Anti-forensics
While it may seem contradictory for me to mention the value of anti-forensics on a site dedicated to providing EnCE practical help, I cannot stress enough the value of such information to EnCE candidates and computer forensic examiners in general.
When I think “anti-forensics,” the first thing that comes to mind is someone trying to hide his tracks. As a computer forensic examiner, I am interested in the exact opposite. But wait, isn’t the exact opposite of “hiding his tracks” finding those tracks?
On cop shows such as Law & Order you periodically hear an investigator mention the value of being able to “think like a criminal.” If we can do the same as computer forensic examiners, we can conduct better forensic examinations, which in turn lead to better results (whether that result is the EnCE practical exam or an actual criminal investigation).
I have recently had the opportunity to speak with the site owner of www.anti-forensics.com. I was previously unaware of this site and I really wish I had found it earlier. The site has excellent coverage of forensic/anti-forensic topics, ranging from secure disk wiping to deleting USB device history to disabling thumbnail caching.
To provide a brief example, suppose that you are conducting a forensic examination of a user’s home computer. On a typical system you would expect to find some photographs and, by extension, Thumbs.db files. Thumbs.db files contain thumbnail versions of photographs that were opened on the computer. The Thumbs.db files will exist in the same directory as the photographs whether or not the photos have since been deleted (pay attention, EnCE students).
Suppose the system that you are investigating does not have any Thumbs.db files on it. Personally, I would find that odd. So you can either conclude that Thumbs.db files are not resident on the system and end your analysis there, or you can head over to www.anti-forensics.com and find out why the Thumbs.db files may not have been on the system.
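As an added example (my own script, not code from this post or from anti-forensics.com), here is a small triage pass an examiner can run over a read-only mount of the evidence to surface both oddities described above: directories holding photos with no Thumbs.db, and directories holding a Thumbs.db with no photos left beside it. The sample directory tree it builds is constructed for the demo and is not real evidence.

```python
# Added example for this post (not code from the page or anti-forensics.com).
# Walks a tree assumed to be a read-only mount of the evidence and reports two
# Thumbs.db heuristics, neither of which is proof of tampering by itself:
#   "images, no cache": photos present but no Thumbs.db (caching disabled or
#                       cache removed?); "cache, no images": Thumbs.db present
#                       but no photos (photos deleted, thumbnails may survive).
import os
import tempfile
from typing import Dict, List

IMAGE_EXTS = {".jpg", ".jpeg", ".gif", ".bmp", ".png", ".tif", ".tiff"}


def _has_image(names: List[str]) -> bool:
    return any(os.path.splitext(n)[1].lower() in IMAGE_EXTS for n in names)


def _has_thumbs(names: List[str]) -> bool:
    return any(n.lower() == "thumbs.db" for n in names)  # Windows names are case-insensitive


def triage_thumbs(root: str) -> Dict[str, List[str]]:
    """Classify every directory under root by its image/Thumbs.db state."""
    report: Dict[str, List[str]] = {"images, no cache": [], "cache, no images": [], "consistent": []}
    for dirpath, _dirs, files in os.walk(root):
        imgs, cache = _has_image(files), _has_thumbs(files)
        rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
        if imgs and not cache:
            report["images, no cache"].append(rel)
        elif cache and not imgs:
            report["cache, no images"].append(rel)
        elif imgs and cache:
            report["consistent"].append(rel)
    return report


def build_demo_tree() -> str:
    """Constructed sample tree of empty files (not real evidence) for a dry run."""
    base = tempfile.mkdtemp(prefix="thumbs_demo_")
    layout = {"Pictures/Vacation": ["IMG_001.JPG", "Thumbs.db"],  # normal
              "Pictures/Hidden": ["IMG_002.jpg"],                 # cache missing
              "Pictures/Old": ["thumbs.db"],                      # photos gone
              "Documents": ["notes.txt"]}                         # no signal
    for sub, names in layout.items():
        os.makedirs(os.path.join(base, sub), exist_ok=True)
        for n in names:
            open(os.path.join(base, sub, n), "wb").close()
    return base


if __name__ == "__main__":
    for signal, dirs in triage_thumbs(build_demo_tree()).items():
        print(f"{signal}: {dirs}")
```

Point `triage_thumbs()` at the mount point of the evidence instead of the demo tree; a system with photos everywhere and not one Thumbs.db is exactly the case where you then go looking for why.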
