BATTLEFIELD DIGITAL FORENSICS
7 Anti-Forensics Measures
Teemu Väisänen
The use of anti-forensics (or counter-forensics) techniques is a common practice for advanced and persistent actors, particularly in the contexts of targeted attacks or efforts by organised criminals to erase digital traces [13]. It is also a technique that can be used to provide additional privacy and protection for one's own systems. As mentioned in 6.1, it is recommended to train personnel in basic computer forensics and anti-forensics techniques.

Anti-forensics techniques can be categorised at a high level as (data) hiding, artefact wiping, obfuscation, exfiltration, attacks against computer forensics, and booby-traps. They can also be categorised based on the achieved effect. Steganography, for example, can hide and obfuscate data, and can be used for exfiltration. Botas et al. have built their taxonomy of anti-forensics techniques around every component of a computer that handles data: memory, computer forensic tools, network, and data [14].

Anti-forensics might include tampering with log files, using wiping or ‘cleaning’ tools, deploying rootkits, using hidden data storage areas, or even deploying traps to be activated in the course of a later investigation. Some of the anti-forensics techniques can be categorised as destructive processes. It should be noted that it is highly likely that, during a strike, SOF will not be able to do any analysis to discover anti-forensics techniques in place. Still, it is good to know what kinds of techniques exist at a basic level, and especially techniques that might affect the work done during the strike.

Captured devices might be booby-trapped⁷ or configured with anti-forensics software, and this is one of the primary reasons why combat forces require training in digital forensics [15]. If possible, captured computers should not be shut down. This is because hard drives or SSD disks may be fully encrypted, or the whole OS may run from a live distribution,⁸ which often makes later investigation impossible. Instead, live imaging of storage media and RAM should be considered and pursued. More information about volatile memory capture is given in Chapter 8 – ‘Exfiltration Solutions’. It is good to know that memory anti-forensics techniques may be present, so the volatile memory may have been modified or some evidence hidden. With current forensics tools and manual analysis, there is no time to detect usage of memory anti-forensics techniques during a special operation: custom acquisition tools are required that are able to automatically check for memory anti-forensics.

Even though anti-forensics techniques provide many additional challenges for the operation and subsequent analysis, it is claimed in [15] that there have been no published reports confirming the use of effective anti-forensics techniques on the digital devices seized from terrorists. It is therefore important to seek indicators of external forms of support in increasingly sophisticated techniques.
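The advice above (do not power off a captured computer whose disks may be encrypted or whose OS may be running from live media) can be turned into a quick triage check that a first responder runs on the still-running machine. The script below is an added example written for this chapter; it is not part of the report. It assumes a Linux target and reads two inputs in the formats of /proc/mounts and of `lsblk -rno NAME,TYPE`; the sample listings embedded in it are constructed for the example, and on a real system the caller would pass the live command output instead. The mount-type list (squashfs, iso9660, overlay, aufs) is an assumption about what typical live distributions use; overlay is also common on container hosts, so a hit there is an indicator to confirm, not proof.

```shell
#!/bin/sh
# Added triage example (not from the report): decide, on a still-running Linux
# machine, whether powering it off would lose the evidence the chapter warns
# about (root filesystem on live media, open encrypted volumes).

# Constructed /proc/mounts from a typical live-CD session: root on an overlay
# above a read-only squashfs image loaded from the boot medium.
SAMPLE_MOUNTS='/dev/sr0 /run/initramfs/live iso9660 ro,relatime 0 0
/dev/loop0 /run/rootfsbase squashfs ro,relatime 0 0
overlay / overlay rw,relatime,lowerdir=/run/rootfsbase,upperdir=/run/overlayfs,workdir=/run/ovlwork 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0'

# Constructed `lsblk -rno NAME,TYPE` listing with one dm-crypt mapping open.
SAMPLE_BLK='sda disk
sda1 part
sda2 part
luks-data crypt
sr0 rom'

# Print the filesystem type mounted at / (field 3 of /proc/mounts).
root_fs_type() {
    printf '%s\n' "$1" | awk '$2 == "/" { print $3; exit }'
}

# Count mounts whose filesystem type is typical of live media (assumed list).
# Prints 0 when none are present.
live_media_mounts() {
    printf '%s\n' "$1" | awk '$3 ~ /^(squashfs|iso9660|overlay|aufs)$/ { n++ } END { print n + 0 }'
}

# Count open dm-crypt mappings: each is data that becomes unreadable once the
# machine is powered off and the key leaves RAM.
open_crypt_devices() {
    printf '%s\n' "$1" | awk '$2 == "crypt" { n++ } END { print n + 0 }'
}

# Combine the checks into a verdict: "capture-live" when a shutdown would lose
# evidence and live imaging of RAM and storage should be done first,
# "normal" otherwise.
shutdown_verdict() {
    mounts="$1"; blk="$2"
    if [ "$(live_media_mounts "$mounts")" -gt 0 ] || [ "$(open_crypt_devices "$blk")" -gt 0 ]; then
        echo capture-live
    else
        echo normal
    fi
}

# Demonstration on the constructed samples. On a real system pass
# "$(cat /proc/mounts)" and "$(lsblk -rno NAME,TYPE)" instead.
echo "root filesystem type : $(root_fs_type "$SAMPLE_MOUNTS")"
echo "live-media mounts    : $(live_media_mounts "$SAMPLE_MOUNTS")"
echo "open crypt mappings  : $(open_crypt_devices "$SAMPLE_BLK")"
echo "verdict              : $(shutdown_verdict "$SAMPLE_MOUNTS" "$SAMPLE_BLK")"
```

The script only reads kernel-exported state and does not modify the system, which matters because every write on a live machine alters the evidence; it is meant to be run from the responder's own medium before any imaging tool is started.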
7.1 Data and Device Hiding

This chapter describes data and device hiding techniques that selected members of SOF, specifically the (SOF)DFA, should know about.

Data hiding includes various techniques such as encryption, steganography, and the use of packers. It is basically impossible to detect data hiding during a strike, and this should be taken into account when designing and
⁷ Booby-traps are aimed at creating uncertainty, lowering the morale of the military forces and hindering their movements, and might contain explosives [3, p. 21]. However, in this study we use the term also to include digital booby-traps intended to destroy data.
⁸ As described in [13, p. 36], no evidence can subsequently be found on the hard drive if any Linux live distribution (live-CD) has been used.