sequence number causality (Willassen 2008) can be used to expose the malicious change.

BackTrack can also be used to connect remotely to a computer and steal account passwords (Jahankhani and Beqiri 2008). Even if there were forensic tools capable of capturing computer activity at the time of the password theft, such tools can easily be thwarted by anti-forensics tools capable of detecting and fighting them, either by hanging the system or by misdirecting them – this will be discussed later. Also, even if the investigators employ other methods, like miniature recording cameras hidden somewhere, such methods can easily be defeated by determined criminals.

The problem with this approach of data avoidance, just like data destruction, is that the very fact of avoiding data is evidence in itself. Sometimes the hype about the effectiveness of devices such as USB sticks is exaggerated by the vendors, as their usage can easily be traced (Bosschert 2006).

2.3 Destroying data

Destroying data involves shredding it, making it unusable to the digital forensic investigation. This is one of the effective anti-forensic methods in use. When data is partly or completely destroyed, forensic investigators will find it extremely difficult to find and present credible evidence in a court of law.

There are numerous free and commercial disk wiping utilities available, like CyberScrub, Evidence Eliminator, Necrofile etc., besides formatting the disk, that can easily be used to destroy data. They can wipe out the entire contents of the disk, or particular files within it. However, these utilities have some disadvantages. They can leave signatures of some sort that indicate that data on the disk was compromised in some way (Geiger and Cranor 2006). Deficiencies noted in the recovery of damaged data from a formatted disk by some forensic tools like EnCase and FTK can be minimised by other advanced methods like that developed by Ryu, Kim and Kim (2008). The comfort a perpetrator might get from using tools such as Evidence Eliminator might be countered by other advanced forensic techniques like the System Restore Point analysis developed by Yun et al. (2008).

Degaussing is another method used to completely destroy data, especially on magnetic media such as disks. The disadvantages of this method are that it is expensive and cannot be used on non-magnetic media like optical CDs and DVDs. Otherwise, the most common-sense method used to destroy data is simply to physically destroy the device carrying it, by means such as incineration, shredding, brutally scratching the surface of optical media etc.

The problem with data destruction is that it can itself provide evidence for forensic investigations. For instance, pieces of a shredded hard disk, or an incinerated hard disk for that matter, can be clear and reliable evidence.

2.4 Obfuscating data

The intention here is to mislead forensic investigations. A wide variety of anti-forensic tools and techniques are deployed to achieve such a purpose.

2.4.1 Memory

In this case, anti-forensic tools are able to load malicious programs into volatile RAM without being detected and without reading them from the hard disk. They can then unleash their manipulative abilities and misdirect forensic tools.

Peron and Legary (2005) show how a foe can manipulate the logic of an operating system or forensic tool, without affecting the actual code, in order to make objects appear trustworthy when in essence they are not. In that sense, they argue that it “can result in compromised logging, audit or information sources being trusted by investigative bodies, resulting in the possible the[sic] avoidance of more thorough offline forensic analysis or the misdirection of the investigative bodies themselves”.

2.4.2 Anonymous accounts

Forensic experts face the difficulty of finding the true identity of whoever placed the offending data or programs on a suspect machine. There are many ways such offending data or programs can enter the compromised machine without the owner’s knowledge. In such cases, the owner becomes a ‘victim of circumstances’. For instance, a remote hacker can gain access to a machine that is not well protected (say, by a firewall) and gain the ability to add, delete or change files or install programs. Programs installed through such backdoor means (or any other means, like unsolicited malicious email attachments) cause further damage, like turning the local machine into a zombie used for denial of service attacks on others in the network or on the internet (Caloyannides 2009; Hayes and Qureshi 2009).

This issue is compounded by the free email and user storage accounts offered by companies like Yahoo and Google, which enable perpetrators to communicate anonymously, although such anonymous authors can be identified to a great extent by advanced stylometry-based methods (Dardick, Roche and Flanigan 2007).

2.4.3 Metasploit Anti-Forensic Investigation Arsenal (MAFIA)

Take an instance where forensic experts thoroughly analyse a file’s metadata to see whether it has been compromised. If the extension of a file is changed from, say, .doc to .gif, the file header will still identify it as a .doc, and a forensic tool performing a header analysis will raise an alert that the file is compromised, as the header information and the extension don’t match. However, an anti-forensic tool such as Transmogrify, one of the Metasploit Project tools (Metasploit 2009), which has the ability to change both the header and the extension from .doc to .gif without being detected, will make the file look unsuspicious to a forensic tool like EnCase.

Timestomp allows any of a file’s timestamps to be changed, i.e. the times it was modified, accessed and created and the time its master file table entry was modified – MACE for short. Anyone, including a perpetrator, can use Timestomp with the –c option to change the creation date of a file to indicate that it will be created 20 years from now, or with the –m option to change the last-modified date to indicate that it was modified 50 years ago. Such an action confuses a forensic investigator, effectively rendering the file useless as evidence.

The ability of Slacker to hide files within NTFS file slack, and of SamJuicer to obtain hashes from the Windows Security Account Manager without touching the hard drive, thoroughly confuses digital investigations (Kessler 2007).
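As an added example (not code from the essay or from the Metasploit project), here are the two examiner-side checks this section describes, in Python: a header-versus-extension comparison that catches a plain rename but not a Transmogrify-style rewrite of the header, and a plausibility check of MACE timestamps that flags Timestomp-style values such as a creation date 20 years in the future. The signature table, the comparison against the $FILE_NAME creation time, the acquisition date and every file record are constructed assumptions for illustration.

```python
"""Header/extension and MACE-timestamp checks (added example; all data is constructed)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Leading-byte signatures for a few formats (small table written for this example).
MAGIC = {
    "doc": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),  # OLE2 compound file
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
    "jpg": (b"\xff\xd8\xff",),
}


def sniff_type(header: bytes) -> Optional[str]:
    """Return the format implied by the leading bytes, or None if unknown."""
    for fmt, sigs in MAGIC.items():
        if any(header.startswith(s) for s in sigs):
            return fmt
    return None


def header_extension_mismatch(name: str, header: bytes) -> Optional[str]:
    """Return the sniffed format when it disagrees with the extension; None when
    they agree or the header is unrecognised (no evidence either way)."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    sniffed = sniff_type(header)
    return None if sniffed is None or sniffed == ext else sniffed


@dataclass
class MftTimestamps:
    """MACE times from $STANDARD_INFORMATION plus the $FILE_NAME creation time
    (assumption: NTFS; $FN is kernel-maintained and not settable via the user API)."""
    name: str
    si_created: datetime
    si_modified: datetime
    si_accessed: datetime
    si_mft_modified: datetime
    fn_created: datetime


def timestamp_anomalies(rec: MftTimestamps, acquired_at: datetime,
                        earliest_plausible: datetime) -> List[str]:
    """Return the reasons, if any, that the MACE values look tampered with."""
    reasons = []
    si = [rec.si_created, rec.si_modified, rec.si_accessed, rec.si_mft_modified]
    if any(t > acquired_at for t in si):
        reasons.append("timestamp later than the acquisition time")
    if any(t < earliest_plausible for t in si):
        reasons.append("timestamp earlier than the volume could have existed")
    # NTFS keeps 100 ns resolution; a tool writing whole seconds leaves every
    # fractional part at zero, which genuine file activity rarely does.
    if all(t.microsecond == 0 for t in si):
        reasons.append("all $SI timestamps have a zero sub-second part")
    if rec.si_created < rec.fn_created:
        reasons.append("$SI creation time precedes $FN creation time")
    return reasons


UTC = timezone.utc
ACQUIRED = datetime(2009, 7, 27, 10, 0, 0, tzinfo=UTC)          # constructed image date
VOLUME_FORMATTED = datetime(2008, 1, 15, 9, 30, 0, tzinfo=UTC)  # constructed

# Constructed headers: an OLE2 document renamed to .gif, and a genuine GIF.
SAMPLE_FILES: Dict[str, bytes] = {
    "plans.gif": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24,
    "holiday.gif": b"GIF89a" + b"\x01\x00\x01\x00",
}

# Constructed MFT records: the first mirrors the essay's Timestomp example
# (created 20 years ahead, modified 50 years back); the second is ordinary.
SAMPLE_RECORDS = [
    MftTimestamps("plans.gif",
                  si_created=datetime(2029, 7, 27, 0, 0, 0, tzinfo=UTC),
                  si_modified=datetime(1959, 7, 27, 0, 0, 0, tzinfo=UTC),
                  si_accessed=datetime(1959, 7, 27, 0, 0, 0, tzinfo=UTC),
                  si_mft_modified=datetime(1959, 7, 27, 0, 0, 0, tzinfo=UTC),
                  fn_created=datetime(2009, 7, 20, 14, 3, 12, 418200, tzinfo=UTC)),
    MftTimestamps("holiday.gif",
                  si_created=datetime(2009, 6, 1, 8, 12, 5, 123400, tzinfo=UTC),
                  si_modified=datetime(2009, 6, 1, 8, 12, 5, 987600, tzinfo=UTC),
                  si_accessed=datetime(2009, 7, 1, 8, 0, 0, 500000, tzinfo=UTC),
                  si_mft_modified=datetime(2009, 6, 1, 8, 12, 5, 987600, tzinfo=UTC),
                  fn_created=datetime(2009, 6, 1, 8, 12, 5, 123400, tzinfo=UTC)),
]


def run_checks() -> Dict[str, List[str]]:
    """Apply both checks to the constructed samples; map file name to findings."""
    findings = {}
    for rec in SAMPLE_RECORDS:
        notes = []
        mismatch = header_extension_mismatch(rec.name, SAMPLE_FILES[rec.name])
        if mismatch:
            notes.append(f"header says {mismatch}, extension says {rec.name.rsplit('.', 1)[-1]}")
        notes += timestamp_anomalies(rec, ACQUIRED, VOLUME_FORMATTED)
        findings[rec.name] = notes
    return findings
```

On a real image the records would come from an MFT parser and the signatures from a full library; the logic also shows why a tool that rewrites the header too, as Transmogrify is described as doing, defeats the first check but not the timestamp ones.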

2.4.4 Others

An anti-forensic tool residing on a USB storage device, capable of manipulating Windows registry keys and setup log files, can write false registry and setup values or create fake registry keys and manipulated log files in the places where investigators normally look for data (Thomas and Morris 2008). An article in the Washington Post shows how terrorist email messages can be shared without ever being transmitted, by being stored in the drafts folder of a free email account accessible only to the terrorists, thereby defeating forensic investigations (Noguchi and Goo 2006).

2.5 Delaying and expensive tactics

In this category, anti-forensic tools and techniques aim to make the digital forensic investigation a lengthy, time-consuming and costly process. The rationale is that by making it lengthy and costly, the exercise is unlikely to achieve its mission or is abandoned altogether.

For instance, storing data in very many places across a network with many systems makes the search for that data a costly affair (Foster and Liu 2005). Analysing today’s large storage disks for evidence can be quite a lengthy exercise even if the process is automated. Kessler (2007) adds that perpetrators in this category don’t aim to scuttle the forensic investigation, but rather to slow it down by inundating it with useless or excessive information to keep it going on and on.

2.6 Confronting forensic tools

This category comprises some of the latest smart moves and tools cyber criminals utilise either to detect a forensic tool and perform evasion techniques, or to directly attack the forensic tool.

2.6.1 Detection of forensic tools

In this case, an anti-forensic tool becomes evasive upon detection of a forensic tool or technique. Says Garfinkel (2007): “For example, a packer might not decrypt its payload if it realizes that it is running on a disk that has been imaged. A worm might refuse to propagate if it discovers that a network is being surveilled”. However, digital forensic safeguards like uniquely renaming a tool (Sutherland et al. 2008) defeat such evasive anti-forensic tools.

2.6.2 Attack against forensic tools

Here, cyber criminals take advantage of the detailed knowledge they have of a forensic tool and develop anti-forensic tools that capitalise on the forensic tool’s inherent vulnerabilities to achieve different missions. Such missions can include forcing the forensic tool to loop continuously, thereby hanging the system, denial of service attacks etc. So impressive are these anti-forensic tools that they put the reliability of evidence into question or can even implicate the investigator! (Kessler 2007).

2.7 Others

All other possible tools and techniques can be grouped here. For instance, you can write binary data to text-based log files, flood log files with fake entries, or alter all ASCII logs into dynamic link libraries or executables to make forensic tools or the system hang (Foster and Liu 2005). You can attack SQL servers (Cerrudo 2009) to frustrate the forensic investigation. Goh, Leong and Yeo (2009)’s experiment on a Trusted Platform Module (TPM) connected to the client side of a client-server system conveys the message that forensic investigations can be considerably hindered by devices thought to promote trust and security.

There are many websites out there churning out anti-forensics techniques and happily bragging about such exploits, for example Anti-Forensics (2009), whose motto is “Rendering computer investigations irrelevant”. One shudders to imagine how many other anti-forensic tools and techniques are out there that are yet to be identified.


3 Current efforts to counter anti-forensic tools and techniques

The challenges posed by anti-forensic tools and methods have not gone unchallenged. Practitioners and interested parties have continuously sought and come up with a wide array of techniques, suggestions and models to confront anti-forensic developments. Some commentators have argued for solutions that actively monitor suspicious cyber activities and raise real-time alerts to system administrators. Others argue for a fundamental shift in the way forensic investigations are done.

Says Berinato (2007):

“In fact, one of the reasons for the success of anti-forensics has been the limited and unimaginative approach computer forensic professionals take to gathering evidence. They rely on the technology, on the hard disk image and the data dump. But when evidence is gathered in such predictable, automated ways, it’s easy for a criminal to defeat that”.

Adelstein (2006) proposes the concept of live forensics. He illustrates it as follows:

“Traditional digital forensics attempts to preserve all (disk) evidence in an unchanging state, while live digital forensic techniques seek to take a snapshot of the state of the computer, similar to a photograph of the scene of the crime”.

His argument is that important evidential data which has not been captured to disk before the plug is pulled is lost. However, he acknowledges that this approach has its drawbacks (e.g. the evidence captured is dynamic in nature and changes as time goes by) and calls for more research in this area – calls nonetheless already taken up by recent work like that of Lister and Kornblum (2008), whose method, when integrated into the operating system, is capable of capturing volatile memory contents, including malicious programs. The downside of this method, though, is that it is not “live” as such, as it needs to be loaded into a separate protected memory page and invoked by a keyboard combination.

This concept of live forensics has two important implications for countering anti-forensics tools and techniques. First, by actually attempting to capture ‘live’ evidence, as opposed to the “post-mortem evidence” that disk data is, it will supposedly have obliterated the anti-forensic tools and techniques. For what meaning will these tools and techniques have if they are trying to hamper or frustrate a process that has already taken place?

Secondly, since the purpose of anti-forensic tools and techniques is to frustrate the digital forensic investigation (including the “live” concept), they will be captured ‘live’ while doing their thing – although one can argue that they will attack the “live” capture of evidence. Such “live” capture of these anti-forensic tools and techniques is critical to the digital forensic investigation, as it will shed more useful insight or unravel mysteries in an expeditious manner. This will then lead to the development of better tools and techniques to counter the problem.

Hayes and Qureshi (2009) argue that in order to ensure strong prosecutorial digital evidence, and therefore deal a big blow to the anti-forensics problem, there is a need for advanced technical training, intelligence gathering, and enhanced tools and methods as far as operating systems are concerned. Others, like Maggi, Zanero and Iozzo (2008), propose an interesting technical solution using algorithms that enable a machine to “learn” normal execution and detect anomalous calls, especially system calls, in order to counter a wide range of evidence-elimination anti-forensics techniques. However, their model is more useful in UNIX- or Linux-like environments, which make up a minimal 2.54% of the global operating system market (Hayes and Qureshi 2009).

Casey (2006) suggests that the task of digital investigation should not be left to digital forensic experts alone, but should rather be an effort involving a multi-disciplinary team. “The ideal investigative team has expertise in information security, digital forensics, penetration testing, reverse engineering, programming, and behavioural profiling”, and he adds that it should “involve people who have experience interacting with law enforcement and intelligence agencies in multiple jurisdictions and managing digital investigations”. This argument suggests that such a multi-pronged approach is desirable for dealing more effectively with the anti-forensics problem.

There are plenty of reasons for the forensic community to be optimistic and not yield to anti-forensics. “People are still generally unaware of or do not care about anti-forensics”, contends Bellamy (2007), who poses the question: “If people do not perform routine tasks like updates and backups, why expect them to use anti-forensic tools frequently enough to be effective?”

Despite all the efforts undertaken so far by various practitioners, academics and other interested parties, anti-forensic tools and techniques continue to pose serious challenges to the digital forensic process. The main question is: how do we handle these challenges? I therefore set out to find out from professional practitioners what their thoughts were regarding this anti-forensics dilemma. Specifically, I sought to establish the following:

  • What are the obstacles digital forensics investigators face when identifying, collecting and analysing evidential data?

  • What types of digital anti-forensic tools and methods exist?

  • How are the current digital forensics tools and techniques useful in handling or overcoming obstacles posed by anti-forensic tools/methods?

  • Is the current trend of development and utilisation of digital forensics tools and techniques sufficient for the foreseeable future? If not, how feasible is it to develop radically different approaches or tools?

References

Adelstein, F. 2006. Live forensics: diagnosing your system without killing it first. Communications of the ACM 49(2): 63-66.

Anti-Forensics. 2009. http://www.anti-forensics.com/ (accessed July 27, 2009).

Bellamy, B.J. 2007. Anti-Forensics and Reasons for Optimism. Kentucky Auditor's Office. http://www.nasact.org/conferences_training/nsaa/conferences/ITWorkshopConferences/2007ITWorkshopConference/PresentationsHandouts/bellamy.ppt (accessed July 17, 2009).

Berghel, H. 2007. Hiding data, forensics, and anti-forensics. Communications of the ACM 50(4): 15-20.

Berinato, S. 2007. The Rise of Anti-Forensics. CSO Online – Security & Risk. http://www.csoonline.com/article/221208/The_Rise_of_Anti_Forensics (accessed July 03, 2009).

Bosschert, T. 2006. Battling Anti-Forensics: Beating the U3 Stick. Journal of Digital Forensic Practice 1(4): 265-273.

Caloyannides, M.A. 2009. Forensics Is So "Yesterday". IEEE Security & Privacy 7(2): 18-25.

Carlton, G.H. and R. Worthley. 2009. An evaluation of agreement and conflict among computer forensics experts. Proceedings of the 42nd Hawaii International Conference on System Sciences (HICSS '09), January 5-8, 2009, Big Island, HI.

Casey, E. 2006. Investigating sophisticated security breaches. Communications of the ACM 49(2): 48-55.

Cerrudo, C. 2009. SQL Server Anti-Forensics: Techniques and Countermeasures. Black Hat DC 2009, February 16-19, 2009, Arlington, Virginia. http://www.blackhat.com/presentations/bh-dc-09/Cerrudo/BlackHat-dc-09-Cerrudo-SQL-Anti-Forensics.pdf (accessed July 18, 2009).

Dardick, G.S., C.R.L. Roche and M.A. Flanigan. 2007. Blogs: Anti-Forensics and Counter Anti-Forensics. Proceedings of the 5th Australian Digital Forensics Conference, December 3, 2007, Edith Cowan University, Australia.

Eckstein, K. and M. Jahnke. 2005. Data Hiding in Journaling File Systems. Proceedings of the 5th Annual Digital Forensic Research Workshop (DFRWS 2005), August 17-19, 2005, Louisiana, USA. http://www.dfrws.org/2005/proceedings/eckstein_journal.pdf (accessed July 26, 2009).

Foster, J.C. and V. Liu. 2005. Catch me if you can… Black Hat USA 2005, July 23-28, 2005, Caesars Palace, Las Vegas. http://www.blackhat.com/presentations/bh-usa-05/bh-us-05-foster-liu-update.pdf (accessed July 16, 2009).

Garfinkel, S. 2007. Anti-Forensics: Techniques, Detection and Countermeasures. Proceedings of the 2nd International Conference on i-Warfare & Security (ICIW), March 8-9, 2007, Monterey, CA, USA. http://simson.net/clips/academic/2007.ICIW.AntiForensics.pdf (accessed July 15, 2009).

Geiger, M. and L.F. Cranor. 2006. Scrubbing Stubborn Data: An Evaluation of Counter-Forensic Privacy Tools. IEEE Security & Privacy 4(5): 16-25.

Goh, W., P.C. Leong and C.K. Yeo. 2009. A Trusted Platform Module Based Anti-Forensics System. Proceedings of the International Conference on Network and Service Security (N2S '09), June 24-26, 2009, Paris.

Grugq. 2005. The Art of Defiling: Defeating Forensic Analysis. Black Hat USA 2005, July 23-28, 2005, Caesars Palace, Las Vegas. http://www.blackhat.com/presentations/bh-usa-05/bh-us-05-grugq.pdf (accessed July 16, 2009).

Harris, R. 2006. Arriving at an anti-forensics consensus: Examining how to define and control the anti-forensics problem. Digital Investigation 3(1): 44-49.

Hayes, D.R. and S. Qureshi. 2009. Implications of Microsoft Vista operating system for computer forensics investigations. IEEE Long Island Systems, Applications and Technology Conference (LISAT '09), May 1, 2009.

Henry, P.A. 2006. Anti-Forensics: Considering a career in Computer Forensics? Don't quit your day job… Secure Computing. http://layerone.info/archives/2006/Anti-Forensics-LayerOne-Paul_Henry.pdf (accessed July 17, 2009).

Hueber, E., D. Bem and C.K. Wee. 2006. Data hiding in the NTFS file system. Digital Investigation 3(4): 211-226.

Jahankhani, H. and E. Bekiri. 2008. Memory-Based Anti-Forensic Tools and Techniques. International Journal of Information Security and Privacy 2(2): 1-13. http://www.infosci-online.com/downloadPDF/pdf/ITJ4221_VC1B6STBaF.pdf (accessed July 18, 2009).

Kessler, G.C. 2007. Anti-Forensics and the Digital Investigator. Proceedings of the 5th Australian Digital Forensics Conference, December 3, 2007, Edith Cowan University, Australia.

Kim, Y.S., S.S. Lee and D.W. Hong. 2008. Suspects' data hiding at remaining registry values of uninstalled programs. e-Forensics '08: Proceedings of the 1st International Conference on Forensic Applications and Techniques in Telecommunications, Information, and Multimedia and Workshop. ICST, Brussels, Belgium: 1-4.

Libster, E. and J.D. Kornblum. 2008. A proposal for an integrated memory acquisition mechanism. ACM SIGOPS Operating Systems Review 42(3): 14-20.

Maggi, F., S. Zanero and V. Iozzo. 2008. Seeing the invisible: forensic uses of anomaly detection and machine learning. ACM SIGOPS Operating Systems Review 42(3): 51-58.

Metasploit. 2009. Metasploit Anti-Forensics Project. http://www.metasploit.com/research/projects/antiforensics (accessed July 18, 2009).

Noguchi, Y. and S.K. Goo. 2006. Terrorists' Web Chatter Shows Concern About Internet Privacy. The Washington Post. http://www.washingtonpost.com/wp-dyn/content/article/2006/04/12/AR2006041201968_pf.html (accessed July 22, 2009).

Peron, C.S.J. and M. Legary. 2005. Digital Anti-Forensics: Emerging trends in data transformation techniques. Seccuris Labs. http://www.seccuris.com/documents/whitepapers/Seccuris-Antiforensics.pdf (accessed July 5, 2009).

Ryu, D., M. Kim and Y.M. Kim. 2008. An Automatic Identification of a Damaged Malicious File Using HMM against Anti-Forensics. Fourth International Conference on Networked Computing and Advanced Information Management (NCM '08), September 2-4, 2008, Gyeongju, South Korea.

Smith, A. 2006. Describing and Categorizing Disk-Avoidance Anti-Forensic Tools. Journal of Digital Forensic Practice 1(4): 309-313.

Sutherland, I., J. Evans, T. Tryfonas and A. Blyth. 2008. Acquiring volatile operating system data tools and techniques. ACM SIGOPS Operating Systems Review 42(3): 65-73.

Thomas, P. and A. Morris. 2008. An Investigation into the Development of an Anti-forensic Tool to Obscure USB Flash Drive Device Information on a Windows XP Platform. Proceedings of the 3rd Annual Workshop on Digital Forensics and Incident Analysis (WDFIA '08), October 9, 2008, Malaga, Spain.

TrueCrypt. 2009. Frequently Asked Questions. TrueCrypt – Free Open-Source Disk Encryption Software. http://www.truecrypt.org/faq (accessed July 16, 2009).

Willassen, S.Y. 2008. Finding Evidence of Antedating in Digital Investigations. The Third International Conference on Availability, Reliability and Security (ARES 08), March 4-7, 2008, Barcelona, Spain.

Yun, S.M., A. Savoldi, P. Gubian, Y. Kim, S. Lee and S. Lee. 2008. Design and Implementation of a Tool for System Restore Point Analysis. International Conference on Intelligent Information Hiding and Multimedia Signal Processing (IIHMSP '08), August 15-17, 2008, Harbin, China.
