Question

Digital Forensics

1. Many anti-forensic techniques also have purposes which are not for anti-forensics. For each of the following, describe the technique and what would be required to show there was intent to destroy or hide evidence.

a. Encryption
b. Defragmentation
c. Drive Wiping

Answer 1

The solution for the problem is provided below, please comment if any doubts:

1. Encryption
   • Description: Encryption is the encoding of data or secret writing technique. The data is transferred to another form such that only the authorized persons or those who know the encryption credentials can understand the data. There is a encryption algorithm and a key will be there. Both these credentials are required to decrypt the data. Thus the data stored in a device can be keep it in encrypted form so the others will not understand what is it actually.
   • To show there was intent to destroy or hide evidence:
     • The encryption can be used both for security purposes and also to destroy evidence. It is very difficult to detect whether the encryption was for security purposes or to hide evidences.
     • To show that there is an intention to hide evidence, we can rely on the type of encryption. All the encryption techniques are not same and they vary in their nature and implementation.
     • The encryption type used for evidence hiding will be in such a way that, the security will be high and the text can be self destructive by multiple encryption if one tries to crack it. Thus encryption that show high resistance to attack and self destructive encryption suspects the evidence hiding.
2. Defragmentation:
   • Description: It is the technique to combine the fragments of data that distributed in various parts of the memory to make it meaningful. The fragmentation is a memory management process to enhance the efficiency and security of the data and security.
   • To show there was intent to destroy or hide evidence:
     • Defragmentation is a very technique used in computers for memory management and efficient use of resources.
     • To show that the defragmentation was used for destroy evidence is by collecting defragmented data.
     • Validation of data failure and unsupported file contents can suspect a evidence destroy.
3. Drive wiping:
   • Description: It is needed to be done to secure the privacy of individuals. If the disk or computer is sell or transfer to someone. Then data wiping is done to wipe all data from the disk.
   • To show there was intent to destroy or hide evidence:
     • It is the most common and easy method to destroy the evidences and it is easy to suspect such an action.
     • If one wipe the disk even if we don’t want to transfer the disk then there should be evidence destroy activity can be suspected.
     • Also when the contents have no privacy related problems but a disk wiping occurs can also suspect a evidence destroy action.