Anti-Forensics?

The typical role of a forensic examiner is to find exculpatory information as designated by a discovery order. It is common to receive a list of terms that are of interest to the attorney, and then the search begins. But what happens when you need to find what isn’t there anymore?

More importantly, why isn’t it there anymore?

According to the Ohio Revised Code:

2921.12 Tampering with evidence.

(A) No person, knowing that an official proceeding or investigation is in progress, or is about to be or likely to be instituted, shall do any of the following:

(1) Alter, destroy, conceal, or remove any record, document, or thing, with purpose to impair its value or availability as evidence in such proceeding or investigation;

(2) Make, present, or use any record, document, or thing, knowing it to be false and with purpose to mislead a public official who is or may be engaged in such proceeding or investigation, or with purpose to corrupt the outcome of any such proceeding or investigation.

Now why am I telling you, an attorney, what you already know so well? Because there are many ways to hide things that you may not be familiar with.

There are also quite a few ways to casually (or not so casually) destroy potential evidence.

I have been a forensic examiner for many years, and I have used many tools during that time to assist me in my job. As the profession of computer forensics has become more widely known, it is no surprise that a group of tools has been created to thwart the efforts of the would-be examiner. These tools, though seldom advertised as such, are known as “anti-forensics”. Their very purpose is to destroy or obfuscate information so that it is of no use in a legal proceeding.

This is a double-edged sword. While I have no problem with people using software designed to destroy information in order to thwart identity thieves, or to protect themselves from people who might be engaged in industrial espionage, it is obviously a crime to use these methods, software, or hardware devices to alter or destroy information sought by the court.

Though ignorance of the law is not an accepted excuse (for almost anything), it is better to remove the specter of ignorance from a custodian’s claims by being specific in an order designed to elicit information.

Litigation holds (also known as “preservation orders” or “hold orders”) are designed to inform a party that they are to preserve any and all information relevant to a potential discovery order. Generally, the court order is written broadly enough to cover any potentially discoverable information. What it never includes (at least as far as we have seen) is a prohibition on employing any software, hardware, or method that is “anti-forensic” in nature. This is an important concern, because many potential custodians run their own software in a corporate environment which is designed to obfuscate their actions. This software may be in use outside the purview of the corporate IT department, and as such would fall outside the scope of a corporate retention policy.

Typical examples of common packages in use would be:

  • Window Washer
  • CCleaner
  • FileShredder

Software that is less common, but very powerful, would be:

  • Tracks Erase Pro
  • Declasfy
  • Evidence Eliminator

By specifically prohibiting any tools which could obfuscate or destroy data in the preservation order, you give yourself more options should a case of spoliation occur, and you also help the custodian understand what is and what is not permissible.

Advanced forensic analysis is often able to uncover the use of such methods, but the investigator must be familiar with the “footprints” that these products typically leave. If you were to walk into a room from which a couch had recently been removed, there would be imprints on the carpet where the couch had stood. In much the same way, when we examine a hard drive, we are not only looking for what is there, we are also looking for the remnants of what USED to be there.

–Many thanks to my editor, Mark Kruse
