Anti-forensics techniques are designed to frustrate digital forensics investigators. They comprise tact and tools to hoodwink digital forensics investigation. Besides, cybercriminals use anti-forensics tools to hide their footprints from computer forensics experts after a data breach or malware campaigns.
This article explains anti-forensics and its top techniques that attackers use to hide or delay forensics investigation.
Purpose of Anti-Forensics
Anti-forensics refers to any strategy or software to thwart a computer inquiry. People can hide information in a variety of ways. Some applications can deceive computers by changing data. Cybercriminals can circumvent data by changing the header or metadata or altering the header from .jpg to .mp3 to trick people into believing it is an audio file.
Cybercriminals use anti-forensic techniques to falsify the cyber forensics evidence report, leading the forensic investigators on a wrong investigation trail. Therefore, it becomes a daunting task for the forensic investigator to retrieve any evidence from the crime scene. The forensics investigation process requires a lot of time to identify these anti-forensic techniques.
Anti-forensic techniques are used to:
- Delete evidence of cybercrime
- Compromise forensic analyst’s reports
- Delete or modify the log records of the attacker’s activities
Forensic investigators find it tough to recover any solid evidence against the attacker or trace the digital footprints. Therefore, they cannot pinpoint the origin of the attack to retrieve stolen data or reach the attacker group to negotiate the outcomes of the attacks. Several anti-forensic techniques go undetected in a threat or malware detection tool or security analysis.
Top 6 Anti-Forensic Techniques
With the increase in ransomware attacks and other malware campaigns, it’s evident that cybercrimes are increasingly using sophisticated techniques to launch their attack. Some of the popular anti-forensics’ methods threat attackers use include:
One of the widespread anti-forensic techniques is encryption, which is the art of embedding confidential and sensitive information into ciphertext (garbled text). Modern-day encryption algorithms are used to prevent unwanted eyes from accessing the concealed text, image, or code. Attackers make use of full-volume encryption and a key file to hide their malicious codes or campaigns. A secret key is used to seal the information, which is then decrypted — deciphering ciphertext back to plain text at the destination point.
Forensic analysts are unable to decrypt malicious files without an authenticated secret key. Malicious files which are encrypted are not detected in many security screening techniques and tools.
2. Program Packers
Program packers are just one of the many anti-forensics techniques that attackers use to hide their data from any detection or scanning methods. Like cryptography, the packers first compress/encrypt the data files and other executable file codes. The program packers were initially used to compress the size of the files and programs. However, hackers started utilizing packers to hide an infected file or program to trespass the security by avoiding detection through anti-malware tools or security analysis.
Some of the packers used for malicious purposes are UPX, The Enigma Protector, MPRESS, etc.
3. Overwriting data
Attackers use overwriting programs to circumvent forensics investigations and minimize digital footprints. Otherwise known as data cleaning or data erasure, securely deleting data is an old-school trick that attackers use. Many tools are available today to overwrite crucial text, metadata, or entire media on a storage system, which hinders the task of forensic analysts during the recovery phase. This technique of overwriting original data minimizes the attacker’s digital footprints of false and altered data. Overwriting data includes:
- Overwriting all the original data
- Overwriting individual files
- Overwriting previously deleted files and working on those files until no free space remains
4. Onion Routing
Onion routing is a technique used to communicate anonymously over a network where the messages are encrypted in a layered manner. The layered encryption resembles an onion, hence the name. The Onion Router or TOR is used to access the web anonymously, providing hackers with a great option to access the dark web, hide their footprints and launch cyberattacks. Onion Routing allows hackers to hide their internet activities, IP address, and network usage.
The data transmitted through onion routing passes through multiple network nodes, each with layered encryption. The data reaches the destination when the last encryption layer is passed through. Forensic investigators will successfully break through each layer from the destination to the exit node to determine the attacker. Onion routing makes it difficult for forensic investigators to trace the attack back to the attacker and increases the time for security analysis.
Steganography is the process of hiding secret messages or information within an audio, image, video, or text file in a non-suspicious manner. Steganography techniques are often incorporated with encryption to provide an added layer of security. The secret data is extracted by the authenticated person with access to the destination using a steganography tool for decoding the hidden message.
Hackers have been using steganography to hide malicious codes and files within legitimate files to bypass security and obfuscate their trails. This anti-forensic technique allows attackers to conduct malicious activities without being detected through threat detection tools and other security parameters. Hackers have been known to hide secret malicious payloads or suspicious messages with invisible ink within images of celebrities, news articles, advertisements, etc.
6. Changing Timestamps
Forensic investigators can pinpoint or trace the attacker by figuring out the location and time of the attack. Therefore, attackers use anti-forensic techniques such as changing timestamps to hide or eliminate the logs, determining the attacker’s location or attack time. Changing timestamps can delete the entries or overwrite the entry logs, making it difficult for the investigator to determine the actual information for evidence.
Attackers can even modify the timestamp of a file or program as an added method to escape the investigation. They alter the timestamp on the servers to bypass the network security, launch an attack and delete the evidence without it being logged into the server.
The challenges anti-forensics tools present to a digital forensics’ investigation are alarming. Businesses are transitioning to remote work frameworks and adopting sophisticated digital practices. Likewise, malicious actors using anti-forensics tools and techniques to launch malware campaigns are evolving and increasingly complex. They can also encrypt network protocols to perform identity theft or corrupt files. Therefore, organizations must implement countermeasure strategies to detect, report, and restrict the use of anti-forensic techniques. However, only a qualified team of digital forensic experts trained in the field can perform these tasks. So, if you further your career in this field, you need to gain knowledge and a certificate in a credible program.
Become a Certified Hacking Forensics Investigator
Certified Hacking Forensics Investigator (C|HFI) certification presents a detailed insight into digital forensics with hands-on and lab-based training. The program trains participants to tackle real-life threat incidents allowing them to investigate, record, and report cybercrimes to prevent future attacks. You can also gain proficiency in different subjects under this program – cloud forensics, data acquisition and duplication, computer forensics investigation process.
Computer forensics is a thriving field. Through C|HFI you can prepare yourself to be eligible for different job roles such as forensic analysts, cybercrime investigators, malware analysts, and security consultants.
20+ Job Roles | 4,000+ Job Openings | Avg. Salary of $96,000
Start your C|HFI Certification and Explore New Career Opportunities in the World of Digital Forensics.
1. What is the role of computer forensics in an investigation?
To gather the digital forensics evidence in case of cybercrime, one can understand the role of a computer forensics expert in three steps to track the attacker:
- Preserving or securing the digital device
- Analyzing the state of digital device
- Reporting retrieved information
2. How much can one earn as digital forensics professional?