IT: Computer Related Crimes Essay
The widespread use of computers and the internet has unfortunately been exploited by people with criminal intent to commit a wide range of computer and computer-related crimes.
As with traditional crime, courts of law require reliable evidence to successfully prosecute such criminals and help deter further escalation of these crimes. Evidence from compromised computer systems is quite different from that of a traditional crime scene and requires highly skilled expertise to carry out the identification, collection and analysis of data. As Carlton and Worthley (2009) say, "digital data, like all scientific data, is considered by the courts to be of a complexity that is beyond the understanding of the general public; therefore an expert with specialised education, experience, and training within this field is needed to explain this complex material to the judge and jury". This has seen the rise and development of the computer forensics field, where experts use highly developed digital tools and techniques to carry out investigations. However, cyber criminals are becoming increasingly creative and sophisticated, developing counter digital tools and techniques capable of frustrating even the best digital forensic tools and techniques used by investigators. These have come to be generally accepted as anti-forensics tools and techniques. Harris (2006) defines anti-forensics as "any attempts to compromise the availability or usefulness of evidence to the forensic process".
In other words, making it extremely difficult for evidence to be found and, if it is found, mangling it so thoroughly that it becomes wholly unreliable. Maggi, Zanero and Iozzo (2008) define anti-forensics as "all the methods that make acquisition, preservation and analysis of computer-generated and computer-stored data difficult, unreliable or meaningless for law enforcement and investigation purposes". Thus the term "anti-forensics" has slightly different definitions, all of which coalesce around hiding the digital evidence that the forensic process is looking for or, if it is found, disfiguring it so thoroughly as to make it unreliable. The art or science of anti-forensics is not something new.
It traces its origin to earlier forms of cryptography, where coded messages were transmitted between two parties without their meaning being understood by a third party. Even in the early days of disk operating systems that were unable to read beyond track 80 of a 5.25-inch floppy disk, one could easily hide important data beyond that track (Berghel 2007). It is worth noting that such methods, and by extension other current anti-forensics tools and techniques, were not necessarily made for criminal purposes but for legitimate purposes as well. As time went by, these early and crude methods evolved, and it was not uncommon for people, especially those with criminal intent, to study, develop and create sophisticated tools and methods to defeat genuine programs. In the context of digital forensics, this sophistication is manifested by cyber criminals who cleverly hack into a system using anti-forensic tools and leave no trail of their nefarious activities. It is these negative activities, as opposed to legitimate purposes, that this paper will dwell on.
The development of anti-forensics tools has become more automated and the tools more easily accessible. This has created a situation where even people with little technical expertise can use these tools to commit crimes without being identified. The widespread literature available to online users on how to defeat forensics has not helped the situation either. This has raised great concern in the digital forensics community.
2 Anti-forensics taxonomy
Anti-forensic tools and techniques undermine or frustrate the digital forensic process. This process has been defined as the scientific method of acquiring, preserving, identifying, evaluating and presenting digital evidence to a court of law (Grugq 2005).
Although various categories of anti-forensic tools and techniques have been defined by different authors, none has encapsulated a standard framework upon which this field can be understood in a consensual manner. Perhaps this has to do with the open-ended nature of the field, with novel tools and techniques yet to be discovered. But let us consider the forensic process and think of the ways in which each phase is likely to be frustrated by anti-forensic tools and techniques, in order to come up with a suitable taxonomy. We can also compare and contrast a few definitions already proposed. For instance, Harris (2006) breaks anti-forensics tools and techniques down into four broad categories, namely: destroying, hiding, eliminating sources of, and counterfeiting evidence. Whereas this classification is useful, it still lacks a most useful category, namely: others, which is well captured by Caloyannides (2009).
It is so useful because, as noted before, there are myriad ways out there, perpetrated by cyber criminals, which are yet to be discovered. A challenged and motivated mind can create an out-of-the-box tool or technique which is unthinkable for the moment. Even the categorisation by Caloyannides (2009) is free-flowing and not well streamlined. For instance, encryption, data hiding and steganography are all forms of concealing data and should ideally be grouped under a broad category named concealing data, as other commentators have done. Garfinkel (2007)'s taxonomy is more elaborate but, just like that of Caloyannides (2009), it is not arranged in a consistent manner. For instance, the two classifications of anti-forensic tools that directly attack forensic tools and those that detect forensic tools can be compacted into one category named confronting forensic tools. We could go on and on in this discussion, but the important thing is to attempt to define a standard framework that encapsulates the different manifestations of anti-forensic tools and techniques as currently known, takes the work done so far by different authors into consideration, and allows for tools and techniques yet to be discovered. Since each of the current classifications can jointly or independently undermine one or more phases of the digital forensic process, we are better off not making a one-to-one mapping between the anti-forensic tools and techniques and the corresponding phase of the forensic process in our attempt to come up with such a framework.
Rather, it is fitting to use the way in which an anti-forensic tool or technique affects the forensic process as the criterion when coming up with such a taxonomy. Therefore the following taxonomy is proposed based on the current understanding. It is by no means complete and can be flexibly modified depending upon future developments in the digital forensic process.
- Hiding data
- Avoiding data
- Destroying data
- Obfuscating data
- Delaying and expensive tactics
- Confronting forensic tools
2.1 Hiding data
Hiding data is the process of concealing it so that it is not readily available to the digital forensic investigation. In this case the hiding is said to be effective, i.e.
the data is not destroyed, nor compromised in any way, but concealed in such a way that a digital forensics expert finds it hard to locate. Simple hiding techniques like a block of black text on a black background, or setting a file's hidden attribute, are ineffective. This category of hiding data is much broader and is best explained when broken down into sub-categories of the different techniques and tools deployed.
2.1.1 Encryption
Encryption is one of the most powerful digital anti-forensic methods used. Initially made with the good intention of making electronic transactions more secure and trustworthy, criminals have used its power to carry out nefarious activities.
Volatile network data can be encrypted with well-intentioned methods like virtual private networks (VPN), Secure Sockets Layer (SSL), Pretty Good Privacy (PGP) and so on, but such methods can be a bane to digital forensic investigations. Most of the encryption programs that are available, like the Free on-the-fly encryption (FreeOTFE) programs, CryptoExpert 2004 Lite, Compusec, Scandisk Encryption etc (Henry 2006), allow a user to encrypt some or all files on disk on the fly. Once encrypted, only the decryption key, typically derived from a passphrase known only to the criminal, can open them, virtually making such files or disk data impossible for forensic investigators to access. Caloyannides (2009) argues that even when the computer is off, full disk encryption is an effective anti-forensic method, as it also encrypts the files targeted by forensic methods, like the swap file, temporary internet files, spool files, history files etc. The practical counter is to seize the machine while it is running, when the key is held in RAM and the mounted volumes are readable, rather than after it has been powered off.
2.1.2 Unknown and inaccessible areas
This involves advanced knowledge of the physical medium that the hard disk is and of the way the operating system formats or prepares the disk for data storage. A perpetrator who understands the structure of the hard disk and how the process of storing data occurs can hide data in unknown or inaccessible areas of the disk and effectively prevent forensic tools from detecting it. Looked at from a more technical perspective, there is no direct one-to-one correspondence between the physical structure of the hard disk and the logical structure of its file systems. This mismatch potentially creates unknown or inaccessible areas where data might reside (Berghel 2007).
Garfinkel (2007) and Berghel (2007) talk about data being hidden in the Host Protected Area (HPA) and Device Configuration Overlay (DCO) of modern disk drives. These areas are hidden from the operating system and BIOS by default: the drive simply reports a smaller capacity, and the hidden sectors can be reached only with the ATA commands that set and query the drive's native maximum address. A perpetrator who understands the areas' boundaries can access them through low-level code, or by using a different boot environment, and store suspect data there. Berghel (2007) goes further and shows how one can easily hide data in the partition slack of a volume. Even though such tricks can be detected by a forensic tool performing a bit-by-bit analysis, not many such tools are useful anyway on today's terabyte-scale disks, as the exercise can prove too lengthy, if not almost impossible. The practical check is done at acquisition time: an imager or write-blocker that issues those ATA commands can report, and temporarily remove, an HPA or DCO before the image is taken, so the hiding works mainly against examiners who image only what the operating system can see.
2.1.3 Steganography, packing and binding
In the digital context, steganography involves hiding a file or message within another file or message (e.g. hiding a terrorist message within a digital image). Similarly, packing involves wrapping an anti-forensic program or rootkit inside another executable, compressed or encrypted so that its contents are not recognisable until it unpacks itself at run time, akin to the Trojan horse, in such a way that it cannot be detected by a forensic tool (Garfinkel 2007). Binding creates a composite executable program from two or more executable programs, where at least one of the bound programs is innocent.
Henry (2006)'s article lists several examples of packers and binders. However, the three methods are not as simple as they sound. Advanced forms of both steganography and packing incorporate clever high-level tricks, including 128-bit encryption that can be quite difficult to crack. For instance, a disk encryption tool such as TrueCrypt (TrueCrypt 2009), which encrypts "on-the-fly" and can place a second, hidden volume inside the free space of an outer encrypted volume, makes it possible to hide an entire operating system (such as Windows Vista) in a hidden TrueCrypt volume. This combination creates a "red herring" situation, where the decoy operating system deceives forensic investigators, who cannot prove the existence of the hidden volume because its contents are indistinguishable from the random data that fills the outer volume's free space. Although most forms of steganography can be detected, and hence are not widely used, some commentators, like Berinato (2007), argue that when applied correctly it can effectively frustrate digital forensic investigations.
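The following Python is an added example, not from the essay or from any tool it cites: it embeds a payload in the least significant bits of a constructed greyscale cover and then runs the pairs-of-values chi-square test, the classic detector for sequential LSB embedding, on both the cover and the stego samples. The cover values, the random seed and the payload size are assumptions chosen so that the effect is visible.

```python
import random

def embed_lsb(cover, payload):
    """Sequential LSB embedding: replace the least significant bit of each cover sample
    (greyscale pixel values 0..255) with the next payload bit."""
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("payload too large for cover")
    stego = list(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit
    return stego

def extract_lsb(stego, nbytes):
    """Reassemble nbytes of payload from the LSBs of the first 8*nbytes samples."""
    out = bytearray()
    for b in range(nbytes):
        val = 0
        for i in range(8):
            val = (val << 1) | (stego[b * 8 + i] & 1)
        out.append(val)
    return bytes(out)

def pov_chi_square(samples):
    """Pairs-of-values chi-square statistic (the Westfeld/Pfitzmann test). LSB embedding only
    moves a sample between 2k and 2k+1, so each pair's total is preserved while its two
    members drift towards equal frequency. A small statistic suggests LSB embedding;
    a large one, an untouched cover."""
    counts = [0] * 256
    for s in samples:
        counts[s] += 1
    chi = 0.0
    for k in range(128):
        even, odd = counts[2 * k], counts[2 * k + 1]
        expected = (even + odd) / 2.0
        if expected > 0:
            chi += (even - expected) ** 2 / expected
    return chi

def sample_payload(nbytes, seed=1):
    """Deterministic stand-in for an encrypted payload (high-entropy bits)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(nbytes))

# Constructed 4000-sample cover with strongly skewed pair frequencies (every pair is either
# all-even or all-odd), an exaggerated version of the imbalance natural images show.
COVER = [2 * ((i * 37) % 100) + (1 if i % 5 == 0 else 0) for i in range(4000)]

if __name__ == "__main__":
    payload = sample_payload(500)            # 4000 bits, fills the whole cover
    stego = embed_lsb(COVER, payload)
    print("round trip ok:", extract_lsb(stego, 500) == payload)
    print("chi-square cover: %.1f  stego: %.1f" % (pov_chi_square(COVER), pov_chi_square(stego)))
```

The detector works because sequential embedding equalises the two members of each value pair over the region it touches; embedding that spreads bits pseudo-randomly across the cover, or that changes fewer samples (LSB matching), weakens the signal, which is why the essay's remark that steganography "can be detected" holds mainly for the simple tools.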
There are numerous other forms and techniques, like marking those sectors of the disk where the data of interest is stored as "bad" using an anti-forensic tool such as RuneFS (Grugq 2005). That way, a forensic tool doing a sector-by-sector analysis would treat these "bad" sectors as damaged and ignore them. Grugq (2005) shows other anti-forensic tools like KY FS (Kill Your File System), which can store data in null directories, and Data Mule FS, which stores data in the reserved space of file system metadata, all of which are normally ignored by forensic tools. One of the Metasploit Project tools, Slacker (Metasploit 2009), allows you to save data in the slack space of an NTFS file system. A perpetrator can break a file into many pieces and use Slacker to store those pieces in the slack space of other files.
Forensic tools that skip slack space will treat it as residual noise and ignore it; tools that do carve slack and unallocated space for keyword searches may still recover the fragments. A further disadvantage of hiding data in slack space is the limited storage available and the danger of being overwritten when the files hosting the slack are deleted or resized (Eckstein and Jahnke 2005). The Windows registry is another potential area where data can be hidden with some ingenuity. Kim, Lee and Hong (2008) demonstrate interesting residual registry values of uninstalled programs where a perpetrator can easily hide data without raising suspicion, as forensic experts are more concerned with the uninstalled programs themselves than with their remnant registry values. The Alternate Data Streams (ADS) implemented by the Windows NTFS file system for Macintosh clients can be used to hide data, although capable forensic tools like The Sleuth Kit can easily detect such data (Huebner, Bem and Wee 2006). The disadvantage with current forensic tools capable of detecting data stored in ADSs is their inability to distinguish genuine data from covert data stored by an anti-forensic tool. In journaling file systems like ext3, used by many Linux operating systems, a perpetrator can fool the file system consistency check at startup and later manually allocate a large portion of disk space to hide data and prevent it from being overwritten (Eckstein and Jahnke 2005).
The downside of this might be noticeable inconsistencies, when disk free commands report some free space while in essence the disk is completely full. Whereas hiding data is not perfectly successful, any clever method or technique used can be a highly effective barrier to the forensic process. It is premised on the fact that there are numerous unusual places in the digital space which the radar of forensic investigators cannot see or does not think about. It is such blind spots and other limitations of forensic tools that a perpetrator takes advantage of to conceal data.
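The slack-space behaviour described above, as an added example (not the essay's own code and not Slacker): a byte-level toy volume with 4096-byte clusters in which fragments are stashed in a host file's slack, carved back out the way an examiner's tool would, and then partly destroyed when the host file is rewritten. File names, sizes and contents are constructed; the model follows the NTFS convention of zero-filling only the remainder of the last sector on write.

```python
SECTOR = 512
CLUSTER = 4096  # eight sectors, the NTFS default cluster size on most volumes

class ToyVolume:
    """Byte-level toy of a cluster-allocated volume (constructed for illustration, not an
    NTFS driver). A file occupies whole clusters; the unused tail of its last cluster is its
    file slack. Like NTFS, a write zero-fills the rest of the last *sector* (RAM slack) and
    leaves the remaining sectors of the cluster (drive slack) untouched."""

    def __init__(self, clusters):
        self.data = bytearray(clusters * CLUSTER)
        self.files = {}       # name -> (first_cluster, size_in_bytes)
        self.next_free = 0    # naive bump allocator: files are contiguous

    def write_file(self, name, content):
        n_clusters = -(-len(content) // CLUSTER)
        if name in self.files:
            first, old_size = self.files[name]
            if n_clusters > -(-old_size // CLUSTER):
                raise ValueError("toy model: a rewrite may not need more clusters than before")
        else:
            first = self.next_free
            self.next_free += n_clusters
        start = first * CLUSTER
        end = start + len(content)
        self.data[start:end] = content
        sector_end = -(-end // SECTOR) * SECTOR
        self.data[end:sector_end] = bytes(sector_end - end)   # RAM slack is zeroed
        self.files[name] = (first, len(content))

    def slack_range(self, name):
        """Absolute byte range [end_of_file, end_of_last_cluster)."""
        first, size = self.files[name]
        end = first * CLUSTER + size
        cluster_end = first * CLUSTER + -(-size // CLUSTER) * CLUSTER
        return end, cluster_end

    def hide_in_slack(self, name, fragment, offset=0):
        """What a slack-hiding tool does: stash bytes after the end of a host file."""
        lo, hi = self.slack_range(name)
        if offset + len(fragment) > hi - lo:
            raise ValueError("fragment does not fit in the host file's slack")
        self.data[lo + offset:lo + offset + len(fragment)] = fragment

    def carve_slack(self, name):
        """What an examiner's tool sees if it does not skip slack."""
        lo, hi = self.slack_range(name)
        return bytes(self.data[lo:hi])

if __name__ == "__main__":
    vol = ToyVolume(clusters=4)
    vol.write_file("report.txt", b"A" * 1000)        # leaves 3096 bytes of slack
    vol.hide_in_slack("report.txt", b"SECRET-1", 0)
    vol.hide_in_slack("report.txt", b"SECRET-2", 2000)
    print("fragments before rewrite:", vol.carve_slack("report.txt").count(b"SECRET"))
    vol.write_file("report.txt", b"B" * 1500)        # host file grows within its cluster
    print("fragments after rewrite:", vol.carve_slack("report.txt").count(b"SECRET"))
```

The second count shows the Eckstein and Jahnke caveat in miniature: the fragment placed right after the end of the file is overwritten by the larger rewrite, while the one placed deep in drive slack survives, which is also why a carve of slack space is worth running even on files that have since been modified.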
2.2 Avoiding data
Another technique used to frustrate forensic investigations is to avoid storing data on the disk at all.
The idea behind this is that since the data is never created, there is no evidence to talk about. How does this happen? One starts by changing the Basic Input Output System (BIOS) setup to direct the computer to boot from a removable CD or USB device. Before the computer starts, you disconnect the internal hard disk and then boot it from either the CD or the USB drive. The CD or USB drive can carry its own operating system like Knoppix or BartPE (Smith 2006) and any other required programs that will enable you to do whatever you want, save the output to another removable drive and shut down the computer.
You then return the computer to its previous state. Thus the computer will have been used to perform illegal activities which forensic investigators, when they carry out a disk analysis, will not be able to trace. In this scenario, nothing is written to the hard disk as it is already disconnected. That implies that everything is loaded and manipulated in physical memory (RAM). Memory is volatile and its contents are normally lost when the system is shut down. But you can also boot the computer from removable media even when the disk is connected, and manage to access and change disk contents without leaving a trace. This is one area where smart anti-forensic tools and tricks are deployed and still operated from volatile RAM. For instance, let us consider a live distribution like BackTrack, which is built for penetration testing but lends itself to anti-forensic use.
It is an excellent framework that can be used with other anti-forensics tools like the Metasploit Project (Metasploit 2009) products (Timestomp, Slacker, Transmogrify and SAM Juicer). Once a computer is started from a bootable BackTrack CD, the hard disk is mounted and accessed and changes are made to files on the disk without raising suspicion, as the native OS on the hard disk is not started and so records no activity in its log files (Jahankhani and Beqiri 2008). Timestomp can then be used to alter the files' timestamps, since there is a connection to and access to the hard disk. When the disk is later analysed, forensic tools will not detect anything malicious.
The problem with this approach for the perpetrator who wants to avoid his or her trail being noticed is that the timestamps might look awkward when inspected by hand. Even if the changed timestamps do not deviate too much from the real ones, other digital forensic techniques like sequence number causality (Willassen 2008) can be used to expose the malicious alteration. BackTrack can also be used to connect remotely to a computer and steal account passwords (Jahankhani and Beqiri 2008).
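An added example in Python (not from the essay) of the checks an examiner can run on file records after suspected timestamp manipulation: comparing the creation time in $STANDARD_INFORMATION with the copy in $FILE_NAME, looking for whole-second timestamps and future dates, and a simplified sequence-number causality test in the spirit of Willassen (2008). The four records, their MFT record numbers and the reference date are constructed; in practice the values would come from a file system parser such as The Sleuth Kit.

```python
from datetime import datetime

NOW = datetime(2009, 8, 1)   # constructed examination date

# Constructed NTFS-style records: creation time from $STANDARD_INFORMATION (what a timestamp
# changer rewrites) and from $FILE_NAME (which it leaves alone), plus the MFT record number
# as a proxy for allocation order.
RECORDS = [
    {"name": "notes.txt", "seq": 101,
     "si_created": datetime(2009, 3, 2, 10, 15, 30, 123456),
     "fn_created": datetime(2009, 3, 2, 10, 15, 30, 123456)},
    {"name": "ledger.xls", "seq": 102,                      # antedated ten years
     "si_created": datetime(1999, 1, 1, 0, 0, 0, 0),
     "fn_created": datetime(2009, 3, 5, 9, 0, 12, 654321)},
    {"name": "plan.doc", "seq": 103,                        # dated twenty years ahead
     "si_created": datetime(2029, 7, 1, 0, 0, 0, 0),
     "fn_created": datetime(2009, 3, 6, 14, 2, 3, 111111)},
    {"name": "memo.txt", "seq": 104,
     "si_created": datetime(2009, 3, 7, 8, 30, 0, 500000),
     "fn_created": datetime(2009, 3, 7, 8, 30, 0, 500000)},
]

def check_record(rec, now):
    """Per-file indicators. Each is a heuristic, not proof: a zero sub-second field also
    appears on files copied from FAT media, and a clock that was simply wrong produces
    future dates without any tool being involved."""
    findings = []
    si, fn = rec["si_created"], rec["fn_created"]
    if si.microsecond == 0:
        findings.append("si_zero_subsecond")   # whole-second granularity of the tool
    if si < fn:
        findings.append("si_before_fn")        # a file cannot predate its own name record
    if si > now:
        findings.append("future_timestamp")
    return findings

def causality_violations(records):
    """Simplified sequence-number causality (after Willassen 2008): a record allocated later
    should not claim an earlier creation time than the record allocated just before it.
    Each reported pair contains at least one tampered record."""
    ordered = sorted(records, key=lambda r: r["seq"])
    return [(a["name"], b["name"]) for a, b in zip(ordered, ordered[1:])
            if b["si_created"] < a["si_created"]]

def triage(records, now=NOW):
    return {r["name"]: check_record(r, now) for r in records}

if __name__ == "__main__":
    for name, findings in triage(RECORDS).items():
        print(f"{name:12s} {findings}")
    print("causality:", causality_violations(RECORDS))
```

Note what the causality test cannot do on its own: the forward-dated plan.doc drags the comparison baseline with it, so the honest memo.txt that follows it is reported in the same pair. The pairs narrow the examiner's attention; the per-record indicators then say which member of each pair is the odd one out.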
Even if there were forensic tools capable of capturing computer activity at the time of the password theft, such tools can easily be frustrated by anti-forensic tools capable of detecting and fighting them, by either hanging the system or corrupting them; this will be discussed later. Also, even if the investigators employ other methods, like miniature recording cameras hidden somewhere, such methods can easily be defeated by determined criminals. The problem with this approach of data avoidance, just like data destruction, is that the very fact of avoiding data is evidence in itself.
Sometimes the hype about the effectiveness of devices like USB drives is exaggerated by vendors, as their use can be easily traced (Bosschert 2006). Windows, for instance, records the vendor, product and serial number of every USB storage device that has been plugged in under the USBSTOR key of the SYSTEM registry hive, and a changed BIOS boot order is itself a clue that the machine was booted from removable media.
2.3 Destroying data
Destroying data involves shredding it, making it unusable to the digital forensic investigation. This is one of the most effective anti-forensic methods used. When data is partially or wholly destroyed, forensic investigators will find it extremely difficult to find and present credible evidence in a court of law.
There are numerous free and commercial disk wiping utilities available, like CyberScrub, Evidence Eliminator, Necrofile etc, besides formatting the disk, that can easily be used to destroy data. They can wipe out the entire contents of the disk, or particular files on the disk. However, there are some disadvantages with these utilities. They can leave some sort of signature that indicates that data on the disk was in some way tampered with (Geiger and Cranor 2006). Formatting alone is weaker still: a quick format rewrites only file system metadata and leaves the file contents on the platters, and a wiper that overwrites a file typically leaves a run of uniformly filled clusters exactly where a file of that size used to be, together with the wiper's own installation and execution traces.
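An added example (not the essay's code) of how an examiner looks for the traces a wiper leaves on a disk image: classify each sector as zero-filled, single-byte-filled, high-entropy or ordinary data, then report long uniform runs. The 64-sector image is constructed; the entropy threshold of 7.0 bits per byte is an assumption that separates text from compressed, encrypted or random content.

```python
import math
import random
from collections import Counter

SECTOR = 512

def classify_sector(sec):
    """'zero' for an all-zero sector, 'fill:xx' for a single repeated byte, 'random' for
    near-maximal entropy, otherwise 'data'. Compressed and encrypted content also scores
    'random', so that class alone never proves a wipe took place."""
    if not any(sec):
        return "zero"
    if len(set(sec)) == 1:
        return "fill:%02x" % sec[0]
    n = len(sec)
    entropy = -sum(c / n * math.log2(c / n) for c in Counter(sec).values())
    return "random" if entropy > 7.0 else "data"

def find_wiped_runs(image, min_run=8):
    """Runs of consecutive non-'data' sectors at least min_run long, as (first_sector,
    length, kind). Long uniform runs inside space the file system marks as allocated, or
    runs whose length matches a deleted file's size, are the signatures wipers leave."""
    kinds = [classify_sector(image[i:i + SECTOR]) for i in range(0, len(image), SECTOR)]
    runs, i = [], 0
    while i < len(kinds):
        j = i
        while j < len(kinds) and kinds[j] == kinds[i]:
            j += 1
        if kinds[i] != "data" and j - i >= min_run:
            runs.append((i, j - i, kinds[i]))
        i = j
    return runs

def build_sample_image():
    """Constructed 64-sector image: ledger text, a zeroed region, more text, a 0xFF-filled
    region and a seeded pseudo-random region standing in for a random-pass wipe."""
    text = (b"Quarterly ledger entry: invoice 4471 paid in full. " * 20)[:SECTOR]
    sectors = [text] * 10 + [bytes(SECTOR)] * 20 + [text] * 2 + [b"\xff" * SECTOR] * 16
    rng = random.Random(5)
    stream = bytes(rng.getrandbits(8) for _ in range(16 * SECTOR))
    sectors += [stream[k * SECTOR:(k + 1) * SECTOR] for k in range(16)]
    return b"".join(sectors)

if __name__ == "__main__":
    for first, length, kind in find_wiped_runs(build_sample_image()):
        print("sectors %d-%d: %s" % (first, first + length - 1, kind))
```

The report is only the starting point: the examiner then cross-references each run with the file system's allocation map and with the deleted-file entries that remain in the MFT or directory structures, which is where Geiger and Cranor's finding that wipers leave names and sizes behind becomes usable.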
Deficiencies noted in recovering damaged data from a formatted disk by some forensic tools like EnCase and FTK can be minimised by other advanced methods like that developed by Ryu, Kim and Kim (2008). The comfort a perpetrator might get from using tools such as Evidence Eliminator might be countered by other advanced forensic techniques like the System Restore Point analysis developed by Yun et al. (2008). Degaussing is another method used to completely destroy data, especially on magnetic media such as disks. The disadvantages of this method are that it is expensive and cannot be used on non-magnetic media like optical CDs and DVDs.
Otherwise, the most common-sense method used to destroy the data is to physically destroy the device carrying it, through means like incineration, shredding, vigorously scratching the surface of optical media, etc. The problem with data destruction is that it can itself provide evidence for the forensic investigation. For instance, pieces of a shredded hard disk, or an incinerated hard disk for that matter, can be clear and reliable evidence.
2.4 Obfuscating data
The aim here is to mislead forensic investigations. A wide variety of anti-forensic tools and techniques are deployed to achieve such a purpose.
In this case, anti-forensic tools are able to load malicious programs into volatile RAM without being detected and without reading them from the hard disk. They can then unleash their manipulative abilities and mislead forensic tools. Peron and Legary (2005) show how an adversary can manipulate the logic of an operating system or forensic tool without affecting the actual code, in order to make objects appear trustworthy when in essence they are not. In that sense, they argue that it "can result in compromised logging, audit or information sources being trusted by investigative bodies, resulting in the potential the [sic] avoidance of more thorough offline forensic analysis or the misdirection of the investigative bodies themselves".
2.4.2 Anonymous accounts
Forensic experts face the difficulty of finding the true identity of whoever placed the offending data or programs on a suspect machine. There are many ways such offending data or programs can enter the compromised machine without the owner's knowledge.
In such cases, the owner becomes a 'victim of circumstances'. For instance, a remote hacker can gain access to a machine that is not well protected (say, by a firewall) and have the ability to add, delete or alter files or install programs. Programs installed through such back door means (or any other means, like unsolicited malicious email attachments) cause further damage, like turning the local machine into a zombie used for denial of service attacks on others in the network or on the internet (Caloyannides 2009; Hayes and Qureshi 2009). This issue is also compounded by free email and user storage accounts offered by companies like Yahoo and Google that enable perpetrators to communicate anonymously, although such anonymity can be pierced to a great extent by advanced stylometry-based methods (Dardick, Roche and Flanigan 2007).
2.4.3 Metasploit Anti-Forensic Investigation Arsenal (MAFIA)
Take an instance where forensic experts thoroughly analyse a file's metadata to see whether it has been tampered with. If the extension of a file is changed from, say, .doc to .gif, the file header will still show a .doc signature, and a forensic tool performing a header analysis will raise an alert that the file is suspect because the header information and the extension don't match. However, an anti-forensic tool such as Transmogrify, one of the Metasploit Project tools (Metasploit 2009), which has the ability to change both the header and the extension from .doc to .gif without being detected, will make the file look innocuous to a forensic tool like EnCase.
Timestomp allows you to change any of the timestamps of a file, i.e. when it was created, accessed or modified and when its master file table entry was modified (MACE for short). Anyone, even a perpetrator with little skill, can use Timestomp with the -c option to change the creation date of a file to indicate that it will be created 20 years from now, or with the -m option to change the last modified date to indicate that it was modified 50 years ago. Such an action confuses a forensic investigator by effectively rendering the file useless as evidence. In practice the tool rewrites the timestamps held in the file's NTFS $STANDARD_INFORMATION attribute; the copies held in the $FILE_NAME attribute are not touched, and a creation time in the former that is earlier than the one in the latter is a recognised indicator of tampering. The ability of Slacker to hide files within NTFS file slack, and of SAM Juicer to obtain password hashes from the Windows Security Account Manager without touching the hard drive, thoroughly confuses digital investigations (Kessler 2007).
An anti-forensic tool residing on a USB storage device, capable of manipulating Windows registry keys and setup log files, can write false registry and setup values or create bogus registry keys and manipulated log files where investigators normally look for data (Thomas and Morris 2008). An article appearing in the Washington Post shows how terrorist email messages can be shared without being transmitted, by being stored in the drafts folder of a free email account accessible only to the terrorists, thereby defeating forensic investigations (Noguchi and Goo 2006).
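An added Python example (not the essay's own code and not Transmogrify) contrasting the header-versus-extension check that a header-patching tool defeats with a structural check that it cannot defeat. A minimal PNG is constructed inline; the OLE2 signature is that of legacy Office documents; the transmogrify function here simply pastes a new signature over a file's first bytes, which is an assumption about how such a tool works, not a description of Transmogrify itself.

```python
import struct
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
SIGNATURES = {
    PNG_MAGIC: "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "doc",   # OLE2 compound document (legacy Office)
    b"%PDF-": "pdf",
}

def type_from_header(data):
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None

def extension_mismatch(filename, data):
    """The header-versus-extension check most forensic suites perform. An unrecognised header
    is reported as no mismatch, which is exactly what a tool that patches headers relies on."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = type_from_header(data)
    return kind is not None and kind != ext

def _chunk(ctype, body):
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def png_is_structurally_valid(data):
    """Walk the chunk list: every chunk carries a CRC32 over its type and payload, the first
    must be IHDR, the last IEND, and the chunks must exactly fill the file. A .doc with a PNG
    signature pasted over its first eight bytes passes the header check but not this."""
    if not data.startswith(PNG_MAGIC):
        return False
    pos, first, last = len(PNG_MAGIC), None, None
    while pos + 12 <= len(data):
        length, ctype = struct.unpack_from(">I4s", data, pos)
        if pos + 12 + length > len(data):
            return False
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack_from(">I", data, pos + 8 + length)
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            return False
        first = first or ctype
        last = ctype
        pos += 12 + length
    return first == b"IHDR" and last == b"IEND" and pos == len(data)

def build_minimal_png():
    """Constructed 1x1 8-bit greyscale PNG."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")             # filter byte + one pixel
    return PNG_MAGIC + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")

def build_doc():
    """Constructed stand-in for a legacy Word file: OLE2 signature plus filler."""
    return b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + bytes(16) + b"Confidential plan for Q3" + bytes(200)

def transmogrify(data, magic):
    """Assumed behaviour of a header-patching tool: overwrite the leading bytes with another
    format's signature so that a header check agrees with the new extension."""
    return magic + data[len(magic):]

if __name__ == "__main__":
    png, doc = build_minimal_png(), build_doc()
    fake = transmogrify(doc, PNG_MAGIC)
    print("renamed .doc as .gif, header mismatch:", extension_mismatch("plan.gif", doc))
    print("patched .doc as .png, header mismatch:", extension_mismatch("plan.png", fake))
    print("structural check, real png:", png_is_structurally_valid(png), " fake:", png_is_structurally_valid(fake))
```

The lesson generalises beyond PNG: any format with internal length fields, checksums or a mandatory trailer can be validated past its first few bytes, and a file whose header says one thing while its body parses as nothing at all is a stronger indicator than a plain extension mismatch.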
2.5 Delaying and expensive tactics
In this category, anti-forensic tools and techniques aim to make the digital forensic investigation a lengthy, time consuming and costly process. The rationale is that by making it lengthy and costly, the exercise is unlikely to achieve its mission or will be abandoned altogether.
For instance, storing data in very many places on a network with many systems makes the search for that data a costly affair (Foster and Liu 2005). Analysing today's large storage disks for evidence can be quite a lengthy exercise even if the process is automated. Kessler (2007) adds that perpetrators in this category don't aim to scuttle the forensic investigation but rather to slow it down, by flooding it with useless or excessive information to keep it going on and on.
2.6 Confronting forensic tools
This category consists of some of the latest smart moves and tools cyber criminals utilise to either detect a forensic tool and perform evasion techniques, or to directly attack the forensic tool.
2.6.1 Detection of forensic tools
In this case, an anti-forensic tool becomes evasive upon detecting a forensic tool or technique. Says Garfinkel (2007): "For example, a packer might not decrypt its payload if it realizes that it is running on a disk that has been imaged. A worm might refuse to propagate if it discovers that a network is being surveilled". However, digital forensic precautions like uniquely renaming a tool (Sutherland et al.
2008) defeat such evasive anti-forensic tools. Renaming only helps against checks that look for the examiner's tool by its file or process name; an anti-forensic tool that fingerprints the examiner's tool by its code, its loaded drivers or its behaviour is not fooled by a new name.
2.6.2 Attacks against forensic tools
Here, cyber criminals take advantage of the detailed knowledge they have of a forensic tool and develop anti-forensic tools that capitalise on the forensic tool's inherent vulnerabilities to achieve different missions. Such missions can include forcing the forensic tool to loop continuously, thereby hanging the system, denial of service attacks, etc. So impressive are these anti-forensic tools that they put the reliability of the evidence into question, or can even implicate the investigator (Kessler 2007).
All other possible tools and techniques can be grouped here. For instance, one can write binary data to text-based log files, flood log files with bogus entries, or turn ASCII logs into dynamic link libraries or executables to make forensic tools or the system hang (Foster and Liu 2005). One can attack SQL servers (Cerrudo 2009) to frustrate the forensic investigation.
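An added example (not from the essay or from Foster and Liu) of a log parser written so that the tricks above do not hang it: injected binary bytes, oversized lines and unparsable entries are set aside and reported rather than fed to the parser, and identical entries repeated within one second are flagged as a possible flood. The syslog-style sample lines are constructed.

```python
import re
from collections import Counter

LINE_RE = re.compile(rb"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) ([^:\[]+)(?:\[(\d+)\])?: (.*)$")

def parse_log(raw, max_len=2048):
    """Parse syslog-style lines defensively. Returns (entries, flagged), where flagged is a
    list of (line_no, reason) for lines that were set aside instead of parsed."""
    entries, flagged = [], []
    for line_no, line in enumerate(raw.split(b"\n"), 1):
        if not line:
            continue
        if len(line) > max_len:
            flagged.append((line_no, "oversized"))
            continue
        if any((b < 0x20 and b != 0x09) or b >= 0x7F for b in line):
            flagged.append((line_no, "binary"))
            continue
        m = LINE_RE.match(line)
        if not m:
            flagged.append((line_no, "unparsable"))
            continue
        ts, host, prog, pid, msg = m.groups()
        entries.append({"ts": ts.decode(), "host": host.decode(), "prog": prog.decode(),
                        "pid": int(pid) if pid else None, "msg": msg.decode()})
    return entries, flagged

def flood_candidates(entries, min_repeats=20):
    """The same program emitting the same message many times within one second is the shape
    of a bogus-entry flood; return (key, count) so the examiner can collapse it instead of
    drowning in it."""
    counts = Counter((e["ts"], e["prog"], e["msg"]) for e in entries)
    return [(key, n) for key, n in counts.items() if n >= min_repeats]

# Constructed sample: two genuine sshd lines, one line with binary bytes injected, a
# thirty-line flood of identical kernel messages, and one 3000-byte line.
SAMPLE_LOG = b"\n".join(
    [b"Jul 27 10:00:01 host1 sshd[422]: Accepted password for alice from 10.0.0.5 port 51022 ssh2",
     b"Jul 27 10:00:02 host1 sshd[422]: pam_unix(sshd:session): session opened for user alice",
     b"Jul 27 10:00:03 host1 cron[10]: \x00\xff\x00\x01 junk written straight into the log"]
    + [b"Jul 27 10:00:04 host1 kernel: bogus entry"] * 30
    + [b"A" * 3000]
)

if __name__ == "__main__":
    entries, flagged = parse_log(SAMPLE_LOG)
    print(len(entries), "entries parsed; flagged:", flagged)
    print("flood candidates:", flood_candidates(entries))
```

The flagged lines are not discarded: their line numbers are evidence in their own right, since a genuine logging daemon does not write NUL bytes or three-kilobyte records, and the flood report tells the examiner where the signal-to-noise ratio was deliberately driven down.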
Goh, Leong and Yeo (2009)'s experiment on a Trusted Platform Module (TPM) connected to the client side of a client-server system conveys the message that forensic investigations can be adequately hindered by devices thought to promote trust and security. There are many websites out there churning out lots of anti-forensics techniques and happily boasting about such feats, for example Anti-Forensics (2009), whose motto is "Rendering computer investigations irrelevant". One shudders to imagine how many other anti-forensic tools and techniques are out there that are yet to be identified.
3 Current efforts to counter anti-forensic tools and techniques
The challenges posed by anti-forensic tools and methods have not been left unanswered. Practitioners and interested parties have continuously sought and come up with a wide array of techniques, suggestions and models to confront the anti-forensic developments. Some commentators have argued for solutions that actively monitor suspicious cyber activities and raise real-time alert levels to system administrators.
But others argue for a fundamental shift in the way forensic investigations have been done. Says Berinato (2007): "In fact, one of the reasons for the success of anti-forensics has been the limited and sterile approach computer forensic professionals take to gathering evidence. They rely on the technology, on the hard disk image and the data dump.
But when evidence is gathered in such predictable, automated ways, it's easy for a criminal to defeat that". Adelstein (2006) proposes the concept of live forensics. He illustrates it as follows: "Traditional digital forensics attempts to preserve all (disk) evidence in an unchanging state, while live digital forensic techniques seek to take a snapshot of the state of the computer, similar to a photograph of the scene of the crime". His argument is that important evidentiary data, which might not have been captured to disk before pulling the plug, is lost. However, he acknowledges that this approach has its drawbacks (e.g. the evidence captured is dynamic in nature and changes as time goes by) and calls for more research in this area; calls nevertheless already taken up by recent work like that of Lister and Kornblum (2008), whose method, when integrated into the operating system, is capable of capturing the volatile memory contents, including malicious programs.
The downside of this method, though, is that it will not be "live" as such, as it needs to be loaded into a separate protected memory page and invoked by a keyboard combination. This concept of live forensics has two important implications for countering anti-forensics tools and techniques. First, by actually attempting to capture 'live' evidence, as opposed to the "post-mortem evidence" that disk data is, it will supposedly have obliterated the anti-forensic tools and techniques. For what significance will these anti-forensic tools and techniques have, trying to hamper or frustrate a process that has already taken place? Second, since the purpose of anti-forensic tools and techniques is to frustrate the digital forensic investigation (including the "live" concept), they will be captured 'live' while doing their thing, although one can argue that they will attack the "live" capture of evidence. Such "live" capture of these anti-forensic tools and techniques is critical to the digital forensic investigation, as it will shed more useful insight or unravel mysteries in an expeditious manner. This will then lead to the development of better tools and techniques to counter the problem.
Hayes and Qureshi (2009) argue that in order to ensure strong prosecutorial digital evidence, and hence deal a big blow to the anti-forensics problem, there is a need for advanced technical training, intelligence gathering, and enhanced tools and methods as far as operating systems are concerned. Others like Maggi, Zanero and Iozzo (2008) propose an interesting technical solution of using algorithms that enable a machine to "learn" normal execution and detect anomalous calls, especially system calls, in order to counter a wide range of evidence elimination anti-forensics techniques. However, their model is more useful in UNIX or Linux-like environments, which make up a minimal 2.54% of the global operating system market (Hayes and Qureshi 2009). Casey (2006) suggests that the task of digital investigation should not be left to digital forensic experts alone, but rather should be an effort involving a multi-disciplinary team. "The ideal investigative team has expertise in information security, digital forensics, penetration testing, reverse engineering, programming, and behavioral profiling" and, he adds, it should "involve people who have experience interacting with law enforcement and intelligence agencies in multiple jurisdictions and managing digital investigations". This statement seems to suggest that, for a more effective way to deal with the anti-forensics problem, such a multi-pronged approach is desirable.
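An added example (not the authors' code) of the idea behind Maggi, Zanero and Iozzo (2008) reduced to its simplest form: learn the system-call windows a program normally issues, then score a new trace by the share of windows never seen in training. The training traces, the evidence-elimination trace and the window length are assumptions; the original work also models call arguments and relationships between calls, which this plain n-gram model leaves out.

```python
def windows(trace, n):
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]

class SyscallAnomalyDetector:
    """Sequence-based anomaly detection over system-call names: every fixed-length window
    observed during training is 'normal'; anything else is counted against a new trace."""

    def __init__(self, n=3):
        self.n = n
        self.normal = set()

    def train(self, traces):
        for trace in traces:
            self.normal.update(windows(trace, self.n))

    def score(self, trace):
        """Return (fraction_unseen, [(index, window), ...]) listing the unseen windows."""
        wins = windows(trace, self.n)
        unseen = [(i, w) for i, w in enumerate(wins) if w not in self.normal]
        return (len(unseen) / len(wins) if wins else 0.0), unseen

    def is_anomalous(self, trace, threshold=0.2):
        """Mimicry attacks that pad a malicious sequence with known-good calls push the
        score down, so the threshold is a tuning knob, not a guarantee."""
        return self.score(trace)[0] > threshold

# Constructed training traces of a process that opens, reads and writes files normally.
NORMAL_TRACES = [
    ["open", "read", "read", "close"],
    ["stat", "open", "read", "close", "open", "write", "close"],
    ["open", "write", "write", "close"],
]
BENIGN = ["stat", "open", "read", "read", "close"]
# Evidence elimination: read a file, unlink it, then reset timestamps on a replacement.
ELIMINATION = ["open", "read", "close", "unlink", "utimes", "open", "write", "close"]

if __name__ == "__main__":
    det = SyscallAnomalyDetector(n=3)
    det.train(NORMAL_TRACES)
    for name, trace in (("benign", BENIGN), ("elimination", ELIMINATION)):
        frac, unseen = det.score(trace)
        print(f"{name}: {frac:.2f} unseen, offending windows: {[w for _, w in unseen]}")
```

The offending windows are the ones bracketing unlink and utimes, which is exactly the footprint of the "destroying data" and timestamp-changing tactics from section 2; the detector needs to run while the system is live, which is why the essay pairs this approach with live forensics rather than post-mortem disk analysis.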
There are plenty of reasons for the forensic community to be optimistic and not give in to anti-forensics. "People are still generally unaware of or do not care about anti-forensics", contends Bellamy (2007), and poses the question: "If people do not perform routine tasks like updates and backups, why expect them to use anti-forensic tools often enough to be effective?"

Despite all the efforts undertaken so far by various practitioners, academics and other interested parties, anti-forensics tools and techniques continue to pose serious challenges to the digital forensic process. The main question is: how do we handle these challenges? I therefore went to find out from professional practitioners what their thoughts were regarding this anti-forensics dilemma. Specifically, I sought to establish the following:
- What are the obstacles digital forensics investigators face when identifying, collecting and analysing evidentiary data?
- What types of digital anti-forensic tools and methods exist?
- How useful are the current digital forensics tools and techniques in handling or overcoming the obstacles posed by anti-forensic tools and methods?
- Is the current trend of development and use of digital forensics tools and techniques sufficient for the foreseeable future? If not, how feasible is it to develop radically different approaches or tools?
2006. Live forensics: diagnosing your system without killing it first. Communications of the ACM 49(2):63-66.
Anti-Forensics. 2009. http://www.anti-forensics.com/ (accessed July 27, 2009).
Bellamy, B.J. 2007. Anti-Forensics and Reasons for Optimism. Kentucky Auditor's Office. http://www.nasact.org/conferences_training/nsaa/conferences/ITWorkshopConferences/2007ITWorkshopConference/PresentationsHandouts/bellamy.ppt (accessed July 17, 2009).
Berghel, H. 2007. Hiding data, forensics, and anti-forensics. Communications of the ACM 50(4):15-20.
Berinato, S. 2007. The Rise of Anti-Forensics. CSO Online – Security & Risk. http://www.csoonline.com/article/221208/The_Rise_of_Anti_Forensics (accessed July 03, 2009).
Bosschert, T. 2006. Battling Anti-Forensics: Beating the U3 Stick. Journal of Digital Forensic Practice 1(4):265-273.
Caloyannides, M.A. 2009. Forensics Is So "Yesterday". IEEE Security & Privacy 7(2):18-25.
Carlton, G.H. and R. Worthley. 2009. An evaluation of agreement and conflict among computer forensics experts. Proceedings of the 42nd Hawaii International Conference on System Sciences – 2009, Jan 5-8, 2009. HICSS '09: Big Island, HI.
Casey, E. 2006. Investigating sophisticated security breaches. Communications of the ACM 49(2):48-55.
Cerrudo, C. 2009. SQL Server Anti-Forensics: Techniques and Countermeasures. Black Hat DC 2009, February 16-19, 2009. Arlington, Virginia. http://www.blackhat.com/presentations/bh-dc-09/Cerrudo/BlackHat-dc-09-Cerrudo-SQL-Anti-Forensics.pdf (accessed July 18, 2009).
Dardick, G.S., C.R. La Roche and M.A. Flanigan. 2007. Blogs: Anti-Forensics and Counter Anti-Forensics. Proceedings of the 5th Australian Digital Forensics Conference, December 3-3, 2007. Edith Cowan University, Australia.
Eckstein, K. and M. Jahnke. 2005. Data Hiding in Journaling File Systems. Proceedings of the 5th Annual Digital Forensic Research Workshop, August 17-19, 2005. DFRWS 2005, Louisiana, USA. http://www.dfrws.org/2005/proceedings/eckstein_journal.pdf (accessed July 26, 2009).
Foster, J.C. and V. Liu. 2005. Catch me if you can... Black Hat USA 2005, July 23-28, 2005. Caesars Palace, Las Vegas. http://www.blackhat.com/presentations/bh-usa-05/bh-us-05-foster-liu-update.pdf (accessed July 16, 2009).
Garfinkel, S. 2007. Anti-Forensics: Techniques, Detection and Countermeasures. Proceedings of the 2nd International Conference on i-Warfare & Security (ICIW), March 8-9, 2007. Monterey, CA, USA. http://simson.net/clips/academic/2007.ICIW.AntiForensics.pdf (accessed July 15, 2009).
Geiger, M. and L.F. Cranor. 2006. Scrubbing Stubborn Data: An Evaluation of Counter-Forensic Privacy Tools. IEEE Security & Privacy 4(5):16-25.
Goh, W., P.C. Leong and C.K. Yeo. 2009. A Trusted Platform Module Based Anti-Forensics System. Proceedings of the International Conference on Network and Service Security (N2S '09), Jun 24-26, 2009. N2S '09: Paris.
Grugq. 2005. The Art of Defiling: Defeating Forensic Analysis. Black Hat USA 2005, July 23-28, 2005. Caesars Palace, Las Vegas. http://www.blackhat.com/presentations/bh-usa-05/bh-us-05-grugq.pdf (accessed July 16, 2009).
Harris, R. 2006. Arriving at an anti-forensics consensus: Examining how to define and control the anti-forensics problem. Digital Investigation 3(1):44-49.
Hayes, D.R. and S. Qureshi. 2009. Implications of Microsoft Vista operating system for computer forensics investigations. Systems, Applications and Technology Conference, May 1-1, 2009. LISAT '09: IEEE Long Island.
Henry, P.A. 2006. Anti-Forensics: Considering a career in Computer Forensics? Don't quit your day job... Secure Computing. http://layerone.info/archives/2006/Anti-Forensics-LayerOne-Paul_Henry.pdf (accessed July 17, 2009).
Huebner, E., D. Bem and C.K. Wee. 2006. Data hiding in the NTFS file system. Digital Investigation 3(4):211-226.
Jahankhani, H. and E. Beqiri. 2008. Memory-Based Anti-Forensic Tools and Techniques. International Journal of Information Security and Privacy 2(2):1-13. http://www.infosci-online.com/downloadPDF/pdf/ITJ4221_VC1B6STBaF.pdf (accessed July 18, 2009).
Kessler, G.C. 2007. Anti-Forensics and the Digital Investigator. Proceedings of the 5th Australian Digital Forensics Conference, December 3-3, 2007. Edith Cowan University, Australia.
Kim, Y.S., S.S. Lee and D.W. Hong. 2008. Suspects' data hiding at remaining registry values of uninstalled programs. e-Forensics '08: Proceedings of the 1st International Conference on Forensic Applications and Techniques in Telecommunications, Information, and Multimedia and Workshop. ICST (Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering), Brussels, Belgium: 1-4.
Libster, E. and J.D. Kornblum. 2008. A proposal for an integrated memory acquisition mechanism. ACM SIGOPS Operating Systems Review 42(3):14-20.
Maggi, F., S. Zanero and V. Iozzo. 2008. Seeing the invisible: forensic uses of anomaly detection and machine learning. ACM SIGOPS Operating Systems Review 42(3):51-58.
Metasploit. 2009. Metasploit Anti-Forensics Project. http://www.metasploit.com/research/projects/antiforensics (accessed July 18, 2009).
Noguchi, Y. and S.K. Goo. 2006. Terrorists' Web Chatter Shows Concern About Internet Privacy. The Washington Post. http://www.washingtonpost.com/wp-dyn/content/article/2006/04/12/AR2006041201968_pf.html (accessed July 22, 2009).
Peron, C.S.J. and M. Legary. 2005. Digital Anti-Forensics: Emerging trends in data transformation techniques. Seccuris Labs. http://www.seccuris.com/documents/whitepapers/Seccuris-Antiforensics.pdf (accessed July 5, 2009).
Ryu, D., M. Kim and Y.M. Kim. 2008. An Automatic Identification of a Damaged Malicious File Using HMM against Anti-Forensics. Fourth International Conference on Networked Computing and Advanced Information Management, September 2-4, 2008. NCM '08: Gyeongju, South Korea.
Smith, A. 2006. Describing and Categorizing Disk-Avoidance Anti-Forensic Tools. Journal of Digital Forensic Practice 1(4):309-313.
Sutherland, I., J. Evans, T. Tryfonas and A. Blyth. 2008. Acquiring volatile operating system data tools and techniques. ACM SIGOPS Operating Systems Review 42(3):65-73.
Thomas, P. and A. Morris. 2008. An Investigation into the Development of an Anti-forensic Tool to Obscure USB Flash Drive Device Information on a Windows XP Platform. Proceedings of the 3rd Annual Workshop on Digital Forensics and Incident Analysis (WDFIA '08), October 9-9, 2008. Malaga, Spain.
TrueCrypt. 2009. Frequently Asked Questions. TrueCrypt - Free Open-Source Disk Encryption Software. http://www.truecrypt.org/faq (accessed July 16, 2009).
Willassen, S.Y. 2008. Finding Evidence of Antedating in Digital Investigations. The Third International Conference on Availability, Reliability and Security, March 4-7, 2008. ARES 08: Barcelona, Spain.
Yun, S.M., A. Savoldi, P. Gubian, Y. Kim, S. Lee and S. Lee. 2008. Design and Implementation of a Tool for System Restore Point Analysis. International Conference on Intelligent Information Hiding and Multimedia Signal Processing, August 15-17, 2008. IIHMSP '08: Harbin, China.