Common anti-forensics techniques represent deliberate methods employed by adversaries to disrupt, obscure, or destroy digital evidence during computer and cyber forensics investigations, challenging investigators to recover and validate artifacts.
These tactics range from data overwriting and timestomping to advanced evasion like steganography and log manipulation, designed to mislead timelines, hide payloads, or render analysis infeasible.
Understanding them equips forensics professionals to detect evasion attempts, employ counter-strategies, and maintain chain of custody integrity against sophisticated threat actors.
Data Destruction and Overwriting
Attackers erase evidence by overwriting storage, making recovery difficult or impossible.
Detection relies on residual magnetic traces or backup remnants; the counter is live acquisition before the wipe occurs.
Timestomping and Metadata Manipulation
Timestomping alters MACB timestamps to break investigative timelines.
Tools modify the $STANDARD_INFORMATION (SI) and $FILE_NAME (FN) attributes in the NTFS MFT, creating discrepancies that are detectable through analysis. On Linux, touch commands reset access times; script kiddies target exFAT for simplicity.
Forensic counters: Cross-validate multiple timestamp sources, check $LogFile journals, use super timelines.
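The SI-versus-FN cross-check described above, as an added example rather than code from the page: it assumes MFT records already parsed into dictionaries of raw FILETIME values (the dictionary layout, the sample records and the file names are constructed for illustration), and flags records whose $STANDARD_INFORMATION predates $FILE_NAME or has been rewritten at whole-second precision.

```python
from datetime import datetime, timedelta, timezone
# FILETIME: 100 ns ticks since 1601-01-01 UTC, as stored in both SI and FN attributes.
_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
_FIELDS = ("created", "modified", "entry_modified", "accessed")

def dt_to_filetime(dt, subsecond_ticks=0):
    return (dt - _EPOCH) // timedelta(microseconds=1) * 10 + subsecond_ticks

def filetime_to_dt(ft):
    return _EPOCH + timedelta(microseconds=ft // 10)

def has_zero_subsecond(ft):
    return ft % 10_000_000 == 0  # 10^7 ticks per second

def check_record(rec):
    """Return timestomping indicators for one parsed MFT record (empty if clean)."""
    si, fn = rec["si"], rec["fn"]
    findings = []
    # 1. $FILE_NAME is written only by the kernel, so a user-mode tool that
    #    backdates $STANDARD_INFORMATION leaves SI older than FN.
    for f in ("created", "modified"):
        if si[f] < fn[f]:
            findings.append(f"{f}: SI {filetime_to_dt(si[f])} predates FN {filetime_to_dt(fn[f])}")
    # 2. Tools that set times at one-second granularity zero every SI sub-second
    #    field while FN keeps the original precision.
    if all(has_zero_subsecond(si[f]) for f in _FIELDS) and not all(has_zero_subsecond(fn[f]) for f in _FIELDS):
        findings.append("all SI timestamps have zero sub-second precision, FN does not")
    return findings

def scan(records):
    """Map file name -> findings for every record that has at least one."""
    return {r["name"]: check_record(r) for r in records if check_record(r)}

def _stamps(created, modified, sub):
    return {"created": dt_to_filetime(created, sub), "modified": dt_to_filetime(modified, sub),
            "entry_modified": dt_to_filetime(modified, sub), "accessed": dt_to_filetime(modified, sub)}

# Constructed sample records (hypothetical values, not parsed from a real MFT).
_T0 = datetime(2024, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
_OLD = datetime(2019, 6, 1, 8, 30, 0, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    {"name": "report.docx",  # untouched: SI creation equals FN, SI modified later
     "si": _stamps(_T0, _T0 + timedelta(hours=1), 1234567),
     "fn": _stamps(_T0, _T0, 1234567)},
    {"name": "tool.exe",  # SI backdated to 2019 at whole-second precision; FN still shows 2024
     "si": _stamps(_OLD, _OLD, 0),
     "fn": _stamps(_T0, _T0, 1234567)},
]
```

Feed `scan()` the output of any MFT parser that exposes both attribute sets; a hit is a lead to corroborate against $LogFile, $UsnJrnl or prefetch, not proof on its own.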

Encryption and Obfuscation
Encryption hides data; obfuscation confuses parsers.
Full-disk encryption (BitLocker, VeraCrypt) locks entire volumes; file shredders are combined with AES encryption. Packers (UPX, Themida) compress or encrypt PE sections to evade signature matching. Obfuscated scripts (encoded PowerShell) resist static scanning.
Counters: Memory forensics for keys, behavioral sandboxes for unpacking.
Steganography and Hiding

Detection: Entropy analysis, stegdetect, ADS enumeration (dir /r).
Anti-Analysis and Evasion
Advanced techniques thwart tools and analysts.
Debugger detection (IsDebuggerPresent), VM checks (redpill), sandbox timing delays. Rootkits (DKOM) unlink processes from lists; fileless malware resides in registry streams.
Memory forensics (Volatility malfind) scans for injected code; behavioral rules flag LOLBins.
Log and Registry Tampering
System records altered to erase footprints.
Event log clearing (wevtutil cl System); registry hives modified offline. Linux logrotate abused; syslog overwritten.
Counters: Forwarded backups, immutable logging, anomaly baselines.

Detection and Counter-Strategies
Holistic approaches overcome evasion.
Baseline normal behaviors; anomaly detection flags outliers. Multiple acquisition layers (live + dead); carve unallocated space. Tool validation and peer review ensure integrity.
In practice, timestomped ransomware has been detected via prefetch artifacts and memory hooks despite wiped logs.