Title: Anti-forensic Tool Use and their Impact on Digital Forensic Investigations: a South African Perspective

Year of Publication: Dec - 2014
Page Numbers: 7-20
Authors: Jean-Paul Van Belle, Richard de Beer and Adrie Stander
Conference Name: The International Conference in Information Security and Digital Forensics (ISDF2014) - Greece

Abstract:


Digital evidence is becoming an integral part of most cases presented to court. From computers to mobile phones, ATMs and surveillance cameras, our daily life is so inextricably entwined with technology that it is difficult to find court cases where technology plays no part. Thus the responsibility placed on a Digital Forensics (DF) practitioner to present usable evidence to a court is increasing fast. However, potential criminals have equally compelling reasons to prevent DF practitioners from getting their hands on information of probative value, and they use tools and methods known as Anti-Forensics (AF). The purpose of this study is to identify the abilities of DF practitioners to identify the impact that AF has on their active investigations. We created a research model that attempts to identify all the factors and constructs that impact the AF phenomenon. This model was then used to develop a survey instrument to gather empirical data from South African DFs. We found that whilst South African DF practitioners perceive DF as having an impact on their investigations, they also perceive electronic evidence as forming only part of the evidence presented to court, and that some usable evidence will generally remain. Unfortunately, we also found that most DF practitioners in South Africa are well versed only in the more commonly known AF techniques, whilst not rating their abilities on more complex techniques well. Finally, most DF practitioners appear not to actively attempt to identify AF techniques as part of their investigations. This, combined with a lack of understanding of more complex AF techniques, could leave South African DF practitioners exposed to missing important evidence due to a lack of technical proficiency. The research and its findings should be of benefit to academia and practicing DF investigators, with a view to assisting them to better prepare for the onslaught of AF.