Anti-Forensics Tools

1.0 Introduction

The invention and use of forensic science in criminal investigations has sped up the justice delivery system and improved its accuracy. Modern forensic science uses technologies such as DNA fingerprinting, computerized facial reconstruction, toxicology, and forensic anthropology, among many others, in crime scene investigation, bringing to justice very complex cases that could not have been solved without such technology (Andersen, 2006).

However, other persons have devised techniques that make it impossible to carry out a comprehensive forensic investigation of a committed crime. These techniques are called anti-forensic tools. Some of these tools include srm, wipe, overwrite, DBAN, Diskzapper, bcwipe, secure IT, CryptoMite, Evidence eliminator, Tracks Eraser Pro, Declassify, Invisible Secrets, BatchPurifier, Mantra, and many other assorted tools. Their use has grown recently as people become more informed about forensic techniques and how they can be obstructed. This paper examines four of these anti-forensic tools, looks at how they work, and considers how their use can be prevented (Andersen, 2006).

2.0 Cryptomite

Cryptomite is a computer anti-forensics tool. The program is very easy to use and is readily available online. It can block and lock access to a file on a computer, and breaking that protection requires in-depth knowledge of encryption. The software can also erase data securely so that it cannot be traced (CryptoMite). It functions effectively on Microsoft Windows, and its close integration with Windows makes it easy to use. It can be run automatically. Therefore, any individual who intends to access private information can easily do so using this software (Fisher, n.d.).

2.1 Usages and Merits

This software works only on a Microsoft Windows platform, which limits its accessibility. However, 83% of computers in the world run on a Windows platform, giving it an advantage and increased usage. It is built with several encryption algorithms, such as Twofish, Rijndael, CAST 256, SCOP, Blowfish, and Gost. These algorithms can be used in a variety of modes of operation, including CBC, CTS, OFB, and CFB. The software's wipe methods are simple (1x), the SFS method (35x), delete only, and the DOD method (3x). The software is therefore very versatile, and it gives the user assurance that the intended purpose will be achieved (Fisher, n.d.).

This software has built-in SMTP and MAPI integration, enabling it to email encrypted files. Its encryption capabilities extend to a variety of folders and files, which it can encrypt while preserving their names and hierarchy. It can also hide an entire hard disk (CryptoMite).

2.2 Demonstration

The figure below shows the Cryptomite interface used for encryption. The test file is selected and right-clicked, then the encryption option is chosen, and the file is encrypted.

2.3 Drawbacks or Liabilities

This software is a Microsoft Windows application. Currently there are no versions that work with other operating systems such as Linux, Unix, or any other system not running Windows. There is very little understanding of whether the original file is deleted after it has been encrypted or not, and it is not confirmed whether the wiping of the file is reversible or permanent. Very little information is available about the development of the software (Fisher, n.d.).

2.4 The Language of Development

The language used to develop the software is currently not known. There is speculation about the possible language used, but it is yet to be confirmed (Fisher, n.d.).

3.0 Slacker

This is an anti-forensic tool that allows the user to hide data. The data is hidden in NTFS slack space, hampering efforts to recover it. Thompson and Monroe of Lockheed Martin put this idea in place, which is the framework from which the software was developed. The software is available as an executable file that works on the Windows operating system. Additional features include optional password protection of a file stored in the slack. The program is designed to hide a single file each time it is executed (Fifarek, n.d.). It was written in the C programming language. Initially, this software was freeware and very easy to obtain; currently, it is unavailable and very rare. The website that used to distribute it was Metasploit, and it is no longer available there. The link below can be used to download the executable file of Slacker.

3.1 Uses and Merits

This software works with a very limited range of Windows operating systems. It works only on Windows 2000 and above; however, it does not support Windows 7, Windows 8, Windows Vista, or any other more recent version of Windows. The software is also limited to NTFS file systems. It runs from the cmd shell, which requires a user with advanced computer knowledge. The user passes the ‘-s’ flag to select the source file used as input, and then supplies a cover file, such as an image, in whose slack space the data is encoded and located. Password use is optional. To get the file back from the slack, the user runs the tool from the command prompt with the ‘-r’ flag; in this case the password and the cover file are taken as arguments by the software. The ‘-o’ flag identifies the location of the output file. The software has not been updated to offer a simplified interface (Fifarek, n.d.).

3.2 Demonstration

The software has two modes. For an effective demonstration, a file must be hidden inside another data file, such as an image. The tool is very straightforward, with one mode for hiding and one for retrieval: the ‘-s’ flag is used for hiding, while the ‘-r’ flag is used for recovery. Below is a figure showing the arguments and the interface of the tool.

3.3 Drawbacks

This software is very old and is not supported by current operating systems. It is not open source; therefore, it is hard to tell what happens in the background when it is used. It works only on NTFS file systems, which limits its capabilities. There is no information available about how well it evades detection (Fifarek, n.d.).
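Slacker works because NTFS allocates whole clusters, so a file whose size is not a multiple of the cluster size leaves unused bytes in its last cluster. The following is an added example, not part of this essay and not Slacker's own code, showing how an examiner can compute that slack region and check whether it contains anything other than zero fill. The cluster size and the byte buffers are assumptions constructed for the example; on a real volume the bytes of the last cluster would be read from the raw device.

```python
"""Added example: locate a file's NTFS slack region and flag non-zero slack.

Assumptions (not from the essay): a 4096-byte cluster size and cluster-sized
byte buffers standing in for what a raw read of the last cluster would return.
"""

CLUSTER_SIZE = 4096  # assumed NTFS cluster size; real value comes from the volume boot record


def slack_range(file_size, cluster_size=CLUSTER_SIZE):
    """Return (start, end) byte offsets of the slack inside the last allocated
    cluster, or None when the file is empty or fills its clusters exactly."""
    if file_size <= 0 or file_size % cluster_size == 0:
        return None
    allocated = (file_size // cluster_size + 1) * cluster_size
    return file_size, allocated


def inspect_slack(allocated_bytes, file_size, cluster_size=CLUSTER_SIZE):
    """Examine the bytes beyond the logical end of file.

    allocated_bytes: the file's allocated clusters as one byte string.
    Returns a small report: slack size, count of non-zero slack bytes and a
    'suspicious' flag. Windows zero-fills slack on normal writes, so non-zero
    slack is worth a closer look, although it may also be residue of an
    earlier file that occupied the cluster.
    """
    rng = slack_range(file_size, cluster_size)
    if rng is None:
        return {"slack_bytes": 0, "nonzero": 0, "suspicious": False}
    start, end = rng
    slack = allocated_bytes[start:end]
    nonzero = sum(1 for b in slack if b != 0)
    return {"slack_bytes": len(slack), "nonzero": nonzero, "suspicious": nonzero > 0}


# Constructed sample clusters: a 100-byte file with zero-filled slack, and the
# same file after something was written 200 bytes past its logical end.
CLEAN_CLUSTER = b"A" * 100 + b"\x00" * (CLUSTER_SIZE - 100)
HIDDEN_CLUSTER = b"A" * 100 + b"\x00" * 200 + b"secret" + b"\x00" * (CLUSTER_SIZE - 306)

if __name__ == "__main__":
    print("clean :", inspect_slack(CLEAN_CLUSTER, 100))
    print("hidden:", inspect_slack(HIDDEN_CLUSTER, 100))
```

A practical scan applies inspect_slack to every file's final cluster on the volume and lists the ones flagged suspicious for manual review; because slack may legitimately hold fragments of deleted files, the flag is a lead for the examiner rather than proof that a hiding tool was used.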

4.0 TimeStomp

This software was developed in 2005 by Vincent Liu and James C. Foster. It is designed to change or delete the NTFS time stamp values of data files (Anti-forensics with timestomp). This leads to confusion in the data records, misleading forensic analysts into using wrong data. The software is common, and its use can easily be detected by noticing the changes in the file dates (Timestomp, 2010).

4.1 Uses and Merits

This tool works with eight time stamp values, four of which are kept under the file name information and the other four under the standard information. The software can change file names and all the attribute properties of a file (Timestomp, n.d.). It can also copy the attributes of one file and paste them onto another, making it difficult to differentiate between the files. It lets the user predict how a file's attributes will change. The software works on Windows and Linux operating systems (Timestomp, 2010).

4.2 Demonstrations

This tool is an executable file and has to be run from the shell. The figures below show some demonstrations of timestomp execution commands.

4.3 Drawbacks

Because the software is a stand-alone executable, it can easily be detected if it is used on a computer and the file is not removed afterwards. If it is executed wrongly, it can delete the time stamp, notifying the owner of the data that modifications have been made. The software requires advanced computer knowledge in order to use it (Timestomp, 2010).

4.4 Methods of Circumvention

It circumvents forensic analysis by adjusting the time stamps of data records, rendering the records unreliable (Timestomp, 2010).
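The eight values mentioned above give the examiner a detection opportunity: the four standard information time stamps are the ones user-mode tools can set, while the four file name time stamps are maintained by the file system itself. The following is an added example, not from this essay and not Timestomp's own code, that runs two widely used heuristics over constructed NTFS-style records: a standard information creation time earlier than the file name creation time, and standard information stamps whose sub-second part is zero while the file name stamps keep full precision. The record layout and sample values are constructed assumptions, not output of any real parser.

```python
"""Added example: flag NTFS timestamp records that show timestomping indicators.

Assumptions (not from the essay): each record is a dict with 'si' (standard
information) and 'fn' (file name) sub-dicts holding the four timestamps as
datetime objects. Sample records are constructed for the example.
"""
from datetime import datetime

TS_FIELDS = ("created", "modified", "mft_modified", "accessed")


def timestomp_indicators(record):
    """Return the list of indicator names triggered by one record (empty if none)."""
    si, fn = record["si"], record["fn"]
    found = []
    # Indicator 1: $SI creation earlier than $FN creation. $FN is set when the
    # file is created and is not changed by ordinary user-mode timestamp calls,
    # so an $SI creation time that predates it is hard to explain innocently.
    if si["created"] < fn["created"]:
        found.append("si_created_before_fn_created")
    # Indicator 2: $SI stamps truncated to whole seconds while $FN keeps
    # sub-second precision, a side effect of tools that take seconds as input.
    for field in TS_FIELDS:
        if si[field].microsecond == 0 and fn[field].microsecond != 0:
            found.append(f"si_{field}_zero_subsecond")
    return found


def scan(records):
    """Map file name -> indicators for every record that triggers at least one."""
    report = {}
    for rec in records:
        hits = timestomp_indicators(rec)
        if hits:
            report[rec["name"]] = hits
    return report


def _stamps(dt):
    return {field: dt for field in TS_FIELDS}


# Constructed sample records: one untouched file and one whose $SI values were
# pushed back to 2009 while $FN still carries the real 2014 creation time.
SAMPLE_RECORDS = [
    {
        "name": "report.docx",
        "si": _stamps(datetime(2014, 5, 3, 10, 22, 31, 123456)),
        "fn": _stamps(datetime(2014, 5, 3, 10, 22, 31, 123456)),
    },
    {
        "name": "invoice.xls",
        "si": {
            "created": datetime(2009, 1, 1, 0, 0, 0),
            "modified": datetime(2009, 1, 1, 0, 0, 0),
            "mft_modified": datetime(2014, 5, 3, 11, 0, 2, 554321),
            "accessed": datetime(2009, 1, 1, 0, 0, 0),
        },
        "fn": _stamps(datetime(2014, 5, 3, 10, 45, 9, 987654)),
    },
]

if __name__ == "__main__":
    for name, hits in scan(SAMPLE_RECORDS).items():
        print(f"{name}: {', '.join(hits)}")
```

Neither heuristic is proof on its own: copying a file to a new volume or restoring it from certain archives can also produce odd orderings, so a hit marks a record for closer comparison with other sources such as the journal or backups. The entry modified stamp in the sample record was deliberately left with its real value, because it cannot be set through the ordinary file API and therefore often records when the stomping happened.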

5.0 Tor

This technology creates anonymous communication links. It can be used to hide one's identity on the internet without leaving a trace. It is an anti-forensic tool that works over the internet and was developed by the US Navy. It uses onion routing to conceal the identity and location of the user. The ‘Tor Project’ distributes the program. It is a very effective project and is compatible with most operating systems (The Tor Project, Inc).

5.1 Usages and Merits

This program is easy to install and use. It can also be run from a USB drive, and its use can be automated or user controlled. The program integrates with several GNU components to carry out its functions, such as turning off cookies to prevent identification by online hosts.

Language in which the Tool was Developed (The Tor Project, Inc)

This application was written in the C programming language. Currently, other versions are available in Python and Java (The Tor Project, Inc).

5.2 Demonstrations

The program is very easy to use once it has been installed, and most of its functions are automatic. The figure below shows the display of the program while it is running.

Source:  (The Tor Project, Inc, n.d.)

5.3 Drawbacks

It works by forwarding all data through other hosts, which increases the forwarding overhead. It also relies on the benevolence of its nodes, which risks the program crashing and revealing the identity of the user (The Tor Project, Inc).

This program can be circumvented through the deployment of a malicious Tor end-point, which channels network traffic (The Tor Project, Inc, n.d.).
