Anti-Forensics
What is Anti-Forensics?
Anti-Forensics: Techniques used by attackers or privacy-conscious actors to obstruct, delay, or defeat digital forensic investigations.
Anti-forensics encompasses any deliberate effort to hide, destroy, or fabricate digital evidence so that investigators cannot reconstruct what happened. Common methods include secure deletion and disk wiping, full-disk encryption, log clearing (wevtutil cl, journalctl rotation), timestomping (manipulating $MFT MACB times), trace obfuscation (process hollowing, in-memory execution), fileless attacks, steganography, log injection, and use of disposable virtual machines. Living-off-the-land binaries reduce attacker artifacts further. Forensic responders counter these techniques with memory forensics, volatile data capture, redundant log shipping to a SIEM, write-once storage, and cross-source corroboration as recommended by NIST SP 800-86.
● Examples
- 01: An intruder wiping Windows event logs with wevtutil to erase logon traces.
- 02: Timestomping a dropped tool so its $MFT timestamps match legitimate system files.
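The two examples above map onto two defender-side checks, shown here as an added illustration that is not part of this glossary: a timestomping heuristic over a parsed $MFT record (comparing $STANDARD_INFORMATION against kernel-maintained $FILE_NAME times and looking for zeroed sub-second precision), and a scan of SIEM-forwarded Windows events for the log-cleared records that wevtutil cl leaves behind. The record and event field names, and the sample data, are constructed for this example; a real $MFT parser or SIEM export would supply its own.

```python
from datetime import datetime, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000  # NTFS FILETIME counts 100-nanosecond ticks since 1601


def filetime(dt, ticks=0):
    """Convert a UTC datetime to an NTFS FILETIME integer, adding sub-second ticks."""
    return int((dt - EPOCH_1601).total_seconds()) * TICKS_PER_SECOND + ticks


def timestomp_indicators(record):
    """Heuristics on one $MFT record (FILETIME ints); returns reasons the $SI times look faked."""
    reasons = []
    # $FILE_NAME times are written by the kernel on create/rename; user-mode SetFileTime()
    # only rewrites $STANDARD_INFORMATION, so $SI creation older than $FN creation is anomalous.
    if record["si_created"] < record["fn_created"]:
        reasons.append("si_created_before_fn_created")
    # Timestamps set at whole-second granularity leave the 100ns field all zeros;
    # genuine NTFS writes almost never do.
    if any(record[k] % TICKS_PER_SECOND == 0 for k in ("si_created", "si_modified")):
        reasons.append("zero_subsecond_precision")
    return reasons


# Security 1102 "The audit log was cleared", System 104 "The log file was cleared"
LOG_CLEAR_EVENTS = {("Security", 1102), ("System", 104)}


def log_clear_events(events):
    """From forwarded event records, return those recording a cleared Windows log."""
    return [e for e in events if (e["channel"], e["event_id"]) in LOG_CLEAR_EVENTS]


# Constructed sample data: a stomped tool, a genuine file, and three forwarded events.
_T = lambda *a, **k: datetime(*a, tzinfo=timezone.utc, **k)
STOMPED = {"si_created": filetime(_T(2019, 3, 2, 8, 0)),
           "si_modified": filetime(_T(2019, 3, 2, 8, 0)),
           "fn_created": filetime(_T(2024, 6, 11, 14, 3, 9), 4_213_557)}
GENUINE = {"si_created": filetime(_T(2024, 6, 11, 14, 3, 9), 4_213_557),
           "si_modified": filetime(_T(2024, 6, 11, 14, 5, 1), 88_102),
           "fn_created": filetime(_T(2024, 6, 11, 14, 3, 9), 4_213_557)}
SAMPLE_EVENTS = [{"host": "WS01", "channel": "Security", "event_id": 4624, "user": "jdoe"},
                 {"host": "WS01", "channel": "Security", "event_id": 1102, "user": "jdoe"},
                 {"host": "WS01", "channel": "System", "event_id": 104, "user": "jdoe"}]

if __name__ == "__main__":
    print("stomped:", timestomp_indicators(STOMPED), "genuine:", timestomp_indicators(GENUINE))
    print("log clears:", [e["event_id"] for e in log_clear_events(SAMPLE_EVENTS)])
```

Because the clear events only survive if they were shipped off-host before the wipe, this check is only as good as the redundant log forwarding the definition recommends.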
● Frequently asked questions
What is Anti-Forensics?
Techniques used by attackers or privacy-conscious actors to obstruct, delay, or defeat digital forensic investigations. It belongs to the Forensics & IR category of cybersecurity.
What does Anti-Forensics mean?
Techniques used by attackers or privacy-conscious actors to obstruct, delay, or defeat digital forensic investigations.
How do you defend against Anti-Forensics?
Defences for Anti-Forensics typically combine technical controls (memory forensics and volatile data capture, redundant log shipping to a SIEM, write-once storage) with operational practices such as cross-source corroboration, as detailed in the full definition above.
What are other names for Anti-Forensics?
Common alternative names include: Counter-forensics, Evidence destruction.