Chapter 2 / Overview of Anti-Forensics

Hence, to make life interesting, for the remainder of the book I'm going to assume the worst-case scenario: We've run up against a veteran investigator who has mastered his craft, has lots of funding, plenty of mandate from leadership, and is armed with all of the necessary high-end tools. You know the type, he's persistent and thorough. He documents meticulously and follows up on every lead. In his spare time, he purchases used hard drives online just to see what he can recover. He knows that you're there somewhere, hell he can sense it, and he's not giving up until he has dragged you out of your little hidey-hole.

Classifying Forensic Techniques: First Method

The techniques used to perform a forensic investigation can be classified according to where the data being analyzed resides (see Figure 2.1). First and

[Figure 2.1: Forensic techniques classified by where the analyzed data resides. Branches shown in the figure: Executable Analysis (.EXE, .DLL, .SYS, etc.); Binary File Analysis (Pagefile, Hive, DB, .PF, etc.); Local Log File Analysis; Crash Dump Analysis; File Analysis; Signature Analysis; File System Analysis (FAT, NTFS, UDF, ISO 9660, etc.); Firmware Analysis; Memory Analysis; Volume Analysis; Local Storage Analysis; Remote Log Analysis; Network Analysis.]
