This raises interesting points. Say your average joe computer user, if I examined this I would think something unusual was going on. I "assume" 😯 the average person knows little about these functions or the benefit of them - certainly not all together I would think - BUT that would need substantial research to substantiate that claim.
Good, then I am (actually my computer usage is) different from (above/more advanced than?) average.
How do you determine how much a user (or his/her computer usage) is "average"?
And once determined (in a non controversial and provable way) that the suspect's usage is actually "unusual" where does the border between "unusual" and "anti-forensics" lie?
Rather than thinking 'it was never there', AF marks may actually alert you to something else.
I understand how perceiving the usage of such (let's for the moment continue to call them "anti forensics") techniques as adversarial may prompt the investigator to "dig deeper", but once all the holes have been dug (and nothing has been found) the game is over, and the fact that you lost not only doesn't allow you to assume I cheated, but I should not bear any consequences (unless you can actually prove I cheated).
Or is evidence of absence (vs. absence of evidence) actually reasonable?
https://
In some circumstances it can be safely assumed that if a certain event had occurred, evidence of it could be discovered by qualified investigators. In such circumstances it is perfectly reasonable to take the absence of proof of its occurrence as positive proof of its non-occurrence.
jaclaz
In reference to Jaclaz,
How do you determine how much a user (or his/her computer usage) is "average"?
And once determined (in a non controversial and provable way) that the suspect's usage is actually "unusual" where does the border between "unusual" and "anti-forensics" lie?
The border is most likely when the DF examiner can prove solely through a data set examination the deliberate destruction, hiding or obfuscating of data substantiating and / or proving both a criminal event and the suspect's malicious intent.
Again, that is not a DF examiner's core expertise, as it requires a much broader and not necessarily just digital investigative approach and additional information than an electronic data examination can usually provide by itself.
A DF examination is just a small, but important, supportive expertise within the investigative process.
My opinion in short: the average DF examiner cannot!
Saludos.
The border is most likely when the DF examiner can prove solely through a data set examination the deliberate destruction, hiding or obfuscating of data substantiating and / or proving both a criminal event and the suspect's malicious intent.
Yep, and everything revolves around the bolded words in the quote: maybe one can prove the destruction, hiding or obfuscating, but proving that it was deliberate is an altogether different issue.
And I would add that someone can deliberately destroy, hide or obfuscate his/her own data[1] for a number of reasons (as said: privacy, fear of having it stolen, paranoia, etc.), so not only would the investigator need to prove that the destruction/hiding/obfuscating was deliberate, but also that the reason why it happened was to obstruct the investigation.
And of course in the case of actually destroyed data, there is no real way to know if what was deleted and is totally unrecoverable was a compromising recording or a lolcat video (or a duplicate of a downloaded program, or *whatever*).
jaclaz
[1] since the data is his/her own data it is perfectly legal to destroy, hide or obfuscate it, AFAICT.
There are legit uses for anti-forensics and so called privacy enhancing technologies.
Some reporters use it when traveling, human rights workers abroad as well as "fun" government agencies. And the latter can sometimes even assist the first two categories in a functioning democratic state where the freedom of press is respected.
Whenever there is a need to install and run internet capable software, traces can be found elsewhere off the system, and this even if you are using a live system on DVD/USB. Some of those live distributions are not configured properly to be used for privacy; they are set up for convenience, and if there is legit hacking from a government agency of that nation, then it can be compromised and accessed by that state. This is regardless of where an individual is on the planet.
Iran for example says that you can never give up your nationality, exposing thousands of dissidents worldwide to government surveillance. Some nations do not give a second thought about hacking dissidents' computers in other countries; we've seen this reported from open sources like Citizen Lab. What your democratic government agency is unwilling to do does NOT set the standard globally.
Unless the system is fully wiped, there are also artifacts left on the system. A wiper can rarely wipe itself, and as most of us know, there can still be data artifacts left in VSC and similar functionality. Destroying data without destroying everything is hard, but it can be enough to make an investigation hard.
I suggest that everyone wanting to call themselves a good IT-forensics investigator double down on these tools and learn how they work. Take at least one day of the year to look into this field. Are there any shortcomings? Do they fail under certain circumstances?
Anti forensics cannot be as simple as "uh, child pornography". There are many levels of gray here.
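The point above about artifacts surviving in VSC (Volume Shadow Copies) after a wipe is the kind of thing an examiner can check directly. The following PowerShell script is an added example, not code from the original post or from any tool it mentions: it enumerates every shadow copy on a Windows host, exposes each one through a directory symlink to its raw device object, and reports whether a file that is gone from the live volume still exists in any snapshot. The target path `C:\Users\alice\Documents\notes.txt` is a hypothetical placeholder; running it requires an elevated prompt because `mklink` and the shadow device paths need administrator rights.

```powershell
# Added example (not part of the original post): look for a file that has been
# wiped from the live volume inside every Volume Shadow Copy on the machine.
# Run from an elevated PowerShell prompt. $Target is a hypothetical placeholder.
param(
    [string]$Target = 'C:\Users\alice\Documents\notes.txt'
)

# Win32_ShadowCopy lists every snapshot; DeviceObject is the raw device path,
# e.g. \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy | Sort-Object InstallDate
if (-not $shadows) {
    Write-Host 'No shadow copies present on this host.'
    return
}

# Path relative to the volume root, e.g. \Users\alice\Documents\notes.txt
$relative = $Target.Substring(2)
$hits = @()

foreach ($sc in $shadows) {
    # Shadow devices cannot be browsed directly; a directory symlink pointing at
    # the device object (trailing backslash is required) makes them accessible.
    $mount = Join-Path $env:TEMP ('vsc_' + $sc.ID.Trim('{}'))
    cmd /c mklink /d "$mount" "$($sc.DeviceObject)\" | Out-Null
    try {
        $candidate = Join-Path $mount $relative
        if (Test-Path -LiteralPath $candidate) {
            # Hash the snapshot copy so it can later be matched against other sources
            $hash = (Get-FileHash -LiteralPath $candidate -Algorithm SHA256).Hash
            $hits += [pscustomobject]@{
                SnapshotTime = $sc.InstallDate
                Volume       = $sc.VolumeName
                Path         = $candidate
                SHA256       = $hash
            }
        }
    }
    finally {
        # rmdir on a directory symlink removes only the link, never the snapshot contents
        cmd /c rmdir "$mount" | Out-Null
    }
}

if ($hits) {
    $hits | Format-Table -AutoSize
}
else {
    Write-Host "Not present on the live volume or in any of $($shadows.Count) shadow copies."
}
```

The script only reads from the snapshots and removes nothing but the temporary symlinks, which matters when the host is itself evidence; on an acquired image the same check is done by mounting the image read-only and parsing the VSS store offline instead of going through `Win32_ShadowCopy`.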
Some reporters use it when traveling, human rights workers abroad as well as "fun" government agencies. And the latter can sometimes even assist the first two categories in a functioning democratic state where the freedom of press is respected.
From our functioning democratic perspectives, this would be called communications security, information security, or in the matter of "fun government agencies", operational security.
I do not see any AF in here.
I think it all comes back to what we consider the DFIR definition of AF and in further reference to
Anti forensics cannot be as simple as "uh, child pornography". There are many levels of gray here.
If the destroying, hiding or obfuscating of data related to criminal and / or civil wrongdoing, within the applicable legislation of course, and with the objective of malicious intent, there would be no grey area at all.
It would in fact be pretty simple and straight forward.
But…..we first have to agree on a definition of what AF is within DFIR. Without it, we can only speculate and share personal opinions.
From our functioning democratic perspectives, this would be called communications security, information security, or in the matter of "fun government agencies", operational security.
I do not see any AF in here.
What part of communications security features wiping data, live boot systems, user training not to leave tracers on the network, deliberate data hiding on media or masking of data to prevent foreign governments from accessing data?
What you are describing is comsec; it pretty much ends just outside the field of encryption. Protecting signals or their meta from interception is pretty much all it does.
If the destroying, hiding or obfuscating of data related to criminal and / or civil wrongdoing, within the applicable legislation of course, and with the objective of malicious intent, there would be no grey area at all.
Try working as a reporter and tell that to a non democratic foreign government. Legal in your country does not mean legal in another.
Needless to say, I do not agree with your standpoint; I know that people have died because someone else was careless with digital media.
You should know that there are people who have done work in both forensics and antiforensics for the purposes mentioned above.
If the destroying, hiding or obfuscating of data related to criminal and / or civil wrongdoing, within the applicable legislation of course, and with the objective of malicious intent, there would be no grey area at all.
Only if the Law prohibits the destroying, hiding or obfuscating of one's own data in an absolute way, otherwise the gray area remains about the (malicious or not malicious) intent (and how to prove it).
Let's try, for the sake of the discussion, another one (easier to categorize as an attempt to destroy evidence): the suspect, immediately before his arrest, tries (and succeeds) to smash his phone with a hammer into unrecoverable bits.
Would prosecution be able to prove this malicious intent?
Or would his defense lawyer be able to convince the Court (or the Jury) that the hammering happened only because of an outburst of rage because the stupid device wasn't working?
Sure, if you find that a device *like* this one
https://
was used to wipe a disk and is still "hot" ;) , then it might be easier.
But if - say - the suspect has a pile of wiped disks near the device, a way out starts to become possible …. :roll:
jaclaz
What part of communications security features wiping data, live boot systems, user training not to leave tracers on the network, deliberate data hiding on media or masking of data to prevent foreign governments from accessing data?
Well, the activities you describe could basically all fall under the umbrella of communications security. Although primarily intended to prevent the compromise of the contents of communications by "unlawful 3rd parties", it is much broader than just "encryption". It is also something a journalist could need from the perspective of source protection. Thus by wiping the call history in his / her own democratic country prior to traveling to less fun countries, that would fall under the umbrella(s) of communications security / information security or even operational security.
Once in the less fun country, that same action could definitely be seen as AF, depending on their law and legislation.
What you are describing is comsec; it pretty much ends just outside the field of encryption. Protecting signals or their meta from interception is pretty much all it does.
I am afraid I don't understand what you mean here. Comsec is just the abbreviation of communications security.
Try working as a reporter and tell that to a non democratic foreign government. Legal in your country does not mean legal in another.
Exactly my point as described above; in essence we do agree.
What is considered information security or communications security in 1 country might be seen as AF in another.
That is why we need a definition first.
Let's try, for the sake of the discussion, another one (easier to categorize as an attempt to destroy evidence): the suspect, immediately before his arrest, tries (and succeeds) to smash his phone with a hammer into unrecoverable bits.
Would prosecution be able to prove this malicious intent?
That is a tough one, as in most countries one cannot be forced to comply / assist with his / her own prosecution / conviction.
I therefore think that if absolutely nothing could be salvaged from the device it would be very difficult to prove. However, if even the slightest bit of evidence could be salvaged, or incriminating records from, let's say, an online service provider were added into the mix, malicious intent would be much easier to prove.
I assume that it could be called AF in essence from the DFIR perspective, although I doubt that criminal law would classify it as such as well.
Such an action would probably fall under the same category of a suspect throwing a murder weapon from a bridge that could not be recovered by the authorities.
Unfortunately, I am not legally educated enough to adequately respond to that.
Anyone on this list has any experience with this?
Such an action would probably fall under the same category of a suspect throwing a murder weapon from a bridge that could not be recovered by the authorities.
Poor bridge. 😯 ;)
Seriously, if the object thrown in the river could not be recovered, there is no way to establish that it was a weapon, let alone the weapon used in a murder to kill the victim.
The most the suspect could be charged with is probably illegal dumping; it is when the suspect is seen throwing an object in the river AND an object in that area of the river is recovered AND it turns out to be a murder weapon that you have some (circumstantial) proof, the real proof being of course if fingerprints or DNA traces of the suspect are found on the recovered weapon (or if the weapon belonged to him/her, etc.).
jaclaz