Anti-Forensics Techniques



• Data hiding in file system structures
Data hiding is one of the anti-forensic techniques that attackers use to make data inaccessible. NTFS-based hard disks record bad clusters in a metadata file named $BadClus, and MFT entry 8 represents this file. $BadClus is a sparse file, which allows attackers to hide an unlimited amount of data, and they can also allocate more clusters to $BadClus to hide more data.

• Trail Obfuscation
Trail obfuscation is one of the anti-forensic techniques that attackers use to mislead, complicate, disorient, sidetrack, and/or distract the forensic examination process. The process involves different techniques and tools, such as:
  • Log cleaners
  • Spoofing
  • Misinformation
  • Backbone hopping
  • Zombie accounts
  • Trojan commands
In this method, the attackers delete or modify the metadata of some important files in order to confuse the incident responders. They modify header information and file extensions using various tools. Timestomp, which is part of the Metasploit Framework, is one of the trail obfuscation tools that attackers use to modify, edit, and delete the date and time information of a file and make it useless for the incident responder. Transmogrify is another tool used to perform trail obfuscation.

Using the Timestomp application, one can change the modified date and time stamp completely, thereby undermining the validity of the document and misleading the investigation process.
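Timestomped files are usually still detectable, because a tool that rewrites the $STANDARD_INFORMATION ($SI) timestamps leaves traces that the file system itself would not: the sub-second part of the FILETIME is often exactly zero, and the $FILE_NAME ($FN) timestamps, which the normal timestamp APIs do not expose, keep the real values. The Python below is an added example written for this post, not code from the original or from Timestomp; it works on constructed MFT timestamp values (the record layout and sample dates are assumptions, not taken from a real image) and flags both indicators.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# NTFS stores timestamps as FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
TICKS_PER_SECOND = 10_000_000
EPOCH_DIFF_TICKS = 116_444_736_000_000_000  # ticks between 1601-01-01 and 1970-01-01


def filetime(dt: datetime, subsecond_ticks: int = 0) -> int:
    """Build a FILETIME from a UTC datetime plus an explicit sub-second tick count."""
    return int(dt.timestamp()) * TICKS_PER_SECOND + EPOCH_DIFF_TICKS + subsecond_ticks


@dataclass
class MftTimestamps:
    """The subset of an MFT record that matters here: the created/modified
    values from the $STANDARD_INFORMATION ($SI) and $FILE_NAME ($FN) attributes."""
    name: str
    si_created: int
    si_modified: int
    fn_created: int
    fn_modified: int


def timestomp_indicators(rec: MftTimestamps) -> list:
    """Return human-readable indicators that the $SI timestamps were tampered with."""
    findings = []
    # Indicator 1: a FILETIME whose 100-ns remainder is exactly zero. Real file
    # system writes almost never land on a whole second; a tool that sets the
    # time from a "YYYY-MM-DD HH:MM:SS" string does.
    for label, ft in (("$SI created", rec.si_created), ("$SI modified", rec.si_modified)):
        if ft % TICKS_PER_SECOND == 0:
            findings.append(f"{label} has zeroed sub-second precision")
    # Indicator 2: $SI earlier than $FN. $FN is copied from $SI when the file
    # is created, renamed or moved and is not reachable through the normal
    # timestamp APIs, so $SI being older than $FN means $SI was backdated later.
    if rec.si_created < rec.fn_created:
        findings.append("$SI created is earlier than $FN created (backdated)")
    if rec.si_modified < rec.fn_modified:
        findings.append("$SI modified is earlier than $FN modified (backdated)")
    return findings


# Constructed sample records (not taken from a real image).
_T = datetime(2021, 3, 15, 10, 0, 0, tzinfo=timezone.utc)
_T2 = datetime(2021, 3, 16, 8, 30, 0, tzinfo=timezone.utc)

UNTOUCHED = MftTimestamps(
    name="report.docx",
    si_created=filetime(_T, 1_234_567), si_modified=filetime(_T2, 7_654_321),
    fn_created=filetime(_T, 1_234_567), fn_modified=filetime(_T, 1_234_567),
)

STOMPED = MftTimestamps(
    name="svchost.exe",
    # $SI rewritten to a round 2009 date by a timestomping tool ...
    si_created=filetime(datetime(2009, 1, 1, tzinfo=timezone.utc)),
    si_modified=filetime(datetime(2009, 1, 1, tzinfo=timezone.utc)),
    # ... while $FN still carries the real 2021 creation time.
    fn_created=filetime(_T, 1_234_567), fn_modified=filetime(_T, 1_234_567),
)

if __name__ == "__main__":
    for rec in (UNTOUCHED, STOMPED):
        print(rec.name, timestomp_indicators(rec) or "no indicators")
```

Zeroed sub-second precision on its own is a weak signal (files copied from FAT media or written by some installers also show it), so treat it as a reason to compare $SI against $FN and against the $UsnJrnl and $LogFile entries for the same file rather than as proof by itself.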

Overwriting Data/Metadata:
Intruders use various programs to overwrite data on a storage device, making it difficult or impossible to recover. These programs can overwrite data, metadata, or both to thwart the forensic investigation process. Overwriting programs work in 4 modes:
  •  Overwrite entire media
  •  Overwrite individual files
  •  Overwrite deleted files on the media
  •  Overwriting data can be accomplished by using disk sanitizers
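An overwritten file cannot be recovered, but the act of overwriting leaves its own pattern on the media: long runs of sectors filled with zeros, 0xFF, or a short repeating fill value where the file system says live or recently deleted data used to be. The following Python is an added example for this post, not code from the original or from any sanitizer; it scans a constructed raw image slice (the sector layout is an assumption) and reports runs of uniform sectors that are worth checking against the allocation bitmap.

```python
import hashlib

SECTOR_SIZE = 512


def classify_sector(sector: bytes) -> str:
    """Label one sector as 'zero', 'ones', 'pattern' (a repeating 1/2/4-byte fill)
    or 'data' (anything else)."""
    if sector == b"\x00" * len(sector):
        return "zero"
    if sector == b"\xff" * len(sector):
        return "ones"
    for width in (1, 2, 4):
        unit = sector[:width]
        if unit * (len(sector) // width) == sector:
            return "pattern"
    return "data"


def find_wiped_runs(image: bytes, sector_size: int = SECTOR_SIZE, min_run: int = 8) -> list:
    """Return (start_sector, sector_count, kind) for every run of at least
    min_run consecutive non-data sectors of the same kind."""
    total = len(image) // sector_size
    runs, start, kind = [], 0, None
    # Iterate one past the end so the final run is closed like any other.
    for i in range(total + 1):
        current = classify_sector(image[i * sector_size:(i + 1) * sector_size]) if i < total else None
        if current != kind:
            if kind not in (None, "data") and i - start >= min_run:
                runs.append((start, i - start, kind))
            start, kind = i, current
    return runs


def _pseudo_random_sector(seed: int) -> bytes:
    # Deterministic stand-in for real file content so the example needs no disk image.
    return b"".join(hashlib.sha256(b"sector-%d-%d" % (seed, j)).digest()
                    for j in range(SECTOR_SIZE // 32))


# Constructed image: live data, a wiped region, more data, a short gap, a fill pattern.
SAMPLE_IMAGE = (
    b"".join(_pseudo_random_sector(i) for i in range(16))        # 16 sectors of live data
    + b"\x00" * (32 * SECTOR_SIZE)                                # 32 zero-filled sectors
    + b"".join(_pseudo_random_sector(i) for i in range(16, 24))  # 8 more data sectors
    + b"\x00" * (4 * SECTOR_SIZE)                                 # short zero gap, below min_run
    + b"\x55" * (16 * SECTOR_SIZE)                                # 16 sectors of a 0x55 fill
)

if __name__ == "__main__":
    for start, count, kind in find_wiped_runs(SAMPLE_IMAGE):
        print(f"sectors {start}-{start + count - 1}: {count} x {kind}")
```

Zeroed sectors are normal in never-used space, so a hit only matters when the same sectors are marked allocated in $Bitmap or belong to a recently deleted MFT entry; the pattern classes exist because many sanitizers write a fixed byte or a two- or four-byte sequence rather than zeros.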
Overwriting Metadata:
Metadata refers to the data that stores details of other data. It plays a vital role in the computer forensics investigation process by providing details such as time of creation, names of the systems used for creation and modification, author name, time and date of modification, names of the users who had modified the file, and other details.
Incident responders can produce a timeline of the attackers' actions by organizing the file timestamps and other details in sequential order.

• Encryption
Encryption is the process of translating data into a secret code so that only authorized personnel can access it. It is an effective way to secure data. To read the encrypted file, users need a secret key or a password that can decrypt the file. Therefore, most attackers use encryption as one of the most effective anti-forensic techniques.
Data encryption is one of the commonly used techniques to defeat the forensic investigation process and involves encryption of codes, files, folders, and sometimes complete hard disks. Intruders use strong encryption algorithms to encrypt data of investigative value, which renders it virtually unreadable without the designated key. Some algorithms thwart the investigation process by performing additional functions, including use of a key file, full-volume encryption, and plausible deniability.
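An investigator who cannot decrypt a container can still find it. Well-encrypted data is indistinguishable from random bytes, so it scores close to 8 bits of entropy per byte and has no recognizable header; compressed archives score just as high but announce themselves with magic bytes. The Python below is an added example written for this post, not code from the original; the entropy threshold and the constructed sample inputs are assumptions.

```python
import hashlib
import math
import zlib
from collections import Counter

# Magic bytes of common compressed formats. Compressed data is also high-entropy,
# so a blob that starts with one of these is probably an archive, not a container.
COMPRESSED_MAGIC = {
    b"\x1f\x8b": "gzip",
    b"PK\x03\x04": "zip",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"\x78\x01": "zlib", b"\x78\x9c": "zlib", b"\x78\xda": "zlib",
    b"BZh": "bzip2",
    b"\xfd7zXZ\x00": "xz",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, from 0.0 (one byte value) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chi_square(data: bytes) -> float:
    """Chi-square statistic against a uniform byte distribution (255 degrees of
    freedom; random data scores around 255, structured data far higher)."""
    if not data:
        return 0.0
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def classify_blob(data: bytes, min_entropy: float = 7.9, min_size: int = 4096) -> str:
    """Return 'compressed', 'encrypted_or_random', 'plaintext' or 'too_small'."""
    for magic in COMPRESSED_MAGIC:
        if data.startswith(magic):
            return "compressed"
    if len(data) < min_size:
        return "too_small"  # entropy estimates on tiny inputs are unreliable
    if shannon_entropy(data) >= min_entropy:
        return "encrypted_or_random"
    return "plaintext"


# Constructed sample inputs (not real evidence).
TEXT = b"Quarterly incident summary: three phishing attempts, one contained. " * 200
RANDOM = b"".join(hashlib.sha256(b"seed-%d" % i).digest() for i in range(2048))  # 64 KiB
ARCHIVE = zlib.compress(TEXT)

if __name__ == "__main__":
    for label, blob in (("text", TEXT), ("random", RANDOM), ("archive", ARCHIVE)):
        print(f"{label}: entropy={shannon_entropy(blob):.3f} "
              f"chi2={chi_square(blob):.0f} -> {classify_blob(blob)}")
```

A hit on "encrypted_or_random" is a lead, not a conclusion: besides containers it also matches media files without headers and the key material itself, so the next step is to check the file's size (many volume formats pad to a fixed block size) and whether the surrounding file system references it.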

Encrypted Network Protocols
Attackers use encrypted network protocols to protect the identification of the network traffic as well as its content from forensic examination. A few cryptographic encapsulation protocols, such as SSL and SSH, can only protect the content of the traffic. However, to protect against traffic analysis, attackers must also anonymize themselves whenever possible.
Attackers use virtual routers, such as the onion routing approach, which provides multiple layers of protection. Onion routing is a technique used for anonymous communication over a network. This network encapsulates messages in layers of encryption, similar to the layers of an onion, and employs a worldwide volunteer network of routers that serve to anonymize the source and destination of communications. Therefore, tracing this kind of communication and attributing it to a source is very difficult for incident responders.
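To see why a single captured relay does not give an investigator the source-to-destination link, it helps to build the layers by hand. The Python below is an added illustration for this post, not the original's code and not the Tor protocol: it uses a toy SHA-256 counter-mode cipher (an assumption, chosen to keep the example dependency-free, not a production cipher), three constructed relays with keys shared with the sender, and a `route` function that records exactly what each relay can observe while peeling its own layer.

```python
import hashlib
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256: a toy construction for the demo only."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    return nonce + bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


def wrap_layer(key: bytes, next_hop: str, inner: bytes) -> bytes:
    """One onion layer: the next hop's name followed by the still-encrypted inner onion."""
    name = next_hop.encode()
    return encrypt(key, bytes([len(name)]) + name + inner)


def peel_layer(key: bytes, onion: bytes):
    body = decrypt(key, onion)
    n = body[0]
    return body[1:1 + n].decode(), body[1 + n:]


def build_onion(path, destination: str, payload: bytes) -> bytes:
    """path is an ordered list of (relay_name, key_shared_with_sender); the sender
    wraps from the last relay inwards so each relay can only remove its own layer."""
    onion, next_hop = payload, destination
    for name, key in reversed(path):
        onion = wrap_layer(key, next_hop, onion)
        next_hop = name
    return onion


def route(onion: bytes, first_hop: str, relays: dict, sender: str = "client"):
    """Simulate forwarding. Returns (destination, payload, observations) where
    observations[relay] = (previous_hop, next_hop) is all that relay learns."""
    observations = {}
    previous, current = sender, first_hop
    while current in relays:
        next_hop, onion = peel_layer(relays[current], onion)
        observations[current] = (previous, next_hop)
        previous, current = current, next_hop
    return current, onion, observations


# Constructed circuit: three relays, each with its own key shared with the client.
RELAY_KEYS = {"relay-A": b"A" * 32, "relay-B": b"B" * 32, "relay-C": b"C" * 32}
PATH = list(RELAY_KEYS.items())


def demo():
    payload = b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"
    onion = build_onion(PATH, "example.org", payload)
    return route(onion, "relay-A", RELAY_KEYS)


if __name__ == "__main__":
    destination, payload, observations = demo()
    print("delivered to", destination, "payload", payload[:14])
    for relay, (prev, nxt) in observations.items():
        print(f"{relay} saw: from {prev} -> to {nxt}")
```

The middle relay's record is the point of the exercise: it sees relay-A on one side and relay-C on the other and never the client or example.org, which is why attribution from network evidence alone requires correlating traffic timing at the entry and exit rather than reading any one hop.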

• Buffer Overflow against Forensic Tools
In a buffer overflow exploit attack, the attackers use buffer overflows as an entry point into a remote system to inject and run code within the address space of a running program, thereby successfully altering the victim program's behavior. Usually, attackers use buffer overflows to access the remote system, after which they download attack tools, which get saved on the target machine's hard disk.

• Detecting Forensic Tool Activities
Attackers are well aware of the computer forensic tools that incident responders use to find and analyze evidence from a victim's computer or network. Therefore, they try to incorporate forensic tool and process identification routines into the system or malware they are using. These programs act intelligently and alter their behavior on detecting the computer forensic tool (CFT).
