Monday, December 01, 2008


This is probably going to be a short post, because it’s about something I know essentially nothing about: anti-forensics, or anti-computer forensics.

According to Wikipedia, one definition of anti-forensics is that it consists of “[a]ttempts to negatively affect the existence, amount and/or quality of evidence from a crime scene, or make the analysis and examination of evidence difficult or impossible to conduct.”

That’s a good general definition, but my specific concern is with computer anti-forensics, which essentially consists of using software and other methods to alter, conceal and/or create computer evidence in such a manner as to frustrate forensic investigators.

As the Wikipedia entry notes, anti-computer forensics is divided into several categories, one of which is “data hiding.” The techniques used in data hiding are familiar to most of us, I imagine; encryption and steganography are two kinds of data hiding. According to Wikipedia, another category involves the destruction of digital evidence; file wiping and disk degaussing fall into this category.

This post is not about those techniques, for a couple of reasons. One is that they’ve been around for a while, and so are, I think, pretty familiar to most people who work with digital evidence and cybercrime. Another is that they involve putting digital evidence outside the reach of forensic investigators; while that can certainly have a negative impact on a civil or criminal investigation, it is a relatively straightforward process: The evidence either is available or it is not.

The remaining category of anti-forensics is the one that interests me. Wikipedia calls this category “trail obfuscation” because it involves the use of techniques that can alter essential characteristics of digital evidence. The use of these techniques is not, as far as I can tell, something that law and lawyers are really familiar with, which could be, or become, a problem.

As a recent article in the Sedona Conference Journal noted, anti-forensics could pose a problem for the American legal system (at least) because courts and lawyers currently tend to assume that digital evidence is reliable . . . perhaps even more reliable than other kinds of evidence. In 1999, a Missouri appellate court held that certain records “were uniquely reliable because they were computer-generated rather than the result of human entries.” State v. Dunn, 7 S.W.3d 427 (Missouri Court of Appeals 1999). The Tennessee Supreme Court said something similar a year earlier. State v. Hall, 976 S.W.2d 121 (1998).

Though these cases were decided roughly a decade ago, some, including me, think the tendency to assume computer records are particularly reliable still exists, and may even have become more pronounced. The authors of the Sedona Conference Journal article note that the American legal system is, as a result, far too accepting of digital evidence.

That might be changing. I found one reported opinion in which the use of anti-forensics was an issue. The case is a civil case, but that isn’t relevant. The issue of interest in the case is not a legal issue but a practical one.

The opinion was issued in Southern New England Telephone Co. v. Global NAPS, Inc., 251 F.R.D. 81 (U.S. District Court for the District of Connecticut 2008). Southern New England Telephone (SNET) sued Global NAPS over some issue involving misrouted traffic and access charges (civil litigation is not my strong suit). As in most civil suits, particularly complex federal civil suits, the parties engaged in discovery – the mutual disclosure of potentially relevant evidence – for a long time. Discovery seems to have gone on for almost two years, according to the district court’s opinion.

In this opinion, the federal district court ruled on SNET’s motion to sanction Global NAPS “for failure to comply with discovery orders.” Southern New England Telephone Co. v. Global NAPS, Inc., supra. The motion was based on a number of allegations about Global NAPS’ lack of cooperation in the discovery process, one of which involved anti-forensics. At one point, SNET hired a forensic analysis company to conduct a “more intensive” forensic analysis of certain of the Global NAPS computers on which evidence relevant to the litigation might be found.

The company found that a data-wiping program – Window Washer – had been used to delete files and then overwrite them. Southern New England Telephone Co. v. Global NAPS, Inc., supra. The court noted that whoever had used Window Washer “did not merely use the program in its default mode, but chose the ‘wash and bleach’ option, which overwrites deleted files.” Southern New England Telephone Co. v. Global NAPS, Inc., supra. That, though, is not what we’re really concerned with here.

The forensic analysis company – LECG – also found that true anti-forensics software might have been used on the computer files:
In order to determine what, or how many files, have been deleted, LECG relies on “metadata.” Metadata is a record created for all files containing their name, the date, and where the data is stored on the disk, among other things. Metadata is stored in a database called a Master File Table (“MFT”). Generally, a deleted file maintains its metadata, so it is possible to determine some things about the deleted file even after it has been erased. However, when a deleted file has no metadata, “it is likely that anti-forensics software has been employed by the user to erase the file and clear the MFT data.”

LECG determined that, out of 93,560 items in the MFT, nearly 20,000 had no metadata, meaning they had likely been erased using anti-forensic software . . . .
Southern New England Telephone Co. v. Global NAPS, Inc., supra.
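The distinction the court draws above is worth seeing in bytes. On NTFS, deleting a file ordinarily leaves its record in the $MFT intact with only the “in use” flag cleared, so the name and timestamps in the $FILE_NAME attribute remain readable; a wiper that targets the MFT zeroes the record or strips its attributes, leaving nothing to read. The following is an added example, not code from the post, from LECG or from the court record. It constructs four simplified 1024-byte FILE records (no update-sequence fixups, one resident $FILE_NAME attribute each; those simplifications are assumptions) and tallies them the way a survey like LECG’s would, separating live files, ordinarily deleted files, and records with no recoverable metadata.

```python
import struct
from collections import Counter

# Constructed example, not code from the post or from LECG's tooling.
# Assumes simplified NTFS FILE records: 1024 bytes, no update-sequence
# fixups applied, one resident $FILE_NAME attribute per record.

RECORD_SIZE = 1024
ATTR_FILE_NAME = 0x30          # NTFS attribute type for $FILE_NAME
ATTR_END = 0xFFFFFFFF          # terminator after the last attribute
FLAG_IN_USE = 0x01             # record header flag: entry is allocated


def build_record(name, in_use, record_number):
    """Build a minimal NTFS MFT FILE record carrying one resident $FILE_NAME."""
    name_bytes = name.encode("utf-16-le")
    # $FILE_NAME body: parent ref, four FILETIME stamps, allocated/real size,
    # flags, reparse tag, name length in chars, namespace (3 = Win32 & DOS),
    # followed by the UTF-16LE name. Timestamps/sizes are zero here (assumption).
    fn_body = struct.pack("<Q4Q2Q2IBB", 5, 0, 0, 0, 0, 0, 0, 0, 0, len(name), 3)
    fn_body += name_bytes
    fn_len = (24 + len(fn_body) + 7) & ~7          # attribute length, 8-byte aligned
    # resident attribute header: type, length, non-resident=0, name len/off,
    # flags, id, content length, content offset (24), indexed flag, pad
    fn_attr = struct.pack("<IIBBHHHIHBB", ATTR_FILE_NAME, fn_len, 0, 0, 0, 0, 0,
                          len(fn_body), 24, 0, 0) + fn_body
    fn_attr += b"\x00" * (fn_len - len(fn_attr))
    body = fn_attr + struct.pack("<I", ATTR_END) + b"\x00" * 4
    flags = FLAG_IN_USE if in_use else 0
    # record header: "FILE", usa offset/count, LSN, sequence no., link count,
    # first attribute offset (48), flags, used size, allocated size,
    # base record ref, next attribute id, pad, record number
    header = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0, 0, 0, 1, 1, 48, flags,
                         48 + len(body), RECORD_SIZE, 0, 1, 0, record_number)
    rec = header + body
    return rec + b"\x00" * (RECORD_SIZE - len(rec))


def classify_record(rec):
    """Return (status, file name or None) for one raw MFT record."""
    if rec[:4] != b"FILE":
        return "no_metadata", None          # signature gone: record zeroed or overwritten
    attr_off, flags = struct.unpack_from("<HH", rec, 20)
    name = None
    off = attr_off
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        if atype == ATTR_FILE_NAME and rec[off + 8] == 0:   # resident $FILE_NAME only
            clen, coff = struct.unpack_from("<IH", rec, off + 16)
            content = rec[off + coff : off + coff + clen]
            nlen = content[64]
            name = content[66 : 66 + 2 * nlen].decode("utf-16-le")
        off += alen
    if flags & FLAG_IN_USE:
        return "allocated", name
    if name is None:
        return "no_metadata", None          # record survives but its attributes were stripped
    return "deleted_with_metadata", name    # the ordinary case: deleted, name still readable


def survey(mft):
    """Walk a raw $MFT image and tally records by what survives in them."""
    counts = Counter()
    for i in range(0, len(mft) - RECORD_SIZE + 1, RECORD_SIZE):
        status, _ = classify_record(mft[i : i + RECORD_SIZE])
        counts[status] += 1
    return dict(counts)


def sample_mft():
    """Constructed $MFT image: one live file, one ordinarily deleted file,
    one record zeroed outright, one record whose attributes were stripped."""
    stripped = build_record("x", False, 3)
    # keep only the header; everything after it becomes the end marker plus zeros
    stripped = stripped[:48] + struct.pack("<I", ATTR_END) + b"\x00" * (RECORD_SIZE - 52)
    return b"".join([
        build_record("report.docx", True, 0),
        build_record("invoice.xls", False, 1),
        b"\x00" * RECORD_SIZE,
        stripped,
    ])


if __name__ == "__main__":
    for status, n in sorted(survey(sample_mft()).items()):
        print(f"{status}: {n}")
```

Running it reports one allocated record, one deleted record whose name (invoice.xls) is still readable, and two records with no metadata. On a real image the count is a lead rather than proof: NTFS also leaves never-used or previously reused slots in the MFT, which is why the court relied on the LECG figure in conjunction with other evidence rather than on its own.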

Later in the opinion, the federal judge notes that this, in conjunction with other evidence, convinced her that anti-forensic software had been used to destroy and/or alter files that might have been relevant to the litigation. Southern New England Telephone Co. v. Global NAPS, Inc., supra. Since she found the defendants had “willfully” violated the court’s discovery orders, the federal judge entered a default judgment against them (which means the plaintiff won). Southern New England Telephone Co. v. Global NAPS, Inc., supra.

The anti-forensics techniques used in the case were not particularly sophisticated, but I find it interesting because it at least refers to such techniques. I suspect anti-forensics techniques are more likely to become an issue in civil litigation, at least at first, because civil litigants are sometimes able to pour a great deal of resources into the preparation of their cases. When millions (or billions) of dollars are at stake, litigants are likely to be willing to put a lot of money into preparing their cases.

I might be right about that, or I might not (it’s happened). It might also be that the issue of anti-forensics assumes, and maintains, greater significance in the context of civil litigation. The use of computer search protocols, for example, seems to be far more prevalent in civil discovery than in criminal forensics.

I really don’t know where any of this is going, but that won’t stop me from speculating. It seems to me that anti-forensics has the potential to (i) frustrate the conduct of computer forensic examinations by masking or altering digital evidence and/or (ii) give defense attorneys a new device they can use to try to persuade juries that digital evidence is too mutable to be reliable.


Anonymous said...

This would bring up an interesting problem for those companies with serious security concerns who use such tools for legitimate reasons, such as to prevent maliciously minded people from gaining the sensitive information. These tools can have legitimate uses. Would the court automatically award default judgments against companies that wish to secure their deleted data? Simply accusing such a company frivolously will allow you to win because they cannot comply with discovery of legitimately deleted data? We are all entitled to delete our no-longer-needed but sensitive data with confidence that it would not fall into the wrong hands. As a judge (I am a law student and I have not yet read the citation that you gave), I would not have allowed the default without proof first that Global NAPS used the techniques after being served discovery. (Maybe that is what happened, in which case I have no complaint. I will have to read the citation and am commenting prematurely.)
It is interesting that this is a civil case and not a criminal one. What if there were also a pending criminal investigation of Global NAPS for Theft of Services? Could they then be charged then with Obstruction of Justice for destroying evidence?

Susan Brenner said...

You make a very good point about the use of such tools to get rid of data a company (or person, I suppose) no longer needs and wants to destroy.

The analogy here, I suspect, would be to shredding documents: In deciding whether or not a company's shredding documents constitutes obstruction of justice, courts have looked to the circumstances surrounding the shredding. One thing that's been important in that context is whether the shredding was done as part of a routine process of getting rid of old files; it's always helpful if the company has a policy that says it'll purge unneeded data at a set interval, e.g., every 3 years or so. That gives rise to the inference that the shredding was innocuous.

The counterbalancing factor, of course, is if the shredding just happened to start, or occur, about the time the company found it was about to be investigated for criminal activity . . . or, I suppose, for civil litigation.

It's been a while since I read this case, but as I recall the antiforensics were used after discovery had begun (I think it had been going on for quite a while, actually), which gave rise to an inference that their use was part of an effort to destroy evidence, etc. It was also, if I recall correctly, part of a general pattern of uncooperativeness, according to the court.

Yar said...

The use of anti-forensics software such as file wiping and disk wiping software can be bad for a defendant. One of the most used is Evidence Eliminator and it leaves a bad taste in the court's mouth. You should probably use full disk encryption and other methods as well to prevent an examination altogether.