Wednesday, October 1, 2008

Defeating Computer Forensics

From time to time the subject of anti-forensics (defeating computer forensics) comes up. I thought I would share some of my experience in this area to hopefully clarify some misinformation out there.

Can digital forensics be defeated? The short answer is, yes it can. But it is harder to do than most people think.

You have probably seen, or even used, one of the privacy programs out there that advertise completely removing your Internet browsing tracks or any evidence of your computer usage.

While that sounds really cool, the reality is that these products do work, but with caveats.

While one may be good at removing your Internet history from the time you start using it, it typically does not go back and remove older history from the computer. Some do this; some do not.

They also claim to wipe out your tracks in other areas, including wiping the deleted files from your computer. The ones that have this feature do a good job of it.

The reality is that most people who use these products are more interested in hiding their actions from their spouse or employer than from a forensics examiner, simply because few people believe their computer will ever be subjected to an examination by a computer forensics expert.

So while they do a good job of hiding your activities from your spouse or boss, they are not a cure-all if your computer is seized by police or taken in a civil case via subpoena.

So let's talk about what happens in real life when it comes to trying to defeat digital forensics:

1. Some of these tools actually create a log of their activities that details exactly what they wiped and when, including file names.
2. What the tools actually remove varies widely in success rate and in many cases depends on the options set by the user.
3. Wiping the unused portion of the hard drive takes a long time and few users have the patience to do it regularly.
4. None of these tools is 100% effective at wiping out all forensically useful data. You simply can't do that and still have an operational computer.
5. The average computer user is just as lazy about keeping their computer clean using these tools as they are about maintaining the security of their passwords.

The only way to completely defeat a forensics examination is to overwrite the entire hard drive with data such as all 1s or all 0s. This takes a long time, requires wiping software, and renders the computer inoperable until you completely reinstall the operating system. Very few people are willing to go to this extent to cover their tracks, or are even aware of how to do it. And it is obviously suspicious behavior on its own.

And of course, if law enforcement is knocking on the door with a warrant, this method is not going to work anyway.

I have examined quite a few computers that have had evidence erasing software used on them (not a complete overwrite mind you). In every case, I was able to recover valid information to use in the case.

For one thing, Windows creates files that these tools do not address, which store user activity information that a competent forensics examiner can easily locate.

On the other side of the coin, a very savvy computer user can completely defeat any type of forensics examination and freely commit all kinds of skulduggery, without fear of being caught by an examination of their computer, and without using any of the tools mentioned here or wiping the hard drive.

I know how to do it and I am sure others do as well. But I am not going to tell anyone, especially not in this blog. My apologies to those budding criminal masterminds out there.

2 comments:

  1. Wonderful post. Really enjoyed reading it. Didn't know this was possible. However, as law-abiding citizens, shouldn't we cooperate in case of an emergency?

  2. Thank you for the kind comment.

    I would be happy to share information with any law enforcement agency who contacts me. However, I don't have the ego to believe I am the only one who has discovered this. In any case, I would never release this kind of information to the general public.

    To your point, cooperation is always best.


I have moderated my comments due to spam.