SPECIALIZED TECHNICAL DEVICES AND COUNTER-CRIMINALISTICS (COUNTER-FORENSIC SCIENCE)

ABSTRACT

This article explores the main technical methods used to counter computer forensic analysis. It focuses on three primary approaches: encryption, steganography, and complete data erasure. The article explains how hidden operating systems and hidden volumes within encrypted containers can be used to protect sensitive information. While encryption is generally considered a reliable method, improper use—such as storing encrypted volumes in files—can lead to legal complications.

АННОТАЦИЯ

В этой статье рассматриваются основные технические методы, используемые для противодействия компьютерной криминалистике. Основное внимание уделяется трем основным подходам: шифрованию, стеганографии и полному стиранию данных. В статье объясняется, как скрытые операционные системы и скрытые тома в зашифрованных контейнерах могут использоваться для защиты конфиденциальной информации. Хотя шифрование обычно считается надежным методом, его неправильное использование, например хранение зашифрованных томов в файлах, может привести к юридическим осложнениям.

Keywords: Counter-forensics, Encryption, Steganography, Data wiping, Hidden operating system, DMA attack.

Ключевые слова: контркриминалистика, шифрование, стеганография, стирание данных, скрытая операционная система, атака DMA.

Introduction. In today’s digital age, the protection of sensitive information has become a critical concern for individuals, organizations, and governments alike. As digital forensic techniques continue to advance, so too do the methods used to counter them. Counter-forensics, also known as anti-forensics, refers to the set of techniques and tools designed to prevent, delay, or mislead forensic investigations. These methods aim to safeguard data confidentiality, integrity, and availability by making forensic analysis more difficult or even impossible. This article examines the most common counter-forensic approaches, including encryption, steganography, and data wiping, and discusses their effectiveness, limitations, and potential legal implications [1-2].

In this article, we will examine the measures used to counter forensic analysis. There are three main approaches to countering forensic analysis:

• Protection (encryption);
• Concealment (steganography);
• Erasure (data wiping).

In general, encryption is a reliable method, provided that you encrypt the system, use encrypted volumes stored in files, and follow these recommendations. However, sometimes the use of encrypted volumes stored in files can lead to legal issues.

Research methodology. A hidden operating system is a secondary system whose existence cannot be proven directly. If you enter one password, it will launch one system; if you enter a different password, it will launch another operating system. A hidden volume within an encrypted file container is a secret partition of your file container whose existence also cannot be proven. If you enter one password, you will access the general encrypted volume; if you enter another password, the hidden volume will be opened [3].  One of the goals of anti-computer forensics is to prevent forensic analysis of a device and the subsequent extraction of confidential information. Even if your device is encrypted, forensic specialists have methods of gaining access to it — for example, through a DMA (Direct Memory Access) attack. If a forensic examiner obtains a powered-on but locked device, there is a possibility that they can extract decryption keys from the RAM. These keys can then be used to decrypt the data stored on the device’s encrypted hard drive [4]. The encryption and decryption keys are stored in the device’s RAM once you enter the password at startup, and they typically remain there until the device is powered off. This allows you to encrypt and decrypt data on the fly, often without even realizing that you are working with an encrypted hard drive.

Results and analysis. Anti-forensic methods - are techniques used to hide or destroy digital evidence, making its recovery difficult or impossible for investigators. These methods may be used by cybercriminals to cover their tracks after committing a crime, or by organizations to protect their confidential data. Some of the most common anti-forensic methods include [5]:

Encryption: Encryption converts data into an unreadable format that can only be decrypted using a specific key. This makes it extremely difficult for investigators to recover the encrypted data without the key.

Figure 1. Encryption

Steganography: Steganography is the process of hiding data within another file, such as an image, audio file, or video file. This can be done by embedding the data into unused space within the file or by modifying the file’s header to make it appear as a different type of file. Steganography is often combined with encryption to provide an additional layer of security — the message is encrypted before being hidden, so even if it is detected, it cannot be read without the decryption key.

Figure 2. Steganography

Tunneling: Tunneling allows data to be transmitted over a public network in a confidential and secure manner. This is done by encapsulating the data within another protocol, such as TCP or UDP.

Onion Routing: Onion routing is a type of tunneling that uses multiple layers of encryption to make it extremely difficult to trace the source or destination of the traffic.

Figure 3. Onion Routing

Obfuscation: Obfuscation is the process of making code or data difficult to read or understand. This can be achieved using complex algorithms, jargon, or other techniques.

Figure 4. Obfuscation

Spoofing: Spoofing is the act of hiding the identity of a user or device. This can be done by altering an IP address, MAC address, or other identifiers. Anti-forensic methods can be highly effective for hiding or destroying digital evidence.

Conclusion. Counter-forensics plays a vital role in safeguarding sensitive data and preventing unauthorized access through forensic analysis. Techniques such as encryption, steganography, and data wiping provide valuable methods to protect information from forensic investigators. However, these methods are not without their limitations and potential legal implications. While encryption remains a powerful tool for data protection, advanced attacks like DMA attacks can still compromise the security of encrypted devices. As forensic techniques continue to evolve, so too must the methods for countering them. Understanding these counter-forensic methods is essential for maintaining privacy and security in the digital age, especially in an environment where information is increasingly vulnerable to exploitation.

References:

1. Casey E. Handbook of Computer Crime Investigation: Forensic Tools and Technology. – Elsevier, 2011. – 448 p.
2. Mann S., Moore A. Steganography and Digital Watermarking: Security Techniques for Multimedia and Communications. – Springer, 2012. – 268 p.
3. Lyon G. Computer Forensics: A Pocket Guide. – IT Governance Publishing, 2005. – 80 p.
4. Vacca J.R. Computer Forensics: Cybercriminals, Laws, and Evidence. CRC Press, 2014. – 408.
5. Zobel J. Introduction to Digital Forensics. – Wiley, 2010. – 384 p.