The usual suspects of deleting browser history and cache files are normally recoverable in one state or another, but I have witnessed a growing trend in the installation of anti-forensic software, or the remnants of it having been installed at some point, as users become smarter.

As an example; MelBek was recently asked to look for something specific on a company owned laptop. When examining the contents of the laptop further, it quickly became apparent that an anti-forensic application had been used to erase data.

When the user had removed the anti-forensics application a trail was left behind, which we were able to use as evidence. This type of residual evidence can be crucial in an investigation, but this should not be where the investigation stops, as there is always the need to consider user error.

I am sure some of us in the forensic world have seen cases where there appears to have been data erased, only to find that the user forgot a folder; or didn't allow enough time for the deletion process; or perhaps the software has a context menu and they need to manually right click and carry out a further action, only they forgot.

I see this quite often and have come to the conclusion that anti-forensic software gives false reassurance to the user and they become complacent. They think it is running constantly, forgetting that it may crash, or neglecting to run it entirely.

Anti-forensic software is readily available for download and some of it does a pretty good job of covering the user's tracks, with a home user there is little you can do to avoid this kind of situation. For organisations this is not the case, it can be avoided by not allowing local administrator access on the workstations or laptops, and by enforcing good security procedures.

I regularly come across PCs with local administrator access being given to the user, normally because of a software requirement, but this kind of network administration can have serious consequences when forensics investigation is needed.

Of course you will not stop the determined user that boots a CD and runs anti-forensic software that way; trying to produce evidence that proves this was the case can be impossible at times, but there are plenty of things that can be done to stay one step ahead.

So are users getting smarter? I think they are; but as long as they remain human they are always vulnerable to making mistakes, and it is the job of the industry to outsmart them.