According to Wikipedia, one definition of anti-forensics is that it consists of “[a]ttempts to negatively affect the existence, amount and/or quality of evidence from a crime scene, or make the analysis and examination of evidence difficult or impossible to conduct.”
That’s a good general definition, but my specific concern is with computer anti-forensics, which essentially consists of using software and other methods to alter, conceal and/or create computer evidence in such a manner as to frustrate forensic investigators.
As the Wikipedia entry notes, anti-computer forensics is divided into several categories, one of which is “data hiding.” The techniques used in data hiding are familiar to most of us, I imagine; encryption and steganography are two kinds of data hiding. According to Wikipedia, another category involves the destruction of digital evidence; file wiping and disk degaussing fall into this category.
This post is not about those techniques, for a couple of reasons. One is that they’ve been around for a while, and so are, I think, pretty familiar to most people who work with digital evidence and cybercrime. Another is that they involve putting digital evidence outside the reach of forensic investigators; while that can certainly have a negative impact on a civil or criminal investigation, it is a relatively straightforward process: The evidence either is available or it is not.
The remaining category of anti-forensics is the one that interests me. Wikipedia calls this category “trail obfuscation” because it involves the use of techniques that can alter essential characteristics of digital evidence. The use of these techniques is not, as far as I can tell, something that law and lawyers are really familiar with, which could be, or become, a problem.
As a recent article in the Sedona Conference Journal noted, anti-forensics could pose a problem for the American legal system (at least) because courts and lawyers currently tend to assume that digital evidence is reliable . . . perhaps even more reliable than other kinds of evidence. In 1999, a Missouri appellate court held that certain records “were uniquely reliable because they were computer-generated rather than the result of human entries.” State v. Dunn, 7 S.W.3d 427 (Missouri Court of Appeals 1999). The Tennessee Supreme Court said something similar a year earlier. State v. Hall, 976 S.W.2d 121 (1998).
Though these cases were decided roughly a decade ago, some, including me, think the tendency to assume computer records are particularly reliable still exists, and may even have become more pronounced. The authors of the Sedona Conference Journal article note that the American legal system is, as a result, far too accepting of digital evidence.
That might be changing. I found one reported opinion in which the use of anti-forensics was an issue. The case is a civil case, but that isn’t relevant. The issue of interest in the case is not a legal issue but a practical one.
The opinion was issued in Southern New England Telephone Co. v. Global NAPS, Inc., 251 F.R.D. 81 (U.S. District Court for the District of Connecticut 2008). Southern New England Telephone (SNET) sued Global NAPS over some issue involving misrouted traffic and access charges (civil litigation is not my strong suit). As in most civil suits, particularly complex federal civil suits, the parties engaged in discovery – the mutual disclosure of potentially relevant evidence – for a long time. Discovery seems to have gone on for almost two years, according to the district court’s opinion.
In this opinion, the federal district court ruled on SNET’s motion to sanction Global NAPS “for failure to comply with discovery orders.” Southern New England Telephone Co. v. Global NAPS, Inc., supra. The motion was based on a number of allegations about Global NAPS’ lack of cooperation in the discovery process, one of which involved anti-forensics. At one point, SNET hired a forensic analysis company to conduct a “more intensive” forensic analysis of certain of the Global NAPS computers on which evidence relevant to the litigation might be found.
The company found that a data-wiping program – Window Washer – had been used to delete files and then overwrite them. Southern New England Telephone Co. v. Global NAPS, Inc., supra. The court noted that whoever had used Window Washer “did not merely use the program in its default mode, but chose the ‘wash and bleach’ option, which overwrites deleted files.” Southern New England Telephone Co. v. Global NAPS, Inc., supra. That, though, is not what we’re really concerned with here.
The forensic analysis company – LECG – also found that true anti-forensics software might have been used on the computer files:
In order to determine what, or how many files, have been deleted, LECG relies on ‘metadata.’ Metadata is a record created for all files containing their name, the date, and where the data is stored on the disk, among other things. Metadata is stored in a database called a Master File Table (‘MFT’). Generally, a deleted file maintains its metadata, so it is possible to determine some things about the deleted file even after it has been erased. However, when a deleted file has no metadata, ‘it is likely that anti-forensics software has been employed by the user to erase the file and clear the MFT data.’ Southern New England Telephone Co. v. Global NAPS, Inc., supra.
LECG determined that, out of 93,560 items in the MFT, nearly 20,000 had no metadata, meaning they had likely been erased using anti-forensic software . . . .
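The opinion describes the test LECG applied in one sentence: a normally deleted file keeps its MFT entry (name, timestamps, location), so a deleted entry with no metadata at all points to a wiper that cleared the record. The following is an added example, written for this post and not LECG's tooling or anything from the opinion, that applies that distinction to raw NTFS MFT records. It assumes the NTFS 3.1 on-disk layout (1 KiB FILE records, update sequence array at offset 0x30, resident $STANDARD_INFORMATION and $FILE_NAME attributes), and the four sample records at the bottom are constructed in code rather than taken from any real disk. The record classes, the "stripped share" ratio and the function names are this example's own choices.

```python
import struct
from datetime import datetime, timezone

RECORD_SIZE, SECTOR = 1024, 512
ATTR_STANDARD_INFORMATION, ATTR_FILE_NAME, ATTR_END = 0x10, 0x30, 0xFFFFFFFF
FLAG_IN_USE = 0x01
EPOCH_DELTA = 116444736000000000  # 100 ns ticks from 1601-01-01 to 1970-01-01

def filetime_to_dt(ft):
    """Windows FILETIME (100 ns ticks since 1601) to an aware UTC datetime."""
    return datetime.fromtimestamp((ft - EPOCH_DELTA) / 10_000_000, tz=timezone.utc)

def apply_fixups(record):
    """Undo the update-sequence fixups NTFS stamps over the last 2 bytes of each sector."""
    buf = bytearray(record)
    usa_off, usa_count = struct.unpack_from("<HH", buf, 4)
    usn = bytes(buf[usa_off:usa_off + 2])
    for i in range(1, usa_count):
        if bytes(buf[i * SECTOR - 2:i * SECTOR]) != usn:
            raise ValueError("fixup mismatch: torn or corrupt record")
        buf[i * SECTOR - 2:i * SECTOR] = buf[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)

def parse_record(raw):
    """Describe one MFT record; None means the slot holds no FILE header at all."""
    if raw[:4] != b"FILE":
        return None
    rec = apply_fixups(raw)
    off, flags = struct.unpack_from("<HH", rec, 0x14)  # first attribute offset, flags
    info = {"in_use": bool(flags & FLAG_IN_USE), "name": None, "created": None}
    while off + 16 <= len(rec):
        atype, alen, nonres = struct.unpack_from("<IIB", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        if not nonres:  # resident attribute: content lives inside the record
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + coff:off + coff + clen]
            if atype == ATTR_STANDARD_INFORMATION:
                info["created"] = filetime_to_dt(struct.unpack_from("<Q", body, 0)[0])
            elif atype == ATTR_FILE_NAME:
                info["name"] = body[0x42:0x42 + 2 * body[0x40]].decode("utf-16-le")
        off += alen
    return info

def classify(raw):
    """The distinction the opinion draws: deleted entries with vs. without metadata."""
    info = parse_record(raw)
    if info is None:
        return "no_metadata"          # cleared slot: nothing left to recover
    if info["in_use"]:
        return "allocated"
    if info["name"] is None and info["created"] is None:
        return "deleted_no_metadata"  # header survives, attributes are gone
    return "deleted_with_metadata"    # ordinary deletion: name and timestamps remain

def summarize(mft_bytes):
    """Per-class counts plus the share of deleted entries stripped of metadata.
    Never-used MFT slots are also empty, so a high share is a lead, not proof."""
    counts = {}
    for i in range(0, len(mft_bytes), RECORD_SIZE):
        c = classify(mft_bytes[i:i + RECORD_SIZE])
        counts[c] = counts.get(c, 0) + 1
    deleted = sum(v for k, v in counts.items() if k != "allocated")
    stripped = counts.get("no_metadata", 0) + counts.get("deleted_no_metadata", 0)
    counts["stripped_share_of_deleted"] = round(stripped / deleted, 2) if deleted else 0.0
    return counts

def resident_attr(atype, content):
    """24-byte resident attribute header + content, padded to an 8-byte boundary."""
    pad = (-len(content)) % 8
    return struct.pack("<IIBBHHHIHBB", atype, 24 + len(content) + pad,
                       0, 0, 24, 0, 0, len(content), 24, 0, 0) + content + bytes(pad)

def build_record(name, in_use, created_ft):
    """Constructed 1 KiB MFT record with the USA at 0x30 (sample data, not a real disk)."""
    attrs = b""
    if created_ft:
        attrs += resident_attr(ATTR_STANDARD_INFORMATION,
                               struct.pack("<4Q", *[created_ft] * 4) + bytes(16))
    if name is not None:
        attrs += resident_attr(ATTR_FILE_NAME, bytes(0x40) + bytes([len(name), 1])
                               + name.encode("utf-16-le"))
    body = bytearray(RECORD_SIZE)
    body[:4] = b"FILE"
    struct.pack_into("<HH", body, 4, 0x30, 3)            # USA offset and entry count
    struct.pack_into("<HH", body, 0x14, 0x38, FLAG_IN_USE if in_use else 0)
    body[0x38:0x38 + len(attrs) + 8] = attrs + struct.pack("<I", ATTR_END) + bytes(4)
    struct.pack_into("<H", body, 0x30, 1)  # USN = 1; sector tails saved into the USA
    for i in (1, 2):
        body[0x30 + 2 * i:0x32 + 2 * i] = body[i * SECTOR - 2:i * SECTOR]
        body[i * SECTOR - 2:i * SECTOR] = b"\x01\x00"
    return bytes(body)

# Constructed four-record MFT: one live file, one ordinary deletion, one
# deletion whose attributes were cleared, one slot wiped to zeros.
T0 = int(datetime(2008, 3, 1, tzinfo=timezone.utc).timestamp()) * 10_000_000 + EPOCH_DELTA
SAMPLE_MFT = b"".join([
    build_record("invoices.xlsx", True, T0),
    build_record("memo.docx", False, T0),
    build_record(None, False, 0),
    bytes(RECORD_SIZE),
])
```

Running `summarize(SAMPLE_MFT)` on the constructed table gives one record in each class and a stripped share of 0.67 among the three deleted entries. On a real volume the same ratio is only a starting point: slots that were never allocated also carry no metadata, so the number has to be read together with the rest of the evidence, which is exactly what the judge did in the opinion.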
Later in the opinion, the federal judge notes that this, in conjunction with other evidence, convinced her that anti-forensic software had been used to destroy and/or alter files that might have been relevant to the litigation. Southern New England Telephone Co. v. Global NAPS, Inc., supra. Since she found the defendants had “willfully” violated the court’s discovery orders, the federal judge entered a default judgment against them (which means the plaintiff won). Southern New England Telephone Co. v. Global NAPS, Inc., supra.
The anti-forensics techniques used in the case were not particularly sophisticated, but I find the case interesting because the opinion at least refers to such techniques. I suspect anti-forensics techniques are more likely to become an issue in civil litigation, at least at first, because civil litigants are sometimes able to pour a great deal of resources into the preparation of their cases. When millions (or billions) of dollars are at stake, litigants are likely to be willing to put a lot of money into preparing their cases.
I might be right about that, or I might not (it’s happened). It might also be that the issue of anti-forensics assumes, and maintains, greater significance in the context of civil litigation. The use of computer search protocols, for example, seems to be far more prevalent in civil discovery than in criminal forensics.
I really don’t know where any of this is going, but that won’t stop me from speculating. It seems to me that anti-forensics has the potential to (i) frustrate the conduct of computer forensic examinations by masking or altering digital evidence and/or (ii) give defense attorneys a new device they can use to try to persuade juries that digital evidence is too mutable to be reliable.