Anti-forensics – threats to digital forensics

As much as we would like the tasks involved in digital forensics to be as easy as possible, we do encounter situations that make investigations, and life as a forensics investigator, not so simple and sometimes stressful. People wishing to hide information and cover their tracks, and even those who have malicious intent or actually participate in cybercrimes, often employ various methods to try to foil the attempts of forensic investigators, with the intention of hampering or halting investigations.

In recent times, we've seen several major digital breaches online, especially from 2011 onward. Many of these attacks allegedly came from, or were claimed to be the work of, infamous hacker groups such as LulzSec, Anonymous, Lizard Squad, and many others, including individuals and hacktivists (people who hack for a specific cause or reason and are less concerned about doing time in prison). Some of these hacks and attacks not only brought down several major networks and agencies, but also cost millions in damages, directly and indirectly. As a result, the loss of public confidence in the companies concerned contributed to further increases in damages.

These daring, creative, and public attacks saw the emergence of many other new groups that learned from the mistakes of past breaches of Anonymous and others. Both social media and underground communication channels soon became the easiest forms of communication between like-minded hackers and hacktivists. With the internet and World Wide Web (WWW) becoming easily accessible, this also heralded competition not only between IPs, but also between private companies and corporations, which led to the creation of free wireless hotspots on almost every street with businesses, large or small.

The result of having internet access at just about every coffee shop enabled anyone with a smartphone, tablet, laptop, or other device to acquire almost unauthenticated access to the internet. This gave them access to hacker sites and portals, along with the ability to download tools, upload malware, send infected emails, or even carry out attacks.

The use of Virtual Private Networks (VPNs) also adds to the complexity of digital forensics investigations today. Many VPN providers do not keep logs of users and their activity for more than 7 days, allowing for the network communication logs of some cybercriminals to be deleted sometimes long before the incident has even been reported.

SSDs also employ newer TRIM technology that deletes data much more efficiently that older magnetic disks, as discussed in a later chapter.

Lastly, it has been my personal experience that in an environment without trained forensic personnel and those without any DFIR plans, policies, and implementations, breaches and incidents may go unnoticed for weeks or months at a time, allowing for important volatile evidence and artifacts that may have been stored in the memory (RAM) along with paging and swap files, to be lost once the systems have been restarted.

Encryption

Adding to this scenario is the availability of more user-friendly tools to aid in the masking of Publicly Identifiable Information (PII), or any information that would aid in the discovery of unveiling suspects involved in cybercrimes during forensic investigations. Tools used for encryption of data and anonymity, such as the masking of IP addresses, are readily and easily available to anyone, most of which were—and are—increasingly user friendly.

It should also be noted that many Wi-Fi hotspots themselves can be quite dangerous, as these can easily be set up to intercept personal data, such as login and password information together with PII (such as social security numbers, date-of-birth information, and phone numbers) from any user that may connect to the Wi-Fi and enter such information.

The process of encryption provides confidentiality between communication parties and uses technology in very much the same way we use locks and keys to safeguard our personal and private belongings. For a lock to open, there must be a specific matching key. So, too, in the digital world, data is encrypted or locked using an encryption algorithm and must use either the same key to decrypt or unlock the data. There also exists another scenario where one key may be used to encrypt or lock the data and another used to decrypt the data. A few such very popular encryption tools are TrueCrypt, VeraCrypt, BitLocker, and PGP Tool.

These encryption tools use very high encryption methods that keep data very confidential. The main barrier to forensics may be acquiring the decryption key to decrypt or unlock access to the data.

Important note

PGP Tool and VeraCrypt not only encrypt files but also encrypt folders, partitions, and entire drives!

Online and offline anonymity

Encryption, in particular, can make investigations rather difficult, but there is also the concept of anonymity that adds to the complexity of maintaining an accuracy of the true sources found in investigations. As with encryption, there exist several free and open source tools for all operating system platforms—such as Windows, Mac, Linux, and Android—that attempt and, most often, successfully mask the hiding of someone's digital footprint. This digital footprint usually identifies a device by its IP address and Media Access Control (MAC) address. Without going into the network aspect of things, these two digital addresses can be compared to a person's full name and home address, respectively.

Even though a person's IP address can change according to their private network (home and work) and public network (internet) access, the MAC address remains the same.

However, various tools are also freely available to spoof or fake your IP and MAC addresses for the purpose of privacy and anonymity. Adding to that, users can use a system of routing their data through online servers and devices to make the tracing of the source of the sent data quite difficult. This system is referred to as proxy chaining and does keep some of the user's identity hidden.

A good example of this would be the Tor browser; this uses onion routing and several proxies worldwide to route or pass the data along from proxy to proxy, making the tracing of the source very difficult, but not impossible. You can think of proxy chains as a relay race, but instead of having four people, one passing the baton to the next, the data is passed between hundreds of proxy devices, worldwide. Additionally, some hosting companies offer bulletproof hosting, which allows their users and clients to upload and distribute content that may not be allowed by others, allowing for spamming, different types of pornography, and other content that may not be legal, while offering a certain level of protection to customers' data and records.