DFIR Training Blog



Anti-Forensic/Counter-Forensic Tools and then some

I want to expand a little on David Cowen’s Daily Blog #442: Anti Forensic Tools in the Wild, regarding the terminology I prefer to use.

Like David said, we encounter data wiping in cases on occasion, sometimes on many occasions. Specifically, I mean the cases where the suspect/custodian has intentionally wiped files to prevent recovery by folks like us. Sometimes it works. Sometimes it doesn’t. 

When I state in a report or give testimony that someone used anti/counter forensic software, I explain that the person intentionally used software (or hardware) in a manner to thwart forensic recovery or obstruct the investigation and analysis. I am specific when calling out “anti” or “counter” forensics activity, based on several factors.

Name of the software

One of the factors is the name of the software used to wipe the data. Dave’s list has a few good ones. “Evidence Eliminator” is a prime example of a software tool whose name gives you its intended purpose; in this example, to eliminate evidence. By itself, the name of a tool should not be the only measure of its use, but it is certainly a consideration.

Use of the software

The other factor I consider is the use of the software. When the name of the software clearly states its intended purpose (“Evidence Eliminator”) and the use of the software implies the intention of the user, then it’s easy to say that anti/counter-forensics was employed. In one case I had, I found that the custodian installed CCleaner after a preservation order, ran CCleaner multiple times using all types of settings, then uninstalled CCleaner the day before providing the computer for analysis. That is clear intention based on the type of software (and its name), its use, and the circumstances.

However, when the software/hardware used has an intended purpose other than anti/counter-forensics, the user’s intention needs to be shown more clearly. For example, a command prompt is an innocent application, except when it is used to format a drive containing evidence or to delete evidence files. A person who formats an external drive using a command prompt (or DiskPart) after a preservation order, then denies deleting any files, clearly was employing anti/counter-forensics measures using an application not designed for malicious purposes. In this example, you can call DiskPart an anti/counter-forensic tool in this specific use of the tool. This is like a hammer that is used to build a house and is also used as a dangerous weapon. The use and intention matter most, regardless of the type of tool used.
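The two factors above (the name of the tool and its use relative to the preservation order) can be written down as a timeline check an examiner runs over execution artifacts. The script below is an added example, not code from the original post or any product; the events, dates and artifact sources are constructed for illustration, and the keyword list used to decide whether a command-prompt or DiskPart invocation was destructive is an assumption you would tune to your own case. It reports purpose-built wipers on any post-order install or execution, but reports dual-use tools such as cmd.exe only when the recorded command line was destructive, which is the distinction the two paragraphs above draw.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed artifact timeline for illustration; not taken from any real case.
# Fields: date the artifact shows, artifact source, program, action, command line.
EVENTS = [
    (date(2019, 1, 10), "Prefetch",        "CCleaner.exe", "run",       ""),
    (date(2019, 3, 3),  "Uninstall key",   "CCleaner.exe", "install",   ""),
    (date(2019, 3, 4),  "Prefetch",        "CCleaner.exe", "run",       ""),
    (date(2019, 3, 5),  "Prefetch",        "CCleaner.exe", "run",       ""),
    (date(2019, 3, 5),  "Console history", "cmd.exe",      "run",       "format E: /q"),
    (date(2019, 3, 6),  "Console history", "cmd.exe",      "run",       "dir E:"),
    (date(2019, 3, 6),  "Uninstall key",   "CCleaner.exe", "uninstall", ""),
    (date(2019, 3, 6),  "Prefetch",        "notepad.exe",  "run",       ""),
]
PRESERVATION_ORDER = date(2019, 3, 1)   # constructed date the order was served
HANDOVER = date(2019, 3, 7)             # constructed date the computer was produced

# Tools named in the post. A purpose-built wiper carries its intent in its name;
# a dual-use tool is reported only when the command line itself was destructive.
PURPOSE_BUILT = {"evidenceeliminator.exe", "ccleaner.exe"}
DUAL_USE = {"cmd.exe", "diskpart.exe"}
DESTRUCTIVE_KEYWORDS = ("format", "clean", "del ", "erase", "rd ", "rmdir")  # assumed list


@dataclass
class Finding:
    program: str
    category: str                       # "purpose-built" or "dual-use"
    runs_after_order: int = 0
    installed_after_order: bool = False
    uninstalled_before_handover: bool = False
    destructive_commands: list = field(default_factory=list)

    def supports_anti_forensics(self) -> bool:
        """Name alone is enough for a purpose-built tool; use is required for a dual-use one."""
        if self.category == "purpose-built":
            return self.runs_after_order > 0 or self.installed_after_order
        return bool(self.destructive_commands)


def assess(events, order_date, handover_date):
    """Return a Finding per tool whose post-order activity supports an anti-forensics conclusion."""
    findings = {}
    for when, _source, program, action, cmdline in events:
        prog = program.lower()
        if prog in PURPOSE_BUILT:
            category = "purpose-built"
        elif prog in DUAL_USE:
            category = "dual-use"
        else:
            continue                    # unrelated program, nothing to infer
        if when < order_date:
            continue                    # activity before the order carries no obstruction inference
        f = findings.setdefault(prog, Finding(prog, category))
        if action == "install":
            f.installed_after_order = True
        elif action == "uninstall" and when < handover_date:
            f.uninstalled_before_handover = True
        elif action == "run":
            f.runs_after_order += 1
            if any(k in cmdline.lower() for k in DESTRUCTIVE_KEYWORDS):
                f.destructive_commands.append((when, cmdline))
    return {p: f for p, f in findings.items() if f.supports_anti_forensics()}


def narrative(findings, order_date):
    """One sentence per finding, phrased the way a report would state it."""
    lines = []
    for f in findings.values():
        if f.category == "purpose-built":
            bits = [f"{f.program} executed {f.runs_after_order} time(s) after the "
                    f"{order_date} preservation order"]
            if f.installed_after_order:
                bits.append("installed after the order")
            if f.uninstalled_before_handover:
                bits.append("uninstalled before the computer was produced")
            lines.append("; ".join(bits))
        else:
            cmds = ", ".join(f"'{c}' on {d}" for d, c in f.destructive_commands)
            lines.append(f"{f.program} used for destructive command(s) after the order: {cmds}")
    return lines


if __name__ == "__main__":
    for line in narrative(assess(EVENTS, PRESERVATION_ORDER, HANDOVER), PRESERVATION_ORDER):
        print(line)
```

Run as written, it reports CCleaner (installed after the order, run twice, uninstalled before handover) and cmd.exe (one format command); the January CCleaner run predates the order and is ignored, and the later `dir E:` and notepad.exe activity are not reported. The same logic applied to a DiskPart session that only listed disks would return nothing, which is the point: the dual-use tool is named in a finding only for the specific use that destroyed data.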

I like the easy cases of data wiping software used after a preservation order was served. The evidence may be gone, but showing the use of the software after the fact certainly makes for a better case anyway. I also like the more difficult cases where legitimate software has been used for bad purposes. This takes a little more time to show intention, but there is no difference between using Evidence Eliminator or a Command Prompt when the intention and result are the same. Both are anti/counter-forensics use of software regardless of the intended purpose of the software.

As far as “anti” and “counter” forensics go, I don’t really see a difference in the terminology, but you may prefer one over the other. Both are clear, in that they both refer to anything that someone has done to make your job more difficult. Some malware sort of works the same way: legitimate software used for malicious purposes.

By the way, the best anti/counter-forensics method that I have found is something I call the “Lake Washington Defense”. In one matter I had, the custodian kept throwing the devices into Lake Washington, or rather, offered “the laptop fell out of the boat” type excuses. In those cases, the data is gone…like really gone. I testified that the “lost” items were apparently anti-forensic methods employed to prevent forensic recovery of any data :)

Written by: Brett Shavers
