What Anti-Forensic Techniques Are There?
Whilst a computer forensic or mobile phone forensic investigation can examine all live and deleted data present on a device, data can also be hidden or otherwise prevented from being accessible to a forensic investigator. This article describes various ways in which data can be hidden.
Encryption
Encryption is the process of converting data into a format that cannot be read or deciphered without knowledge of a key or password.
Encryption can be used to prevent unauthorised access to or use of confidential data or files, which can then only be opened by a user who knows the key.
The most popular types of encryption currently are summarised below:
Data Encryption Standard (DES)
The Data Encryption Standard was originally developed by the US Government and was believed to be unbreakable. Increased processing power has since rendered the 56-bit standard obsolete; however, it is still used within many products because it requires only limited computing power.
TripleDES
TripleDES is an updated version of DES that was developed by the US Government after the original version was cracked. Effectively, TripleDES runs DES three times in order to make it harder to break.
The data is encrypted, then decrypted and then encrypted again, which gives it a nominal key length of 168 bits.
RSA
RSA was one of the first public key cryptographic algorithms. It uses asymmetric (public key) encryption and is used within SSH, OpenPGP, SSL/TLS and S/MIME; RSA keys are normally 1024 or 2048 bits in length.
Advanced Encryption Standard (AES)
The Advanced Encryption Standard (AES) is the trusted US Government encryption standard. It is based upon the Rijndael algorithm, developed by Joan Daemen and Vincent Rijmen, which was selected by the National Institute of Standards and Technology (NIST) to become the successor to DES.
AES is a symmetric key algorithm with key lengths of 128, 192 or 256 bits. Brute forcing a key requires so much processing power that it would take billions of years to recover an AES-128 key.
Twofish
Twofish lost out to AES in the finals of the NIST competition and works with 128, 192 and 256 bit keys. It is regarded as the fastest encryption algorithm, is free to use and appears in common encryption software such as VeraCrypt and OpenPGP.
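To put the statements above about DES being obsolete and AES taking billions of years to brute force on the same footing, this added calculation (not from the original article) assumes an attacker able to test $10^{12}$ keys per second; that rate is an assumption chosen for illustration.

$$N_{\text{DES}} = 2^{56} \approx 7.2 \times 10^{16}, \qquad t_{\text{DES}} = \frac{2^{56}}{10^{12}\,\text{s}^{-1}} \approx 7.2 \times 10^{4}\ \text{s} \approx 20\ \text{hours}$$

$$N_{\text{AES-128}} = 2^{128} \approx 3.4 \times 10^{38}, \qquad t_{\text{AES-128}} = \frac{2^{128}}{10^{12}\,\text{s}^{-1}} \approx 3.4 \times 10^{26}\ \text{s} \approx 1.1 \times 10^{19}\ \text{years}$$

$$\frac{t_{\text{AES-128}}}{t_{\text{DES}}} = 2^{128-56} = 2^{72} \approx 4.7 \times 10^{21}$$

These are exhaustive-search times (on average the key is found halfway through), and each additional key bit doubles the work, which is why a 56-bit key is within reach of modern hardware while a 128-bit key is not.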
Symmetric and Asymmetric Algorithms
An asymmetric algorithm uses two different keys, one to encrypt and one to decrypt data, whereas a symmetric algorithm uses a single key for both.
Steganography
Steganography is the hiding of data within apparently normal files, such as images, so that the hidden data cannot be easily identified.
The file containing the data does not look different from other similar files, allowing the data, including messages or other files, to be hidden within it and go unnoticed.
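As an added example (not from the original article), the following Python shows the least-significant-bit form of image steganography described above and the histogram check a forensic examiner can run against it. The cover image, the message and the 64x64 dimensions are constructed inline, so it runs without any image files.

```python
import hashlib
import struct
from collections import Counter

# Constructed 64x64 8-bit greyscale cover (deterministic noise, not a real photo):
# only about a quarter of pixels get an odd value, so each histogram pair (2k, 2k+1)
# is skewed, as image statistics normally are before anything is hidden in them.
def _pixel(x: int, y: int) -> int:
    d = hashlib.sha256(struct.pack(">HH", x, y)).digest()
    return (d[0] & 0xFE) | (1 if d[1] < 64 else 0)
COVER = bytes(_pixel(x, y) for y in range(64) for x in range(64))
# Constructed payload, repeated so the hidden data fills the whole LSB plane.
MESSAGE = b"meeting moved to 0900, bring the drive. "
CAPACITY = (len(COVER) - 32) // 8        # bytes left after the 4-byte length header
PAYLOAD = (MESSAGE * (CAPACITY // len(MESSAGE) + 1))[:CAPACITY]

def embed_lsb(cover: bytes, payload: bytes) -> bytes:
    """Overwrite each pixel's least significant bit with one bit of the length-prefixed payload."""
    data = struct.pack(">I", len(payload)) + payload
    bits = [(b >> (7 - i)) & 1 for b in data for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("payload too large for cover")
    out = bytearray(cover)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)

def extract_lsb(stego: bytes) -> bytes:
    """Read the LSB plane back into bytes; the first four bytes give the payload length."""
    def read(start: int, count: int) -> bytes:
        return bytes(sum((stego[start + 8 * n + i] & 1) << (7 - i) for i in range(8))
                     for n in range(count))
    (length,) = struct.unpack(">I", read(0, 4))
    return read(32, length)

def pair_chi_square(image: bytes) -> float:
    """Chi-square over histogram pairs (2k, 2k+1): embedding roughly balanced bits pulls
    the two counts of each pair together, so the statistic drops sharply on a stego image."""
    hist = Counter(image)
    chi = 0.0
    for k in range(0, 256, 2):
        expected = (hist[k] + hist[k + 1]) / 2
        if expected:
            chi += sum((hist[v] - expected) ** 2 / expected for v in (k, k + 1))
    return chi

def compare() -> tuple:
    """(cover statistic, stego statistic) for the constructed sample; the stego value is far lower."""
    return pair_chi_square(COVER), pair_chi_square(embed_lsb(COVER, PAYLOAD))
```

The pair statistic is only a first-pass indicator: it needs the untouched cover or a baseline for similar images, and it says nothing about payloads that are encrypted or embedded sparsely.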
Tunnelling
Tunnelling uses a process named encapsulation to allow private communication to be exchanged over a public network: the data is repackaged into a different form, allowing the original data to be hidden.
The data packets are commonly sent across public networks using a Virtual Private Network (VPN), which encrypts the data.
Messages can also be sent within several layers of encryption (like the layers of an onion) through a series of network nodes, each of which peels away one layer, so that the sender remains anonymous along the entire path of the message.
Obfuscation
Obfuscation uses jargon and coded phrases to communicate, making it difficult to understand the actual message being sent.
Spoofing
Spoofing is the disguising of communication, including email, phone calls and websites, in order to gain unauthorised access to a system or data.
IP spoofing is when an attacker uses a different IP address in order to hide their actual IP address while sending or conducting malicious activity or communication, such as spoof emails or DDoS attacks.
MAC spoofing is the use of a fake MAC (media access control) address, the unique identifier assigned to a network interface controller (NIC) for use as a network address.
Email spoofing is the use of email messages that contain a forged sender address. It is often used within spam or phishing emails in order to trick the recipient into believing that the message was sent by someone other than the actual sender.
DNS spoofing is the introduction of corrupt Domain Name System data into a resolver's cache, which causes the name server to return an incorrect record (IP address).
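An added example, not part of the original article, of the header checks an examiner applies to a suspected spoofed email: whether the Return-Path and Reply-To domains align with the visible From domain, and what the receiving server recorded for SPF, DKIM and DMARC. Both messages are constructed samples using the reserved example domains.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers; example.com/.net/.org are reserved documentation domains.
SPOOFED = """\
Return-Path: <bounce-4471@mailer.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer.example.net; dkim=none; dmarc=fail header.from=example.com
From: "Finance Director" <director@example.com>
Reply-To: director.example@example.org
To: accounts@example.com
Subject: Urgent payment

Please process the attached invoice today.
"""
LEGITIMATE = """\
Return-Path: <director@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: "Finance Director" <director@example.com>
To: accounts@example.com
Subject: Invoice for March

Attached as discussed.
"""

def _domain(header_value) -> str:
    """Lower-cased domain of an address header, or '' when the header is absent."""
    _, address = parseaddr(header_value or "")
    return address.rpartition("@")[2].lower()

def _aligned(candidate: str, from_dom: str) -> bool:
    """DMARC-style relaxed alignment: the same domain or a subdomain of the From domain."""
    return candidate == from_dom or candidate.endswith("." + from_dom)

def spoof_indicators(raw: str) -> list:
    """Header-level inconsistencies an examiner would flag as signs of a forged sender."""
    msg = message_from_string(raw)
    from_dom = _domain(msg.get("From"))
    findings = []
    for header in ("Return-Path", "Reply-To"):
        dom = _domain(msg.get(header))
        if dom and not _aligned(dom, from_dom):
            findings.append(f"{header} domain {dom} is not aligned with From domain {from_dom}")
    # Receiving MTA's verdicts; 'missing' means the mechanism was never evaluated.
    auth = msg.get("Authentication-Results", "")
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        result = m.group(1).lower() if m else "missing"
        if result != "pass":
            findings.append(f"{mech.upper()} result is {result}")
    return findings
```

Authentication-Results is only trustworthy when it was written by your own receiving server, since a sender can insert a forged one; in practice the check is run against the copy taken from the recipient's mail system.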
About Athena Forensics
For information on our digital forensic services or if you require any advice or assistance please contact a member of our team on 0330 123 4448 or via email on firstname.lastname@example.org, further details are available on our contact us page.
Our clients' confidentiality is of the utmost importance. All correspondence is treated with discretion, from initial contact to the conclusion of any computer forensics investigation.
Our digital forensics experts are fully aware of the significance and importance of the information that they encounter and we have been accredited to ISO 9001 for 10 years.
Our forensic experts are all security cleared and we offer non-disclosure agreements if required. Our premises along with our security procedures have been inspected and approved by law enforcement agencies.
Athena Forensics do not disclose personal information to other companies or suppliers.