
ABSTRACT

Attackers have long used methods to keep investigators from finding evidence; wearing gloves during a crime to avoid leaving fingerprints is one example. Now that computer forensics, which deals with digital data, has become key to investigations, anti-forensics has come into existence: a set of tools and techniques that criminals can use to destroy digital evidence or to hide it from investigators. It is an accepted fact that anti-forensic techniques are widely used, with the ultimate goal of challenging investigators; in return, investigators gain considerable knowledge about the drawbacks of the forensic tools currently in use, which helps in developing error-free forensic tools.

In this project, the traditional anti-forensic techniques of hiding data with cryptographic approaches, masking, changing file attributes and renaming a file to an unreadable extension are investigated by building an anti-forensic prototype, and test cases are run against the currently available forensic tools FTK and ProDiscover.

Finally, the impact of the developed anti-forensic tool on these forensic tools is reported, together with comparative results against DiskOff, the previous version of the tool, which implements other methods such as cloning and deleting files.


ACKNOWLEDGEMENT

My experience of successfully completing this graduate project became possible because of the never-ending support and guidance of Dr. Mario Garcia, Professor of the Department of Computing Sciences, Texas A&M University – Corpus Christi.

I am very thankful to Dr. Longzhuang Li, Texas A&M University – Corpus Christi, for being part of my project as a committee member. His supportive suggestions helped me to complete this project successfully.

I am very thankful to Dr. David Thomas, Associate Professor of Computing Sciences, Texas A&M University – Corpus Christi, for his support in completing my project report and proposal to all the document standards, and also for his valuable suggestions and attention, which helped me to complete my project on time.

I am very thankful to Srilakshmi for her support in the completion of this project; she provided me with all the details about the previous version of the tool, which helped me a lot to use my time effectively in completing this project.

My sincere heartfelt thanks to all the faculty and staff of the Department of Computing Sciences for making it possible for me to complete this project.

Last but not least, I would like to thank my parents and family, who provided the much-needed moral support and encouraged me in reaching the successful completion of the project.


TABLE OF CONTENTS

Abstract ..... ii
Acknowledgement ..... iii
Table of Contents ..... iv
List of Figures ..... vii
List of Tables ..... ix

1. Introduction
   1.1 Computer Forensics and Anti-Forensics ..... 1
   1.1.2 Anti-Forensics Goals ..... 2
   1.2 Anti-Forensics Methods ..... 3
      1.2.1 Data Destruction ..... 4
      1.2.2 Data Hiding ..... 7
         1.2.2.1 Encryption ..... 7
         1.2.2.2 Steganography ..... 9
      1.2.3 Trail Obfuscation ..... 9
      1.2.4 Attacks Against Computer Forensics ..... 10
   1.3 History ..... 11
      1.3.1 Background and Related Work ..... 12
   1.4 Objective ..... 13
   1.5 Rationale ..... 14

2. Narrative ..... 15
   2.1 Problems from Investigators Approach ..... 15
      2.1.1 Scope ..... 15
   2.2 Functionalities of Anti-Forensic Tools ..... 16
   2.3 Reducing the Methods of Anti-Forensic Methods ..... 16

3. Proposed System Design ..... 18
   3.1 Framework ..... 18
   3.2 Proposed Mechanism ..... 20

4. Functionalities of the Tool ..... 21
   4.1 Encryption ..... 22
   4.2 Camouflage ..... 23
   4.3 Change File Properties ..... 27
   4.4 Renaming ..... 29

5. Testing and Evaluation ..... 30
   5.1 Forensic Tools Used ..... 30
      5.1.1 FTK ..... 30
      5.1.2 ProDiscover ..... 31
   5.2 Testing Methodology ..... 32
      5.2.1 Analyzing Using FTK ..... 35
      5.2.2 Analyzing Using ProDiscover ..... 43

6. Results ..... 54

7. Conclusion ..... 56

8. Future Work ..... 57

Bibliography and References ..... 58

Appendix A. Definition of Tools ..... 60


LIST OF FIGURES

Figure 1: Framework ..... 19
Figure 2: Snapshot of the Prototype Application Developed ..... 21
Figure 3: Encryption Window in Encachare Application ..... 22
Figure 4: Camouflage Window in Encachare Application ..... 23
Figure 5: Hiding Data Using Encachare Application with Camouflage ..... 24
Figure 6: Searching for Hidden Files Using Encachare Application ..... 25
Figure 7: Unhiding Using Encachare Application for Camouflage ..... 26
Figure 8: Change File Properties Window in Encachare Application ..... 27
Figure 9: After Applying File Attributes to File ..... 28
Figure 10: After Renaming Using Encachare Application ..... 29
Figure 11: File Selection for Encryption in Encachare ..... 32
Figure 12: After Encryption Using Encachare Application ..... 33
Figure 13: Content of Text File Before Encryption ..... 34
Figure 14: Content of Text File After Encryption ..... 34
Figure 15: FTK Case Information ..... 35
Figure 16: FTK Processing ..... 36
Figure 17: FTK Result Page After Encryption ..... 37
Figure 18: Before Renaming the Text File ..... 38
Figure 19: FTK Analyzing Renamed Files ..... 39
Figure 20: FTK Analyzing the File with Changed Properties ..... 40
Figure 21: FTK Searching for Camouflage Files ..... 41
Figure 22: Properties of Image File After Masking ..... 42
Figure 23: ProDiscover in Action to Investigate ..... 43
Figure 24: ProDiscover Imaging the Pendrive ..... 44
Figure 25: Recovered Files from Pendrive Using ProDiscover ..... 45
Figure 26: ProDiscover Analyzing Renamed Files ..... 46
Figure 27: ProDiscover Analyzing Files with Altered Attributes ..... 47
Figure 28: ProDiscover Analyzing Camouflage Files on Pendrive ..... 48
Figure 29: ProDiscover Analyzing Encrypted Files ..... 49
Figure 30: First Look of Discoff ..... 50
Figure 31: Discoff Cleaning User Data ..... 51
Figure 32: Deleting Files Using Discoff ..... 52
Figure 33: Cloning Files Using Discoff ..... 53


LIST OF TABLES

Table 1: Anti-Forensic Methods ..... 4
Table 2: Data Destruction Methods and Security Level ..... 5
Table 3: Various Exploitations under Anti-Forensic Methods ..... 17
Table 4: Impact on FTK and ProDiscover ..... 54
Table 5: Comparison between Encachare and Diskoff ..... 55

1. Introduction

1.1 Computer Forensics

Computer forensics, also called computer forensic science, belongs to the stream of digital forensics and focuses on digital media. The word 'forensics' means bringing evidence into a court of law, and here it is mostly applied to the information and network systems field. Forensics helps to recover and analyze evidence whenever something goes wrong in a company; evidence can take any form, from fingerprints to bloodstains on a hard drive [Srilakshmi 2010]. Computer forensics mainly focuses on the tools and mechanisms available for recovering evidence, and it relates broadly to hard drives and other digital media [Berghel 2007].

The benefits of computer forensics include providing evidence to support a user's case, helping to determine which devices need to be investigated, determining whether evidence has been modified or tampered with, proving whether the opposing party is "guilty" of wrongdoing, and finally offering strategies to find the traces of an attack, which supports the forensic community in submitting findings to a court of law as an expert witness [Hilley 2007].

Anti-Forensics

Anti-forensics can be described as the counter field to forensics, in which criminals focus on confusing investigators and preventing them from retrieving evidence. Anti-forensic attackers have their own tools and mechanisms to defeat a forensic investigation. The goals of an anti-forensic system include avoiding detection, disrupting information collection, increasing the examiner's time, casting doubt on a forensic report or testimony, forcing a tool to reveal its presence, and subverting the tool, that is, using it to attack the examiner or the organization. Over the past six to nine years, research in anti-forensics has grown tremendously in both scope and popularity [Hilley 2007].

Anti-forensic tools are mainly used to hide data and to change the metadata of files, making it harder for the investigator to detect evidence. All of these anti-forensic tools and software are available on hacker websites [Harris 2006]. Tools are being developed with modest goals, including a user-friendly interface, which makes adoption easy for hackers: even new hackers are able to confuse investigators in a very short time [Berghel 2007].

1.1.2 Anti-Forensics Goals

There are four important goals that need to be given particular importance when a tool is developed. They are as follows:

1. Make it impossible for the investigator to detect that the event happened.

2. Prevent the investigator from detecting the evidence needed to collect information.

3. Force the investigator to spend more time detecting the event.

4. Cast doubt on a forensic report or testimony [Liu and Brown 2006].

Other goals might include:

1. Make the forensic tool attack the system instead of retrieving the evidence.

2. Leave no evidence that an anti-forensic tool has been used [Harris 2006].


1.2 Traditional Anti-Forensics and Methods

In the field of forensics on digital data, a debate frequently takes place about the goals of anti-forensics and the purpose of using anti-forensic tools and methods. Most people believe that anti-forensic tools are harmful to use and even to design; others believe they can be used to educate investigators. This was first noted at the 2005 Black Hat conference by the authors of the anti-forensics community, who came to the conclusion that anti-forensic tools help in developing new, efficient forensic tools and improve investigators' efficiency [Srilakshmi 2010].

Tool developers for anti-forensics follow a set of policies and rules that take into account state laws, manpower, time, and the cost involved in developing the tool. Every piece of evidence in digital format should be valid and reliable; these properties are considered and confirmed by the federal community. If the evidence is not valid and reliable, it is considered hearsay.

Much research has been done in the anti-forensics field on how these methods gained importance, finding that their lightweight implementation and simple user interfaces let a novice user learn a tool in no time. Based on the studies conducted, anti-forensics has been classified into different methods, called sub-categories.

Anti-forensic methods have become prominent recently and are divided into many sub-fields in order to classify the different sets of tools available for each area. According to [Rogers 2005], these sub-fields fall into four types: destruction, hiding, preventing the creation of evidence, and finally counterfeiting data; another scholar classified categories that include data hiding, trail obfuscation, and attacks against the tools themselves [Rogers 2005]. Although the two classifications are distinct, they are similar; for example, "hiding" and "data hiding" give the same sense, and the other classified methods correspond in the same way. Some of the important methods that are really challenging for investigators are discussed in this research.

Table 1. Anti-Forensic Methods [Rogers 2005]

1.2.1 Data Destruction

The most basic and traditional anti-forensic method is destruction, which makes investigation impossible by destroying everything so that no evidence is available. It is classified into two types: physical destruction of data and logical destruction of data.

Physical destruction of data is possible by brute force and also with magnet-based tools; degaussing the media, for example, uses a magnet for destruction [Rogers 2005].


Data destruction is also possible by destroying the platters of a hard disk, which involves shredding, smashing or grinding them. One can also dip the platter in acid, which completely destroys the data.

Logical destruction is the other approach used in anti-forensics; it is implemented by changing the information on the media significantly. Some of the methods for logical destruction of data are explained in this research.

The easiest way to destroy data is to overwrite it on the drive. Some studies state that destroying data requires many passes of a wiping procedure to remove the traces, but this is not true: on a modern disk drive even a single overwrite makes the data unavailable. Wiping is a technique that uses both software and hardware resources to make the data unrecoverable at every bit. Wiping is more beneficial than just deleting the files in a system [Harris 2006].

Table 2. Data Destruction Methods and Security Level [Rogers 2005]


Wiping is one of the techniques used for destruction of data. It can be done in many ways, but they share a common feature: the data is overwritten at least once. The tools currently available to investigators are not able to recover overwritten data. An electron microscope can be used to find the previous state of the electrons and recover the data, but very few investigators have access to such a microscope, so this is not widely applicable for recovering data [Bryan 2006].

File wiping, also called secure deletion, deletes files by overwriting the data and makes it unrecoverable from the disk in future. In this process all the files available on the hard disk are deleted [Satya Harini 2010].

Wiping can also target slack space, defined as the unused space at the end of a file that is only partially overwritten. The slack is altered without changing the previous contents of the file. Once wiping is performed on the slack space, the data there is no longer available or recoverable [Garfinkel 2006].

Tools Available for Destruction

In this section, two of the most popular tools for destruction are discussed: Klismafile and Necrofile. Necrofile is a tool for dirty-inode selection: it lists all dirty inodes matching a given time for deletion and scrubs those inodes, leaving no evidence for forensic investigators.

Klismafile is another destruction tool, which removes entries from directories: it checks for deleted entries in a directory and overwrites them, using regular expressions to select them [Srilakshmi 2010].


1.2.2 Data Hiding

This is the subfield of anti-forensics used most prominently by attackers, in both the networking field and the digital forensics field. This project is based on the data hiding part, which deals with hiding evidence from investigators so that the data is difficult to find and to use by forensic investigators in future, making the situation more challenging [Anti-Forensics 2010].

Data hiding is further sub-divided into categories, which are classified and explained in this research. Currently the field of data hiding includes steganography, encryption, and many other techniques that use software and/or hardware. When multiple methods are combined to hide data, it becomes even more difficult for investigators to retrieve the evidence, which can become a challenge [Bryan 2006].

Cryptography and steganography are very efficient techniques in the field of anti-forensics; cryptography is the more reliable in the information hiding process. Although there are forensic tools used by investigators that are capable of detecting encrypted data, the data can only be read if the key is obtained, which may be possible by using, for example, spyware or other covert channels [Berghel 2007].

1.2.2.1 Encryption

Encryption is a subfield of cryptography and is widely used by attackers to challenge forensic investigators. Most forensic experts consider encryption a nightmare for forensic investigations. Currently many encryption-based techniques are available, and most of them rely on a key to open the content of the data. This makes it impossible to read the data until the correct key is known [Anti-Forensics 2010].

File-level encryption is a technique limited to encrypting the files themselves; it leaves information about all the attributes of a file, such as name, size, date modified and last accessed, unencrypted. The file may also be reconstructed by joining parts of it that are available in temporary files, swap files and unencrypted copies left on the system. An encryption scheme combined with any other anti-forensic technique makes the forensic retrieval of evidence very difficult, and the wide spread of such combined tools leads to many disadvantages for digital forensics.

The effect of encryption on digital data in a forensic investigation depends mainly on what type of data is encrypted and how the procedure is implemented. An investigator without the key cannot decrypt the data, and if the investigator follows the traditional brute-force method it can take many years to compute the key. So it is better for the investigator to follow other methods, such as using a keystroke logger or checking system memory for the decryption key [Hong/Lee/Chang 2007].

Currently most encryption-based techniques target Windows-based systems; other operating systems such as Mac OS and Linux follow a partition-level encryption scheme, i.e. only pieces of data on the hard drive are encrypted, and all of this encrypted data looks like randomized bits until it is decrypted with a key. These randomized bits can even be hidden in a place that is not allocated as drive space; such hidden data cannot be detected easily unless the investigator pays particular attention during retrieval, and even if the investigator finds the traces of randomized bits, the data cannot be accessed until the decryption key is known [Satya Harini 2010].
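As an added example (not code from the original report or from the Encachare/DiskOff tools), the following Python script shows the entropy test an examiner can apply to the "randomized bits" described above: ciphertext has close to 8 bits of entropy per byte, while ordinary documents sit far lower, so a per-file or per-block entropy scan flags likely encrypted content even when the key is unknown. All sample data is constructed inline; the SHA-256 chain stands in for real ciphertext, and the threshold of 7.0 bits per byte is an assumed tuning value.

```python
"""Entropy triage for suspected encrypted content (added example, not the
report's own code). Ciphertext and good compression both approach 8 bits of
entropy per byte; plain documents sit around 4-5 bits."""
import hashlib
import math
from collections import Counter

ENTROPY_THRESHOLD = 7.0  # assumed tuning value, in bits per byte


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input, 8.0 max)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = ENTROPY_THRESHOLD) -> bool:
    """Whole-file verdict: True when the content is statistically random-looking.
    Compressed archives and JPEGs also trip this, so treat it as a triage hint."""
    return shannon_entropy(data) >= threshold


def high_entropy_blocks(data: bytes, block: int = 1024,
                        threshold: float = ENTROPY_THRESHOLD) -> list:
    """Scan a raw byte stream (e.g. an image of unallocated space) block by block
    and return (offset, entropy) for blocks that look like ciphertext. This is how
    random-looking data hidden outside any file can still be located."""
    hits = []
    for off in range(0, len(data), block):
        ent = shannon_entropy(data[off:off + block])
        if ent >= threshold:
            hits.append((off, round(ent, 2)))
    return hits


def pseudo_ciphertext(length: int, seed: bytes = b"constructed-seed") -> bytes:
    """Deterministic stand-in for ciphertext: a SHA-256 hash chain, whose byte
    distribution is indistinguishable from random for entropy purposes."""
    out = bytearray()
    h = seed
    while len(out) < length:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:length])


# Constructed samples: a repetitive office document and a 2 KiB "encrypted" blob.
PLAINTEXT = ("Quarterly report draft: revenue figures, staffing plan, open risks. " * 32).encode()
CIPHERTEXT = pseudo_ciphertext(2048)
# A 4 KiB "disk region": plain data, then the blob, then plain data again.
DISK_REGION = PLAINTEXT[:1024] + CIPHERTEXT + PLAINTEXT[:1024]


if __name__ == "__main__":
    for label, sample in (("document", PLAINTEXT), ("ciphertext", CIPHERTEXT)):
        print(f"{label:10s} entropy={shannon_entropy(sample):.2f} "
              f"encrypted={looks_encrypted(sample)}")
    print("high-entropy blocks:", high_entropy_blocks(DISK_REGION))
```

Note that the test says nothing about the key: it only tells the examiner where to look. It also does not change what file-level encryption leaves in the clear, so the file name, size and timestamps of a flagged file remain readable and are still worth recording.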

1.2.2.2 Steganography

Steganography is another subfield of data hiding in anti-forensics, in which messages are hidden in such a way that no one but the sender and receiver of the file knows the hidden file exists. Usually the files are hidden in other files, such as an image file or an mp3 file, and can also be hidden in a video file while still presenting as an ordinary video file; this is generally called masking. Most investigators and forensic experts believe that this type of hiding is still not prominent, but the fact is that if steganography is implemented it is very hard to detect [Bin Liu 2006].

Steganography is distinct from cryptography and has its own importance in data hiding; the only similarity is that both are used for hiding. Nowadays the data is hidden after encrypting it with specific algorithms, so that the patterns look innocuous. The formats supported by steganography include bmp, jpeg, gif, wav, mp3 and others [Shawn 2007].

The tools currently available and most prominent for steganography are Steganos, S-Tools, Steghide, JPHide, Hiderman and others.

1.2.3 Trail Obfuscation

The main goal of trail obfuscation is to confuse or divert the forensic investigator from retrieving the evidence. It has its own methods and tools for confusing the investigator: log cleaners, spoofing, and zombie accounts.

Recently, the Metasploit project developed a tool called "Timestomp", which has the ability to modify timestamps such as date created, modified and last accessed; by doing this one can render a file unusable as evidence in a court of law. The other Metasploit tool for trail obfuscation is named "Transmogrify", which has the capability to change a file from one extension to another; for example, a document file can be changed to an image file. When forensic investigators run a tool on the drive they see these changed files as regular files [Anti-Forensics 2011].
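The two checks an examiner runs against the methods described in this chapter, as an added Python example that is not code from the original report or from the tools it describes: signature-based carving, which finds a deleted file by its leading bytes until an overwrite of the kind discussed under Data Destruction removes them, and an extension-versus-signature comparison, which exposes the extension swap described above because renaming a file does not change its first bytes. The signature table holds well-known public magic numbers; the PDF, JPEG and OLE samples and the 1.5 KiB "disk image" are constructed inline.

```python
"""Signature-based triage (added example, not the report's own code): carve files
out of raw bytes by their magic numbers, and flag files whose extension does not
match the format their first bytes announce."""
import os
from typing import Optional

# Leading byte sequences of a few common formats (well-known public values).
SIGNATURES = {
    b"%PDF-": "pdf",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"PK\x03\x04": "zip",                          # also docx/xlsx/pptx/jar
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole",    # legacy .doc/.xls/.ppt
}

# Extensions an examiner would accept for each sniffed format.
EXPECTED_EXT = {
    "pdf": {".pdf"},
    "jpeg": {".jpg", ".jpeg"},
    "png": {".png"},
    "gif": {".gif"},
    "zip": {".zip", ".docx", ".xlsx", ".pptx", ".jar"},
    "ole": {".doc", ".xls", ".ppt", ".msg"},
}


def sniff_type(data: bytes) -> Optional[str]:
    """Identify a format from its leading bytes; None if no known signature matches
    (plain text, for instance, has no signature at all)."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


def check_extension(filename: str, data: bytes) -> dict:
    """Compare the claimed extension with the sniffed format. A renamed document
    (e.g. a .doc saved as .jpg) shows up as mismatch=True."""
    ext = os.path.splitext(filename)[1].lower()
    kind = sniff_type(data)
    return {"name": filename, "ext": ext, "sniffed": kind,
            "mismatch": kind is not None and ext not in EXPECTED_EXT[kind]}


def carve(image: bytes) -> list:
    """Return sorted (offset, format) pairs for every signature found anywhere in a
    raw image, whether or not a directory entry still points at it."""
    hits = []
    for magic, kind in SIGNATURES.items():
        pos = image.find(magic)
        while pos != -1:
            hits.append((pos, kind))
            pos = image.find(magic, pos + 1)
    return sorted(hits)


def overwrite(image: bytes, offset: int, length: int) -> bytes:
    """Single-pass zero overwrite of a region, the minimum any wiping tool does."""
    return image[:offset] + b"\x00" * length + image[offset + length:]


# Constructed samples: a tiny PDF, a JPEG header and a legacy OLE document header.
PDF_SAMPLE = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
JPEG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
DOC_SAMPLE = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24
# A 1.5 KiB "disk image": free space, a deleted PDF at offset 512, a JPEG at 1024.
IMAGE = b"\x00" * 512 + PDF_SAMPLE.ljust(512, b"\x00") + JPEG_SAMPLE.ljust(512, b"\x00")


if __name__ == "__main__":
    print(check_extension("holiday.jpg", DOC_SAMPLE))   # a .jpg name on a .doc body
    print(carve(IMAGE))                                # deleted PDF still carvable
    print(carve(overwrite(IMAGE, 512, 512)))           # gone after one overwrite
```

Both checks are what commercial suites such as FTK do under the names "file carving" and "file signature analysis". Their limits are the ones the chapter implies: a format without a fixed header (plain text) cannot be sniffed, and once the header bytes have been overwritten the carver has nothing left to match, even though directory entries or slack space may still record that the file existed.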

1.2.4 Attacks against Computer Forensics

Recently anti-forensics has developed a new way of attacking investigators: making the forensic tools themselves inefficient. This approach came after the traditional methods such as deleting or destroying data, hiding approaches such as encryption and steganography, and trail obfuscation [Garfinkel 2006]. Examples of forensic tools that are the targets of attackers are EnCase, FTK and ProDiscover [Dixon 2005].

[Palmer 2005] defines six phases of an investigation, each of which is a possible point of attack on forensic tools. They are as follows:

1. Identification is the phase in which the investigator learns that a problem exists which needs investigation. Obscuring the incident, or hiding the nexus between the digital device and the event under investigation, can undermine this phase.

2. Preservation is the second phase described by Palmer, in which the integrity of the evidence is maintained. Casting doubt on the integrity of the evidence retrieved by the investigator undermines this phase.

3. Collection is the third phase and concentrates on the details of how the data is gathered from the available evidence. This phase is undermined when the tools used to gather the data are questioned and when the completeness of the data is not achieved.

4. Examination is the fourth phase and is concerned with how the data is viewed. This phase can be undermined when tools are inefficient, unable to perform well, or not scientifically valid.

5. Analysis is the means by which an investigator draws conclusions from the evidence. This phase relies on the tools, the investigative prowess of the examiner, and the rest of the evidence that was found. If a case hinges solely on digital evidence, the interpretation of the evidence is the part most open to attack.

6. Presentation refers to the methods by which the results of the digital investigation are presented to the court, jury, or other fact-finders. If the evidence is otherwise solid, anti-forensic tools and methods will be used to attack the reliability and thoroughness of the reports, or the examiner [Kessler 2006].

1.3 History

Formerly, anti-forensics received little attention, because networks were mostly internal and private. The computers used in forensics were largely aloof from law enforcement, passwords, and secret business data. Since then, the internet has become the only source for business intelligence and data sharing. Thus anti-forensics has gained importance and is now a focus, which helps in securing networks and companies from the external environment. Over the course of their growth, computer operating systems and their applications have produced large amounts of information about the user's actions. All of these records became an essential source of confirmation, together with the focus on legal discovery and investigation. During this time, awareness among users has also increased; for example, users learned that deleting documents does not mean erasing the data they hold. This knowledge has generated the need for counter-forensic software that developers advertise as securing the user's privacy and/or safeguarding them from penalties for tasks carried out on the system.

1.3.1 Background and Related Work

It is very difficult to differentiate viable anti-forensic packages from other anti-forensic utilities associated with attackers. Most commercial anti-forensic applications designed so far are for the Microsoft Windows operating system, and only some are intended for Unix/Linux platforms. These anti-forensic software packages can be categorized into two sets based on their chief goals and ideas, as follows:

1. The first set requires domain knowledge about specific operating systems and the structure of their files in order to track the location of particular documents on a system.

2. The other set focuses on removing the information that is tracked on a system. Some of these applications do not just remove information but also perform masking, overwriting the erased areas with random values so that the data cannot be recovered by any forensic tool [Matthew 2005].

Initially, anti-forensic methods adopted general practices using conventional techniques such as information-thrashing commands and encryption. Over time, digitally stored information has become what investigations rely on most, and it has significantly influenced many criminal and civil actions. Thus, to fight these threats, new methods were required and are in high demand from forensic investigators [Scott 2007]. More on the challenges posed by anti-forensic tools that effectively locate and also remove targeted information is described in detail in the "Test Results" section of this paper.

1.4 Objective

It can be a complex job for digital forensic analysts to deal with the many commercial software tools that are developed to hide, or to keep track of, the records of system activities. These counter-forensic techniques have been used to eradicate evidence in criminal and civil legal proceedings, and they represent an area of ongoing concern for forensic examiners. [Matthew 2005]

The main aim of this project work is to develop a model application that can be used as an anti-forensic tool and also to validate its efficacy and accuracy. This can be done by evaluating and testing it against the other commercial anti-forensic methods in the Windows environment.

1. Through learning anti-anti-forensic techniques, the vulnerabilities can be appraised and the effectiveness of these techniques will be decreased.

2. Report the problems of anti-forensics by making use of the large range of available tools on different platforms such as Linux, Windows, etc.

3. Assist forensic tool builders in developing good products; it is also important to guide forensic investigators in knowing about those tools.

Moreover, this project concentrates mainly on the performance of the tool and on the masking of information, such that the techniques used in the forensic process cannot retrieve any information that was erased earlier. [Scott 2007]


1.5 Rationale

In view of the fact that the conventional research was typically done in 2004 to 2005, this category of study is relatively new. In the period 2004-2005, study in the field of anti-forensics was mainly dissident. Soon after 2006, research shows that foundations of definitions, terms and other actions were established in anti-forensics. Subsequently, the work was performed mainly beginning with the explanation of complex techniques and procedures and the design of tools that counter forensic threats. Considering all these aspects, in this project a test framework is designed to examine some of the anti-forensic applications, which could open new directions in building superior forensic applications for investigative purposes.

Presently, government-supported organizations are performing research on these anti-forensic tools to learn how they work and to take advantage of them in digital forensic examination. To improve forensic applications further, this project helps by developing a prototype version that also overcomes the problems faced with the existing tools. The present methodology of forensic investigation through exploration and attacking has largely resulted in disconnecting the system or powering off the computer, which leads to a post-mortem investigation of the storage medium.

A report covering all these anti-forensic applications and their effect on the information is highlighted in this paper. Serious counter-methodologies should handle the steady vulnerabilities of anti-forensic applications. There is scope in this project for pointing out all anti-forensic features, their functionalities, and methods to overcome the problems faced, by using anti-anti-forensic approaches.

2. NARRATIVE

2.1 Problems from the Investigator's Approach

The process of forensic examination becomes highly complex when a fraudulent person makes the attacks. Methods designed every day in encryption, steganography and other threats force digital forensic investigators to rethink the activities they perform. The present forensic procedures are not that strong in handling these situations, but these applications will surely add very smart additions. This shows that the present forensic procedure does not rely completely on the forensic tools but instead trusts the information and practice that investigators acquire while examining.

Thus, the necessity for evaluating and developing anti-forensic applications has increased. Many of the applications that presently exist for commercial use struggle to remove information without leaving any functional names on the system. For this, an extensive choice of forensic tools is considered and a thorough study is performed of what could endanger examiners by opening up specific threats. This methodology will improve developments by studying the methods to overcome the problems faced by all anti-forensic tools that use anti-anti-forensic techniques [Rogers 2005].

2.1.1 Scope

The aim of the project is to present a basis for studying the performance of anti-forensic applications by evaluating the use of the tools on real-time systems for different platforms. Ultimately, this results in documenting the problem scenarios observed in the traditional software applications across various test cases. In addition, comprehensive testing is performed in order to provide a solution for the issues faced by anti-forensic techniques when confronted with anti-anti-forensic commercial tools like FTK, EnCase etc.

2.2 Functionalities of Anti-Forensic Tools

The key goal of this project is to help the builders of forensic applications produce better products that can guide examiners in carrying out research and understanding the concepts in depth. The scope of the project includes first developing the prototype and then evaluating it by testing. Besides, this project also provides the capability to figure out the functional signatures that every application's loopholes leave, such that the forensic investigation department can understand them and make better applications for capturing digital evidence. All of these are developed to halt the system forensic technologists.

2.3 Reducing the Effectiveness of Anti-Forensic Methods

For anti-forensic techniques to perform their actions well, they must depend on intrinsic issues with the forensic techniques. The attacks used by anti-forensics usually target examiners and also exploit their dependence on particular applications or procedures [Grugq 2005]. Unfortunately, it is not possible for anyone to fully control these problems or to avoid fraudulent evidence [Rogers 2005]. Nevertheless, if the issues are solved one after another, there are chances of minimizing the vulnerabilities to anti-forensics.


Table 3 explains the various exploitations of methods, which depend on three factors: the human element, tool dependence, and physical/logical limitations.

Table 3: Various Exploitations under Anti-Forensic Methods [Garfinkel 2006]

Name: MACE alteration
  Human element: Investigator may assume accuracy of dates and times
  Tool dependence: Tools may not function with invalid or missing dates and times
  Physical/logical limitations: Invalid times and dates make collating information from multiple evidentiary sources difficult or impossible

Name: Removing/wiping files
  Human element: Investigator may fail to examine deleted files
  Tool dependence: Methods of restoring deleted files are specific to the tool, so effectiveness may vary
  Physical/logical limitations: Time required to restore wiped file contents may outweigh the evidentiary value of the data it contained

Name: Account hijacking
  Human element: May fail to consider whether the owner of the account was actually the person at the keyboard
  Tool dependence: Tools may not be capable of extracting information that would aid the investigator
  Physical/logical limitations: Zombied computers may produce indirection

Name: Archive/Image bombs
  Human element: (blank)
  Tool dependence: Improperly designed software may crash
  Physical/logical limitations: Useful data might be located in the bomb itself

Name: Disabling logs
  Human element: May not notice missing logs
  Tool dependence: Software may not flag events
  Physical/logical limitations: Missing data might be impossible to reconstruct

Anyone resolving the problems of anti-forensics will have to understand the real problem in depth. This project makes an effort to explain the clear meaning of anti-forensics and the increasing troubles that forensic examiners face with the tremendously growing usage of anti-forensic tools; examiners should also learn how attackers use anti-forensics to combat and counter the forensic study. The tests performed might not always produce useful content, so the examiner of anti-forensics needs to take advantage of the data to learn from the faults, to study more, and to stay updated with each variation and change happening in the field of anti-forensic tools that are developed and introduced on today's internet.

3. PROPOSED SYSTEM DESIGN

The project has been designed keeping in consideration 4 clear goals:

Simplicity: The application is developed in a way that is easily understandable and testable for the user, which helps the user define the different implementations of anti-forensics in a declarative way by considering the results obtained from this project.

Adaptivity: The application should easily adopt all the testing modules without showing any errors; any further updates should be supported in order to make the application even more powerful.

Scalability: It should be scalable for all test cases implemented by the forensic investigator and should perform well for all test cases, leaving no evidence to the forensic investigator.

Light-weight implementation: The application is implemented in a way that does not require large hardware resources; it works well even with limited network connectivity, needs very minimal configuration, and is very easy to use.

3.1 Framework

The main idea of this project is to develop a tool that is completely based on anti-forensic methods and procedures, to compare it with the currently available free tools, and later to test it under forensic tools for the integrity of the prototype developed, where the forensic tools try to break the efficient working of the anti-forensic tool.

The main idea for this project is to discover the limitations that exist in the current forensic tools, whether commercial or free, and also to educate forensic investigators about the different types of anti-forensic tools in use and how to react when such a situation arises, because nowadays most people are attracted towards forensic tool development. The figure below explains the procedure that takes place between the attacker and the investigator.

Figure 1: Framework Supported for the Application and the Targets of Use [Srilakshmi 2010]

(Figure residue. Client side: applications, files (including MP3 files, text files) and other storage media; anti-forensic tools. Investigator side: forensic examiner tools, equipment and techniques. Common layer: various platforms and file systems (Windows, Unix/Linux, FAT and NTFS); analysis tools (FTK, ProDiscover, TrueCrypt, DiskOff etc.).)


On the client side, the one who committed the crime will have several applications, browsers and other files on the disk at the crime scene to be evaluated, along with anti-forensic tools to damage the digital investigation process, whereas the investigator side will possess the forensic tools and techniques used to acquire evidence. Both types of users work on various platforms and file systems, on which the functionality of the forensic tools should accordingly be well known.

3.2 Proposed Mechanism:

The project is divided into multiple phases. In the first phase an application is developed that looks similar to an anti-forensic tool; this tool is developed by taking reference from open-source tools currently in existence. The application developed will be user friendly and simple, so that it can be easily learned even by users who don't have any computer knowledge. In the later phase, the performance of the application is checked using the forensic tools used by investigators, to check the integrity of the application. The application developed possesses the following requirements:

1. The application should be able to hide all of the information using anti-forensic techniques like steganography and encryption mechanisms.

2. It should be able to hide data from the computer forensic tools that try to retrieve the data.

3. It should give better results in terms of both performance and usability.

4. The application will be developed using one well-known programming language with a user-friendly interface.

5. After developing the application, it is tested under many forensic tools that are currently available in order to educate forensic investigators about anti-forensics.

Figure 2: Snapshot of the prototype application developed

4. Functionalities

The application developed has been divided into 3 phases for hiding the data: encryption, camouflage, and changing file properties. Encryption is the first phase, where the data is encrypted using the SHA algorithm; it converts the data to an unreadable format by using a key. The second phase is to mask the data into another file at its tail; this is a very useful feature for hiding data, since the file looks the same as the original file. The third phase is changing file attributes, where the date last accessed and the name of the file can be modified to throw the investigation off track.

4.1 Encryption:

In this project an encryption algorithm is used to hide data, where one can hide all kinds of file formats, including audio and video files. Encryption converts the text into cipher text using a standard symmetric encryption algorithm: a key must be given first, then the file that needs to be encrypted is added from the drive, and then the file can be encrypted, which makes its content unreadable.

To decrypt the content back to the original file, you need to specify the same key that was given at the time of encryption. Be sure to remember the key you give to encrypt the file, because if you forget the key you may lose the data forever.

Figure 3: Encryption Window in Encachare Application


4.2 Camouflage:

The second functionality in the application is camouflage, which masks a file (a text, audio or any other kind of file) inside an image. It involves an encryption mechanism where the application needs a key to be entered in order to hide the data securely; one can unhide the data when the key is entered, otherwise the data is not found. Its most useful property is that one cannot determine the existence of the data by simply looking at the file. It has another feature of destroying the source file used for data hiding, leaving no evidence to the observer. Unhiding is done by selecting the file used for hiding and giving the specific key that was given when the hiding was done.


Figure 4: Camouflage Window in Encachare Application

Figure 5: Hiding data using Encachare Application with Camouflage

Figure 5 gives a view of how data is hidden in an image file; here a key is given at the top of the window, which should not be less than 4 letters. A text file is selected and then hidden in a JPEG file when the Hide button is clicked.

There are two check boxes: one is used to create a new copy of the mask file while keeping the existing file in its own place; the other is to destroy the source file before hiding.


Figure 6: Searching for Hidden Files using Encachare Application

If the user forgets the file in which the data is hidden, the Encachare application has a feature for searching for a file that has hidden data. To do this, one needs to remember the key that was given at the time the data was hidden.


Figure 7: Unhiding using Encachare Application for Camouflage

Figure 7 explains the unhiding procedure for the camouflage function: one needs to select the file in which data is hidden, then specify a folder where the unhidden data is to be placed. There is a check box at the bottom which specifies cutting the secret file out of the file that has the hidden data.


4.3 Change File Properties:

Change File Properties is a functionality in the application where the file properties can be changed, such as date accessed, created and modified. In this application a file should be selected; then attributes like hidden, system, read-only and more are applied to the file, the properties of the file are changed, and all the changes are applied. The file then carries all the modifications in the folder, which may matter when the investigator uses dates as a reference to retrieve the data. It has another feature of renaming the file to another format; files can even be changed to system files, making the content unreadable and leaving the investigator no evidence by simply looking at the file.

Figure 8: Change File Properties Window in Encachare Application


Figure 9: After applying attributes to a file

To apply attributes like accessed, created and modified, first select the file that needs to be changed, then select Properties in the Encachare application, and later apply the attributes. By following this process the attributes of a file change.


4.4 Renaming:

Encachare has another functionality called file renaming. Using this feature the user can change the file into any format, for example making the file a system file or any video or audio format, etc., which makes the file unreadable and makes it hard to determine what exactly the file is.

Figure 10: After Renaming using Encachare Application

In Figure 10 there is a batch file that has been changed from a text file to a batch file using the Encachare application; if one tries to access the file, it gives an error message about an unreadable format. This feature confuses the investigator when looking for a specific format of files.


5. Testing and Evaluation

This project has its own implementation of functions and is developed under certain procedures. Testing of this application can be done on a desktop or any portable machine with minimum system requirements: it should support all sets of files and should have a minimum amount of RAM and disk space. The tool developed is compared with the other free anti-forensic tools that are available, and the performance of the application is determined by running it through forensic tools like ProDiscover and FTK. All the respective anti-forensic tools and forensic tools are installed on the system under a separate user account; the performance of the tools is determined and included in the final results section. Though not all tools have the same functionality as the application developed, tools with approximately similar functionality are used to determine the efficiency of anti-forensic methods.

5.1 Forensic Tools Used

5.1.1 FTK:

This tool is used by most investigators to retrieve evidence in the field of computer forensics; it is a widely used tool and is able to retrieve all the evidence related to files like pictures, documents, and encrypted data. The mechanism followed by this tool to retrieve data is that it scans the whole hard disk for text strings to detect passwords in order to decrypt the encrypted data. [Garfinkel 2006]

5.1.2 ProDiscover:

This is the second tool used to test the integrity of the anti-forensic application developed. This tool is reliable, and the evidence retrieved by investigators at a crime scene can be provided in court; it is accepted as evidence in both criminal and civil cases. It has the capability of loading an image into a forensic workstation. This tool gained acceptance from many forensic investigators after its accuracy was tested many times. It generates a SHA1 hash signature after the evidence is retrieved, which helps ensure that no modifications are made to the data gathered.

5.2 Testing Methodology

Testing for this application is conducted on a portable drive to check the accuracy of the results. As the application is developed for Windows systems, the portable drive is connected to the Windows system and all the anti-forensic methods are performed on the drive using the application developed. Later the drive is tested with the tools specified in order to check the working of the application. The application deals with hiding of data, so it is named Encachare, and the performance of the application is evaluated against the other tools that are available online. Testing is based on factors like the interface of the application and its impact on forensic tools.

Encrypted data can usually be caught by scanning for character strings that exist in the header or footer of a file. FTK can identify the existence of encrypted data, and so can the Password Recovery Toolkit. To find encryption in an image file, FTK processing is run directly on the images and finds whether any data is encrypted. After finding encrypted data, the investigator must move the data to a separate folder to decrypt it. To decrypt the files one has to know the password; this can be obtained by asking the person who encrypted the data or by using the Password Recovery Toolkit. In this project a standard encryption mechanism has been used which makes decryption impossible and password recovery a nightmare for the Password Recovery Toolkit.
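The header-string scan described above is only one of the checks an examiner runs when looking for encrypted data. The following is an added example, not part of this thesis or of the Encachare tool: it combines the signature scan (using a short illustrative signature table assumed here, not FTK's own database) with a Shannon-entropy measure, which is what flags headerless containers such as TrueCrypt volumes that no signature scan can name. All sample bytes are constructed inline.

```python
"""Added example, not part of the thesis or the Encachare tool: two checks an examiner
can run to flag files that may hold encrypted data.  Check 1 is the header-string scan
described above (a short illustrative signature table, assumed here, not FTK's own
database); check 2 is Shannon entropy, which also catches headerless containers such as
TrueCrypt volumes that no signature scan can name.  All sample bytes are constructed."""
import math
import random
from collections import Counter

# Assumed illustrative signatures of encrypted containers.
ENCRYPTED_SIGNATURES = {
    b"Salted__": "OpenSSL enc output",
    b"-----BEGIN PGP MESSAGE-----": "PGP ASCII-armored message",
}

# Bits per byte.  Plain text scores about 4-5; encrypted or compressed data approaches 8.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def match_signature(data: bytes):
    """Name of the encrypted-container signature the file starts with, or None."""
    for sig, name in ENCRYPTED_SIGNATURES.items():
        if data.startswith(sig):
            return name
    return None


def classify(data: bytes) -> dict:
    """Triage verdict for one file's bytes: signature hit, entropy, combined suspicion."""
    sig = match_signature(data)
    ent = shannon_entropy(data)
    return {
        "signature": sig,
        "entropy": round(ent, 2),
        "suspected_encrypted": sig is not None or ent >= ENTROPY_THRESHOLD,
    }


def triage(files: dict) -> dict:
    """Classify every {name: bytes} entry and return {name: verdict}."""
    return {name: classify(data) for name, data in files.items()}


# Constructed samples: readable text, an OpenSSL-style container with a header, and a
# headerless high-entropy blob standing in for a TrueCrypt volume.
_rng = random.Random(2010)
PLAIN_TEXT = b"The quick brown fox jumps over the lazy dog. " * 40
OPENSSL_LIKE = b"Salted__" + bytes(_rng.getrandbits(8) for _ in range(1024))
HEADERLESS_BLOB = bytes(_rng.getrandbits(8) for _ in range(4096))

if __name__ == "__main__":
    samples = {"notes.txt": PLAIN_TEXT, "file.enc": OPENSSL_LIKE, "volume.bin": HEADERLESS_BLOB}
    for name, verdict in triage(samples).items():
        print(name, verdict)
```

Entropy is a triage hint, not proof: compressed formats such as JPEG, MP3 and ZIP also score close to 8 bits per byte, so a high-entropy file with no recognised signature is a lead for the examiner to follow up, which is exactly the situation a headerless encrypted container creates.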


Encachare

Using this application a text file is encrypted on a pen drive, and later an investigation is performed with the FTK tool to find evidence of the encrypted data. After completion of the investigation, the result is that FTK did not recognize the encrypted data, which makes the tool more powerful because of the encryption scheme it has followed.

To encrypt a file, the application implements one technique from the symmetric key encryption mechanism. It is very important to remember the key entered to encrypt the data, because once the key is lost the data is lost.

The steps that need to be followed while hiding the data using the prototype developed are explained clearly below, together with all the screenshots taken when the FTK tool was run on the encrypted drive.

Figure 11: File Selection for Encryption in Encachare


Figure 12: After Encryption using Encachare Application

After selecting a file, specify the key that needs to be remembered to encrypt and decrypt the file, and finally click Encrypt to encrypt the file. In Figure 12 a text file is created and selected; then the user needs to check one of the two boxes in the encryption window: one applies the changes to the source file itself and the other destroys the source file and creates a new one.

Figure 13: Before Encryption Content in Text File

Figure 14: After Encryption Content in the Text File

In this way the user can encrypt all file formats to an unreadable format using a specific key. Encachare performs many functions during encryption, like destroying the source file after encryption; one can even change the file format by renaming.


After this encryption, the next step in the plan is to test with the forensic tool FTK to find traces of the encrypted data. This involves several steps and takes more time, because FTK scans each frame of the disk to retrieve all the evidence from the portable drive, like previously deleted files, any string data that might give the password for the encryption done, and many more operations.

5.2.1 Analysis using FTK:

Figure 15: FTK Case Information

Figure 15 gives the case details, which can be used as a reference for the investigation: when the investigation was done, who did it, and where the results are located on the hard drive. This is the first step of the FTK investigation procedure.


Figure 16: FTK Processing

In this process the evidence is added from the local drive, then FTK processing on the drive is performed, and finally, after a certain amount of time, the results page can be retrieved to find traces of the encryption mechanism.


Figure 17: FTK Result Page After Encryption

On the result page you can see, on the Encrypted Files tab, that there are no encrypted files on the drive, which leads to the conclusion that FTK did not recognize the existence of encryption by the prototype application developed. Testing results are given completely for the portable drive. FTK was able to display the file as a regular file but does not give any clue for the investigation.

Figure 18: Before Renaming the Text File

Figure 18 gives the user a view of the file chosen for renaming; here the file skotha.txt is selected, and then the Encachare application changed the file to another extension.


Figure 19: FTK analyzing renamed files

Using Encachare the file renaming is done; in this case a PDF file is renamed with a batch extension. Encachare was able to change the extension, but when FTK is run on the portable drive it is able to detect the file with the bad extension and also able to determine the original type of the file. This shows that FTK is capable of finding bad extensions efficiently.
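The "bad extension" finding above, and the renaming feature of section 4.4, both come down to one check: the file's leading bytes are compared with the type its extension claims. The following is an added example, not from this thesis or from Encachare, of that signature-versus-extension check. The magic-number table is a short illustrative subset assumed here, not FTK's database, and every sample file is constructed. It also shows the limitation the thesis's text-file case runs into: plain-text formats have no magic number, so a .txt renamed to .bat is consistent with its content and only review of the content itself reveals it.

```python
"""Added example, not from the thesis or Encachare: the signature-versus-extension
check that lets a tool such as FTK report a 'bad extension', e.g. a PDF renamed to .bat.
The magic-number table is a short illustrative subset assumed here, not FTK's database,
and every sample file below is constructed."""
import os

# Leading bytes -> extensions that legitimately carry them (assumed subset).
MAGIC = [
    (b"%PDF-", {"pdf"}),
    (b"\xff\xd8\xff", {"jpg", "jpeg"}),
    (b"\x89PNG\r\n\x1a\n", {"png"}),
    (b"ID3", {"mp3"}),
    (b"PK\x03\x04", {"zip", "docx", "xlsx", "pptx", "jar"}),
    (b"MZ", {"exe", "dll", "sys"}),
]
# Plain-text formats have no magic number; treat printable content as 'text'.
TEXT_EXTS = {"txt", "bat", "cmd", "csv", "log", "ini"}


def is_printable_text(data: bytes) -> bool:
    return bool(data) and all(32 <= b < 127 or b in (9, 10, 13) for b in data)


def identify(data: bytes):
    """Extensions consistent with the content, or None if the signature is unknown."""
    for sig, exts in MAGIC:
        if data.startswith(sig):
            return exts
    if is_printable_text(data):
        return TEXT_EXTS
    return None


def check_extension(filename: str, data: bytes) -> dict:
    """Compare the claimed extension with what the bytes say the file is."""
    claimed = os.path.splitext(filename)[1].lstrip(".").lower()
    exts = identify(data)
    if exts is None:
        verdict = "unknown signature"
    elif claimed in exts:
        verdict = "ok"
    else:
        verdict = "bad extension"
    return {"file": filename, "claimed": claimed,
            "content_types": sorted(exts) if exts else None, "verdict": verdict}


def triage(files: dict) -> dict:
    """Run the check over a {filename: bytes} mapping and return {filename: verdict}."""
    return {name: check_extension(name, data)["verdict"] for name, data in files.items()}


# Constructed samples mirroring the thesis's test cases.
SAMPLES = {
    "report.pdf": b"%PDF-1.4\n% constructed sample document\n",
    "renamed.bat": b"%PDF-1.4\n% the same PDF renamed to a batch extension\n",
    "skotha.bat": b"@echo text file renamed to .bat\n",  # text content is consistent with .bat
    "notes.sys": b"plain text disguised as a system file\n",
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01",
    "blob.dat": bytes(range(256)),
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name:12s} {verdict}")
```

A file whose signature is unknown is not cleared by this check; it is simply a candidate for the encryption and entropy checks rather than for the extension check.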


Figure 20: FTK analyzing the files with changed properties

In this test case, a file has been taken and its properties have been changed, like last accessed, last modified and date created. FTK could not show the original dates on which it was created, modified and accessed; instead it shows the details of the changed attributes. Whenever the investigator is looking for traces on specific dates, this tool can prevent the data from being retrieved by the investigation.
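FTK reporting the altered attributes as if they were genuine is the "MACE alteration" row of Table 3 in practice. The following is an added example, not from this thesis or from Encachare, of consistency checks an examiner can apply to created/modified/accessed timestamps to spot this kind of tampering. The sub-second and $FILE_NAME checks are NTFS-specific heuristics and are assumed to apply only when the volume is NTFS; all file entries and reference times are constructed.

```python
"""Added example, not from the thesis or Encachare: consistency checks an examiner can
apply to MACE timestamps to spot attribute tampering of the kind shown in Figure 20.
The sub-second and $FILE_NAME checks are NTFS-specific heuristics (assumed to apply only
when fs == "NTFS"); all file entries and reference times below are constructed."""
from datetime import datetime

# Constructed reference points for the examined volume.
NOW = datetime(2010, 4, 1, 0, 0, 0)
VOLUME_CREATED = datetime(2009, 1, 1, 0, 0, 0)


def timestamp_anomalies(entry: dict, now: datetime = NOW,
                        volume_created: datetime = VOLUME_CREATED,
                        fs: str = "NTFS") -> list:
    """Return human-readable flags for one file's created/modified/accessed times."""
    flags = []
    c, m, a = entry["created"], entry["modified"], entry["accessed"]
    if m < c:
        flags.append("modified before created")
    if a < c:
        flags.append("accessed before created")
    for label, ts in (("created", c), ("modified", m), ("accessed", a)):
        if ts > now:
            flags.append(f"{label} in the future")
        if ts < volume_created:
            flags.append(f"{label} predates volume creation")
    if fs == "NTFS":
        # NTFS keeps 100 ns precision; tools that set times from a typed value tend
        # to leave every sub-second field at zero.
        if all(ts.microsecond == 0 for ts in (c, m, a)):
            flags.append("all timestamps have zero sub-second precision")
        # $FILE_NAME times are not changed by the user-mode API that rewrites
        # $STANDARD_INFORMATION, so a $SI creation earlier than $FN creation is a
        # classic sign of backdating.
        fn_created = entry.get("fn_created")
        if fn_created is not None and c < fn_created:
            flags.append("$STANDARD_INFORMATION created earlier than $FILE_NAME created")
    return flags


def triage(entries: dict, **kw) -> dict:
    """Apply the checks to {filename: entry} and keep only files with findings."""
    result = {}
    for name, entry in entries.items():
        flags = timestamp_anomalies(entry, **kw)
        if flags:
            result[name] = flags
    return result


# Constructed entries: an untouched file, a file backdated to 2005, and a file whose
# modification time lies after the examination date.
ENTRIES = {
    "untouched.docx": {
        "created": datetime(2010, 3, 1, 12, 34, 56, 789000),
        "modified": datetime(2010, 3, 2, 9, 0, 1, 120000),
        "accessed": datetime(2010, 3, 3, 8, 15, 30, 500000),
        "fn_created": datetime(2010, 3, 1, 12, 34, 56, 789000),
    },
    "backdated.txt": {
        "created": datetime(2005, 6, 15, 10, 0, 0),
        "modified": datetime(2005, 6, 15, 10, 0, 0),
        "accessed": datetime(2005, 6, 15, 10, 0, 0),
        "fn_created": datetime(2010, 3, 1, 12, 34, 56, 789000),
    },
    "future.pdf": {
        "created": datetime(2010, 3, 1, 12, 0, 0, 5000),
        "modified": datetime(2011, 1, 1, 0, 0, 0, 77000),
        "accessed": datetime(2010, 3, 1, 12, 0, 0, 5000),
    },
}

if __name__ == "__main__":
    for name, flags in triage(ENTRIES).items():
        print(name, "->", "; ".join(flags))
```

The fs parameter matters for the test setup in this thesis: the pen drive used is likely FAT-formatted, and FAT stores timestamps at coarse resolution (2 seconds for modified, one day for accessed), so the zero-sub-second heuristic would flag every file there and must be switched off; the ordering and volume-age checks still apply. Every flag is a lead for the examiner, not proof of tampering on its own.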


Figure 21: FTK searching for camouflage files

Using the Encachare application developed, the masking of one file into another file has been done successfully; here an MP3 file is hidden in an image file. After running FTK on the portable drive, the result is that it detected the image file as a normal file and could not determine the hidden content in the file. Even if it could recognize the existence of hidden data, the password would need to be known to retrieve the data. This makes the retrieval of evidence more complex for the investigator.


Figure 22: Properties of Image File after Masking

Figure 22 shows the properties of the image file after masking. Originally the image size was 834 KB; after masking the MP3 file into the image file, properties such as the size changed. When tested with FTK it is shown as a regular JPEG file.
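The renaming and masking results above both come down to whether a tool inspects file content rather than the name or the metadata. As an added example that is not part of the report or of Encachare, the following Python compares the leading signature bytes with the extension (the bad-extension check that FTK performed on the renamed PDF) and, for a JPEG, walks the marker structure to measure how many bytes follow the real end-of-image marker, which is where an appended payload that grew the masked image would sit. The JPEG bytes, the MP3 stand-in and the signature table are constructed for illustration, and the assumption that the masking appends the payload after the image data is mine, suggested only by the size growth the report describes.

```python
import os

# Leading-byte signatures for the report's test-case file types (illustrative, not exhaustive).
SIGNATURES = {
    "pdf": (b"%PDF-",),
    "jpg": (b"\xff\xd8\xff",),
    "mp3": (b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"),
}

# Constructed minimal JPEG: SOI, APP0, an APP1 segment that itself contains an
# FF D9 (as EXIF thumbnails do), one SOS with a stuffed FF 00 byte, then EOI.
CLEAN_JPEG = (b"\xff\xd8"
              + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
              + b"\xff\xe1\x00\x06\xff\xd8\xff\xd9"
              + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"
              + b"\x12\x34\xff\x00\x56"
              + b"\xff\xd9")
MP3_PAYLOAD = b"ID3\x03\x00" + b"\x00" * 43     # constructed stand-in for an MP3
CAMOUFLAGED_JPEG = CLEAN_JPEG + MP3_PAYLOAD      # image with a file appended to it

def detect_type(data):
    """Type name whose signature matches the leading bytes, or None."""
    for name, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return name
    return None

def jpeg_payload_end(data):
    """Offset just past the real EOI marker, found by walking the segments."""
    # A plain search for FF D9 would stop at the thumbnail's EOI inside APP1.
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xD9:                              # EOI
            return pos + 2
        pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")  # skip segment
        if marker == 0xDA:                              # SOS: entropy-coded data
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break                               # a real marker, not stuffing
                pos += 1
    raise ValueError("no EOI marker found")

def content_findings(path, data):
    """Findings for one file: wrong extension and/or bytes hidden after JPEG EOI."""
    ext = os.path.splitext(path)[1].lstrip(".").lower()
    actual = detect_type(data)
    findings = []
    if actual is not None and ext != actual:
        findings.append("bad-extension:%s" % actual)
    if actual == "jpg":
        extra = len(data) - jpeg_payload_end(data)
        if extra:
            findings.append("trailing-data:%d" % extra)
    return findings
```

A payload that was encrypted before being appended is still counted as trailing bytes even though its content cannot be read without the password, so the presence of hidden data is detectable without recovering it.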

5.2.12 Analysis using ProDiscover

To retrieve the evidence and evaluate the developed application, the investigation was also performed using the ProDiscover tool; the results obtained are as follows.

Figure 23: ProDiscover in action to investigate

Figure 23 shows the ProDiscover tool at start-up. In this figure _._ shows the opening of a new case with the name anti forensics and project number 01. With this the investigation using ProDiscover begins, followed by adding the suspect's device for analysis.

Figure 24: ProDiscover imaging the pen drive

Figure 24 shows adding the suspect's device for imaging using ProDiscover. This lets the forensic investigator choose among the devices connected to the forensic workstation. It gives the investigator the flexibility to choose the location in which to save the image of the suspect device. The compression option can be altered depending on the requirement; if the imaging needs to be a bit-by-bit copy, the compression should be set to none. ProDiscover also provides a password option to protect the image from being accessed by others.

Figure 25: Recovered files from pen drive using ProDiscover

The first view of the evidence extraction using ProDiscover is shown in Figure 25. ProDiscover shows all the files and folders extracted. ProDiscover recovers deleted files and marks them as deleted with a red cross. ProDiscover supplies different views of the extracted files, for example tree structure, file view and cluster view.

Figure 26: ProDiscover analyzing renamed files

One of the test cases is to search for files that have been renamed. ProDiscover was unable to detect the files renamed by the Encachare tool. The folder "attribute changes" contains the files that were renamed using Encachare, and these files were recovered as any regular files by ProDiscover. The only way to detect those files is with the help of the file attributes, which describe the file's access dates and times.

Figure 27: ProDiscover analyzing files with altered attributes

Since ProDiscover was unable to detect the renamed files, the next way of detecting them is shown in Figure 27, which describes the inability of ProDiscover to realize the changes made to the file attributes, such as the date of creation and the last modified date, by the Encachare application. ProDiscover was also unable to figure out the bad-extension files created by the Encachare application.

Figure 28: ProDiscover analyzing camouflage files on pen drive

Figure 28 shows the inability of the tool to discover the file hidden in the image; after the test was done, it shows the camouflage file as a normal image file.

Figure 29: ProDiscover analyzing encrypted files

Figure 29 clearly shows that the ProDiscover tool is not able to distinguish between a regular file and an encrypted file, which shows that ProDiscover lacks a feature for determining encrypted files.

DiskOff:

Figure 30: First look of DiscOff

Figure 30 shows the first look of the application DiscOff [Srilakshmi 2010]. The DiscOff application provides three basic operations: deleting files, cloning files and masking of files.

Figure 31: DiscOff cleaning user data.

DiscOff clears all user data such as cookies, favorites and history, as shown in Figure 31. The user can choose any of the fields to erase completely.

Figure 32: Deletion of files using DiscOff.

Figure 32 shows the file deletion process using the DiscOff application. Normal file deletion just removes the pointer to the file, which makes the file disappear from the user's view of the device, but DiscOff overwrites the deleted files with garbage values. This overwriting keeps forensic tools from detecting the deleted files.

Figure 33: Cloning operation by DiscOff

DiscOff's ability to clone files overwrites all the free space on the disk. Because of the cloning, all the deleted files are deleted permanently, without leaving any traces. The cloning operation is shown in Figure 33.

6. Results

Table 4: Impact on FTK and ProDiscover

Tool        | Change in file attributes                                                                       | Camouflage                         | Encrypted files
FTK         | Unable to detect the changes to file attributes, but able to point out the files with bad extension | Unable to detect camouflaged files | Unable to detect the encrypted files
ProDiscover | Unable to detect either the changes in file attributes or the renamed (bad extension) files       | Unable to detect camouflaged files | Unable to detect the encrypted files

Table 4 (first table) shows the impact of the Encachare application on FTK and ProDiscover. Table 4 gives a complete overview of the test results obtained when the prototype was tested with different test cases against the forensic tools. The testing criteria are based on the individual features of the application and their impact on the forensic tools. When tested with ProDiscover, it could not detect any problem with the hiding techniques implemented, whereas FTK was able to find out the problem with renaming.

Table 5: Comparison between Encachare and DiskOff [Srilakshmi 2010]

Criteria                 | Encachare                                                                                                                                                  | DiskOff
Deletion                 | Not implemented                                                                                                                                            | Deletes the files along with extensions.
Encryption               | Encrypts the files                                                                                                                                         | No encryption
Masking                  | Ability to mask any type and any size of file, using steganographic techniques; any type of file can be used to mask the secret files. The secret files can be retrieved. | Masks the files with garbage values, and masked files cannot be retrieved.
Cloning                  | Not implemented                                                                                                                                            | Can clone any number of files.
Changing file attributes | Can change date created, date modified and last date accessed. Can also rename the file.                                                                   | No such implementation
Impact on FTK            | FTK unable to detect the presence of evidence files even though they exist, but able to detect the bad extension files.                                    | FTK unable to recover the deleted files.
Impact on ProDiscover    | Unable to detect any files that could be suspected.                                                                                                        | Unable to recover any deleted files.

Table 5 describes the functionalities of both DiscOff and Encachare by comparing the operations performed and their impact on forensic tools. The significant difference between the two applications is that DiscOff implements a delete operation, whereas Encachare does not delete any content but rather hides the files from being detected by forensic investigators. The files deleted using DiscOff cannot be retrieved, but the files hidden by Encachare can be made available again by unhiding them. FTK and ProDiscover were unable to recover the content of files that were hidden by Disk Hide.

7. CONCLUSION

Due to the inefficiency of currently available forensic tools, attackers are deploying different tools without getting caught by the investigators. This project helps investigators in determining the different ways attackers can use, where the techniques are based on anti-forensics, which in turn helps in fixing the errors and in eradicating the inability of the currently available forensic tools to determine the attack.

Many of the currently available anti-forensic tools are focused on techniques using either steganography or encryption; the tool Encachare implements both steganography and encryption. Besides this, it also has a feature that is not focused on by many anti-forensic attackers, i.e., changing attributes and renaming the extension of a file.

The main goal of this project is to develop a tool that defeats the investigation process carried out by investigators without getting caught. This tool was tested with the most popular and widely used tools FTK and ProDiscover and gave excellent results without leaving evidence. FTK caught only one feature of the Encachare application, i.e., the renaming of extensions.

Finally, forensic tool developers need to concentrate on the mechanisms implemented in this project in order to protect the data, as most companies, such as banks, mainly rely on data. Though there are sets of rules available for companies regarding security, it is hard to detect the attack if the attacker is a worker in the company.

8. FUTURE WORK

The vast growth in anti-forensic tools and new techniques has led researchers to discover a variety of tools that are challenging to investigators. Forensic investigators should be educated on the various implementations. This project provides details of the things to be improved in the currently existing forensic tools. Future work for this project could be implementing anti-forensic mechanisms that attack the forensic tools themselves and later behave like anti-forensic tools. Future work could also be implementing all the features that are lacking in currently existing forensic tools like FTK and ProDiscover. The project could also be extended to attacking secured data that involves encryption, to challenge forensic investigators. Finally, research and ongoing study should be a part of attackers' practice in order to keep themselves updated with the changes in the forensic area.

9. BIBLIOGRAPHY & REFERENCES

[Anti-Forensics 2011] Anti-Computer Forensics, Available from Wikipedia (visited April 12th 2011).

[Berghel, H. (2007 / Vol. 50, No. 4)] Hiding Data, Forensics, and Anti-Forensics. Communications of the ACM, 15-20, 2007.

[Bin Liu, 2006] "Real-Time Steganography in Compressed Video", 2006.

[Bryan, S. (2006)] Anti-Forensics: Distorting the Evidence, Computer Fraud and Security, May 2006.

[Bragg 2004] Bragg, The Encrypting File System, Available from www.technet.microsoft.com (visited April 14th 2011).

[Dixon 2005] An Overview of Computer Forensics, IEEE, Volume 24 Issue 5, IEEE International, 2005.

[Garfinkel, S. (2006)] Anti-Forensics: Techniques, Detection and Countermeasures. 2nd International Conference on i-Warfare and Security, August 2006.

[Harris, R. (2006)] Arriving at an Anti-Forensics Consensus: Examining how to define and Control the Anti-Forensics Problem. Retrieved December 9, 2010.

[Hilley, S. (2007)] Anti-forensics with a Small Army of Exploits, Digital Investigation, 2007.

[Hong, D. / Lee, S. / Lee, D. / Chang, K. (2007)] A new anti-forensic tool based on simple data encryption, December 8, 2007.

[Kessler, G. (2006)] Anti-Forensics and the Digital Investigator, Accessed on April 2011.

[Mathew, G. (2005)] Evaluating Commercial Counter-Forensic Tools, Digital Forensics Research Workshop, 2005.

[Przemyslaw, P. / Pimenidis, E. (2009)] Computer Anti-forensics Methods and Their Impact on Computer Forensic Investigation, Springer-Verlag Berlin Heidelberg, 2009.

[Rogers 2005] Rogers, Anti-Forensics, Available from www.cyberforensics.purdue.edu (visited April 14th 2011).

[Srilakshmi, E. (2010)] Implementation of Anti-forensic Mechanisms and Testing with Forensic Methods, December 14, 2010.

[Scott 2007] Scott, The Rise of Anti-Forensics, Available from www.csoonline.com/article/221208/The_Rise_of_Anti_Forensics, 2010.

[St. Louis Technology News (2009)] The Dark Side of Anti-Forensics, Accessed on April 4th 2011.

[Shawn, D. (2007)] An Overview of Steganography, July 2007.

[Satya Harini, R. (2010)] Analysis, Implementation and Testing of Anti-Forensic Techniques, May 2009.

[Sandeep 2010] Implementation of Steganalysis Tool to Detect Steganography in Wireless Forensics Investigations, December 2010.

APPENDIX A. DEFINITIONS OF TOOLS [Srilakshmi 2010]

A-1: Tools which target Internet history, tracks of Internet activities and accounts

Absolute Shield: Absolute Shield Internet Eraser protects privacy by cleaning up all the tracks of your Internet and computer activities.

Evidence Blaster: It has the capability to clear all the browser history, cache, system cookies and other temporary files.

Secure Clean: It securely cleans up all unwanted files and Internet clutter, which thereby includes the traces of passwords and other personal information.

Tracks Eraser Pro: Tracks Eraser erases the cache, cookies, history, typed URLs, auto-complete memory and index.dat from the browser and temp folder.

A-2: Tools which target computer related entities like logs, timestamps and hashes

Clear Logs: Clear Logs clears the event log (Security, System or Application) that is specified.

Timestomp: It can be used to modify date and time stamps, thereby falsifying the validity of the document.

A-3: Tools which target forensic tool vulnerabilities

Evidence Eliminator: Evidence Eliminator quickly and professionally deep cleans any computer that has sensitive material.

Hash Tool: Hash (Hacker Shell) is a tool to enable people to evade detection while penetrating a system.

A-4: Tools which target the storage media in hard disk [Grugq 2005]

DBan: DBAN will automatically and completely delete the contents of any hard disk that it can detect, which makes it an appropriate utility for bulk or emergency data destruction.

Declasfy: The program is designed to "wipe" hard disks by writing the entire disk with 0's and 1's.

Diskzapper: Diskzapper Dangerous automatically begins erasing all the disks as soon as the booting process is completed.

Eraser: Eraser is a Windows tool that allows you to securely remove files from the computer's hard drive and securely wipe free space.

Overwrite: Overwrite is a UNIX utility that tries to make data recovery harder.

Wipe: It is a tool that effectively degausses the surface of a hard disk, making it virtually impossible to retrieve the data.

A-5: Tools which target the hiding of files using encryption and steganography techniques [Bragg 2004]

BestCrypt: It tries to disguise the data needed by using strong encryption techniques.

Cryptomite: CryptoMite enables the user to encrypt, decrypt, and wipe files and folders of any type.

Invisible Secrets: Not only encrypts but also hides in places which appear to be innocent.