Computer Anti-forensics Methods and Their Impact on Computer Forensic Investigation

Viewed generically, anti-forensics (AF) is that set of tactics and measures taken by someone who wants to thwart
the digital investigation process. This paper describes some of the many AF tools and methods, under the broad
classifications of data hiding, artefact wiping, trail obfuscation, and attacks on the forensics tools themselves.
The concept of AF is neither new nor solely intended to be used by the criminal class; it also has legitimate use
by those who wish to protect their privacy. This paper also introduces the concept of time-sensitive anti-forensics,
noting that AF procedures might be employed for the sole purpose of delaying rather than totally
preventing the discovery of digital information.
Keywords
Anti-forensics, data hiding, artefact wiping, trail obfuscation, attacks on computer forensics tools, privacy
INTRODUCING ANTI-FORENSICS
The term anti-forensics (AF) has recently entered into the vernacular of digital investigators. Although
conceptually not new, it is instructive to observe that there is no clear industry definition (Harris, 2006). Rogers
(2006), a practicing digital forensics educator and investigator, defines AF as “attempts to negatively affect the
existence, amount, and/or quality of evidence from a crime scene, or make the examination of evidence difficult
or impossible to conduct.” Liu and Brown (2006), practicing creators of AF methods and tools, offer a slightly
darker definition: “application of the scientific method to digital media in order to invalidate factual information
for judicial review.”
The term forensics is significant and quite specific — whatever AF is pertains to the scientific analysis of