Memory Based Anti-Forensic Tools and Techniques

Introduction

The advent of Information Technology and personal computers has transformed significantly our way of living. Most of our day to day activities rely heavily upon the use of electronic devices and digital communications. More people are relying on these technologies to learn, work and entertain. In 2003, USA Census Bureau estimated that sixty-two percent of the households had access to a personal computer while fifty-five percent had access to the internet (Census, 2003). Without doubts digital communications can be considered as one of the greatest inventions of the last century because of its impact and benefits on the society.

On the other hand, digital communications have provided new opportunities for criminals and shaped the ways they commit crime (Shinder, 2002). Criminals are exploiting now digital communications to commit a wide range of crimes such as identity theft, online piracy, financial fraud, terrorism and pornography distribution. Furthermore the incidences of some of types of crimes increased significantly with the introduction of digital communications and personal computers. For example, internet communications have escalated the problem of child pornography by increasing the amount of material available, the efficiency of its distribution and the ease of its accessibility (Wortley, 2004).

According to Bruce Schneier, electronic crime is flourishing because of three main reasons: a). automation, b) action at distance, c) technique propagation (Schneier, 2000).

• a)

  Automation: Software packages are used to perform repetitive tasks and cross reference more and more data.

• b)

  Action at distance: We live in a global digital communication era. Criminals perform electronic crimes in distance and with a high rate of anonymity.

• c)

  Technique Propagation: successful electronic crime techniques and malicious software is propagated easily through the internet.

Law enforcement agencies have started dealing with crimes involving electronic devices and communications since the 1970’s when these technologies were introduced. These were coined as electronic crimes since electronic devices and digital communications were used to commit them; while electronic evidence was defined as information or data of investigative value that is stored or transmitted by electronic devices (Ashcroft, 2001).

Law enforcement investigators initially considered electronic evidence as any other type of evidence; however they realised soon that this was not the case and that the conventional approach was not suitable to collect, preserve and analyze electronic evidence. This is because “conventional evidence lives in an analog world, whereas computer-derived evidence comes from a digital world and the transition between these worlds is not always as smooth as one would hope” (Johansson, 2002).

Computer forensics was then established as a discipline to support law enforcement agencies in their fight against electronic crime. Computer forensics deals with the acquisition, investigation, preservation and presentation of digital evidence in the court of law with the final objective of finding evidence that would lead to prosecution. Computer forensics is also known as cyber forensics since it deals with crimes committed in the cyber world (electronic world). The main areas of searching for evidence are: hard drives, removable devices, volatile memory, deleted or hidden files, password protected files, pornographic material etc.

The most important input of a computer forensic investigation is the digital evidence. Digital evidence can be envisaged as the counterpart of fingerprints or DNA in the digital world. Criminals will attempt to cover the traces of their malicious work by using anti-forensic methods to manipulate and tamper the evidence or interfere directly with the process (Harris, 2006).