Forensics Evidence Elimination Tools
The work of Ryan Harris (2005), entitled "Arriving at an Anti-Forensics Consensus: Examining How to Define and Control the Anti-Forensics Problem", states that forensic investigation "...endeavors to use science to uncover the transferred evidence and discern its meaning. The examination requires that the evidence be reliable and accurate to ensure a correct outcome. However, criminals may use anti-forensic methods to work against the process or interfere with the evidence itself." (Harris, 2005) Harris relates that there are various definitions of anti-forensic tools and that "several groupings of anti-forensic methods have been proposed..." (2005). The work of Peron and Legary, as cited by Harris, divided these types of anti-forensics or forensic elimination tools into four categories:
1) evidence destroyed;
2) evidence hidden;
3) evidence manipulated; and
4) prevention of the creation of evidence. (Harris, 2005)
Harris notes that the work of Rogers (200) proposed the categories of:
1) data hiding;
2) artifact wiping;
3) trail obfuscation; and
4) attacks against the process and tools. (Harris, 2005)
Harris (2005) notes that these categories overlap one another. Harris states that evidence destruction "involves dismantling of evidence or otherwise making it unusable to the investigative process." (2005) Unlike hiding or manipulation, this method actually destroys the evidence rather than concealing it. The following figure classifies the common anti-forensic or forensic elimination methods.
Classifications of Common Anti-Forensic/Forensic Elimination Methods
Source: Harris (2005)
Evidence destruction is stated by Harris (2005) to involve "dismantling evidence or otherwise making it unusable to the investigative process. This method partially or completely obliterates the evidence; it is not simply making evidence inaccessible such as evidence hiding or evidence source manipulation."
Hiding of evidence by forensic elimination tools involves deleting, overwriting, or concealing the files. According to Harris, "while hiding evidence is not guaranteed to be successful, it can be highly effective because it depends on the inherent limitations of people. It can rely on the blind spots of the investigator by placing evidence at a location the investigator would not normally examine. But it can also use the limitations in the physical or digital world." (2005) In computer forensics the files may be placed in "unusual places to exploit limitations of the digital forensics software." (Harris, 2005) There are various forensic tools that may be utilized to locate and identify user information on computers, marketed by various companies including Timberline Technologies. Some of these tools and their applications are as follows:
CRCMD5 - mathematically creates a signature (a CRC checksum and an MD5 hash) for the contents of files on a device; comparing signatures taken at different times reveals whether the contents of computer files have been changed;
DIBS Forensic Workstation - a complete solution for the problems faced by investigators of computer crimes;
FREDDIE - Forensic Recovery of Evidence Device Diminutive Interrogation Equipment;
EnCase - a fully integrated forensic application for Windows; and
ProDiscover DFT - a completely integrated Windows application for the collection, analysis, management and reporting of computer disk evidence, designed specifically to meet NIST (National Institute of Standards and Technology) standards. (Timberline Technologies, 2005)
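The signature-and-compare idea behind CRCMD5 can be illustrated with a small file-integrity check. The following Python is an added example written for this page; it is not code from the paper, from Harris, or from any Timberline product. It records a CRC-32 and an MD5 digest for every file under a directory, then re-walks the directory and reports files whose contents changed, disappeared, or appeared. The directory layout, file names and contents in the demo are constructed for illustration: one file is overwritten with zeros (artifact wiping), one is deleted (evidence destruction), and one new file is dropped under an unremarkable name (evidence hiding).

```python
"""Added example: baseline file signatures and detect changed, missing and added files.
Not part of the original paper or of any vendor tool; file names below are constructed."""
import hashlib
import os
import tempfile
import zlib


def signature_of_chunks(chunks):
    """Compute (crc32_hex, md5_hex) incrementally over an iterable of byte chunks."""
    crc = 0
    md5 = hashlib.md5()
    for chunk in chunks:
        crc = zlib.crc32(chunk, crc)
        md5.update(chunk)
    return f"{crc & 0xFFFFFFFF:08x}", md5.hexdigest()


def signature_of_bytes(data):
    """Signature of an in-memory buffer (convenience wrapper used in tests)."""
    return signature_of_chunks([data])


def file_signature(path, chunk_size=65536):
    """Signature of a file on disk, read in chunks so large files are not loaded whole."""
    with open(path, "rb") as fh:
        return signature_of_chunks(iter(lambda: fh.read(chunk_size), b""))


def build_baseline(root):
    """Map each file's path (relative to root, '/'-separated) to its signature."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = file_signature(full)
    return baseline


def verify(root, baseline):
    """Re-signature the tree and diff it against the baseline.

    Returns sorted lists of files whose content changed, files that vanished,
    and files present now that the baseline never saw."""
    current = build_baseline(root)
    changed = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    missing = sorted(p for p in baseline if p not in current)
    added = sorted(p for p in current if p not in baseline)
    return {"changed": changed, "missing": missing, "added": added}


def demo():
    """Constructed scenario: baseline three files, then tamper with the tree."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "logs"))
        files = {  # constructed sample content, not real evidence
            "notes.txt": b"meeting at 10\n",
            "logs/auth.log": b"login ok\nlogin failed\n",
            "logs/app.log": b"started\n",
        }
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        baseline = build_baseline(root)

        # Artifact wiping: overwrite a log with zeros (same path, new content).
        with open(os.path.join(root, "logs/auth.log"), "wb") as fh:
            fh.write(b"\x00" * 24)
        # Evidence destruction: remove a log outright.
        os.remove(os.path.join(root, "logs/app.log"))
        # Evidence hiding: plant a file under an innocuous backup-style name.
        with open(os.path.join(root, "notes.txt.bak"), "wb") as fh:
            fh.write(b"hidden\n")

        return verify(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two caveats a practitioner would attach. A CRC-32 is a checksum, not a cryptographic hash, and MD5 is no longer collision-resistant, so an adversary who can choose both versions of a file can defeat an MD5-based baseline; for a baseline made today, SHA-256 is the appropriate digest, and the structure above does not change. Second, only content is compared: a tool that alters timestamps or other metadata without touching file bytes (trail obfuscation) would not be caught by this check, which is why forensic baselines typically record metadata alongside the digest.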