An Overview of Anti-Forensics Techniques

   Protecting sensitive government data, and data protection in general, has become a great challenge for security architects around the world. Last year the Moroccan government faced many attacks from different parties; the most famous was the “Leaks” of “Chris Coleman”, who shared sensitive documents on social media. To limit the damage of such incidents, this paper discusses how governments can use anti-forensics techniques to protect their own sensitive data. It focuses on the techniques that complicate the work of an investigator and on methodologies for applying them to secure government data. In addition, the paper suggests possible measures such as a private cloud platform in each ministry served over HTTPS, and hardened routers able to withstand different attacks, in order to protect e-government systems by making the sharing of files more secure.

  • Data Saturation :

Data saturation is a fairly traditional method: it consists of accumulating many storage devices and keeping many copies of your data, so that the investigator has far more material to acquire, hash and examine. That volume alone slows the investigation down. Keep in mind the trade-off, though: every extra copy is also one more copy that can be seized and read, so saturation buys time rather than secrecy.

  • File Signature Masking :

File signature masking is one of the basic steps in anti-forensics. It aims to alter the file signature (also called the magic number): the fixed sequence of bytes at the very start of a file that identifies its real format, independently of the extension in the file name. For instance, if we have a picture (e.g. .PNG) and a document (e.g. .PDF) that we want to protect, we can simply use this method. The signature is not always four bytes long; its length depends on the format, and each file type has its own. For instance, JPG files begin with the bytes FF D8 FF (shown as ÿØÿà in a text editor for the common JFIF variant), ZIP files with PK (50 4B 03 04), EXE files with MZ, PNG files with ‰PNG followed by the bytes 0D 0A 1A 0A, and PDF files with %PDF-. The figure below is a simple .PNG picture (image.png). Unfortunately you cannot see the signature in an image viewer, so I advise reopening the file with Notepad (a hex editor is the better tool, since Notepad may corrupt binary content when saving, but Notepad is enough to see the signature). If you do that you will see the window below:


Figure 1 : image.png opened with Notepad

If you change this signature to the signature of another file type (listed above), a quick signature check will misidentify the file, and the investigator will need more time to recognize the real file type. Be aware, though, that only the first bytes change: the rest of the file's structure (the chunk names such as IHDR inside a PNG, the PE header that an EXE's DOS stub points to, the central directory at the end of a ZIP) is untouched, so a forensic tool that compares the extension against the signature, or that parses the content, will still flag the file as suspicious.

You can also create a fake .EXE file in Notepad: write the MZ signature at the start of the file, put your data after it, and save it with the .exe extension. The next figure is another example showing that you can easily hide your data behind a fake file type.


Figure 2 : program.exe file written using Notepad.
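As an added example that is not part of the original article, the following Python script does in code what the text describes with Notepad: it identifies a file by its magic number, overwrites that magic with another format's, and then shows the two checks an investigator would run against the result (extension versus signature, and signature versus the rest of the structure). The PNG and EXE byte strings are constructed minimal samples, not real files, and the signature table is the set of well-known values listed above.

```python
import os
import struct

# Well-known leading byte sequences ("magic numbers") and the extensions normally
# paired with them. Their lengths differ (2 to 8 bytes), which is why a signature
# is not "always the first 4 bytes".
SIGNATURES = {
    "PNG":  (b"\x89PNG\r\n\x1a\n", {".png"}),
    "JPEG": (b"\xff\xd8\xff",       {".jpg", ".jpeg"}),
    "ZIP":  (b"PK\x03\x04",         {".zip", ".docx", ".xlsx", ".jar"}),
    "EXE":  (b"MZ",                 {".exe", ".dll"}),
    "PDF":  (b"%PDF-",              {".pdf"}),
}


def identify_by_magic(data):
    """Quick check most tools do first: which magic number starts the file? None if unknown."""
    for name, (magic, _) in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return None


def identify_by_structure(data):
    """Look past the header at markers that overwriting the first bytes leaves intact."""
    hits = []
    if data[12:16] == b"IHDR":                    # first PNG chunk type sits at offset 12
        hits.append("PNG")
    if data.endswith(b"\xff\xd9"):                # JPEG end-of-image marker
        hits.append("JPEG")
    if b"PK\x05\x06" in data[-65557:]:            # ZIP end-of-central-directory record
        hits.append("ZIP")
    if b"%%EOF" in data[-1024:]:                  # PDF trailer keyword
        hits.append("PDF")
    if len(data) >= 0x40:
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)   # DOS header -> PE header offset
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            hits.append("EXE")
    return hits


def mask_signature(data, fake):
    """Overwrite only the leading bytes with another format's magic number.

    Returns (masked_bytes, overwritten_bytes). Keep the second value: when the fake
    magic is longer than the real one (PNG over EXE) the extra bytes belong to the
    original header and cannot be guessed back later.
    """
    magic, _ = SIGNATURES[fake]
    return magic + data[len(magic):], data[:len(magic)]


def restore_signature(masked, overwritten):
    """Put the saved original bytes back; exact inverse of mask_signature."""
    return overwritten + masked[len(overwritten):]


def triage(filename, data):
    """What a first-pass signature analysis reports for one file."""
    ext = os.path.splitext(filename)[1].lower()
    by_magic = identify_by_magic(data)
    by_structure = identify_by_structure(data)
    return {
        "ext": ext,
        "magic": by_magic,
        "structure": by_structure,
        # extension/signature mismatch: the classic flag raised by signature analysis
        "ext_matches_magic": by_magic is not None and ext in SIGNATURES[by_magic][1],
        # header says one thing, the body says another: the mask itself becomes the clue
        "header_tampered": bool(by_structure) and by_magic not in by_structure,
    }


# Constructed minimal samples (not real files): a PNG with IHDR and IEND chunks, and a
# DOS/PE stub whose e_lfanew field points at a "PE\0\0" header.
SAMPLE_PNG = (b"\x89PNG\r\n\x1a\n"
              + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 13 + b"\x00" * 4
              + b"\x00\x00\x00\x00IEND\xaeB`\x82")
SAMPLE_EXE = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 20

if __name__ == "__main__":
    masked, saved = mask_signature(SAMPLE_PNG, "PDF")     # disguise the picture as a PDF
    print(triage("report.pdf", masked))                   # magic says PDF, structure says PNG
    print(restore_signature(masked, saved) == SAMPLE_PNG)
```

Renaming the masked picture to report.pdf defeats the extension check, because both the name and the magic now say PDF, but the IHDR chunk still sits at offset 12 and gives the file away to anyone who looks past the header. The same holds for an EXE masked as a PNG: the e_lfanew field at offset 0x3C is untouched and still points to a valid PE header.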

  • Restricted filenames :

Another anti-forensics method is to rename your folders or files to one of the reserved device names. In Windows, CON, PRN, AUX, NUL, COM1, COM2, COM3, COM4, COM5, COM6, COM7, COM8, COM9, LPT1, LPT2, LPT3, LPT4, LPT5, LPT6, LPT7, LPT8 and LPT9 are all reserved names.

These names are reserved because they refer to devices in MS-DOS and in the Win32 API (CON is the console, PRN the printer, NUL the null device, and so on). If you name a folder CON, for example, you make the investigator's life harder, because Explorer and ordinary Windows applications cannot open it and give no useful explanation of what is wrong with it. Such a folder cannot be opened, copied or moved normally, you cannot create a new folder inside it, and even if files are placed in it through the device path, Explorer reports its size as 0 bytes because it cannot enumerate the contents. You can create one by typing “ md \\.\C:\Users\Ahmed\Desktop\con ” in the Windows Command Prompt: the \\.\ prefix makes Windows skip the name check (and “ rd \\.\C:\Users\Ahmed\Desktop\con ” removes it again). Note that the restriction lives in the Win32 layer, not in NTFS: a forensic tool that parses the file system directly, or a Linux system reading the disk, sees the folder and its contents without any trouble.
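As an added example that is not part of the original article, here is a small Python script that applies the classic Win32 reserved-name rule to a directory listing (the check an investigator would run to spot such folders) and, on Windows only, creates and removes a reserved-name folder through the \\?\ device path in the same way the md command above does. The listing is constructed for the example; the hypothetical Desktop path is only a placeholder.

```python
import os

# Win32 reserved device names. In the classic rule the restriction applies to the bare
# name and to the name followed by an extension (CON.txt), case-insensitively.
RESERVED = ({"CON", "PRN", "AUX", "NUL"}
            | {"COM%d" % i for i in range(1, 10)}
            | {"LPT%d" % i for i in range(1, 10)})


def is_reserved_name(name):
    """Apply the classic Win32 rule to one directory entry.

    The Win32 layer strips trailing spaces and dots, and treats everything after the
    first dot as an extension, so 'con', 'CON.txt', 'Nul.' and 'aux ' all match while
    'console.log' and 'LPT10' do not.
    """
    base = name.rstrip(" .").split(".", 1)[0].upper()
    return base in RESERVED


def find_reserved(entries):
    """Entries of a listing that carry a reserved name, sorted for stable reporting."""
    return sorted(e for e in entries if is_reserved_name(e))


def device_path(path):
    r"""Prefix an absolute path with \\?\ so Win32 skips its name rules (same effect as
    the \\.\ prefix used with md in the text)."""
    return "\\\\?\\" + os.path.abspath(path)


def make_reserved_dir(path):
    r"""Create a folder such as C:\Users\Ahmed\Desktop\con. Windows only: on other
    systems the name is ordinary and needs no special handling."""
    if os.name != "nt":
        raise OSError("reserved names only have special meaning on Windows")
    os.mkdir(device_path(path))


def remove_reserved_dir(path):
    r"""Counterpart of 'rd \\.\C:\...\con': Explorer cannot delete it, the device path can."""
    if os.name != "nt":
        raise OSError("reserved names only have special meaning on Windows")
    os.rmdir(device_path(path))


# Constructed listing (not taken from a real system), as an investigator might collect
# it from a directory walk or from parsing the NTFS MFT directly.
CONSTRUCTED_LISTING = ["Budget2015.xlsx", "con", "Nul.txt", "com1",
                       "report.pdf", "LPT10", "aux.", "console.log"]

if __name__ == "__main__":
    print(find_reserved(CONSTRUCTED_LISTING))   # ['Nul.txt', 'aux.', 'com1', 'con']
    if os.name == "nt":
        target = os.path.join(os.path.expanduser("~"), "Desktop", "con")  # placeholder path
        make_reserved_dir(target)
        remove_reserved_dir(target)
```

Because the check works on names alone, it runs equally well over a listing produced by a forensic suite that reads NTFS directly, which is exactly why the trick delays an investigator working through Explorer but not one working from a disk image.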

There are other anti-forensics techniques that we will tackle in the next articles. I hope you enjoyed the article and that it gave you some insight into this interesting topic.

