The Cat-Mouse Game of Digital Forensics
Digital Forensics, Anti-Forensics, and Anti-Anti-Forensics
(A) Digital Forensics
Digital forensics investigates digital incidents such as unauthorized access, data breaches, theft of intellectual property, and unauthorized use of company resources.
To achieve these aims it is necessary first to preserve the evidence data in its original state, then to image that data for analysis and reporting in a court-admissible format.
Digital forensics is mainly concerned with post-mortem (after-the-event) investigation; cybersecurity is mainly concerned with detecting and preventing unauthorized access and related threats to the confidentiality, integrity and availability of information systems and industrial control systems.
Chain of Custody
For any legal action to have even a chance of success, there must be complete, thorough, and convincing evidence that the digital evidence has been protected through a secure chain-of-custody procedure, one that tracks who has handled the digital evidence and where it has been stored.
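The two requirements above (evidence kept in its original state, and a record of who handled it and where) can be made checkable rather than merely asserted. The following is an added example, not code from the original article: a small tamper-evident custody ledger in which entry 0 records the SHA-256 of the acquired image and every later entry commits to the hash of the previous one. The field names, the examiner names and the sample image bytes are all constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _seal(entry: dict) -> dict:
    # Hash the entry's canonical JSON so any later edit to the record is detectable.
    body = {k: v for k, v in entry.items() if k != "entry_sha256"}
    entry["entry_sha256"] = sha256_hex(json.dumps(body, sort_keys=True).encode())
    return entry

def new_ledger(image: bytes, handler: str, location: str) -> list:
    """Open a custody ledger: entry 0 records the acquisition hash of the image."""
    return [_seal({"seq": 0, "time": datetime.now(timezone.utc).isoformat(),
                   "handler": handler, "action": "acquired", "location": location,
                   "image_sha256": sha256_hex(image), "prev_entry_sha256": "0" * 64})]

def record_transfer(ledger: list, image: bytes, handler: str, action: str, location: str) -> dict:
    """Append a handling event. Refuses if the image no longer matches the acquisition
    hash, so an altered copy cannot pick up a clean custody entry."""
    if sha256_hex(image) != ledger[0]["image_sha256"]:
        raise ValueError("image hash mismatch: evidence is not in its original state")
    prev = ledger[-1]
    entry = _seal({"seq": prev["seq"] + 1, "time": datetime.now(timezone.utc).isoformat(),
                   "handler": handler, "action": action, "location": location,
                   "image_sha256": prev["image_sha256"], "prev_entry_sha256": prev["entry_sha256"]})
    ledger.append(entry)
    return entry

def verify_ledger(ledger: list, image=None) -> tuple:
    """Walk the chain; return (True, 'ok') or (False, reason) naming the first problem."""
    expected_prev = "0" * 64
    for i, entry in enumerate(ledger):
        body = {k: v for k, v in entry.items() if k != "entry_sha256"}
        if entry["seq"] != i:
            return False, f"sequence gap at entry {i}"
        if entry["prev_entry_sha256"] != expected_prev:
            return False, f"chain break at entry {i}"
        if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_sha256"]:
            return False, f"entry {i} was modified after sealing"
        expected_prev = entry["entry_sha256"]
    if image is not None and sha256_hex(image) != ledger[0]["image_sha256"]:
        return False, "image differs from the acquisition hash"
    return True, "ok"

if __name__ == "__main__":
    img = b"constructed sample disk image, not real evidence"  # constructed input
    log = new_ledger(img, "examiner A", "evidence locker 1")
    record_transfer(log, img, "examiner B", "analysis", "lab bench 3")
    print(verify_ledger(log, img))  # (True, 'ok')
    log[1]["location"] = "unknown"  # simulate an after-the-fact edit to the record
    print(verify_ledger(log, img))  # (False, 'entry 1 was modified after sealing')
```

In practice the ledger would be kept on write-once or signed storage; the hash chain only proves that the record has not been altered since sealing, not who altered it.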
(B) Anti-Forensics
Data is the primary source of evidence in digital forensics. Anti-forensics therefore comprises steps to hide the data, to destroy the data, or to reduce the quantity and quality of the evidence data:
1) Steganography – to hide digital evidence
2) Encryption – to scramble digital evidence
3) Windows Rebuild – to corrupt digital evidence
4) Hard Disk Theft or Destruction – to remove digital evidence
(C) Anti-Anti-Forensics
1) Discover evidence of anti-forensics
2) Discover hard disk usage and history
3) Restore the quantity and quality of evidence data
(D) Looking Forward
Digital forensics, anti-forensics, and anti-anti-forensics are all moving rapidly. Disciplined processes, tools and personnel are the way to sound development in the field.