Counter Forensics
investigation of sophisticated ‘counter-forensic’ techniques to inhibit the recovery of valid evidence from computers. It is now routine procedure to check for data tampering in every case. Consequently, IT forensics specialists have now had to acquire a new set of skills, while at the same time becoming less heavily reliant on the standard forensic applications, some of which counter-forensic tools are designed specifically to subvert.
What Kinds of Counter Forensics Techniques are there?
There are four broad options open to an individual trying to prevent or inhibit the investigation and analysis of data on a computer. They can simply attempt to destroy the data; they can try to alter it; they can hide it within the computer system; or they can try to pre-empt data recovery altogether by preventing the data from accumulating in the first place:
Data Destruction: At first glance, it would appear that the best solution to dealing with incriminating data is simply to destroy it. Many individuals employ different techniques to fully remove accumulated data from their computers, from simply deleting it conventionally, to using sophisticated ‘evidence elimination’ software, to actually replacing the evidential hard drive.
File Deletion: From the perspective of someone with something to hide, the biggest problem with file deletion is that computers store information in many different locations and, in most cases, simple file deletion will do practically nothing to remove it. In the course of normal use, the computer will have created link files and other “tags” in the operating system as well as references in the registry. All of these will indicate that files once stored on the computer are no longer there. Also, because many computer applications make temporary copies of the files on which they work, deletion is no guarantee that the data stored in a file cannot be recovered.
Re-Formatting: A format typically removes only the file table, not the data it described, so to reverse the format all the investigator needs to do is locate the deleted file table and reconstruct it. This is something many forensic tools let investigators do straightforwardly. Occasionally, individuals reinstall the operating system after a format. This can cause some problems because it usually overwrites the old file table. Nevertheless, deleted files on the hard drive can still be found, although the process is typically a lot more difficult and time-consuming.
Defragmentation: When a computer hard drive gets very full, it becomes difficult for the computer to store large files on it, and sometimes it is impossible to store a file in one contiguous space on the drive. Instead, the computer stores parts of the file in a number of different locations, and the file is said to have been ‘fragmented’. Fragmentation tends to slow down the computer a great deal, because the hard drive has to be searched in a number of different locations to assemble a file before it can be loaded into memory. This is particularly problematic because computers routinely use a number of system files which can become fragmented in this way.
Defragmentation reorganises the hard drive so that all parts of all files are stored in a single location in contiguous fashion, and also concatenates all files on a computer into a single logical area on the disk, allowing for a faster file search. In doing this the computer rewrites and erases files all over the disk, causing disruption to data in the unallocated spaces of the hard drive.
These actions are all normal parts of the defragmentation process and are not normally problematic, unless the computer in question is under forensic analysis. Anything that disrupts the unallocated space is very likely to destroy evidential remnants written in those locations. When combined with file deletion it can greatly increase the chance that forensic traces of a deleted file are rendered irrecoverable. As with file deletion, defragmentation is most likely to be effective in destroying evidence when the disk is nearly full, or when defragmentation is performed a considerable time before analysis occurs. Also as with file deletion, defragmentation will still leave a lot of trace evidence across a hard drive which will prove that files have been removed. Hence it is of limited effectiveness as a counter-forensic technique. Furthermore, using a defragmenter is atypical behaviour, and most courts will become suspicious of a defendant who suddenly becomes enthusiastic about defragmenting their computer only when it becomes the likely subject of forensic analysis.
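To make the three mechanisms above concrete (deletion and a quick format remove only the file table and leave block contents in place, while defragmentation overwrites unallocated blocks as it relocates live files), here is an added Python model of a tiny block device with a file table. It is a constructed illustration written for this page, not code from the article; the ToyDisk class, its methods and the sample file names and contents are all hypothetical.

```python
BLOCK = 16  # toy block size in bytes (the whole device is a constructed model)

class ToyDisk:
    def __init__(self, nblocks):
        self.blocks = [b"\x00" * BLOCK for _ in range(nblocks)]
        self.table = {}  # name -> list of block indices: the "file table"
    def free_blocks(self):
        used = {b for idx in self.table.values() for b in idx}
        return [i for i in range(len(self.blocks)) if i not in used]
    def write(self, name, data):
        chunks = [data[i:i + BLOCK].ljust(BLOCK, b"\x00") for i in range(0, len(data), BLOCK)]
        free = self.free_blocks()
        if len(chunks) > len(free):
            raise OSError("disk full")
        idx = free[:len(chunks)]  # first-fit; gaps in this list mean the file is fragmented
        for i, chunk in zip(idx, chunks):
            self.blocks[i] = chunk
        self.table[name] = idx
    def delete(self, name):
        del self.table[name]  # conventional deletion removes only the table entry
    def quick_format(self):
        self.table = {}  # wipes the file table; the data blocks are untouched
    def carve(self, marker):
        # What a carving tool does: scan unallocated blocks for a known signature.
        return [i for i in self.free_blocks() if marker in self.blocks[i]]
    def defragment(self):
        # Relocate live files into one contiguous run at the start of the disk:
        # destination blocks are overwritten, vacated blocks keep their stale content.
        new_blocks, new_table, cursor = list(self.blocks), {}, 0
        for name, idx in self.table.items():
            new_table[name] = list(range(cursor, cursor + len(idx)))
            for i in idx:
                new_blocks[cursor] = self.blocks[i]
                cursor += 1
        self.blocks, self.table = new_blocks, new_table

def demo():
    disk = ToyDisk(8)
    disk.write("notes.txt", b"A" * 32)          # blocks 0, 1
    disk.write("evidence.txt", b"SECRET-PLAN")  # block 2
    disk.write("other.bin", b"B" * 16)          # block 3
    disk.delete("evidence.txt")
    after_delete = disk.carve(b"SECRET")        # [2]: deletion left the content in place
    disk.defragment()                           # other.bin moves 3 -> 2, overwriting the remnant
    after_defrag = disk.carve(b"SECRET")        # []: the remnant is gone
    disk.quick_format()
    after_format = disk.carve(b"AAAA")          # [0, 1]: a format alone leaves file data behind
    return {"after_delete": after_delete, "after_defrag": after_defrag, "after_format": after_format}
```

Note that the defragmented copy of other.bin now sits in both block 2 and the vacated block 3, which is exactly the kind of duplicated trace that still shows a file was moved even though the deleted file's own content is gone.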
The full article appears in Issue 2 of Digital Forensics Magazine, published 1st February 2010.