Counter-Forensic Tools: Analysis and Data Recovery

Among the challenges faced by forensic analysts are a range of commercial 'disk scrubbers', software packages designed to irretrievably erase files and records of computer activity. These counter-forensic tools have been used to eliminate evidence in criminal and civil legal proceedings and represent an area of continuing concern for forensic investigators.

This paper details the analysis of 13 commercial counter-forensic tools, examining operational shortfalls that can permit the recovery of significant evidentiary data. The research also isolates filesystem fingerprints generated when these tools are used, which can identify the tool, demonstrate its actual use and, in many cases, provide insight into the extent and time of its use.

The result is an indexed resource for forensic analysts, covering 19 tools and tool versions, that can help identify traces of disk-scrubbing activity and guide the search for residual data. In addition, a new forensic utility, named Aperio, is presented. It employs a signature library to automate the hunt for traces of counter-forensic tool use. Aperio can search filesystems presented as images or devices, and provides a detailed audit report of its findings. Together these resources may assist in establishing the usage of counter-forensic tools where such activity has legal implications.