Anti-Forensics and Digital Privacy
Digital forensics techniques are legitimately used for the discovery of evidence on a computer system. Frequently, these techniques are used to support a court case related to the evidence. However, law enforcement professionals are not the only people with access to digital forensic tools. Criminals can use forensic tools and techniques to invade a person’s privacy, obtain classified information, or steal someone’s identity.
In this introduction to anti-forensics and digital privacy, we’re going to look at some potential misuses of forensic tools and techniques. We’ll also learn the basic definition of anti-forensics and start to understand how digital forensics and digital privacy interrelate.
Digital Forensics: The Good and the Bad
To understand the reasons for studying anti-forensics and digital privacy, we must first understand a little bit of digital forensics. The field of digital forensics focuses on the discovery of evidence on computer systems, in networks, and on remote cloud services. A typical objective of a digital forensic investigation is to prepare a report on this evidence for presentation in a court of law. However, there are other legitimate reasons for conducting digital forensic investigations, including the review of employee behavior, detection and response to malware, finding the source of intrusions, and recovering data from failing storage devices. At Coastal Carolina University, a study of digital forensics is available in CSCI 434.
In the context of digital forensics, we normally associate forensic tools with the “good guys,”[1] such as the police investigating terrorism and other heinous crimes, network and system administrators safeguarding corporate assets, and data recovery specialists rescuing important data. However, it is critical to understand that the “bad guys” have access to the same tools and skills! These same techniques that can recover evidence or lost data can be misused to steal information and harm individuals and businesses. Our technology is neither intrinsically good nor intrinsically bad: it can simply be used for good or bad purposes.
Who are these “Bad Guys”? While we might immediately think of criminals, the reality is a little more complicated than that. We use an adversarial model to separate the “good guys” from the “bad guys” in a given context. Generally speaking, the “good guys” are on the side of the adversarial model with which we associate, while the “bad guys” are on the other side of the model. Note that this approach does not imply a moral judgment of intrinsic good versus intrinsic evil! It simply separates “us” from “them” (or, when analyzing two opposing parties objectively, one party from the other).
Consider an author of malware that is designed to disrupt a computer system. In most typical security situations, malware authors are the “bad guys,” since our goal as system administrators is to keep malware out of the system. However, what view would we take of a malware author retained by a government to infect systems belonging to an adversarial nation-state? What if the malware effectively prevents the other nation-state from developing weapons of mass destruction? From the perspective of the government creating the malware, the malware author would be one of the “good guys.” However, from the perspective of the nation-state against whom the malware is deployed, the author would be a “bad guy.”
Threat Actors
Since “good” and “bad” imply moral judgments, and which side is which depends on perspective in an adversarial relationship, we need a less pejorative term that enables objective analysis of a given situation. We use the term adversary to describe the opposite side of an adversarial relationship. Whenever an adversary can or does carry out an action that would be detrimental to the other side of the relationship, we call that adversary (or element of the adversary) a threat actor. Common threat actors when considering issues of data privacy include identity thieves, remote attackers, extortionists, governments, and corporations, among others.
Identity thieves are threat actors whose objective is to steal personal information. Stolen personal information can be used to open accounts, claim tax refunds, or engage in other fraudulent activity. The Bureau of Justice Statistics estimated that roughly 10% of Americans age 16 and older were victims of identity theft in the year 2016 alone.[2] Identity thieves can use forensic tools to extract personal information from discarded or stolen storage devices, network messages, cloud services, and other sources.
Remote attackers, commonly called “hackers,” are threat actors who access systems remotely and without authorization. These threat actors may deface websites, steal corporate secrets, deny services to legitimate users, or engage in other disruptive activities. Remote attackers might use forensic tools and techniques to identify exploitable weaknesses in systems. Once a system has been compromised, forensic tools and techniques may be used to locate and access sensitive information stored on it.
Extortionists are threat actors who threaten a person or entity with disclosure of sensitive information (or some other negative consequence) to obtain money or gain control. One type of online extortion, called sextortion, occurs whenever a threat actor obtains personal images or sexual information about a victim and threatens misuse of that information as a means of extorting additional sexual material or money from the victim.[3] Forensic tools can be used to further all types of extortion by providing a means to acquire the initial sensitive information that is used to initiate the extortion scheme.
Governments are frequently found to be threat actors in the privacy space. While many digital forensics investigations are used to build cases against actual criminals who cause harm to others, it is easy to abuse the power to investigate individuals and monitor communications. Innocent individuals and businesses can be ensnared, whether as bystanders, convenient intermediate targets, or victims of political retribution. National intelligence operations, such as those conducted by the National Security Agency,[4] routinely capture the personal data of innocent users. Nation-state actors might also be responsible for hacks and intrusions into privately owned systems, whether as practice targets or to establish a foothold inside another country. By way of example, attacks matching known foreign military patterns have been observed against Coastal Carolina University research computing systems.
Corporations are some of the biggest threat actors in the privacy space, as many of them are involved in the collection and warehousing of personal information. Forensic techniques like device fingerprinting may be employed to identify users across devices and connections. Although the official reasons for wholesale data collection are often presented as relatively benign (for advertising purposes), individuals and other businesses whose information has been collected could be threatened by data breaches, inappropriate use of the collected information, or malicious data collection techniques.
Anti-Forensics and Digital Privacy
A major component of this course (CSCI 435, if taken at Coastal Carolina University) is to examine anti-forensic techniques, which have the objective of reducing or eliminating forensically recoverable information. The main idea is to prevent the threat actor from discovering or obtaining data that would be useful for carrying out the privacy threat, either by reducing or eliminating the creation of forensically discoverable artifacts, or by sanitizing the artifacts after creation but before the threat actor has a chance to discover them.
Examples of anti-forensic techniques include:
- Ensuring that data are properly and fully deleted prior to disposing of storage devices;
- Using encryption to protect data at rest and in transit;
- Reducing artifact creation and information leakage in computer operating systems and applications; and
- Limiting tracking and surveillance of online activities.
While anti-forensic approaches are an important component of overall digital privacy, there are other important privacy concepts and practices that must be considered for use in both personal and professional practice. These concepts include Personally Identifiable Information (PII), Fair Information Practice Principles (FIPPs), Privacy Impact Assessments, anonymity, and pseudonymity.[5] Protecting privacy requires understanding risks and implementing policies (and, where possible, laws and regulations) to protect personal information.
Notes and References
- [1] I’m using “guys” here in its common usage for describing an adversarial relationship. Adversaries in a relationship may be of any gender, if human. However, it is also important to note that adversaries can be autonomous computer systems in some situations and need not be human.
- [2] United States Department of Justice, Bureau of Justice Statistics. Victims of Identity Theft, 2016.
- [3] Federal Bureau of Investigation. Sextortion.
- [4] Electronic Frontier Foundation. How the NSA’s Domestic Spying Program Works.
- [5] Based upon the 2019 Privacy (PRI) Knowledge Units for the NSA/DHS Centers of Academic Excellence – Cyber Defense program. Somewhat frighteningly, this program’s website seems to move around to different Internet servers, and the NSA website still links to an abandoned website (with an invalid security certificate) that used to contain the guidelines.