Anti-Forensics: Techniques, Detection and Countermeasures
Computer Forensic Tools (CFTs) allow investigators to recover deleted files, reconstruct an intruder's activities, and gain intelligence about a computer's user. Anti-Forensics (AF) tools and techniques frustrate CFTs by erasing or altering information; creating "chaff" that wastes the investigator's time and hides information; implicating innocent parties by planting fake evidence; exploiting implementation bugs in known tools; and leaving "tracer" data that causes CFTs to inadvertently reveal their use to the attacker. Traditional AF tools such as disk sanitizers were created to protect the privacy of the user. Anti-debugging techniques were designed to protect the intellectual property of compiled code. Rootkits allow attackers to hide their tools from other programs running on the same computer. In recent years, however, AF tools that directly target CFTs have emerged. This paper categorizes traditional AF techniques such as encrypted file systems and disk sanitization utilities, and presents a survey of recent AF tools including Timestomp and Transmogrify. It discusses approaches for attacking forensic tools by exploiting bugs in those tools, as demonstrated by the "42.zip" compression bomb. Finally, it evaluates the effectiveness of these tools for defeating CFTs, presents strategies for their detection, and discusses countermeasures.
The 2nd International Conference on i-Warfare and Security. Refereed conference paper.
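The abstract names the "42.zip" compression bomb as an example of attacking a forensic tool through its implementation: a tool that naively expands every archive it meets can be made to exhaust disk or memory. A bomb-resistant archive inspector is the corresponding countermeasure. The following is an added example, not code from the paper or from any of the tools it surveys. It inspects a zip archive using only the central-directory metadata first (nothing is decompressed), flags members whose declared compression ratio or cumulative declared size is implausible, and recurses into nested archives only to a fixed depth and only through a bounded read, so that a header that lies about its size cannot be used against the inspector itself. The thresholds (MAX_RATIO, MAX_DECLARED_TOTAL, MAX_NESTING, NESTED_READ_CAP) are assumed illustrative values, and the two sample archives are constructed inline so the script runs offline.

```python
import io
import zipfile

# Policy thresholds: assumed values for illustration, tune per environment.
MAX_RATIO = 100                        # declared uncompressed bytes per compressed byte
MAX_DECLARED_TOTAL = 64 * 1024 * 1024  # sum of declared member sizes in one archive
MAX_NESTING = 2                        # archive-within-archive depth we will follow
NESTED_READ_CAP = 8 * 1024 * 1024      # most bytes pulled from one member before recursing
ZIP_MAGIC = b"PK\x03\x04"              # local file header signature of a non-empty zip


def read_member_bounded(zf, info, cap):
    """Stream at most cap+1 bytes of one member; returns (data, overflowed).

    The central directory is attacker-controlled, so we never trust info.file_size
    to size a buffer: we stop as soon as the stream passes the cap.
    """
    out = bytearray()
    with zf.open(info) as fh:
        while len(out) <= cap:
            chunk = fh.read(min(65536, cap + 1 - len(out)))
            if not chunk:
                break
            out.extend(chunk)
    return bytes(out), len(out) > cap


def inspect_archive(data, depth=0, path=""):
    """Return a list of findings (strings); an empty list means nothing bomb-like was seen."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [f"{path or '<root>'}: not a readable zip"]
    with zf:
        declared_total = 0
        for info in zf.infolist():  # central directory only; nothing is decompressed here
            member = f"{path}/{info.filename}" if path else info.filename
            declared_total += info.file_size
            ratio = info.file_size / max(info.compress_size, 1)
            if ratio > MAX_RATIO:
                findings.append(f"{member}: ratio {ratio:.0f}:1 exceeds {MAX_RATIO}:1")
            if declared_total > MAX_DECLARED_TOTAL:
                findings.append(f"{member}: declared total exceeds {MAX_DECLARED_TOTAL} bytes")
                break
            # Peek at the first few decompressed bytes to spot a nested archive by magic,
            # not by file name, since a bomb is free to call itself anything.
            with zf.open(info) as fh:
                head = fh.read(len(ZIP_MAGIC))
            if head != ZIP_MAGIC:
                continue
            if depth + 1 > MAX_NESTING:
                findings.append(f"{member}: nesting deeper than {MAX_NESTING} levels")
                continue
            body, overflowed = read_member_bounded(zf, info, NESTED_READ_CAP)
            if overflowed:
                findings.append(f"{member}: nested archive larger than {NESTED_READ_CAP} bytes")
                continue
            findings.extend(inspect_archive(body, depth + 1, member))
    return findings


def build_sample_bomb():
    """Constructed sample: 1 MiB of zeros (deflates to about 1 KiB) one layer down."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("zeros.bin", b"\x00" * (1024 * 1024))
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("layer1.zip", inner.getvalue())
    return outer.getvalue()


def build_benign_sample():
    """Constructed sample: a short text file with an unremarkable ratio."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("notes.txt", b"hello forensic tools\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("benign", build_benign_sample()), ("bomb", build_sample_bomb())):
        print(label, inspect_archive(blob) or ["no findings"])
```

The ratio and cumulative-size checks cost nothing because they read only the central directory; the nesting check is where an inspector usually gets hurt, which is why the recursion reads through `read_member_bounded` rather than `ZipFile.read`. Note that nothing here verifies that the declared sizes are true; a real 42.zip-style payload is caught by the ratio check at the first layer that contains the expanding data, and a payload that lies about its sizes is caught by the read cap rather than by the metadata.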
Related items (by title, author, creator and subject):
Naval Postgraduate School Center for Homeland Defense and Security (CHDS) (Monterey, California: Naval Postgraduate School Center for Homeland Defense and Security, 2007-09); September 2007. Six years after the attacks of 9/11, the practice and discipline of homeland defense and security have evolved and matured, moving into an era of self-evaluation. The essays and articles in Volume III, Issue ...
Jones, Ken M. (Monterey, California: Naval Postgraduate School, 2015-03); Defining and understanding what constitutes a cyber-attack is a complicated matter, largely due to the fact that there has not yet been a large-scale cyber-attack upon any nation. With the help of Michael Schmitt's Tallinn ...
Powell, Robert (2008-06); How much should a defender spend on defense and how should it allocate those resources across the sites it is trying to protect? This paper analyzes a model in which a defender first has to decide how much to spend on ...