anti-forensics


Re: anti-forensics

Post Posted: Sun Oct 21, 2018 9:24 am

Some reporters use it when traveling, human rights workers abroad as well as "fun" government agencies. And the latter can sometimes even assist the first two categories in a functioning democratic state where the freedom of press is respected.


From our functioning democratic perspectives, this would be called communications security, information security, or in the matter of "fun government agencies", operational security.

I do not see any AF in here.

I think it all comes back to what we consider the DFIR definition of AF and in further reference to:

Anti-forensics cannot be as simple as "uh, child pornography". There are many levels of gray here.


If the destroying, hiding or obfuscating of data related to criminal and / or civil wrongdoing, within the applicable legislation of course, and with the objective of malicious intent, there would be no grey area at all.

It would in fact be pretty simple and straightforward.

But... we first have to agree on a definition of what AF is within DFIR. Without it, we can only speculate and share personal opinions.

xandstorm
Member

Re: anti-forensics

Post Posted: Sun Oct 21, 2018 11:25 am

- xandstorm
From our functioning democratic perspectives, this would be called communications security, information security, or in the matter of "fun government agencies", operational security.

I do not see any AF in here.


What part of communications security features wiping data, live boot systems, user training not to leave tracers on the network, deliberate data hiding on media or masking of data to prevent foreign governments from accessing data?

What you are describing is comsec; it pretty much ends just outside the field of encryption. Protecting signals or its meta from interception is pretty much all it does.


- xandstorm
If the destroying, hiding or obfuscating of data related to criminal and / or civil wrongdoing, within the applicable legislation of course, and with the objective of malicious intent, there would be no grey area at all.


Try working as a reporter and tell that to a non democratic foreign government. Legal in your country does not mean legal in another.

Needless to say, I do not agree with your standpoint; I know that people have died because someone else was careless with digital media.

You should know that there are people who have done work in both forensics and anti-forensics for the purposes mentioned above.

MDCR
Senior Member

Re: anti-forensics

Post Posted: Sun Oct 21, 2018 11:30 am

- xandstorm
If the destroying, hiding or obfuscating of data related to criminal and / or civil wrongdoing, within the applicable legislation of course, and with the objective of malicious intent, there would be no grey area at all.


Only if the Law prohibits the destroying, hiding or obfuscating of one's own data in an absolute way, otherwise the gray area remains about the (malicious or not malicious) intent (and how to prove it).

Let's try, for the sake of the discussion, another one (easier to categorize as an attempt to destroy evidence): the suspect, immediately before his arrest, tries (and succeeds) to smash his phone with a hammer into bits (unrecoverable).

Would prosecution be able to prove this malicious intent?

Or would his defense lawyer be able to convince the Court (or the Jury) that the hammering happened only because of an outburst of rage because the stupid device wasn't working?

Sure, if you find that a device *like* this one:
www.networkworld.com/a...conds.html
was used to wipe a disk and is still "hot", then it might be easier.
But if - say - the suspect has a pile of wiped disks near the device, a way out starts to become possible...


jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member

Re: anti-forensics

Post Posted: Sun Oct 21, 2018 1:38 pm

What part of communications security features wiping data, live boot systems, user training not to leave tracers on the network, deliberate data hiding on media or masking of data to prevent foreign governments from accessing data?


Well, the activities you describe could basically all fall under the umbrella of communications security. Although primarily intended to prevent the compromise of the contents of communications by "unlawful 3rd parties", it is much broader than just "encryption". It is also something a journalist could need from the perspective of source protection. Thus, by wiping the call history in his / her own democratic country prior to traveling to less fun countries, that would fall under the umbrella(s) of communications security / information security or even operational security.

Once in the less fun country, that same action could definitely be seen as AF, depending on their law and legislation.

What you are describing is comsec; it pretty much ends just outside the field of encryption. Protecting signals or its meta from interception is pretty much all it does.


I am afraid I don't understand what you mean here. Comsec is just the abbreviation of communications security.

Try working as a reporter and tell that to a non democratic foreign government. Legal in your country does not mean legal in another.


Exactly my point as described above; in essence we do agree.

What is considered information security or communications security in one country might be seen as AF in another.

That is why we need a definition first.

xandstorm
Member

Re: anti-forensics

Post Posted: Sun Oct 21, 2018 1:48 pm

Let's try, for the sake of the discussion, another one (easier to categorize as an attempt to destroy evidence): the suspect, immediately before his arrest, tries (and succeeds) to smash his phone with a hammer into bits (unrecoverable).

Would prosecution be able to prove this malicious intent?


That is a tough one, as in most countries one cannot be forced to comply / assist with his / her own prosecution / conviction.

I therefore think that if absolutely nothing could be salvaged from the device it would be very difficult to prove. However, if even the slightest bit of evidence could be salvaged, or incriminating records from let's say an online service provider would be added into the mix, malicious intent would be much easier to prove.

I assume that it could be called AF in essence from the DFIR perspective, although I doubt whether criminal law would classify it as such as well.

Such an action would probably fall under the same category of a suspect throwing a murder weapon from a bridge that could not be recovered by the authorities.

Unfortunately, I am not legally educated enough to adequately respond to that.

Does anyone on this list have any experience with this?

xandstorm
Member

Re: anti-forensics

Post Posted: Mon Oct 22, 2018 3:02 am

- xandstorm
Such an action would probably fall under the same category of a suspect throwing a murder weapon from a bridge that could not be recovered by the authorities.


Poor bridge.

Seriously, if the object thrown in the river could not be recovered, there is no way to establish that it was a weapon, let alone the weapon used in a murder to kill the victim.

The most the suspect could be charged with is probably illegal dumping. It is when the suspect is seen throwing an object in the river AND an object in that area of the river is recovered AND it turns out to be a murder weapon that you have some (circumstantial) proof, the real proof being of course if on the recovered weapon fingerprints or DNA traces of the suspect are found (or if the weapon belonged to him/her, etc.).

jaclaz


jaclaz
Senior Member

Re: anti-forensics

Post Posted: Mon Oct 22, 2018 7:35 am

- xandstorm
I am afraid I don't understand what you mean here. Comsec is just the abbreviation of communications security.


If you had worked at such an agency with a need to protect signals (sent over communications channels, regardless of wireless or through cable) you would know the definition of communications security.

Signed,
Ex military guy.  

MDCR
Senior Member