Anti-computer forensics (sometimes counter forensics) is a general term for a set of techniques used as countermeasures to forensic analysis.”

Quoted by Dr. Marcus Rogers

Dr. Marcus Rogers quotes “Anti-computer forensics (sometimes counter forensics) is a general term for a set of techniques used as countermeasures to forensic analysis.”

Anti-forensics are the counter-measures taken to frustrate forensic investigation and evade it. The main objective of the anti-forensic technique is to prevent any crime evidence from getting fetched.

Once a crime takes place, then the defense is developed, then a new crime counters the new defense. Hence along with continuous growth in forensics, research and developments in anti-forensics are equally important.

  • Detection of any sort of illegal incident took place to be avoided.
  • Disrupting the information/data collected.
  • Increasing the time duration of the investigation.
  • Information on forensic tools can be revealed.
  • Subverting the forensic tool.
  • Mounting a direct attack against the forensic
  • No trace of anti-forensic tool that has been run can be found.


There are various anti-forensics techniques that can/are used to hamper the evidence for forensics analysis. Some of them are as follows:


Tools for overwriting information that might be the subject of an investigation are the most common approach and most common forms of anti-forensic tools available today. These are easy to write and validate and are distributed with most operating systems. It is user-friendly to use for such criminals.

Modes of operations:

  • The program can overwrite the overall data including media.
  • The program can attempt to overwrite individual files. This task is complicated by journaling file systems: the file itself may be overwritten, but portions may be left in the journal.
  • Such program can overwrite the deleted files. Programs typically do this by creating one or more files on the media and then writing to these files until no free space remains, taking special measures to erase small files.
  1. OVERWRITING DATA: Timeline can be fetched from the attacker’s action on the system he was using at the time of crime took place using various CFT’s from the timestamps. Attacker might hide the tracks of the timestamps instead of deleting the data.
  2. HIDING DATA: Cryptography is very effective at hiding information; encrypted data is however easy to detect. Encrypted data can be decrypted if the key is obtained.

The data or footprint that the attacker has left on the suspected system at the time of the crime is another approach of minimizing it. This may result in a delay or no clue during forensic analysis.

  • Memory injection – Buffer overflow exploits can change the victim’s system behavior by injecting the code and running it. The “Userland Execve” technique allows programs on the victim computer to be loaded and run without the use of the Unix execve() kernel call, allowing the attacker to overcome kernel-based security systems that may deny access to execve() or log its use to a secure logging service.
  • Live CD, Bootable devices & Virtual Machines –
  • Live CDs can work as an operating system distribution that boots and runs from a read-only device. These are basically a window system, Unix/Linux system, web browser, SSH client, etc, and are run with virtual memory disabled.
  • Bootable USB tokens work similar to Live CD’s but the only difference is the device used here i.e. USB. These tokens can typically store information more than CDs and allow data to be saved including encrypted one as well.
  • Operating systems running inside a virtualization program such as VMWare Player, VirtualBox, etc. These systems typically store all of the states associated with the client operating system within a small set of files on the host computer.
  • Anonymous identities & storage –
    • Attackers have long protected their actual identity by making use of anonymous accounts available at Hotmail, Yahoo and Gmail. Recently the amount of storage associated with these accounts has been dramatically increased. Attackers can utilize this storage to avoid the risk of storing attack tools and captured information on their own computers.

If an attacker has access to a CFT or knowledge of how that tool works, the attacker can craft data that will manifest bugs within the CFT. Properly triggered, these bugs can accomplish many anti-forensic goals.


AFTs can change their behavior if they can detect that a CFT is in use. For example, a packer might not decrypt its payload if it realizes that it is running on a disk that has been imaged.


Some approaches can be made to countermeasure the anti-forensic techniques. Issues such as the human element, solely depending on the tools and physical to logical limitation can be focused upon.

  • Human element can most of the time be a difficult problem to be solved. Human elements include forensic examiner experience and educational level. The problem can be avoided by
  • Relying on one or two tools cannot help in solving anti-forensics cases for the investigators or forensic analyst. Using a variety of different tools and techniques will be a better choice.
  • Fetch data from where attackers can’t think of commonly –
    • Log hosts
    • CD-Rs
  • Develop new tools and techniques –
  • Defeat encrypted file systems with keyloggers.
  • Augment network sniffers with traffic analysis


Any modus operandi that used to implicate a computer forensic process can be considered as an anti-forensic. Detection for anti-forensic activities can be done by creating awareness about the anti-forensic techniques to the forensic examiners and investigators. Preventive tools are widely available.

New approaches may include:

•Minimizing or eliminating memory footprints

•Virtual machines

•Direct attacks against computer forensic tools

As we know law enforcement resources are limited, it is necessary to know the use of such tools and techniques to utilize its full potential.

Leave a Reply

Report an incident