Anti-Forensic Techniques: Secure Deletion and File Hiding

 

Secure Deletion

Anti-Forensics includes many things for secure deletion of data or evidence. Some of them are mentioned below.

Destruction of Evidence

This method removes the evidence and make recovery impossible.

Two methods mention below about this:

  • Physical destruction: Use of magnetic field or other less subtle and unconventional methods.
  • Logical destruction: Overwriting information/data or eliminating it.

Artifact wiping is the technique by which we can successfully delete file or completely remove file from any drive. By this particular files or file system is permanently eliminate from system.

There are various methods for this:

  • Disk cleaning utilities: There are so many techniques are present like BC Wipe, Eraser, cyberscrubs cybercide, killdisk, PC inspector, CMRR secure erase.
  • File wiping utilities: This utility is used for deleting individual files from an OS. It is relatively fast as compared to disk wiping utility. There are also some utilities are present like BC wipe, R-wipe & clean, eraser avital wipe, cyberscrubs privacysuite shred. Then for SSDs it is more difficult to wipe since firmware can write to other cells and hence allow data recovery. Hence ATA secure erase should be used on the whole drive with tools like hdparm.
  • Disk degaussing/destruction techniques: A magnetic field is applied to a digital media device. The result is a device that is entirely clean of any previously stored data. It is effective but costly because of specialized instruments. It is NIST recommended techniques. Some techniques are disintegration, incineration (burning), pulverize (to fine particles), shredding, melting.

File Hiding

File hiding is the process of making data difficult to find while also keeping it accessible for future use. Makes digital forensic examinations difficult. When different data hiding methods are combined they can make a successful forensic investigation nearly impossible.

Some forms of data hiding are:

Encryption: One of the most used techniques to defeat anti forensics for computer is data encryption. Most publicly available encryption programs allow the user to create virtual encrypted disks which can only be opened with a designated key. Using modern encryption algorithms and various encryption techniques these programs make the data virtually impossible to read without the designated key. File level encryption encrypts only the file contents. This leaves important information such as file name, size and timestamps unencrypted. Parts of the content of the file can be reconstructed from other locations, such as temporary files, swap file and deleted, unencrypted copies. Most encryption programs have the ability to perform a number of additional functions that make digital forensic efforts increasingly difficult. Some of these functions include the use of a key file, full-volume encryption, and plausible deniability. The widespread availability of software containing these functions has put the field of digital forensics at a great disadvantage.

Steganography: The secret key steganography uses the combination of the secret key cryptography technique and the steganography approach. The idea of this type is to encrypt the secret message or data by secret key approach and the hide the encrypted data within cover carrier. Steganography is the technique of hiding secret data within an ordinary, non-secret, file, or message in order to avoid detection; the secret data is then extracted at its destination. The use of steganography can be combined with encryption as an extra step for hiding or protecting data. For example, using invisible ink to hide secret messages in otherwise inoffensive messages; hiding documents recorded on microdot — which can be as small as 1 millimetre in diameter — on or inside legitimate-seeming correspondence; and even by using multiplayer gaming environments to share information.

In modern digital steganography, data is first encrypted or obfuscated in some other way and then inserted, using a special algorithm, into data that is part of a particular file format such as a JPEG image, audio, or video file. The secret message can be embedded into ordinary data files in many ways. One technique is to hide data in bits that represent the same colour pixels repeated in a row in an image file. By applying the encrypted data to this redundant data in some inconspicuous way, the result will be an image file that appears identical to the original image but that has “noise” patterns of regular, unencrypted data.

Slack space: The ‘Slack Space’ in a nutshell, is the unused space between the end of a stored file, and the end of a given data unit, also known as cluster or block. If the file occupies a less amount of space than the size of the data cluster where it is going to be stored, the excess space is known as slack space. 

Slack space is the leftover storage that exists on a computer’s hard disk drive when a computer file does not need all the space it has been allocated by the operating system. The examination of slack space is an important aspect of computer forensics. Slack space is an important form of evidence in the field of forensic investigation. Often, slack space can contain relevant information about a suspect that a prosecutor can use in a trial.

Primarily three different types of slack space

  • RAM Slack: Unused space between the end of the logical file and the end of the memory page.
  • File Slack: Unused sectors within the last sector the file occupies
  • Volume/partition slack: Unused space between the end of the filesystem and the end of the partition that it occupies
We learnt various techniques to secure delete the file and file or data hiding methods.

Comments

Post a Comment

Popular posts from this blog

Basics Forensics Imaging with dd, dcfldd, and dc3dd

Image
  Linux Data acquiring commands DD (Data Dump) dd is use in Linux or Unix operating systems for cloning or converting the files. dd can create bit-by-bit copy of physical drive to generate the image. This image can be used by most of the forensics purposes. Some practical examples on dd command: To backup the entire hard disk:  To backup a complete copy of a hard disc to a different hard disc connected to the identical system, execute the dd command as shown.      # dd if=/dev/sda of=/dev/sdb      'if ' referred as input file, and of referred as output fie. We must be mentioned input and output file carefully. To copy, drive to drive using dd command as shown below, sync option allows you to replicate everything using synchronized input/output.     # dd if=/dev/sda of=/dev/sdb conv=noerror, sync To backup a Partition: You can use the device name of a partition in the input data file, and into the output data either you will be able ...
Read more

Understanding and Demonstrating working of Jumplists

Image
  To understand and demonstrate working of jumplists from data forensic perspective by using jumplists view tool. Jump Lists basically created for providing the quick access to the recently opened documents for respective application. Which is first introduced in the Windows 7. For data forensic perspective, By using Jumplists forensic investigator can analyse the suspect's activity like tracking recently opened application, when the file or application opened or closed, etc. Jumplists provide the Most Recently Used and Most Frequently Used list for respective application which is helpful for data forensic. There are two sets created for storing jumplists in windows: AutomaticDestinations This is automatically generated by Operating System when any file or application opened. The files stored in it, has  .automaticDesinations-ms  extension. To access this file we need to go through the following path. C:\Users\XYZ\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinat...
Read more

Study and install Pro-discover and Encase free version

Image
  Pro-discover Pro-discover is a software in a digital forensics that helps investigators to acquire the evidence from computer device. Pro-discover is mostly used in digital forensics and incident response. By using Pro-discover tool, we can create a image of any disk drive or storage drive to analyse, discover the data for investigation. Some key features of Pro-discover includes: Preview and Image Disks Investigate all filesystems Analyse email artifacts and web Report generation (hash value or automatic) View Internet History You need to install first Pro-Discover basic software which is available freely. After that opening it, we will see the following launch dialog for creating a new project. Mention the project number and project file name on it and click open button. Standard format of Project Number is like  '001-HDD-1-27-07-2022'  and Project File Name is  'SampleDemo-001-HDD-1-27-07-2022'. Then click on the Capture and Add Image which is in the left h...
Read more