
Analyzing the Effect of Anti-Forensics of Digital Techniques to Digital Forensic Examination


Halim Maulana #1, Raden Muhammad Khalil Prasetyo #2

#1 Computer Science, Faculty of Information Technology, University of North Sumatra, Jalan Universitas No. 24 A, Medan, Indonesia
#2 Information System, Sekolah Tinggi Teknik Harapan, Jalan HM. Joni No.70, Medan, Indonesia

#1 thekazagami@gmail.com
#2 rm.khalilprasetyo@gmail.com

Abstract: Digital forensics is a new and rapidly growing field of science that gathers and examines evidence from electronic crime. Electronic crime is very difficult to investigate because it relies heavily on information contained on electronic evidence. On the good side, digital forensics is very useful for dealing with electronic crime, but what if the same methods are performed by a criminal? The criminal can easily dig up the information he needs simply by using live forensics methods against the target. With the growth of technology, the science of computer forensics is also developing very rapidly, so there is a wide range of computer forensic techniques, and so-called anti-forensic techniques to counteract them, for the case where computer forensics is abused by irresponsible parties. This paper discusses exploratory experiments on the use of anti-forensic techniques to counteract digital forensic methods, the effect that anti-forensic techniques have on the investigation of digital evidence, the techniques that can be used, and the digital forensic tools that can be used in the forensic process.
Keywords: Digital Forensics, Computer Forensics, Digital Anti-Forensics, Anti-Forensic Tool, Cyber Crime.

I. INTRODUCTION
Information technology is developing rapidly, and so is the world of digital forensics. In cybercrime cases, a computer's hard drive is often analyzed for evidence that is valid for the case. When examiners find potentially incriminating files, whether in .jpg, .docx, .doc, .mp3 or .mp4 format, a timeline can usually be established regarding when they were created. Their respective timestamps form the basis for the timeline. On an NTFS file system, timestamps are stored in the Master File Table (MFT) and comprise a Last Modified Time (M), a Last Accessed Time (A), a File Created Time (C), and the Entry Modified Time (E). Although originally intended for accounting purposes by the operating system, timestamps are relied upon by examiners and investigators to establish timelines of criminal activity. For instance, since the C-timestamp is updated when a file is created, it is probative information that someone had access to the computer. Potentially, this may be sufficient presumptive evidence to incriminate a subject if he can be placed within the timeline. There is a general consensus in the digital forensic community that commonly used forensic imaging and analysis tools provide accurate, reliable data. That was a few years ago, however; now a technique has appeared that can be used to counteract the digital forensic process, known as anti-digital forensics or anti-forensics. Anti-forensics has only recently been recognized as a legitimate field of study. Within this field of study, numerous definitions of anti-forensics abound. One of the more widely known and accepted definitions comes from Dr. Marc Rogers of Purdue University. Dr. Rogers uses a more traditional crime scene approach when defining anti-forensics: "Attempts to negatively affect the existence, amount and/or quality of evidence from a crime scene, or make the analysis and examination of evidence difficult or impossible to conduct." [1] Liu and Brown (2006), practicing creators of AF methods and tools, offer a slightly darker definition: "application of the scientific method to digital media in order to invalidate factual information for judicial review." [2]
Anti-forensic techniques are actions whose goal is to prevent a proper forensic investigation process or to make it much harder. These actions are aimed at reducing the quantity and quality of digital evidence. They are deliberate actions of computer users, but also of developers who write programs secured in advance against the methods of computer forensics. Anti-forensic techniques include activities such as the intentional deletion of data by overwriting it with new data, or protection tools against forensic analysis. Anti-forensics can be a computer investigator's worst nightmare. Programmers design anti-forensic tools to make it hard or impossible to retrieve information during an investigation [3]. Essentially, anti-forensics refers to any technique, gadget or software designed to hamper a computer investigation. Direct attacks on the computer forensics process are the newest type of AF and potentially the most threatening. Palmer (2001) describes six phases in the process of digital forensics; all are open to attack [4]. There are dozens of ways people can hide information. Some programs can fool computers by changing the information in file headers. A file header is normally invisible to humans, but it is extremely important: it tells the computer what kind of file the header is attached to. If you were to rename an mp3 file so that it had a .gif extension, the computer would still know the file was really an mp3 because of the information in the header [5]. Some programs let you change the information in the header so that the computer thinks it is a different kind of file. Detectives looking for a specific file format could skip over important evidence because it looked like it was not relevant. This research analyzes the effects of the use of anti-digital forensic techniques on the digital forensic process, using Linux and the Metasploit framework.
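As an added example (not from the paper), the following Python check flags the header/extension mismatch described above from the examiner's side: an MP3 renamed to .gif, or a file whose header matches no known type, is reported instead of being skipped. The signature table and the sample files are constructed for this example.

```python
import os
import tempfile

# Constructed signature table (assumed subset): leading bytes -> type name.
SIGNATURES = {
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
    b"ID3": "mp3",                # MP3 carrying an ID3v2 tag
    b"PK\x03\x04": "zip",         # .docx is a ZIP container
    b"\xd0\xcf\x11\xe0": "doc",   # OLE2 compound document (.doc)
}
# Extensions that legitimately map onto another signature's type name.
EXT_ALIASES = {"jpeg": "jpg", "docx": "zip"}


def sniff_type(head: bytes):
    """Type implied by the header bytes, or None when no signature matches."""
    for magic, ftype in SIGNATURES.items():
        if head.startswith(magic):
            return ftype
    return None


def extension_type(path: str) -> str:
    """Type the file claims through its extension (case-insensitive)."""
    ext = os.path.splitext(path)[1].lower().lstrip(".")
    return EXT_ALIASES.get(ext, ext)


def find_mismatches(paths):
    """Return (path, type_from_extension, type_from_header) for every file
    whose header disagrees with its extension; unknown headers count too."""
    findings = []
    for path in paths:
        with open(path, "rb") as fh:
            head = fh.read(16)
        ext_t, hdr_t = extension_type(path), sniff_type(head)
        if hdr_t != ext_t:
            findings.append((path, ext_t, hdr_t))
    return findings


def demo():
    """Constructed sample: an MP3 renamed to .gif next to a genuine GIF."""
    d = tempfile.mkdtemp()
    renamed = os.path.join(d, "holiday.gif")
    with open(renamed, "wb") as fh:
        fh.write(b"ID3\x03\x00" + b"\x00" * 32)   # MP3 bytes, .gif name
    genuine = os.path.join(d, "logo.gif")
    with open(genuine, "wb") as fh:
        fh.write(b"GIF89a" + b"\x00" * 32)
    return find_mismatches([renamed, genuine])
```

Only the first 16 bytes are read, so the check is cheap enough to run over a whole image; a file that shows up here deserves a look regardless of what its extension suggests.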

II. METHODOLOGIES
This project collects data from the test cases and uses these data to check whether the anti-forensic tools and techniques work sufficiently well. The project contains many tasks that need to be accomplished before it can be established that the anti-forensic implementations are working properly. These tasks can be divided into five steps:
1. Build up test cases
2. Apply anti-forensic tools and techniques to these test cases
3. Apply the forensic tools
4. Report findings
5. Comparison between the tools used
2.1 Creating test cases
Anti-forensic techniques will be examined by creating test cases; each test case represents a different tactic used by hackers to hide or erase their activities from investigators. These test cases are built by changing a file extension and saving the file, wiping the hard disk, thumbnail caching and the Windows registry.
2.2 Applying anti-forensic tools and techniques
In general, anti-forensic techniques can be classified into five major areas: elimination of source, data hiding, data destruction, data contraception, and attacks on the forensic tools and process. In this paper we discuss the three main anti-forensic techniques: data destruction, data hiding and data contraception.
1. Data Destruction
Data destruction is the process of destroying data stored on tapes, hard disks and other forms of electronic media so that it is completely unreadable and cannot be accessed or used for unauthorized purposes. Data destruction is the most basic set of techniques in anti-forensics and consists of the physical and logical destruction of data or evidence. Physical destruction can be accomplished with the use of magnetic techniques such as the degaussing of media or through the application of brute force.
2. Data Hiding
The simplest and most basic example of anti-forensics is data hiding. Consider the logical partition and the physical partition. Once a logical partition is created on a drive, the logical size of the partition is often smaller than the full size of the physical partition, so the result is slack space in which the user can store data. An additional benefit of partitions is the ability to hide data within another partition after creating a new partition. If a partition is erased, the data contained on the partition is not truly deleted; only the operating system's reference to the partition is eliminated. Therefore the elimination-of-source technique has to be applied before data acquisition is performed by the investigators. For example, if the evidence cannot be found, it will be neither investigated nor stated. The advantage of data hiding is that the data stays accessible when there is a need for it. Hiding data in slack space also needs to be applied: on many media devices, hard drives for example, data is kept in clusters divided into sectors. Now the most popular file system in use is NTFS. The main information about files, such as the number of clusters, size, file name and timestamps, is stored on the hard drive; however, the actual data is stored in another place. In many cases the saved data does not use all the sectors in a dedicated cluster, and some of them stay empty. Counter-forensic tools can use those empty places to store data. Tools like Slacker can break up and spread data into those places. The one and only way to restore it is to use Slacker again with its special reversible algorithm. Steganography: a process of hiding data within other data so that its presence is concealed. In many cases it is used for legitimate reasons, by inserting digital watermarks in an image so that the owners can protect their copyright. On the other hand, instead of watermarks, the owner can embed any additional data. An examiner using forensic tools may easily miss data hidden in that way, as many forensic packages are not particularly designed to detect steganography. Every wonderful picture may in fact be a well camouflaged collection of critical data. Encryption: the main purpose of data encryption is to protect data from unauthorized access, but it can also be applied against the computer forensic investigation process. Using encryption, the presence of data is not hidden, but it is very hard to examine encrypted media using forensic tools. The process may become time-wasting and very expensive to carry out.

3. Data Contraception
Data contraception is the attempt to limit the quantity and quality of forensic evidence by keeping forensically valuable, or useful, data off the disk. To accomplish this there are two core techniques for interacting with the operating system: firstly, operate purely in memory, and secondly, use common utilities rather than custom-crafted tools. In short, data contraception means using software that creates hardly any evidence, such as syscall proxying, memory-resident compilers/assemblers, Direct Kernel Object Manipulation (DKOM), portable software and live distros.

2.3 Applying Forensic Techniques
The anti-forensic tools are run on the specified test cases, and the after-effects of the tools are examined by trying to access the files modified by these tools. The forensic tools are then run on the same test cases to check whether the forensic tool succeeds and is able to show the changes made to the files and to view the content of the file. The most complicated situation is the use of tools that leave no footprints in the system.
2.4 Digital Forensics Acquisition and Examination Tools to Be Applied
Forensic toolkit (Kali Linux)

III. TESTING AND EVALUATION
A. Testing Methodology
This project's testing is based on four factors:
1. Forensic tool used
2. Presence of data
3. Result of experiment
4. Efficiency of technique

B. Steganography
The art and science of hiding information by embedding messages within other, seemingly harmless messages. Steganography works by replacing bits of useless or unused data in regular computer files (such as graphics, sound, text, HTML, or even floppy disks) with bits of different, invisible information. This hidden information can be plain text, cipher text, or even images. It is like embedding documents, images and other files into another unsuspecting file, like a picture of your car. The medium or transporting file is called the carrier file.
Experiment Tools
Tool: Steghide
Manufacturer: Free Software Foundation, Inc.
Version: 0.5.1
License: Free
Experiment Steps:
1. Applying anti-forensic tool
2. Examining evidence with forensic tools (Autopsy)
C. Data Hiding (Slack Spaces)
Blocks are fixed-size containers used by a file system to store data. Blocks can also be defined as the smallest pieces of data that a file system can use to store information. Files can consist of a single block or of multiple blocks/clusters in order to fulfil the size requirements of the file. When data is stored in these blocks, two mutually exclusive conditions can occur: the block is completely full, or the block is partially full. If the block is completely full, the most optimal situation for the file system has occurred. If the block is only partially full, the area between the end of the file and the end of the container is referred to as slack space [6].
Experiment Tools
Tool: bmap
Manufacturer: Free Software Foundation, Inc.
Version: 1.2.3
License: GNU General Public License version 3.0 (GPLv3)
Experiment Steps:
1. Applying anti-forensic tool
2. Examining evidence with forensic tools (Digital Forensic Framework)
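Added example (not the paper's or bmap's code): computing a file's slack region from its cluster allocation and checking whether anything other than zero fill sits there, which is the examiner's counterpart to a slack-hiding tool. The 512-byte cluster size and the four-cluster image are constructed for the example.

```python
CLUSTER_SIZE = 512  # assumed cluster size of the constructed image


def slack_range(start_cluster: int, logical_size: int,
                cluster_size: int = CLUSTER_SIZE):
    """Byte range [start, end) of the file's slack: from the end of the
    file's data to the end of its last allocated cluster. The range is
    empty when the file exactly fills its clusters."""
    clusters = -(-logical_size // cluster_size)        # ceiling division
    data_end = start_cluster * cluster_size + logical_size
    alloc_end = (start_cluster + clusters) * cluster_size
    return data_end, alloc_end


def scan_slack(image: bytes, start_cluster: int, logical_size: int,
               cluster_size: int = CLUSTER_SIZE):
    """Inspect the slack of one file inside a raw image.
    Returns (slack_length, nonzero_bytes, offset_of_first_nonzero_or_None).
    Freshly allocated clusters are normally zero-filled past the file's
    end, so non-zero bytes there are worth carving out and examining."""
    start, end = slack_range(start_cluster, logical_size, cluster_size)
    slack = image[start:end]
    nonzero = [i for i, b in enumerate(slack) if b != 0]
    first = start + nonzero[0] if nonzero else None
    return len(slack), len(nonzero), first


def build_image() -> bytes:
    """Constructed 4-cluster image: a 700-byte file occupies clusters 0-1
    (so its slack is bytes 700..1023) and a string is planted in that
    slack the way a slack-hiding tool would. Clusters 2-3 hold a file
    that fills its single cluster exactly and therefore has no slack."""
    img = bytearray(4 * CLUSTER_SIZE)
    img[0:700] = b"A" * 700
    payload = b"hidden-in-slack"
    img[710:710 + len(payload)] = payload
    img[1024:1536] = b"B" * 512
    return bytes(img)
```

Real images need the allocation taken from the file system metadata (the MFT on NTFS) rather than being passed in by hand, but the slack arithmetic is the same.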
D. Data Destruction
For this method we use ErAce. ErAce is very easy to use because you simply boot from it and then press one button to wipe all the data from a drive with the DoD 5220.22-M method. DoD 5220.22-M is a software-based data sanitization method used in various file shredder and data destruction programs to overwrite existing information on a hard drive or other storage device. Erasing a hard drive using the DoD 5220.22-M data sanitization method will prevent all software-based file recovery methods from lifting information from the drive and should also prevent most if not all hardware-based recovery methods. The DoD 5220.22-M method is often misspelled as DoD 5220.2-M (.2-M instead of .22-M) [7].
DoD 5220.22-M Wipe Method
The DoD 5220.22-M data sanitization method is usually implemented in the following way:
Pass 1: Writes a zero and verifies the write
Pass 2: Writes a one and verifies the write
Pass 3: Writes a random character and verifies the write
We might also come across various iterations of DoD 5220.22-M, including DoD 5220.22-M (E), DoD 5220.22-M (ECE), or others. Each will probably use a character and its complement (as in 1 and 0) and varying frequencies of verification. Some versions of DoD 5220.22-M write a 97 during the last pass.
Experiment Tools
Tool: ErAce
Manufacturer: Erace.it
Version: 1.0
License: Free
Experiment Steps:
1. Applying anti-forensic tool
2. Examining evidence with forensic tools (FTK)
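Added example (not ErAce's code): the three verified passes listed above, applied to an ordinary file. "One" is taken as a 0xFF byte, which is an assumption, since the page does not give the exact byte values; the sample file is constructed for the example.

```python
import os
import random
import secrets
import tempfile

CHUNK = 1 << 16  # bytes written or read per step


def _pattern(kind: str, seed: int):
    """Return n -> bytes for one pass; re-creating it with the same seed
    restarts the random stream, which is how the verify step replays it."""
    if kind == "random":
        return random.Random(seed).randbytes
    fill = b"\x00" if kind == "zeros" else b"\xff"   # "one" as 0xFF (assumption)
    return lambda n: fill * n


def _overwrite(path: str, pattern, size: int) -> None:
    """Overwrite the first `size` bytes in place and push them to disk."""
    with open(path, "r+b") as fh:
        left = size
        while left:
            n = min(CHUNK, left)
            fh.write(pattern(n))
            left -= n
        fh.flush(); os.fsync(fh.fileno())


def _verify(path: str, pattern, size: int) -> bool:
    """Read back the file and confirm every chunk equals the pass pattern."""
    with open(path, "rb") as fh:
        left = size
        while left:
            n = min(CHUNK, left)
            if fh.read(n) != pattern(n):
                return False
            left -= n
    return True


def dod_522022m_wipe(path: str):
    """Pass 1 zeros, pass 2 ones, pass 3 random, each verified after writing.
    Returns [(pass_name, verified_ok), ...] in pass order."""
    size = os.path.getsize(path)
    seed = secrets.randbits(64)
    results = []
    for kind in ("zeros", "ones", "random"):
        _overwrite(path, _pattern(kind, seed), size)
        results.append((kind, _verify(path, _pattern(kind, seed), size)))
    return results


def demo():
    """Constructed sample: a 100 KB file holding a recognisable marker."""
    with tempfile.NamedTemporaryFile(delete=False) as fh:
        fh.write(b"CONFIDENTIAL-MARKER " * 5000)
        path = fh.name
    results = dod_522022m_wipe(path)
    with open(path, "rb") as fh:
        survived = b"CONFIDENTIAL-MARKER" in fh.read()
    os.remove(path)
    return results, survived
```

Overwriting a file in place only reaches the blocks the file system currently maps to it; on SSDs and copy-on-write file systems earlier copies can remain, which is why the method is normally applied to a whole device, as ErAce does, rather than to single files.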
E. Data Contraception
To apply this method we use Remote Exec. Using gdb as an IUD allows an attacker to be exploit-agnostic for anti-forensic attacks. After using an arbitrary exploit to gain access to a shell, an attacker is able to execute any binary without creating a forensic trace. By the same token, once an attacker has shell access to a host, he is able to execute an arbitrary command without leaving any evidence of forensic value. An IUD separate from an exploited process allows an attacker to use anti-forensic attacks at any point after owning a box, rather than only during the initial exploitation phase [6].
Experiment Tools
Tool: Remote Exec
Manufacturer: Phrack Inc
Version: 1.0
License: Free
Experiment Steps:
1. Applying anti-forensic tool
2. Examining evidence with forensic tools (Autopsy)

IV. TESTING AND EVALUATION
After the anti-forensic process has been carried out against the digital forensic process on the evidence, a comparison is made to analyze the effect that the anti-forensic techniques have on the analysis of the digital evidence by the digital forensic process.
TABLE I
ANALYSIS OF RESULTS

| Method Used                | Forensic Tool Used | Presence of Data | Result | Efficiency of Technique |
|----------------------------|--------------------|------------------|--------|-------------------------|
| Steganography              | Steghide           |                  |        |                         |
| Data Hiding (Slack Spaces) | bmap               |                  |        |                         |
| Data Destruction           | ErAce              |                  |        |                         |
| Data Contraception         | Remote Exec        |                  |        |                         |

The Presence of Data column records whether the previously present or hidden data was detected or not detected, and the Result column records whether the data exists or does not exist after the experiment.

V. CONCLUSIONS
Due to the rapid and great progress of information technology, examiners must be fully aware of the great developments in information technology, and must develop themselves in the field of cyber crime in order to overcome anti-forensic techniques. An examiner who is aware of the recent techniques would be able to resolve new issues, including the latest methods of anti-forensics. This paper covers only the anti-forensic techniques commonly in use today. Nonetheless, criminals use other methods, more sophisticated than those highlighted, in their operations. As technology keeps advancing, so do such ways and means, as criminals try to design more solid and complex methods of hiding their identity and committing crime. Specifically, the goal of anti-forensic technology is to confuse investigations. Therefore, in future, most organizations might ban their use and perhaps even possession. However, this move faces a myriad of challenges, as many technology developers have looked to include high-quality anti-forensic technology in consumer operating systems, aimed at promoting data privacy. In this experiment, several techniques were examined with only four forensic tools, such as FTK Imager, DFF and Autopsy. We have used different anti-forensic techniques and tools such as steganography, active kill disk and some other tools, and we found that the steganography technique was perfectly able to hide information within another file, which can also be very difficult for forensic investigators to detect.
REFERENCES

[1] Rogers, D. M. Anti-Forensic. Presentation given to Lockheed Martin, San Diego (2005).
[2] Liu, V., & Brown, F. (2006, April 3). Bleeding-Edge Anti-Forensics. Presentation at InfoSec World 2006. Retrieved September 11, 2007, from stachliu.com/files/InfoSecWorld_2006-K2-Bleeding_Edge_AntiForensics.ppt
[3] Berinato, S. (2007). The Rise of Anti-Forensics. Retrieved April 19, 2008.
[4] Palmer, C., Newsham, T., Stamos, A., & Ridder, C. (2007, August 1). Breaking Forensics Software: Weaknesses in Critical Evidence Collection. Abstract of presentation at Black Hat USA 2007.
[5] Ahsan, K. (2002). Covert Channel Analysis and Data Hiding in TCP/IP.
[6] Sartin, B. Anti-forensics, distorting the evidence. Journal of Computer Fraud and Security (5), 46 (2006).
[7] Carrier, B. Defining Digital Forensic Examination and Analysis. Research Workshop II, 2002. Available at: http://www.dfrws.org.