Internet privacy and security course

Chapter 68

Counter forensics (anti-computer forensics)

In this chapter we look at measures that counter forensic analysis. It is a bird's-eye view of the tasks and the solutions; the details are covered in the chapters referenced below.

There are three main ways to counter forensic analysis:

  • Protection (encryption)
  • Hiding (steganography)
  • Erasure

Encryption and steganography each get their own chapters. Before you start on counter-forensics, you should already know how to encrypt your hard drive, how to create encrypted file-hosted volumes, what methods exist for defeating them and, of course, how to disguise an encrypted file container. Better still if you have read the chapter on creating strong passwords, especially the recommendations there on protecting yourself from forensic analysis.

Overall, encryption is a reliable method provided you encrypt the whole system, use encrypted file-hosted volumes inside it and follow those recommendations. But the use of encrypted file-hosted volumes can itself lead to legal problems: once a container is found, you may be ordered to hand over the password. We have already mentioned several such cases in this course, and recently there was another precedent involving a user's refusal to give up the passcode to his phone.

A Florida man, William Montanez, was pulled over by local police for failing to yield properly. Traffic stops happen to everyone, but during the search the police also found 4.5 grams of marijuana, THC oil and a concealed handgun.

But it was not the police, the gun or the drugs that put Montanez in the media spotlight; it was the two iPhones found in his car. After the police saw a text message on the screen that read "OMG did they find it", they asked Montanez to unlock his phone, a request he refused because he had suddenly forgotten his passcode, as many of us would have in his shoes.

Montanez's decision is understandable given the situation he was in, but the judge thought otherwise. The court ordered him to unlock the phone, and when he refused, the judge found him in civil contempt and jailed him. Allegedly, Montanez is hiding evidence on his phone that could lead to drug-trafficking charges. Allegedly…

After such stories you may conclude that forensic analysis only threatens drug dealers and criminals. But remember that laptops and phones are routinely searched when you cross a border, and refusing such a request can cause you serious problems.

So far it is the Chinese authorities who have gone furthest: there the police can perform a forensic analysis of a mobile phone right in the street. You may be out for a stroll, get stopped, and have your phone taken away for analysis. If you are wondering how the police will know your password: you will hand it over of your own accord (it's China, right?).

The phone is then connected to a laptop, its entire contents are copied and examined with forensic software. The police are especially interested in correspondence, videos, photos, social-network activity, call and text-message history and installed applications. As you can see, the threat of forensic analysis is much closer than you might imagine.

If there is one takeaway from the William Montanez story, it is this: you need steganography and erasure in addition to encryption. Let's start with steganography. For counter-forensics the two techniques that matter most are hidden operating systems and hidden volumes (secret compartments inside an encrypted container).

A hidden operating system is a second system whose existence cannot be proven directly: enter one password and one system boots, enter another password and a different system boots. A hidden volume is a secret compartment inside an encrypted file-hosted volume whose existence likewise cannot be proven: one password opens the ordinary (outer) volume, a different password opens the hidden compartment. The deniability rests on two things. First, the free space of the outer volume is always filled with random data, so a hidden volume looks exactly like unused space and there is nothing for an examiner to point at. Second, the outer volume and the decoy system must be used carefully so that they leave no trace of the hidden one: the outer volume does not know where the hidden volume lies, so writing too much into it overwrites the hidden data unless the hidden volume is protected while the outer one is mounted. You can learn how to create a hidden operating system and hidden volumes with TrueCrypt and VeraCrypt in our course.
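To make the two-password mechanism concrete, here is an added toy model of a deniable container (example code written for this chapter, not TrueCrypt's or VeraCrypt's on-disk format). It assumes a hypothetical layout of two 96-byte header slots followed by the data area, PBKDF2 for password derivation and an HMAC-SHA256 counter-mode keystream as a stand-in stream cipher; every byte that is not a sealed header is random, so an empty second slot and a real hidden header are indistinguishable without the password. The demo also reproduces the caveat above: filling the outer volume silently overwrites the hidden one.

```python
import hashlib
import hmac
import os
import struct

HEADER_SIZE = 96              # assumed layout: 16-byte salt + 48-byte ciphertext + 32-byte tag
DATA_START = 2 * HEADER_SIZE  # slot 0: outer header, slot 1: hidden header or random filler
PBKDF2_ITERS = 20_000


def _keystream(key: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib-only stand-in for a real stream cipher."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, struct.pack("<Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _seal_header(password: bytes, data_key: bytes, offset: int, length: int) -> bytes:
    """Encrypt (data_key, offset, length) under a password-derived key and authenticate it."""
    salt = os.urandom(16)
    kdf = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ITERS, dklen=64)
    enc_key, mac_key = kdf[:32], kdf[32:]
    plaintext = data_key + struct.pack("<QQ", offset, length)          # 48 bytes
    ciphertext = _xor(plaintext, _keystream(enc_key, len(plaintext)))
    tag = hmac.new(mac_key, salt + ciphertext, hashlib.sha256).digest()
    return salt + ciphertext + tag


def _open_header(password: bytes, blob: bytes):
    salt, ciphertext, tag = blob[:16], blob[16:64], blob[64:96]
    kdf = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ITERS, dklen=64)
    enc_key, mac_key = kdf[:32], kdf[32:]
    expected = hmac.new(mac_key, salt + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None                   # wrong password, or this slot is only random filler
    plaintext = _xor(ciphertext, _keystream(enc_key, 48))
    offset, length = struct.unpack("<QQ", plaintext[32:])
    return {"data_key": plaintext[:32], "offset": offset, "length": length}


def create_container(size: int, outer_pw: bytes, hidden_pw: bytes = None,
                     hidden_size: int = 0) -> bytearray:
    """Whole container starts as random bytes; the hidden volume occupies the outer volume's tail."""
    container = bytearray(os.urandom(size))
    container[0:HEADER_SIZE] = _seal_header(outer_pw, os.urandom(32), DATA_START, size - DATA_START)
    if hidden_pw is not None:
        container[HEADER_SIZE:DATA_START] = _seal_header(
            hidden_pw, os.urandom(32), size - hidden_size, hidden_size)
    return container


def open_volume(container: bytes, password: bytes):
    """Try both slots; whichever authenticates is the volume this password unlocks."""
    for slot in (0, 1):
        vol = _open_header(password, bytes(container[slot * HEADER_SIZE:(slot + 1) * HEADER_SIZE]))
        if vol is not None:
            return vol
    return None


def write_volume(container: bytearray, vol: dict, data: bytes) -> None:
    if len(data) > vol["length"]:
        raise ValueError("data larger than volume")
    start = vol["offset"]
    container[start:start + len(data)] = _xor(data, _keystream(vol["data_key"], len(data)))


def read_volume(container: bytes, vol: dict, n: int) -> bytes:
    start = vol["offset"]
    return _xor(bytes(container[start:start + n]), _keystream(vol["data_key"], n))


def demo() -> dict:
    c = create_container(4096, b"outer-pw", b"hidden-pw", hidden_size=1024)
    outer, hidden = open_volume(c, b"outer-pw"), open_volume(c, b"hidden-pw")
    write_volume(c, outer, b"harmless decoy documents")
    write_volume(c, hidden, b"the actual secret")
    secret_ok = read_volume(c, hidden, 17) == b"the actual secret"
    wrong_pw = open_volume(c, b"guess") is None
    # Caveat: the outer volume knows nothing about the hidden one, so filling it
    # past (size - hidden_size) destroys the hidden data with no error at all.
    write_volume(c, outer, b"A" * outer["length"])
    clobbered = read_volume(c, hidden, 17) != b"the actual secret"
    return {"secret_ok": secret_ok, "wrong_pw": wrong_pw, "clobbered": clobbered}


if __name__ == "__main__":
    print(demo())
```

The last step in `demo()` is the failure mode the real tools guard against: TrueCrypt and VeraCrypt offer an option to protect the hidden volume when mounting the outer one, which requires supplying both passwords so the driver knows where the hidden region begins. Without it, an outer volume that is used as a decoy will sooner or later be written into the hidden area.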

You may be tempted by other ways of hiding files and encrypted containers, such as embedding a document in a picture or creating a hidden folder. These methods may protect you from a curious spouse, but a forensic examiner will have no trouble finding such files or folders, and he will look even harder once he finds steganography software on your computer.

One of the goals of anti-computer forensics is to prevent forensic analysis of a device and the subsequent retrieval of sensitive information. Even if your device is encrypted, forensic experts have methods of gaining access to it, for instance a DMA attack. If an examiner obtains a device that is powered on but locked, there is a chance he can retrieve the decryption keys from RAM, for example by reading memory over a DMA-capable port or by a cold-boot attack on the RAM chips, and then use those keys to decrypt the device's encrypted hard drive. The practical defence is to shut the device down fully (not sleep or lock it) before it can be seized, so that the keys are no longer in memory.
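How an examiner actually finds a key in a memory image is worth seeing, because it explains why "encrypted but powered on" is not safe. The following is an added example written for this chapter, not code from the course or from any forensic product: it searches a memory capture for AES-128 key schedules the way aeskeyfind-style tools do, by checking whether any 16 bytes expand (per FIPS-197) into the 160 bytes that follow them. The memory image is constructed here (pseudo-random filler with one schedule planted at an assumed offset of 3000) so it runs offline; the key used is the FIPS-197 test key.

```python
import random


def _make_sbox() -> list:
    """Build the AES S-box from the GF(2^8) inverse plus the affine map (no 256-entry table)."""
    sbox = [0] * 256
    p = q = 1                                   # invariant: p * q == 1 in GF(2^8)
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF     # p *= 3
        q ^= q << 1                                                 # q /= 3
        q ^= q << 2
        q ^= q << 4
        q &= 0xFF
        if q & 0x80:
            q ^= 0x09
        x = q
        for n in range(1, 5):                                       # affine transform
            x ^= ((q << n) | (q >> (8 - n))) & 0xFF
        sbox[p] = x ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63                              # 0 has no inverse; fixed by definition
    return sbox


SBOX = _make_sbox()


def expand_aes128_key(key: bytes) -> bytes:
    """FIPS-197 key expansion: a 16-byte key becomes the 176-byte round-key schedule."""
    if len(key) != 16:
        raise ValueError("AES-128 key must be 16 bytes")
    words = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 0x01
    for i in range(4, 44):
        t = list(words[i - 1])
        if i % 4 == 0:
            t = t[1:] + t[:1]                   # RotWord
            t = [SBOX[b] for b in t]            # SubWord
            t[0] ^= rcon
            rcon = ((rcon << 1) ^ (0x1B if rcon & 0x80 else 0)) & 0xFF
        words.append([a ^ b for a, b in zip(words[i - 4], t)])
    return bytes(b for w in words for b in w)


def _round1_word(key: bytes) -> bytes:
    """Only the first expanded word w[4]: a cheap filter before doing the full expansion."""
    w3 = key[12:16]
    t = [SBOX[w3[1]] ^ 0x01, SBOX[w3[2]], SBOX[w3[3]], SBOX[w3[0]]]
    return bytes(a ^ b for a, b in zip(key[0:4], t))


def find_aes128_keys(dump: bytes) -> list:
    """Slide a window over the capture. A 16-byte run whose expansion equals the 160 bytes
    after it is a live AES-128 key schedule, the structure an examiner hunts for after a
    DMA or cold-boot memory acquisition. Returns (offset, key_hex) pairs."""
    hits = []
    for off in range(len(dump) - 175):
        candidate = dump[off:off + 16]
        if _round1_word(candidate) != dump[off + 16:off + 20]:
            continue
        if expand_aes128_key(candidate) == dump[off:off + 176]:
            hits.append((off, bytes(candidate).hex()))
    return hits


def build_sample_dump(seed: int = 7) -> bytes:
    """Constructed stand-in for a RAM capture: 8 KiB of pseudo-random filler with the
    expanded schedule of the FIPS-197 test key planted at the assumed offset 3000."""
    rng = random.Random(seed)
    dump = bytearray(rng.getrandbits(8) for _ in range(8192))
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
    dump[3000:3000 + 176] = expand_aes128_key(key)
    return bytes(dump)


if __name__ == "__main__":
    for offset, key_hex in find_aes128_keys(build_sample_dump()):
        print(f"AES-128 key schedule at offset {offset}: key {key_hex}")
```

The scan works because disk-encryption drivers keep the expanded schedule, not just the raw key, resident in memory for as long as the volume is mounted; real tools additionally tolerate a few flipped bits to cope with the decay seen in cold-boot captures, which this example does not. The only reliable way to make the search come up empty is for the keys to have been wiped, which is what a full shutdown achieves.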