Encryption, Anti Forensics and Forensics
Anti-forensics refers to methods that keep data from being recovered or interpreted by an examiner. Encryption is one such method: it converts readable data into ciphertext that is meaningless without the key. In that sense encryption can be said to be anti-forensic, even though it is first of all a confidentiality control. Plenty of tools exist to encrypt files and volumes so that anyone without the key cannot read or understand them.
Computer forensics, on the other hand, means recovering data, encrypted or otherwise, and converting it into a readable format. Decryption is therefore part of forensics, but only a part. Computer forensics employs many more methods, such as tracing the data, recovering it with different tools, and making it readable. There may be missing links in the data, so tracing and reconnecting the broken links is also part of computer forensics.
A single tool cannot perform a complete forensic examination. I have never come across a single piece of software that digs out all the data and turns it into output that can be presented as evidence; it takes different tools for different purposes. Some forensic tools offer the flexibility to add your own tools through programming so that you can get the results you need. Such tools are normally termed frameworks: they are platforms on which you can develop further tools for forensic use.
Of all the forensic tools, open source tools are often the better choice, as they give you more power: you can inspect and extend the code to build your own analysis tools. Several open source forensic packages are available. Open source software is free and its code is accessible to everyone. Findings produced with open source software are also easier to defend in court, because anyone can examine the code and determine whether the software actually does what it claims to do. The following are some of the most used open source forensics programs.
Digital Forensics Framework
The Digital Forensics Framework contains several investigative tools and also offers a framework in which to develop your own investigation modules. The framework is written in Python and C++, so users with command of these languages can write their own modules for forensic purposes.
As of now, the Digital Forensics Framework (DFF) contains tools for analyzing and recovering digital items of many kinds: images, text, encrypted messages and more. For encrypted files you will have to combine it with decryption software so that the content becomes readable. But between recovering an artifact and decoding it, you should be able to identify the method used to encrypt it; a recognizable container header or signature tells you which decryption tool applies, while an opaque high-entropy blob with no header needs more work. One can also build a module that integrates with DFF, checks for the different encryption methods, and presents the material in comprehensible form.
The tools run in both Unix and Windows environments. For a link to download DFF, see the references at the bottom of this article.
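As an added example (standalone Python, not DFF code or a DFF module), here is the triage step of telling a known encrypted or compressed container from an opaque blob: a magic-byte table for a few common formats, backed by a Shannon entropy measurement for data that carries no recognizable header. The signature list, the entropy thresholds and the sample files are assumptions chosen for illustration and are constructed inline; a real classifier would draw on a much larger signature database.

```python
import hashlib
import math
import zlib
from collections import Counter

# Known container signatures (magic bytes) for encrypted or compressed data.
# A hit names the format, and therefore the tool to decrypt or unpack with.
# This short table is an illustrative assumption, not an exhaustive list.
SIGNATURES = [
    (b"Salted__", "OpenSSL enc (salted, password-based)"),
    (b"LUKS\xba\xbe", "LUKS encrypted volume header"),
    (b"-----BEGIN PGP MESSAGE-----", "OpenPGP ASCII-armored message"),
    (b"\x1f\x8b\x08", "gzip compressed"),
    (b"PK\x03\x04", "ZIP archive (may be password-protected)"),
    (b"7z\xbc\xaf\x27\x1c", "7-Zip archive"),
    (b"\x78\x9c", "zlib compressed (default level)"),
    (b"\x78\xda", "zlib compressed (best compression)"),
    (b"\x78\x01", "zlib compressed (no/low compression)"),
]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(data: bytes, high: float = 7.5, low: float = 6.0) -> dict:
    """Name the container if its magic is known, otherwise judge by entropy.

    The thresholds are assumptions: plaintext and structured binaries sit well
    below 6 bits/byte, while ciphertext and headerless compressed data sit
    close to 8.
    """
    ent = shannon_entropy(data)
    fmt = next((name for magic, name in SIGNATURES if data.startswith(magic)), None)
    if fmt is not None:
        verdict = "known container"
    elif ent >= high:
        verdict = "high entropy: encrypted or headerless compressed"
    elif ent >= low:
        verdict = "medium entropy: compressed or encoded"
    else:
        verdict = "low entropy: likely plaintext or structured data"
    return {"format": fmt, "entropy": round(ent, 3), "verdict": verdict}


def _pseudo_random(seed: bytes, n: int) -> bytes:
    """Deterministic high-entropy bytes (SHA-256 in counter mode) standing in
    for ciphertext, so the example gives the same result on every run."""
    out = bytearray()
    i = 0
    while len(out) < n:
        out += hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
        i += 1
    return bytes(out[:n])


# Constructed sample artifacts; none of these come from a real case.
TEXT = b"The quick brown fox jumps over the lazy dog. " * 100
SAMPLES = {
    "notes.txt": TEXT,
    "blob.bin": _pseudo_random(b"constructed-sample", 4096),
    "backup.z": zlib.compress(TEXT),
    "secret.enc": b"Salted__" + _pseudo_random(b"salt", 8) + _pseudo_random(b"ct", 256),
}


def triage(samples: dict = SAMPLES) -> dict:
    """Classify every artifact; the result drives which tool is tried next."""
    return {name: classify(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, r in triage().items():
        print(f"{name:12} entropy={r['entropy']:.3f} format={r['format']} -> {r['verdict']}")
```

A magic hit tells you which decryptor or unpacker to reach for; the unlabelled high-entropy blob is the hard case, where the examiner looks for the key elsewhere (memory dumps, configuration files, other artifacts) rather than at the blob itself.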
Advanced Forensic Format Library (Afflib)
AFFLIB is a library and set of forensic tools for acquiring disk images and storing them in three related formats for use with other open source forensic tools. The tools can read storage media of all kinds, image them, and store the image together with its metadata without losing data integrity.
The best part about using AFFLIB is that it does not force the user into a proprietary file format. The disadvantage of a proprietary format is that one may lose metadata when converting it into a different file format.
The three file types are AFF, AFD and AFM. Of these, AFF is understood by many other forensic tools. The tools image a disk and store it compressed, in pages, in the same file as its metadata; AFD splits a large image across several files in a directory, and AFM keeps the metadata in a small AFF file while the image data stays in a raw file that any other forensic tool can read. Hashes of the image are stored alongside it so that integrity can be verified later, and the image contents can be encrypted so that they remain confidential even if the file is copied.
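The design described above, image pages plus case metadata plus integrity digests in one self-describing container, can be sketched in a few dozen lines. The following is an added example in Python and is not AFFLIB code: the "AFFX" magic and the name/length/data segment layout are a hypothetical stand-in for illustration, not the real AFF on-disk format, and the sample image and metadata are constructed. It shows why keeping per-page hashes next to the data matters: a page substituted after acquisition is caught on read.

```python
import hashlib
import struct
import zlib

MAGIC = b"AFFX"     # hypothetical magic for this example container, not AFF's
PAGE_SIZE = 4096    # the image is stored as independently compressed pages


def image_segments(image: bytes, metadata: dict) -> list:
    """Build (name, data) segments: case metadata, compressed pages, a SHA-256
    per page and one for the whole image. Metadata keys must not start with
    'page' (reserved for image pages in this example layout)."""
    segs = [(k, v.encode()) for k, v in metadata.items()]
    for n, off in enumerate(range(0, len(image), PAGE_SIZE)):
        page = image[off:off + PAGE_SIZE]
        segs.append((f"page{n}", zlib.compress(page)))
        segs.append((f"page{n}_sha256", hashlib.sha256(page).digest()))
    segs.append(("imagesize", str(len(image)).encode()))
    segs.append(("image_sha256", hashlib.sha256(image).digest()))
    return segs


def serialize(segs: list) -> bytes:
    """Hypothetical layout: magic, then u16 name_len | name | u32 data_len | data."""
    out = bytearray(MAGIC)
    for name, data in segs:
        n = name.encode()
        out += struct.pack(">H", len(n)) + n + struct.pack(">I", len(data)) + data
    return bytes(out)


def parse(blob: bytes) -> dict:
    """Read the segments back into an ordered name -> data mapping."""
    if not blob.startswith(MAGIC):
        raise ValueError("not an example container")
    pos, segs = len(MAGIC), {}
    while pos < len(blob):
        (nlen,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        name = blob[pos:pos + nlen].decode()
        pos += nlen
        (dlen,) = struct.unpack_from(">I", blob, pos)
        pos += 4
        segs[name] = blob[pos:pos + dlen]
        pos += dlen
    return segs


def verify(blob: bytes) -> dict:
    """Reassemble the image, checking every page digest and the image digest."""
    segs = parse(blob)
    size = int(segs["imagesize"])
    npages = -(-size // PAGE_SIZE)          # ceiling division
    pages, bad = [], []
    for n in range(npages):
        page = zlib.decompress(segs[f"page{n}"])
        if hashlib.sha256(page).digest() != segs[f"page{n}_sha256"]:
            bad.append(n)
        pages.append(page)
    image = b"".join(pages)
    meta = {k: v.decode() for k, v in segs.items()
            if not k.startswith("page") and k not in ("imagesize", "image_sha256")}
    return {"image": image, "metadata": meta, "bad_pages": bad,
            "image_ok": hashlib.sha256(image).digest() == segs["image_sha256"]}


def replace_page(blob: bytes, n: int, new_page: bytes) -> bytes:
    """Swap page n's data but leave its stored digest alone: simulated tampering."""
    segs = parse(blob)
    segs[f"page{n}"] = zlib.compress(new_page)
    return serialize(list(segs.items()))


# Constructed sample "disk": a boot-sector-like first sector followed by filler.
SAMPLE_IMAGE = b"\xfa\x33\xc0" + b"\x00" * 507 + b"\x55\xaa" + b"evidence " * 1000
SAMPLE_META = {"device": "/dev/sdb (constructed)", "acquired": "2024-01-01T00:00:00Z",
               "examiner": "example", "sectorsize": "512"}


def demo() -> dict:
    """Image the sample, verify it, then verify a copy with page 0 replaced."""
    blob = serialize(image_segments(SAMPLE_IMAGE, SAMPLE_META))
    clean = verify(blob)
    tampered = verify(replace_page(blob, 0, b"\x00" * PAGE_SIZE))
    return {"clean": clean, "tampered": tampered, "container_bytes": len(blob)}


if __name__ == "__main__":
    d = demo()
    print("clean:    bad pages", d["clean"]["bad_pages"], "image ok", d["clean"]["image_ok"])
    print("tampered: bad pages", d["tampered"]["bad_pages"], "image ok", d["tampered"]["image_ok"])
```

Because the metadata travels in the same container as the pages, a conversion that copies the segments cannot silently drop the acquisition record, which is the failure the paragraph above attributes to proprietary formats.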
Network Miner
Network Miner is a network forensic analysis tool for Windows that passively captures, or reads, packets and extracts information about the hosts that sent them. It uses packet sniffing to dig out data such as a host's operating system, hostnames, open ports, sessions and more. Because it is passive it puts no additional load on the network and works silently. It can also parse captured pcap files for offline analysis.
Note that Network Miner's main function is to collect data about hosts rather than about individual packets: it is host-centric rather than packet-centric. The data is grouped per host on the network regardless of the protocol or type of data each host sends, so the record for a host can include the kinds of traffic that passed through it.
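To make the host-centric idea concrete, here is an added example (standalone Python, not Network Miner's code) that reads a classic pcap file and, instead of listing packets, folds what each packet reveals into a record per host: ports a host answered on (SYN/ACK) or refused (RST), a crude operating-system hint, its peers, and hostnames seen in HTTP Host headers. The capture is constructed in memory so the example runs offline; the addresses, ports and hostname are made up, and the TTL-based OS hint is a simplified stand-in for the fingerprint databases a real tool uses.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


# ---- constructed sample capture (frames are parsed, never sent, so checksums stay 0) ----
def ipv4(src: str, dst: str, ttl: int, payload: bytes) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, ttl, 6, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed) + payload


def tcp(sport: int, dport: int, flags: int, data: bytes = b"") -> bytes:
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0) + data


def frame(ip_packet: bytes) -> bytes:
    return b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00" + ip_packet


def pcap(frames: list) -> bytes:
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f
    return out


CLIENT, SERVER = "10.0.0.5", "10.0.0.10"        # made-up addresses
SAMPLE_PCAP = pcap([
    frame(ipv4(CLIENT, SERVER, 128, tcp(40000, 22, SYN))),
    frame(ipv4(SERVER, CLIENT, 64, tcp(22, 40000, SYN | ACK))),      # 22 answers: open
    frame(ipv4(CLIENT, SERVER, 128, tcp(40001, 8080, SYN))),
    frame(ipv4(SERVER, CLIENT, 64, tcp(8080, 40001, RST | ACK))),    # 8080 refuses: closed
    frame(ipv4(CLIENT, SERVER, 128, tcp(40002, 80, SYN))),
    frame(ipv4(SERVER, CLIENT, 64, tcp(80, 40002, SYN | ACK))),      # 80 answers: open
    frame(ipv4(CLIENT, SERVER, 128, tcp(40002, 80, PSH | ACK,
               b"GET / HTTP/1.1\r\nHost: intranet.example\r\n\r\n"))),
    b"\xff" * 12 + b"\x86\xdd" + b"\x00" * 40,                       # IPv6 frame, skipped
])


# ---- parsing and host-centric aggregation ----
def pcap_records(blob: bytes):
    """Yield raw frames from a classic pcap file in either byte order."""
    if blob[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif blob[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", blob[20:24])[0] != 1:
        raise ValueError("example only handles the Ethernet link type")
    pos = 24
    while pos + 16 <= len(blob):
        incl_len = struct.unpack(endian + "IIII", blob[pos:pos + 16])[2]
        pos += 16
        yield blob[pos:pos + incl_len]
        pos += incl_len


def os_hint(ttl: int) -> str:
    """Initial-TTL heuristic; an assumption standing in for real OS fingerprinting."""
    if ttl <= 64:
        return "Linux/Unix-like (initial TTL 64)"
    if ttl <= 128:
        return "Windows (initial TTL 128)"
    return "network device (initial TTL 255)"


def host_table(blob: bytes) -> dict:
    """Group everything learned from IPv4/TCP traffic by the host it describes."""
    hosts = defaultdict(lambda: {"ttl": None, "os_hint": None, "open_ports": set(),
                                 "closed_ports": set(), "peers": set(),
                                 "hostnames": set(), "packets": 0})
    for f in pcap_records(blob):
        if len(f) < 34 or f[12:14] != b"\x08\x00":
            continue                                  # not IPv4
        ihl, ttl, proto = (f[14] & 0x0F) * 4, f[22], f[23]
        src, dst = str(IPv4Address(f[26:30])), str(IPv4Address(f[30:34]))
        h = hosts[src]
        h["packets"] += 1
        h["peers"].add(dst)
        hosts[dst]["peers"].add(src)
        if h["ttl"] is None:
            h["ttl"], h["os_hint"] = ttl, os_hint(ttl)
        if proto != 6:
            continue
        t = f[14 + ihl:]
        sport, flags, payload = struct.unpack("!H", t[:2])[0], t[13], t[(t[12] >> 4) * 4:]
        if flags & SYN and flags & ACK:
            h["open_ports"].add(sport)               # the host accepted a connection here
        elif flags & RST:
            h["closed_ports"].add(sport)             # the host refused one here
        if payload.startswith((b"GET ", b"POST ")):  # hostname belongs to the server side
            for line in payload.split(b"\r\n"):
                if line.lower().startswith(b"host:"):
                    hosts[dst]["hostnames"].add(line[5:].strip().decode(errors="replace"))
    return dict(hosts)


if __name__ == "__main__":
    for ip, rec in host_table(SAMPLE_PCAP).items():
        print(ip, rec)
```

The packet view would show seven TCP segments; the host view says that 10.0.0.10 is a Unix-like machine answering on 22 and 80, refusing 8080, and known to its client as intranet.example, which is the form an investigator actually wants.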
References
DFF Website, https://www.digital-forensic.org/home-en.html
AFFLIB Website, https://afflib.org
Network Miner, https://networkminer.sourceforge.net