Anti-Forensic Trace Detection in Digital Forensic Triage Investigations

Authors

Kyoung Jea Park, Woosuk University, Samnye-eup, Wanju-gun, Jeollabuk-do, South Korea
Jung-Min Park, Soon Chun Hyang University, Shinchang-myeon, Asan-si, South Korea
Eun-jin Kim, Pukyong National University, Yongso-ro, Nam-gu, Busan, South Korea
Chang Geun Cheon, Hanyang University, Wangsimni-ro, Seongdong-gu, Seoul, South Korea
Joshua I. James, Legal Informatics and Forensic Science Institute, Hallym UniversityFollow

Prior Publisher

The Association of Digital Forensics, Security and Law (ADFSL)

Abstract

Anti-forensics, whether intentionally to disrupt investigations or simply an effort to make a computer system run better, is becoming of increasing concern to digital investigators. This work attempts to assess the problem of anti-forensics techniques commonly deployed in South Korea. Based on identified challenges, a method of signature-based anti-forensic trace detection is proposed for triage purposes that will assist investigators in quickly making decisions about the suspect digital devices before conducting a full investigation. Finally, a prototype anti-forensic trace detection system is given to demonstrate the practicality of the proposed method.

References

Casey, E., Fellows, G., Geiger, M., & Stellatos, G. (2011, November). The growing impact of full disk encryption on digital forensics. Digital Investigation, 8 (2), 129–134. Retrieved from http://linkinghub.elsevier.com/ retrieve/pii/S1742287611000727 doi: 10.1016/j.diin.2011.09.005

Casey, E., Ferraro, M., & Nguyen, L. (2009). Investigation Delayed Is Justice Denied: Proposals for Expediting Forensic Examinations of Digital Evidence. Journal of forensic sciences, 54 (6), 1353–1364. Retrieved from http://www3.interscience.wiley.com/ journal/122599763/abstract doi: 10.1111/j.1556-4029.2009.01150.x

Conrad, S., Dorn, G., & Craiger, P. (2010). Forensic Analysis of a PlayStation 3 Console. In Advances in digital forensics vi (pp. 65–76). Springer Berlin Heidelberg. doi: 10.1007/978-3-642-15506-2\ 5

Garfinkel, S. (2007). Anti-forensics: Techniques, detection and countermeasures. In The 2nd international conference on i-warfare and security (iciw) (pp. 77–84).

Geiger, M. (2005). Evaluating Commercial Counter-Forensic Tools. DFRWS , 1–12. Retrieved from https://www.dfrws.org/ 2005/proceedings/ geiger\ couterforensics.pdf

Geiger, M. (2006). Counter-forensic tools: Analysis and data recovery. 18th FIRST Conference. Retrieved from http:// www.cms.first.org/conference/2006/ papers/geiger-matthew-papers.pdf

Gogolin, G. (2010, October). The Digital Crime Tsunami. Digital Investigation, 7 (1-2), 3–8. Retrieved from http://www.sciencedirect.com/ science/article/B7CW4-50S2DC9-1/2/ 1c6a6a38b9f633ddcd445b2115739ac7http:// linkinghub.elsevier.com/retrieve/ pii/S1742287610000526 doi: 10.1016/j.diin.2010.07.001

Harris, R. (2006, September). Arriving at an anti-forensics consensus: Examining how to define and control the anti-forensics problem. Digital Investigation, 3 , 44–49. Retrieved from http://linkinghub.elsevier.com/ retrieve/pii/S1742287606000673 doi: 10.1016/j.diin.2006.06.005

James, J. I. J., Gladyshev, P., & Zhu, Y. (2011). Signature Based Detection of User Events for Post-Mortem Forensic Analysis. Digital Forensics and Cyber Crime, 53 , 96–109. Retrieved from http://link.springer.com/chapter/ 10.1007/978-3-642-19513-6\ 8http:// arxiv.org/abs/1302.2395 doi: 10.1007/978-3-642-19513-6\ 8

Kalber, S., Dewald, A., & Freiling, F. C. (2013, March). Forensic Application-Fingerprinting Based on File System Metadata. In 2013 seventh international conference on it security incident management and it forensics (pp. 98–112). IEEE. Retrieved from http://ieeexplore.ieee.org/lpdocs/ epic03/wrapper.htm?arnumber=6568558 doi: 10.1109/IMF.2013.20

Kang, J., Lee, S., & Lee, H. (2013). A Digital Forensic Framework for Automated User Activity Reconstruction. In R. H. Deng & T. Feng (Eds.), Information security practice and experience (pp. 263–277). Springer Berlin Heidelberg. doi: 10.1007/978-3-642-38033-4\ 19

Khan, M. N. A., Chatwin, C. R., & Young, R. C. D. (2007). Extracting Evidence from Filesystem Activity using Bayesian Networks. International journal of Forensic computer science, 1 , 50–63. Retrieved from http://www.ijofcs.org/V02N1-P04 -ExtractingEvidencefromFilesystem.pdf

Koopmans, M. B., & James, J. I. (2013, September). Automated network triage. Digital Investigation, 10 (2), 129–137. Retrieved from http://linkinghub.elsevier.com/ retrieve/pii/S1742287613000273 doi: 10.1016/j.diin.2013.03.002

Rekhis, S., & Boudriga, N. (2010). Formal Digital Investigation of Anti-forensic Attacks. In Fifth international workshop on systematic approaches to digital forensic engineering (pp. 33–44). IEEE Computer Society. doi: http://dx.doi.org/10.1109/SADFE.2010.9

Rogers, M. K. (2005). Ant-Forensics. In Lockheed martin. San Diego, California. Retrieved from http://cyberforensics.purdue.edu/ documents/AntiForensics\ LockheedMartin09152005.pdf

Shaw, A., & Browne, A. (2013, September). A practical and robust approach to coping with large volumes of data submitted for digital forensic examination. Digital Investigation, 10 (2), 116–128. Retrieved from http://linkinghub.elsevier.com/ retrieve/pii/S1742287613000327 doi: 10.1016/j.diin.2013.04.003

Wundram, M., Freiling, F. C., & Moch, C. (2013, March). Anti-forensics: The Next Step in Digital Forensics Tool Testing. In 2013 seventh international conference on it security incident management and it forensics (pp. 83–97). IEEE. Retrieved from http://ieeexplore.ieee.org/lpdocs/ epic03/wrapper.htm?arnumber=6568557 doi: 10.1109/IMF.2013.17

Recommended Citation

Park, Kyoung Jea; Park, Jung-Min; Kim, Eun-jin; Cheon, Chang Geun; and James, Joshua I. (2017) "Anti-Forensic Trace Detection in Digital Forensic Triage Investigations," Journal of Digital Forensics, Security and Law: Vol. 12 , Article 8.
DOI: https://doi.org/10.15394/jdfsl.2017.1421
Available at: https://commons.erau.edu/jdfsl/vol12/iss1/8