CF Lecture 09 - Anti Forensics Techniques Part 2

The document discusses various anti-forensic techniques used by attackers to evade detection during forensic investigations. It describes techniques like data deletion, password protection, steganography, encryption, tunneling, onion routing, obfuscation, and spoofing. Specific examples covered include altering file headers to disguise file types, hiding data in slack space, concealing messages in images using steganography, encrypting data using algorithms like AES and DES, using VPNs for tunneling traffic, and disguising network identities through IP and MAC spoofing. The document explains how these techniques make it difficult for investigators to retrieve evidence and trace digital activities.


Dr. Zunera Jalil
Email: [email protected]
Anti Forensics 2

• A set of techniques that attackers or perpetrators use to avert or sidetrack the forensic investigation process, or to make it much harder.
• Attackers try to reduce both the quality and the quantity of digital evidence.
• Attackers try to cover their tracks by deleting browser history, cached files, and even cookies.
• They use purpose-built software and tools to alter their digital footprints.
Anti Forensics 3

• Makes a computer investigator’s life difficult.
• Cybercriminals can perform a wide range of nefarious activities (committing fraud, stealing crucial data, etc.) and then conceal the traces.
• Anti-forensic tools are designed to hide, remove, and ultimately hinder cyber forensic analysis.
• Retrieving evidence during a computer investigation becomes exhausting.
Some Examples 4

• An attacker can alter the header of a file to deceive people and tools.
– Renaming a .jpg to .mp3 gives the impression of an audio file, but the file’s magic bytes (the first few bytes of its header) still identify it as a JPEG; signature analysis catches this mismatch between extension and header.
– Overwriting those header bytes instead defeats signature-based identification, so an investigator who filters on a particular file format can skip over important evidence.
• An attacker can use slack space, i.e., the unused bytes between the end of a file’s data and the end of its last allocated cluster, to hide sensitive sections of a file.
• Dividing a file into smaller sections and hiding the pieces in the slack space of several files makes data retrieval and reassembly challenging.
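The two tricks on this slide can be checked and exercised in a few lines. The following is an added example, not code from the lecture: the signature table is a small constructed subset of what a real carving tool carries, the 4096-byte cluster size is an assumption, and the JPEG-like byte strings are constructed samples rather than real files.

```python
from typing import Optional

# Magic-byte signatures for a few common formats. Constructed subset for this example;
# real file-identification tools (file(1), carvers) carry hundreds of entries.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "pdf": (b"%PDF-",),
    "zip": (b"PK\x03\x04",),
    "mp3": (b"ID3", b"\xff\xfb", b"\xff\xf3"),  # ID3v2 tag, or a raw MPEG audio frame
}


def identify(data: bytes) -> Optional[str]:
    """Return the format implied by the file's leading bytes, or None if no signature matches."""
    for kind, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return kind
    return None


def extension_of(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def extension_mismatch(name: str, data: bytes) -> bool:
    """True when the header says one format and the extension claims another."""
    actual = identify(data)
    return actual is not None and actual != extension_of(name)


def scan(files):
    """files: iterable of (name, bytes). Returns names whose header and extension disagree."""
    return [name for name, data in files if extension_mismatch(name, data)]


def slack_bytes(file_size: int, cluster_size: int = 4096) -> int:
    """Unused bytes between the end of file data and the end of its last allocated cluster.
    Assumes a 4 KiB cluster; the real value comes from the volume's boot sector."""
    if file_size <= 0:
        return 0
    return (-file_size) % cluster_size


# Constructed sample: a JPEG start-of-image marker followed by filler, not a real photo.
JPEG_LIKE = b"\xff\xd8\xff\xe0" + b"\x00" * 60
# The same bytes with the first three header bytes overwritten: the "altered header" trick.
HEADER_WIPED = b"\x00\x00\x00" + JPEG_LIKE[3:]
```

Renaming alone (`song.mp3` holding `JPEG_LIKE`) is caught by the mismatch scan; wiping the header bytes makes `identify` return nothing, which is why an investigator should not rely on signature hits alone but also carve on internal structure. `slack_bytes` shows how much room the last cluster of a file leaves for hidden data, which is the only part of the file that ordinary copy tools never read.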
Anti-Forensic Techniques 5

• Data Deletion
• Password Protection
• Steganography
• Encryption
• Tunnelling
• Onion Routing
• Obfuscation
• Spoofing
Steganography 6

• Steganography is the act of concealing data in plain sight.
• Most often, the data is exchanged inside an image.
• A portion of the image is altered so slightly that the change is not easily identifiable.
• The processed file looks ordinary and can go unnoticed.
• Historically, messages were concealed with microdots and invisible ink; the modern-day equivalent hides them inside digital media.
Steganography 7

• There is another form, linguistic steganography, where the message is hidden in natural-looking text.
• Steganography allows messages and even large files to be hidden in pictures, text, audio, and video files.
• It is challenging to identify a steganographic attack, but statistical irregularities (an unusual distribution of least-significant bits, or repetitive patterns) can reveal the secret message to the investigator.
• Professionals use steganalysis tools to spot hidden data.
Steganography 8 to 11 (image-only example slides; the demonstration uses the browser tool at https://stylesuxx.github.io/steganography/)
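The least-significant-bit (LSB) method that image steganography tools such as the one linked above rely on, written out as an added example; this is not code from the lecture or from that tool. It works on a bare array of 8-bit samples so it runs without an image library; the flat 64x64 "image", the 4-byte length header and the LSB-ratio heuristic are assumptions made for the demonstration.

```python
from typing import List

HEADER_BYTES = 4  # big-endian payload length stored in front of the payload (assumption)


def _to_bits(data: bytes) -> List[int]:
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def _from_bits(bits: List[int]) -> bytes:
    out = bytearray()
    for i in range(0, len(bits) - 7, 8):
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        out.append(value)
    return bytes(out)


def embed(cover: bytes, payload: bytes) -> bytes:
    """Hide payload in the least-significant bit of consecutive cover samples."""
    message = len(payload).to_bytes(HEADER_BYTES, "big") + payload
    bits = _to_bits(message)
    if len(bits) > len(cover):
        raise ValueError("cover too small: need %d samples, have %d" % (len(bits), len(cover)))
    stego = bytearray(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit  # replace the LSB, leave the other 7 bits alone
    return bytes(stego)


def extract(stego: bytes) -> bytes:
    """Read the length header, then exactly that many payload bytes, from the LSBs."""
    lsbs = [b & 1 for b in stego]
    length = int.from_bytes(_from_bits(lsbs[:HEADER_BYTES * 8]), "big")
    start = HEADER_BYTES * 8
    end = start + length * 8
    if end > len(lsbs):
        raise ValueError("declared length exceeds carrier")
    return _from_bits(lsbs[start:end])


def lsb_one_ratio(samples: bytes) -> float:
    """Fraction of samples whose LSB is 1: a crude steganalysis feature. A smooth region of a
    real image has strongly correlated LSBs; a region carrying a payload drifts towards 0.5."""
    if not samples:
        return 0.0
    return sum(b & 1 for b in samples) / len(samples)


def max_distortion(cover: bytes, stego: bytes) -> int:
    """Largest per-sample change; LSB embedding never moves a sample by more than 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


# Constructed cover: a flat 64x64 8-bit greyscale "image" (every sample 200), not a real picture.
COVER = bytes([200]) * (64 * 64)
SECRET = b"meet at 0300"
STEGO = embed(COVER, SECRET)
```

The stego image differs from the cover by at most one grey level per sample, which is why the eye cannot see it, and only the first `8 * (4 + len(SECRET))` samples are touched, which is why the lecture's "repetitive patterns" hint works: on a flat cover the LSB ratio jumps in exactly the region that carries the payload and is zero everywhere else.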
Steganography- Question 12

How can steganography be used as an anti-forensic technique?
Steganography- Question 13

What types of crimes can be committed using steganography?
Encryption 14

• Data is converted into an unreadable format (“encrypted data” or “ciphertext”) using a key, or a pair of keys in public-key systems.
• A process that encodes a message or file so that it can only be read by certain people.
• Encryption uses an algorithm to scramble, or encrypt, data; the receiving party then uses a key to unscramble, or decrypt, the information.
Encryption 16

• Used to prevent unauthorized access to confidential files or data.
• The encrypted data can be deciphered only with the matching key.
• Data Encryption Standard (DES) and Advanced Encryption Standard (AES) are symmetric ciphers; RSA is the best-known asymmetric one.
– Symmetric algorithms use a single key to encrypt and decrypt data.
– Asymmetric algorithms use two separate keys, one for each of the two processes.
Encryption Standards 18

• There are a number of standards related to cryptography.
• The following standards are used for encryption:
– Data Encryption Standard (now obsolete)
– Advanced Encryption Standard
– RSA (the original public-key algorithm)
– OpenPGP
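An investigator who cannot decrypt data can still find it: ciphertext from any sound cipher is statistically indistinguishable from uniform random bytes, so a sliding entropy measurement over a disk or memory image locates encrypted containers and blobs. The following is an added example, not code from the lecture; the 4 KiB window and the 7.5-bit threshold are assumptions chosen for this demonstration, and the "ciphertext" block is deterministic pseudo-random bytes standing in for AES output (the standard library has no AES).

```python
import math
import random
from typing import List


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for identical bytes, 8.0 for a perfectly uniform distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def high_entropy_windows(buf: bytes, window: int = 4096, threshold: float = 7.5) -> List[int]:
    """Indices of fixed-size windows whose entropy exceeds threshold.
    Threshold is an assumption for this example: encrypted or well-compressed data sits near 8.0
    even for 4 KiB samples, while text and most executable code stay well below 7.0."""
    hits = []
    for idx in range(len(buf) // window):
        chunk = buf[idx * window:(idx + 1) * window]
        if shannon_entropy(chunk) > threshold:
            hits.append(idx)
    return hits


def entropy_profile(buf: bytes, window: int = 4096) -> List[float]:
    """Per-window entropy, rounded, for a quick look at where the high-entropy region starts."""
    return [round(shannon_entropy(buf[i * window:(i + 1) * window]), 2)
            for i in range(len(buf) // window)]


# Constructed sample disk region: 8 KiB of text, 8 KiB standing in for an encrypted container,
# then 8 KiB of text again. Not taken from any real image.
_TEXT = (b"The quick brown fox jumps over the lazy dog. " * 200)[:8192]
_rng = random.Random(1)  # seeded so the example is reproducible; uniform bytes mimic ciphertext
_CIPHER_LIKE = bytes(_rng.getrandbits(8) for _ in range(8192))
SAMPLE_REGION = _TEXT + _CIPHER_LIKE + _TEXT
```

Running `high_entropy_windows(SAMPLE_REGION)` flags windows 2 and 3, the middle 8 KiB. The caveat: compressed data (ZIP, JPEG, MP3) has the same near-8.0 profile, so a high-entropy hit means "encrypted or compressed"; the file-signature check from the earlier slide is what separates the two, because compressed formats have recognisable headers and ciphertext does not.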
Encryption- Question 19

How can encryption be used as an anti-forensic technique?
Encryption- Question 20

What types of crimes can be committed using encryption?
Tunneling 21

• This method uses encapsulation to allow private communications to be exchanged over a public network.
• The tunnelled packets cross the public network looking like ordinary traffic, thus generating no suspicion; if the tunnel is encrypted, the carrier network sees only the outer headers.
• Example:
– Using a Virtual Private Network (VPN), which encrypts the data for security reasons.
• To detect such abuse, organizations must continuously monitor their encrypted network connections (endpoints, volumes and timing, since the content itself is not readable).
Tunneling 22

• Encapsulating (packaging, placing) an entire packet inside another packet of the same or a higher layer.
• Example: placing an IP packet with a private address inside an IP packet with a global (public) address.
VPN

• Stands for Virtual Private Network.
• A means of carrying private traffic over a public network.
• Connects two private networks over a public network to form a virtual network.
• Virtual means the two private networks seem to be seamlessly connected to each other, as if they were a single private network, although physically they are two separate networks.
• Benefits: connectivity, security, privacy.
• The VPN should provide the same connectivity and privacy you would find on a typical local private network.
VPN

• Placing a packet of one layer into a packet of another layer.
• In ordinary protocol layering, packets of higher layers are encapsulated by packets of a lower layer; a tunnel instead carries a complete packet (such as an IP datagram) as the payload of a same-layer or higher-layer protocol, for example IP-in-IP, GRE, or the UDP/TLS transport used by many VPNs.
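The private-inside-public pattern from the two tunnelling slides, made concrete with the simplest tunnel there is, IP-in-IP (protocol number 4): build the packet both ways and have a parser peel it, the way a capture-analysis tool would before it can see the inner addresses. This is an added example, not code from the lecture; the addresses come from the RFC 1918 and RFC 5737 documentation ranges and the UDP payload bytes are arbitrary.

```python
import ipaddress
import struct
from typing import Dict, List

IPPROTO_IPIP = 4   # IANA protocol number for IP-in-IP encapsulation
IPPROTO_UDP = 17
IPV4_FMT = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header, network byte order
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum; a header whose checksum field is correct sums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    hdr = struct.pack(IPV4_FMT, 0x45, 0, 20 + len(payload), 0x1234, 0x4000, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    csum = ipv4_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload


def parse_ipv4(pkt: bytes) -> Dict[str, object]:
    if len(pkt) < 20:
        raise ValueError("truncated header")
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack(IPV4_FMT, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl or total_len > len(pkt):
        raise ValueError("malformed IPv4 header")
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad header checksum")
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "ttl": ttl, "payload": pkt[ihl:total_len]}


def is_valid_ipv4(pkt: bytes) -> bool:
    try:
        parse_ipv4(pkt)
        return True
    except ValueError:
        return False


def unwrap(pkt: bytes) -> List[Dict[str, object]]:
    """Peel IP-in-IP layers until a non-tunnel protocol is reached; outermost header first."""
    layers = []
    while True:
        hdr = parse_ipv4(pkt)
        layers.append(hdr)
        if hdr["proto"] != IPPROTO_IPIP:
            return layers
        pkt = hdr["payload"]


def is_rfc1918(addr: str) -> bool:
    return any(ipaddress.ip_address(addr) in net for net in RFC1918)


def crosses_boundary(layers: List[Dict[str, object]]) -> bool:
    """The pattern from the slide: a public outer packet carrying a private inner one."""
    if len(layers) < 2:
        return False
    return not is_rfc1918(layers[0]["src"]) and is_rfc1918(layers[-1]["src"])


# Constructed sample: a private-to-private UDP datagram (arbitrary payload bytes) carried
# between two documentation-range public addresses.
INNER = build_ipv4("10.0.0.5", "10.0.0.9", IPPROTO_UDP, b"\x04\xd2\x00\x35\x00\x0c\x00\x00data")
TUNNELLED = build_ipv4("203.0.113.7", "198.51.100.2", IPPROTO_IPIP, INNER)
```

Without the unwrap step a flow record shows only 203.0.113.7 talking to 198.51.100.2; the 10.0.0.x conversation is invisible, which is exactly the "no suspicion" the slide describes. An encrypted VPN replaces the inner cleartext with ciphertext, so the parser stops at the outer layer and the investigator is left with endpoints, sizes and timing.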
Tunneling- Question 25

How can tunnelling be used as an anti-forensic technique?
Tunneling- Question 26

What types of crimes can be committed using tunnelling?
Onion Routing 27

• Sending messages that are encrypted in layers, like the layers of an onion, is referred to as onion routing.
• The packet passes through several relay nodes, each of which peels off one layer of encryption.
• When the final layer is stripped at the last relay (the exit node), the original message is forwarded to its destination.
• Each relay learns only its predecessor and its successor: the entry node knows the source but not the destination or the content, the exit node knows the destination but not the source, and the nodes in between know neither.

https://www.sciencedirect.com/science/article/abs/pii/S0379073819301082
Onion Routing 28

• One approach to fighting onion routing is reverse routing: tracing the path backwards, relay by relay, from the destination toward the source.
• This elimination process is time-consuming, but it can be used to defeat onion routing.
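The layered construction from the previous slide, written out end to end: the sender wraps the message once per relay, and each relay peels exactly one layer and learns nothing beyond its next hop. This is an added example rather than code from the lecture or from any real onion router. Assumptions: per-hop keys are pre-shared (a real network negotiates them with a handshake), the keystream is derived from HMAC-SHA256 in counter mode because the standard library has no AES-CTR, and the three relay names and the 8-byte next-hop field are invented for the demonstration. There is no integrity protection, which a deployed protocol would add.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

NONCE_LEN = 16
HOP_FIELD = 8            # fixed-width next-hop name, NUL padded (assumption for this example)
DELIVER = "DEST"         # marker telling the exit relay to deliver the message


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256; stands in for AES-CTR (see lead-in).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """One encryption layer: fresh nonce || plaintext XOR keystream."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(key, nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, ks))


def build_onion(route: List[str], keys: Dict[str, bytes], message: bytes) -> bytes:
    """Wrap the message for every relay on the route, innermost (exit) layer first."""
    hops = route + [DELIVER]
    blob = message
    for i in range(len(route) - 1, -1, -1):
        next_hop = hops[i + 1].encode().ljust(HOP_FIELD, b"\x00")
        blob = seal(keys[route[i]], next_hop + blob)
    return blob


def relay(name: str, key: bytes, blob: bytes) -> Tuple[str, bytes]:
    """What one relay does: peel its own layer, read the next hop, forward the rest untouched."""
    inner = unseal(key, blob)
    next_hop = inner[:HOP_FIELD].rstrip(b"\x00").decode("ascii", errors="replace")
    return next_hop, inner[HOP_FIELD:]


def run_circuit(route: List[str], keys: Dict[str, bytes], message: bytes):
    """Simulate the relays in order; returns {relay: next hop it saw} and the delivered message."""
    observed = {}
    blob = build_onion(route, keys, message)
    hop = route[0]
    while True:
        next_hop, blob = relay(hop, keys[hop], blob)
        observed[hop] = next_hop
        if next_hop == DELIVER:
            return observed, blob
        hop = next_hop


# Constructed circuit: three relays whose per-hop keys the sender obtained in advance.
ROUTE = ["guard", "middle", "exit"]
KEYS = {name: hashlib.sha256(b"demo key " + name.encode()).digest() for name in ROUTE}
```

The `observed` map is the whole point: the guard sees only "middle", the middle sees only "exit", and only the exit sees the message and the deliver marker. Trying the middle relay's key on the outer onion yields garbage, which is what makes the "reverse routing" the slide mentions slow: every hop has to be traced or compromised in turn, since no single relay holds the full picture.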
Obfuscation 30

• A technique that makes a message difficult to understand because of its ambiguous language is known as obfuscation.
• In communication, this means using jargon and in-group phrases that outsiders cannot follow.
• It can be intentional or unintentional.
• The objective of obfuscation is to reduce the risk of exposure.
• In code, it is done by altering the signature or fingerprint of malicious code (packing, encoding, renaming) so that it no longer matches what detection tools look for.

https://www.digitalforensics.com/blog/obfuscation-and-detection-techniques/

http://cet4862.pbworks.com/w/file/fetch/69342454/Craiger,%20Swauger,%20and%20Marberry.pdf
Obfuscation 31

• Attackers try to make forensic investigations more difficult and resource-consuming.
• The best deterrent to obfuscated attacks is preventing a host from being compromised in the first place.
• De-obfuscation is similar to countering onion routing: removing the layers one by one exposes clean, readable code.

https://info-savvy.com/anti-forensics-techniques-trail-obfuscation-artifact-wiping-encryption-encrypted-network-protocols-and-program-packers/
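The layer-peeling the slide compares to onion routing, as an added example rather than code from the lecture or the linked articles. A staged payload is wrapped in single-byte XOR, zlib and two rounds of base64, the kind of stack a simple dropper uses to change its fingerprint, and `peel` strips the layers until the data reads as text. The sample command, the 0xAA key and the detection heuristics (the base64 shape test, the zlib header byte, the "looks like text" scoring for the XOR brute force) are assumptions for this demonstration and can misfire on unusual inputs.

```python
import base64
import binascii
import re
import string
import zlib
from typing import List, Optional, Tuple

_B64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")
_PRINTABLE = set(string.printable.encode())
_WORDISH = set(b"abcdefghijklmnopqrstuvwxyz ")  # scoring alphabet for the XOR brute force


def _printable_ratio(data: bytes) -> float:
    return sum(b in _PRINTABLE for b in data) / len(data) if data else 0.0


def _try_base64(data: bytes) -> Optional[bytes]:
    stripped = b"".join(data.split())
    if len(stripped) < 8 or len(stripped) % 4 or not _B64_RE.match(stripped):
        return None
    try:
        return base64.b64decode(stripped, validate=True)
    except (binascii.Error, ValueError):
        return None


def _try_zlib(data: bytes) -> Optional[bytes]:
    if data[:1] != b"\x78":  # zlib stream header always starts with 0x78 for deflate
        return None
    try:
        return zlib.decompress(data)
    except zlib.error:
        return None


def _try_single_byte_xor(data: bytes) -> Optional[Tuple[int, bytes]]:
    """Brute-force a one-byte XOR key, keeping the fully printable candidate that looks most like text."""
    best_key, best_score = None, 0
    for key in range(1, 256):
        cand = bytes(b ^ key for b in data)
        if any(b not in _PRINTABLE for b in cand):
            continue
        score = sum(b in _WORDISH for b in cand)
        if score > best_score:
            best_key, best_score = key, score
    if best_key is None or best_score < len(data) // 2:
        return None
    return best_key, bytes(b ^ best_key for b in data)


def peel(blob: bytes, max_layers: int = 10) -> Tuple[List[str], bytes]:
    """Strip encoding layers until the data reads as plain text. Returns (layer names, result)."""
    layers: List[str] = []
    data = blob
    for _ in range(max_layers):
        decoded = _try_base64(data)
        if decoded is not None:
            layers.append("base64")
            data = decoded
            continue
        inflated = _try_zlib(data)
        if inflated is not None:
            layers.append("zlib")
            data = inflated
            continue
        if _printable_ratio(data) >= 0.95:
            break
        xored = _try_single_byte_xor(data)
        if xored is None:
            break  # unknown layer: stop rather than guess further
        key, data = xored
        layers.append("xor(0x%02x)" % key)
    return layers, data


# Constructed sample: a one-line command hidden under XOR, zlib and two rounds of base64.
ORIGINAL = b"import os; os.system('whoami')"
OBFUSCATED = base64.b64encode(base64.b64encode(zlib.compress(bytes(b ^ 0xAA for b in ORIGINAL))))
```

The recovered layer list (`base64, base64, zlib, xor(0xaa)`) is itself evidence: a benign script rarely stacks encodings like this, so the number of layers is a useful detection signal even before the final content is read. Real obfuscators add layers this brute-force approach does not know (custom ciphers, string-table indirection), which is where `peel` stops and a human takes over.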
Spoofing 33

• The act of disguising a communication so that it appears to come from a trusted source, in order to gain access to unauthorized systems or data.
• Spoofing can be performed through emails, phone calls, and websites.
• The two most common ways of spoofing at the network level are:
– IP spoofing
– MAC spoofing
Spoofing 34

• IP spoofing
– Perpetrators forge the source address of their packets to hide their system’s real IP address while initiating malicious activities.
– It is commonly used in distributed denial of service (DDoS) attacks, where the victim’s address is written as the source so that the replies flood the victim.
– It can be performed either manually or by the use of tools.
• MAC spoofing
– The burned-in hardware address cannot be changed, but the address the operating system actually transmits is a software setting that can be overridden with a single command or tool.
– With MAC spoofing, attackers present a fake MAC address, for instance to impersonate another host or to pass a MAC-based access list.
– This is one of the harder spoofing methods to counter, since nothing in the address authenticates its owner.
Spoofing 35

• Other types of spoofing include ARP spoofing, DNS spoofing, email spoofing, and many more.
• Forensic investigators have many tools and techniques to identify spoofing, e.g.
– examining email headers (Received chain, Return-Path, SPF and DKIM results) in the case of email spoofing;
– investigating wireless access point logs and ARP/DHCP records in the case of MAC spoofing, and likewise.
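One of the investigator checks the slide alludes to, written out: parse a log of ARP replies, flag any IP address that has been claimed by more than one MAC (the footprint of ARP spoofing or an address takeover), and note MAC addresses with the locally administered bit set, which software-assigned or spoofed addresses commonly carry. This is an added example, not code from the lecture; the log lines are constructed in the style of an ARP monitor and are not from any real capture, and the locally-administered test is a hint rather than proof, because randomised Wi-Fi addresses set that bit too.

```python
import re
from collections import OrderedDict
from typing import Dict, List, Tuple

# Constructed ARP-monitor log for the example (gateway 192.168.1.1 suddenly answered by a second MAC).
SAMPLE_ARP_LOG = """\
10:00:01 arp reply 192.168.1.1 is-at 00:1a:2b:3c:4d:5e
10:00:05 arp reply 192.168.1.20 is-at 00:1a:2b:3c:4d:77
10:00:09 arp reply 192.168.1.1 is-at 02:11:22:33:44:55
10:00:12 arp reply 192.168.1.20 is-at 00:1a:2b:3c:4d:77
10:00:15 arp reply 192.168.1.1 is-at 02:11:22:33:44:55
"""

_LINE = re.compile(r"^(\S+)\s+arp reply\s+(\d+\.\d+\.\d+\.\d+)\s+is-at\s+([0-9a-f:]{17})$", re.I)


def parse_arp_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, ip, mac) tuples; lines that do not match the expected shape are skipped."""
    records = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            records.append((m.group(1), m.group(2), m.group(3).lower()))
    return records


def ip_to_macs(records) -> Dict[str, List[str]]:
    """Every MAC that has answered for each IP, in order of first appearance."""
    seen: Dict[str, List[str]] = OrderedDict()
    for _ts, ip, mac in records:
        macs = seen.setdefault(ip, [])
        if mac not in macs:
            macs.append(mac)
    return seen


def find_conflicts(records) -> Dict[str, List[str]]:
    """IPs answered by more than one MAC: the signature of an ARP-spoofing attempt or a takeover."""
    return {ip: macs for ip, macs in ip_to_macs(records).items() if len(macs) > 1}


def first_conflict_time(records) -> Dict[str, str]:
    """When each conflicting IP was first answered by a MAC other than its original one."""
    original: Dict[str, str] = {}
    times: Dict[str, str] = {}
    for ts, ip, mac in records:
        if ip not in original:
            original[ip] = mac
        elif mac != original[ip] and ip not in times:
            times[ip] = ts
    return times


def is_locally_administered(mac: str) -> bool:
    """U/L bit (0x02 of the first octet) is set on software-assigned addresses; vendor-burned
    addresses have it clear. A hint only: randomised client addresses set it as well."""
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x02)


def suspicious_macs(records) -> List[str]:
    return sorted({mac for _ts, _ip, mac in records if is_locally_administered(mac)})
```

On the constructed log the gateway conflict appears at 10:00:09 and the intruding address `02:11:22:33:44:55` has the locally administered bit set, two independent signals that point at the same host; correlating the timestamp with the access point's association log is the next step the slide describes.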
Reading Task for Quiz 3 36

• A survey and research challenges of anti-forensics: Evaluation of game-theoretic models in simulation of forensic agents’ behaviour
https://www.sciencedirect.com/science/article/pii/S2666281720300925?dgcid=rss_sd_all

• A Survey On Anti-Forensics Techniques
https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=8090341
References 37

• https://info-savvy.com/anti-forensics-techniques-that-minimize-footprint/
• https://www.anti-forensics.com/
• https://digital-forensics.enterprisesecuritymag.com/cxoinsight/evaluating-challenges-and-impacts-of-antiforensics--nid-1054-cid-59.html
• https://repository.stcloudstate.edu/cgi/viewcontent.cgi?article=1145&context=msia_etds
• https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=9116399
ANY QUESTIONS
