Detecting and mitigating anti-forensic techniques: A comprehensive framework for digital investigators

Asim, Nadia; Osamor, Jude; Olajide, Funminiyi; Iwendi, Celestine; Okeke, Njideka

Authors

Nadia Asim

Jude Osamor

Funminiyi Olajide

Celestine Iwendi

Njideka Okeke



Abstract

The main goal of anti-forensic tools and techniques is to "frustrate" not only investigators but also the forensic tools they use, such as Sleuth Kit. Anti-forensics is the exact opposite of cyber forensics. These tools affect an investigation negatively, making it harder to reach a conclusion. Anti-forensic methods include deliberately deleting data by overwriting it with new data using anti-forensic tools, securely wiping data so that it can never be restored, altering file properties to avoid identification in timeline analysis, and many other such methods. While tools such as Autopsy, X-Ways, FTK and EnCase can detect some anti-forensic techniques, if not all, they are not dedicated to anti-forensic technique detection. To summarize, the general forensic tools mentioned above perform several functions on the data source, of which anti-forensic detection is just one aspect. Tools such as Timestomp Detector do exist for detecting altered file timestamps, but again, such a tool is specific to only one feature and does not cover many of the anti-forensic techniques. This dissertation aims to develop a dedicated framework that can help detect a few anti-forensic techniques based on user input. It will be integrated into a website to make it easy for users. A prototype of this type could be very useful for investigators working on cases. Instead of going through an entire disk image, which could potentially take hours, investigators could separate out any suspicious files and use this detection framework to identify whether any of the files have been altered or managed using anti-forensic techniques.

Presentation Conference Type: Conference Paper (published)
Conference Name: 2025 AI-Driven Smart Healthcare for Society 5.0
Start Date: Feb 14, 2025
End Date: Feb 15, 2025
Acceptance Date: Dec 10, 2024
Online Publication Date: Apr 16, 2025
Publication Date: Apr 16, 2025
Deposit Date: Apr 17, 2025
Publicly Available Date: Apr 24, 2025
Journal: 2025 AI-Driven Smart Healthcare for Society 5.0
Publisher: Institute of Electrical and Electronics Engineers (IEEE)
Peer Reviewed: Peer Reviewed
Pages: 66-72
ISBN: 9798331536343
DOI: https://doi.org/10.1109/ieeeconf64992.2025.10963229
Public URL: https://uwe-repository.worktribe.com/output/14318259
