BATTLEFIELD DIGITAL FORENSICS
As presented by Azadegan, Liu, Sistani and Acharya in [22], many forensics tools follow a similar pattern of activities to retrieve data from an Android smartphone. Detecting the forensics tool enables various scenarios. Techniques for causing a 'sudden death', erasing sensitive data and replacing all data on the storage are presented in the paper [22]. It is worth noting that similar techniques can be used to detect memory and other types of forensic analysis. Such detection techniques have been used by various malware. Because the use of anti-forensics techniques cannot be seen outwardly from the device, it is impossible to say whether something has been modified or deleted when the forensics tool is connected to the device. One approach is to use specially crafted or modified tools that behave differently from commonly used free and commercial forensics tools. Such anti-forensics techniques can also be categorised as attacks against forensics tools, if they try to harm the tool.

Recommendation: Be aware that various anti-forensics techniques are able to securely wipe the storage media.
7.3 Obfuscation
Obfuscation can be used in various places, such as in files, code, or networks. Usually, 'trail obfuscation' means creating a large amount of fake evidence around the real evidence to make the investigator's work harder. This has to be remembered when possible evidence is recovered from the machine. One way, for example, is to create a huge number of interesting-looking files with random data, encrypt them with a random key, and delete them insecurely so that they can be found later by investigators. There are publicly available scripts for this, as mentioned by Phil Knüfer in [23, p. 9], which means that even script kiddies can use such techniques.
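As an added, investigator-side illustration (not from the report or its references): a triage pass that ranks recovered files by byte entropy and header, so that the random-filled, encrypted, insecurely deleted decoys described above are queued behind files with a recognisable structure. The signature list, the threshold and the sample files are constructed for the example.

```python
import math
import random
from collections import Counter
from typing import Dict, Optional

# Constructed, deliberately short signature list; a real triage run would use a full database.
KNOWN_MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"%PDF-": "pdf", b"PK\x03\x04": "zip", b"\xff\xd8\xff": "jpeg"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is a uniform byte distribution, i.e. random or encrypted content."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def file_type_hint(data: bytes) -> Optional[str]:
    """Format name from a known header, 'text' for mostly printable ASCII, else None."""
    for magic, name in KNOWN_MAGIC.items():
        if data.startswith(magic):
            return name
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in data)
    return "text" if data and printable / len(data) > 0.95 else None


def triage(data: bytes, threshold: float = 7.8) -> Dict[str, object]:
    """Rank one recovered file. Near-maximal entropy with no recognisable header is what a
    random-filled, encrypted decoy looks like; such files are queued for later review,
    never discarded, because a genuine encrypted container looks exactly the same."""
    ent, hint = shannon_entropy(data), file_type_hint(data)
    if hint is not None:
        verdict = "known-format:" + hint
    elif len(data) >= 1024 and ent >= threshold:
        verdict = "decoy-candidate"
    else:
        verdict = "review"
    return {"entropy": round(ent, 3), "type": hint, "verdict": verdict}


# Constructed stand-ins for recovered files; seeded so the run is reproducible.
_rng = random.Random(1)
_filler = lambda n: bytes(_rng.getrandbits(8) for _ in range(n))  # portable stand-in for os.urandom
SAMPLES = {
    "notes.txt": b"Meeting at the bridge at 0400. Bring the radio set.\n" * 20,
    "photo.jpg": b"\xff\xd8\xff\xe0" + _filler(8192),  # compressed image data is high-entropy; the header keeps it
    "report.dat": _filler(8192),  # structureless random filler, as a decoy would be
}


def triage_all(samples: Dict[str, bytes] = SAMPLES) -> Dict[str, Dict[str, object]]:
    return {name: triage(blob) for name, blob in samples.items()}
```

Running `triage_all()` on the samples marks only `report.dat` as a decoy candidate; the deleted-then-recovered decoys of a real case would be fed in the same way, one blob per carved file.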
This chapter does not go into details of all the possible obfuscation techniques, but tries to concentrate on ones that are useful to know about during a special operation.
One technique the enemy could use is data saturation. This means collecting and distributing a huge amount of media (such as CDs, DVDs, floppy and Blu-ray disks, SD cards, USB flash drives, hard drives and SSD disks, but also cell phones). In such a case, it might be impossible to distinguish the real evidence from the fake during the special operation,²⁰ and also to collect all the media.
Figure 9. Piles of dead hard drives.²¹
²⁰ In a safe situation (such as in law enforcement) it would be possible to collect all the evidence, but discovering the real ones might still take too much time in the analysis phase.
²¹ Figures from Flickr https://www.flickr.com/photos/jpf/152611698 and https://www.flickr.com/photos/jpf/152611490.