Concealing Cybercrimes: The Art of Anti-Forensics

October 16, 2017
Andrew Staniforth, Non-Resident Fellow - Counter Terrorism & National Security

Two years ago at a Security Summit in New York City attended by Chief Information Security Officers, Ginni Rometty, the IBM Corporation’s Chairman, President and Chief Executive Officer, delivered a stark warning about the threat from cybercrime stating: “We believe that data is the phenomenon of our time. It is the world’s new natural resource. It is the new basis of competitive advantage, and it is transforming every profession and industry. If all of this is true – even inevitable – then cybercrime, by definition, is the greatest threat to every profession, every industry, and every company in the world.”

Today, the cyber security community has largely concurred with the warning given by the IBM President, going on to predict that cybercrime damages will cost the world $6 trillion annually by 2021, a rise of $3 trillion on the prediction made just a year ago. Cybercrime has been described by the United States government as an extraordinary threat to national security, foreign policy and economic stability, and President Trump has recently revealed that: “Cyber theft is the fastest growing crime in the United States by far.”

Cyber Challenge

The threat from cybercrime continues to rise at an alarming rate, amplified in part by the continued growth in the number of people using the internet, which creates an ever-increasing human attack surface for the cybercriminal. As the world goes digital and we conduct more of our lives online, humans have moved ahead of machines as the top target for cyber criminals. People continue to represent the greatest vulnerability in cyber security, falling victim to cybercrimes through a combination of poor awareness and a limited understanding of how hackers commit their crimes. Evidence of a lack of even the most basic online security awareness is provided by the email security provider Mimecast, which reports that a staggering 91% of attacks by cyber criminals start through email. And as Microsoft estimates that by 2020 four billion people will be online – twice as many as are online today – the number of cybercrimes and of victims of hackers’ scams is set to soar.

Investigating cyber criminals is the role and responsibility of an increasing number of specialist cybercrime units being created by Law Enforcement Agencies across the world. While they all differ in size, scale and scope, they share common challenges in the fight against cybercrime, including keeping pace with their adversaries. Through constant innovation, cybercriminals continue to develop sophisticated ways to commit their crimes, and are creating anti-forensic tools, techniques and methods that are becoming a formidable obstacle for the cybercrime forensic investigator.

Criminals conducting their activities online are just as devious as criminals operating offline, and cybercriminals are able to conceal their crimes where they feel it necessary to do so. To thwart police digital forensic investigations, cyber criminals implement countermeasures, a practice known as ‘anti-forensics,’ the purpose of which is to either destroy or hide evidential data.

Cyber criminals can use anti-forensic tools and techniques to remove, alter, disrupt, or otherwise interfere with evidence of criminal activities on digital systems. A range of techniques is used to apply anti-forensics, from simple anonymity, where an action is carried out under a false or unknown identity, to more complex homographic attacks, which are designed to mislead the investigator by using one of two or more words, letters or symbols that look or are spelled the same but differ in origin, meaning, and sometimes pronunciation.
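As an added example that is not part of the original article, the following Python check is the kind of test an investigator or mail-gateway rule can apply to a hostname to surface homographic substitutions: it flags DNS labels that mix Unicode scripts, contain non-ASCII letters, or change under NFKC compatibility folding. The sample hostnames and the function names are constructed for the demonstration.

```python
import unicodedata

def scripts_in(label: str) -> set:
    """Approximate the Unicode scripts used by a label's letters via the first
    word of each character's Unicode name (LATIN, CYRILLIC, GREEK, ...)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}

def homograph_findings(hostname: str) -> list:
    """Return human-readable findings for each DNS label that mixes scripts,
    contains non-ASCII letters, or changes under NFKC compatibility folding."""
    findings = []
    for label in hostname.split("."):
        scripts = scripts_in(label)
        if len(scripts) > 1:  # e.g. Latin letters with one Cyrillic look-alike
            findings.append(f"{label!r}: mixed scripts {sorted(scripts)}")
        folded = unicodedata.normalize("NFKC", label)
        if folded != label:  # ligatures and compatibility forms that render like ASCII
            findings.append(f"{label!r}: NFKC folds to {folded!r}")
        for ch in label:
            if ord(ch) > 0x7F:
                findings.append(
                    f"{label!r}: non-ASCII {ch!r} U+{ord(ch):04X} "
                    f"{unicodedata.name(ch, 'UNKNOWN')}")
    return findings

# Constructed samples: the second uses CYRILLIC SMALL LETTER A (U+0430) in place of
# Latin 'a'; the third starts with the LATIN SMALL LIGATURE FI (U+FB01).
SAMPLES = ["example.com", "ex\u0430mple.com", "\uFB01le-share.org"]

if __name__ == "__main__":
    for host in SAMPLES:
        print(host, homograph_findings(host) or "no findings")
```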

A major challenge for forensic investigators is uncovering data concealed through steganography – the art and science of hiding information by embedding messages within other, seemingly harmless messages. Steganography works by replacing bits of useless or unused data in regular computer files (such as graphics, sound or text) with bits of different, invisible information. This hidden information can be plain text or even images. Steganography is sometimes used when encryption is not permitted, or, more commonly, to supplement encryption. An encrypted file may additionally hide information using steganography, so even if the encrypted file is deciphered, the hidden message is not seen.
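To make the mechanism concrete, here is an added example that is not part of the original article: least-significant-bit replacement of the kind described above, applied to a constructed byte array standing in for image samples, alongside the "pairs of values" chi-square check a forensic examiner can run to spot an LSB plane that has been overwritten with random-looking data. The cover bytes, the payload and all function names are constructed for the demonstration.

```python
import hashlib
import random

def embed_lsb(cover: bytes, payload: bytes) -> bytes:
    """Overwrite each cover byte's LSB with one payload bit; a 16-bit length prefix leads."""
    framed = len(payload).to_bytes(2, "big") + payload
    bits = [(byte >> i) & 1 for byte in framed for i in range(7, -1, -1)]
    if len(bits) > len(cover):
        raise ValueError("payload too large for this cover")
    out = bytearray(cover)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit  # each sample moves by at most 1
    return bytes(out)

def extract_lsb(stego: bytes) -> bytes:
    """Rebuild bytes from the LSB plane, honouring the 16-bit length prefix."""
    def read(start: int, count: int) -> bytes:
        out = bytearray()
        for b in range(count):
            v = 0
            for i in range(8):
                v = (v << 1) | (stego[start + b * 8 + i] & 1)
            out.append(v)
        return bytes(out)
    length = int.from_bytes(read(0, 2), "big")
    return read(16, length)

def pairs_of_values_chi2(data: bytes) -> float:
    """Chi-square over the 128 value pairs (2k, 2k+1). LSB replacement only moves
    bytes within a pair, so random payload bits equalise the two counts and the
    statistic collapses: a forensic red flag for an overwritten LSB plane."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    chi2 = 0.0
    for k in range(0, 256, 2):
        expected = (counts[k] + counts[k + 1]) / 2
        if expected:
            chi2 += (counts[k] - expected) ** 2 / expected
    return chi2

def make_cover(n: int = 4096, seed: int = 1) -> bytes:
    """Constructed stand-in for image samples: mostly even values, i.e. a biased LSB plane."""
    rng = random.Random(seed)
    return bytes(2 * rng.randrange(128) + (rng.random() < 0.2) for _ in range(n))

# Constructed random-looking payload standing in for an encrypted message (510 bytes).
PAYLOAD = b"".join(hashlib.sha256(b"demo" + bytes([i])).digest() for i in range(16))[:510]
COVER = make_cover()
STEGO = embed_lsb(COVER, PAYLOAD)
```

Comparing `pairs_of_values_chi2(COVER)` with `pairs_of_values_chi2(STEGO)` shows the statistic dropping by an order of magnitude even though no sample changed by more than one unit.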

Anti-forensics makes investigations of digital media more difficult and time-consuming, and thus more expensive. Of direct relevance to the challenges posed to the efficiency of Law Enforcement Agency investigations is the case of the Federal Bureau of Investigation (FBI) vs. Apple following the terrorist shootings in San Bernardino County in the United States in December 2015. In the aftermath of the event, in which armed terrorists killed 14 people and injured a further 22, the FBI had to bypass anti-forensic techniques to access the data on an iPhone 5C.

The Apple cell phone had been seized as evidence, as part of the post-incident investigation, from Syed Rizwan Farook, one of the terrorist shooters, who was killed during the attack. The iPhone had been issued to Farook as an employee of the San Bernardino County, California government and was locked with a four-digit passcode, which hindered the forensic acquisition process because the device’s built-in anti-forensic features enforce encryption and automatically wipe the device after multiple unsuccessful passcode attempts. The legal case that followed, in which the FBI sought to compel Apple to help gain access to the data on the device, was complex, but eventually evidence from Farook’s iPhone was acquired that assisted the FBI in piecing together the events that led to the armed terrorist assault.

Next Steps

The delay experienced by the FBI in accessing vital information to progress a live counter-terrorist investigation following the massacre of 14 innocent civilians clearly exemplifies the need for all stakeholders to gain a more comprehensive, multidisciplinary understanding of the impact of anti-forensics on the efficiency of police investigations and on the digital forensic community at large.

Measures for preventing and disrupting forensic investigations have become an emerging and critical concern in our digital world. Scientifically valid and lawful forensic investigation of digital evidence by law enforcement agencies seeks to uncover that evidence and discern its meaning, and the evidence must be reliable, accurate and complete. Digital forensic investigators are faced with new challenges each day as technology develops. Understanding the processes that digital investigations follow is perhaps one of the most important next steps in learning about anti-forensic techniques, but there remains a lack of academic research pertaining specifically to the domain of anti-forensics. This gap means that the digital forensics community, including the academic sector, must start considering and formulating mitigation strategies for the growing problem of anti-digital forensics. Any new research initiatives must also be multidisciplinary, with government, academia and the private sector working together to prevent criminals from concealing their cybercrimes through the creation of anti-forensic tools and techniques.