Week 9 - Anti-Forensics

Question 1

What is Anti-Forensics?

Answer 1

The act of compromosing the availability or usefulness of evidence to the forensics process. This can be encryption, data hiding etc..

Question 2

What is emerging technologies?

Answer 2

New technologies.

Question 3

What are the three general strategies of anti-forensics?

Answer 3

Attack on Data
Attack on Tools
Attack on the Analyst

Question 4

What is an Attack on Data?

Answer 4

When potenital evidence is deleted or tampered with to make it unitelligible or inadmissible in a court of law.

Question 5

What is an attack on Tools?

Answer 5

When weaknesses in current computer forensics tools are exploited to produce ‘bogus’ investigation results.

Question 6

What is an Attack on the Analyst?

Answer 6

When problems are creating for the examiner that inhibit the digital forensics process. E.g. generating a huge amount of information that the examiner has to sift through, or casting doubt on the validity of the analysis or the analyst.

Question 7

TRUE OR FALSE: Analysts may require anonymity.

Answer 7

TRUE.

Question 8

What are some anti-forensics tactics?

Answer 8

Zero foot printing
Data obfuscation
Data hiding

Question 9

What is Zero foot printing?

Answer 9

Attenpting to eliminate residual traces of evidence to prevent the analysis of it as evidence. This includes secure deletion of files using shredding or wiping processes.

Question 10

What is Data obfuscation?

Answer 10

When the nature of data is hidden, e.g. encryption of files, has collisions, modifying metadata or log data, signature analysis attacks.

Question 11

What is Data hiding?

Answer 11

When evidence is hidden out of sight on a disk. This can include steganography, scattering, hiding in slace space, convert channels, or rootkits.

Question 12

What must the attacker know to do zero foot printing?

Answer 12

The need to know:

• What interaction took place between the attacker and the system (Assuming the crime was a cyberattack)
• What actions were logged and how (Local or network based, Login, etc.)
• What the “system artifacts” are, i.e. traces that are voluntarily or involuntarily left on the system

Question 13

What is the main reason for modifying metadata in anti-forensics?

Answer 13

To change the timestamps of certain variables like time created, last modified and accessed. This obscures the actual times the file was interacted with.

Question 14

What is shredding/wiping?

Answer 14

A process that completely and fully eliminates the data of a file so that it can no longer be accessed and is fully deleted from the system.

Question 15

What are the two approaches to detecting wiping/shredding operations?

Answer 15

Wipe-trace search

Data deletion ‘anomaly detection’

Question 16

What are four example of anti-forensic tools developed by Metasploit?

Answer 16

Timestomp
Slacker
SAM Juicer
Transmogrify

Question 17

TRUE OR FALSE: Timestamping for files and logs can be disabled.

Answer 17

TRUE, you can disable the recording of timestamps in windows.