Figure 2.3 (diagram; recoverable labels: Original Media, First, Disposable Copy)
Non-Local Data
During either phase of the forensic analysis, if the requisite network logs
have been archived, the investigator can gather together all of the packets
that were sent to and from the machine being scrutinized. If system-level log
data has been forwarded to a central location, this is also a good opportunity
to collect that information for analysis. Taken together, these two sources can
be used to paint a picture of who was communicating with the machine and why.
Network taps are probably the best way to capture this data.[9]
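The paragraph above describes the join an investigator actually performs: flow or packet records for the scrutinized host, lined up against the syslog that the host forwarded to a central collector, so that each connection can be tied to a "why". The script below is an added example written for this page, not code from the book or from any of the cited authors. The flow-record layout, the host address 192.0.2.10, the peer addresses and every log line are constructed for illustration; real exports (NetFlow, Zeek conn logs, rsyslog relays) differ in format but not in the correlation step.

```python
"""Correlate archived flow records with centrally forwarded syslog for one host.

Added example for illustration; formats, addresses and log lines are constructed.
Rule: a syslog event explains a flow if it falls inside a time window around the
flow, names the peer address, and, when it names a client port at all, names the
same port the flow used. Flows that nothing explains are the ones worth a closer look.
"""
from datetime import datetime, timedelta
import re

# Constructed flow export: start-time src sport dst dport proto bytes
FLOW_LOG = """\
2024-03-05T02:14:03Z 203.0.113.77 51234 192.0.2.10 22 tcp 4120
2024-03-05T02:14:05Z 203.0.113.77 51235 192.0.2.10 22 tcp 9870
2024-03-05T02:16:40Z 192.0.2.10 40022 198.51.100.9 443 tcp 1048576
2024-03-05T02:20:11Z 192.0.2.25 53311 192.0.2.10 445 tcp 812
2024-03-05T03:01:00Z 192.0.2.10 40023 203.0.113.77 4444 tcp 2210
"""

# Constructed syslog as received by a central collector (timestamp host message)
SYSLOG = """\
2024-03-05T02:14:04Z host1 sshd[1201]: Failed password for root from 203.0.113.77 port 51234 ssh2
2024-03-05T02:14:06Z host1 sshd[1202]: Accepted password for admin from 203.0.113.77 port 51235 ssh2
2024-03-05T02:16:38Z host1 sudo: admin : TTY=pts/0 ; COMMAND=/usr/bin/curl https://198.51.100.9/x
2024-03-05T02:20:12Z host1 smbd[1300]: connection from 192.0.2.25
"""

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
PORT_RE = re.compile(r"\bport (\d+)\b")


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_flows(text):
    """Split the constructed flow export into dicts with typed fields."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sport, dst, dport, proto, nbytes = line.split()
        flows.append({"ts": parse_ts(ts), "src": src, "sport": int(sport),
                      "dst": dst, "dport": int(dport), "proto": proto,
                      "bytes": int(nbytes)})
    return flows


def parse_syslog(text):
    """Keep each message plus the addresses and 'port N' values it mentions."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, msg = line.split(" ", 1)
        events.append({"ts": parse_ts(ts), "msg": msg,
                       "ips": set(IP_RE.findall(msg)),
                       "ports": {int(p) for p in PORT_RE.findall(msg)}})
    return events


def correlate(host, flows, events, window=timedelta(seconds=5)):
    """Build a per-flow timeline for `host`, attaching the syslog lines that explain it."""
    timeline = []
    for f in flows:
        if host not in (f["src"], f["dst"]):
            continue
        inbound = f["dst"] == host
        peer = f["src"] if inbound else f["dst"]
        peer_port = f["sport"] if inbound else f["dport"]
        evidence = [e["msg"] for e in events
                    if abs(e["ts"] - f["ts"]) <= window
                    and peer in e["ips"]
                    and (not e["ports"] or peer_port in e["ports"])]
        timeline.append({"ts": f["ts"], "direction": "in" if inbound else "out",
                         "peer": peer, "peer_port": peer_port,
                         "service_port": f["dport"] if inbound else f["sport"],
                         "bytes": f["bytes"], "evidence": evidence})
    return timeline


def unexplained(timeline):
    """Flows with no corroborating host-side log line: candidates for beaconing, exfil, etc."""
    return [t for t in timeline if not t["evidence"]]


def peer_summary(timeline):
    """Total bytes exchanged with each peer, the 'who' half of the picture."""
    totals = {}
    for t in timeline:
        totals[t["peer"]] = totals.get(t["peer"], 0) + t["bytes"]
    return totals


if __name__ == "__main__":
    tl = correlate("192.0.2.10", parse_flows(FLOW_LOG), parse_syslog(SYSLOG))
    for t in tl:
        print(t["ts"], t["direction"], t["peer"], t["peer_port"], t["bytes"], t["evidence"])
    print("unexplained:", [(t["peer"], t["peer_port"]) for t in unexplained(tl)])
    print("bytes per peer:", peer_summary(tl))
```

On the constructed data the two SSH flows each pair with exactly one sshd line because the client port is checked, the outbound HTTPS flow pairs with the sudo/curl line, the SMB flow pairs with the smbd line, and the outbound connection to port 4444 has no host-side corroboration at all, which is precisely the kind of gap the network record exposes when the host's own logs have been tampered with or never written. The window and the port rule are both tunable; on real data, clock skew between the tap and the host is the first thing to measure before trusting any join.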
2.3 AF Strategies
Anti-forensics aims to defeat forensic analysis by altering how data is stored
and managed. The following general strategies (see Table 2.1) will recur
throughout the book as we discuss different tactics. This AF framework is an
amalgam of ideas originally presented by The Grugq[10] and Marc Rogers.[11]
9. http://taosecurity.blogspot.com/2009/01/why-network-taps.html.
10. The Grugq, "Defeating Forensic Analysis on Unix," Phrack, Issue 59, 2002.
11. Marc Rogers, "Anti-Forensics" (presented at Lockheed Martin, San Diego, September 15, 2005).