Eterovic-Soric Brett, Choo Kim-Kwang Raymond, Mubarak Sameera, Ashman Helen
School of Information Technology & Mathematical Sciences, University of South Australia, Adelaide, SA, 5095, Australia.
Department of Information Systems and Cyber Security, The University of Texas at San Antonio, San Antonio, TX, 78249-0631, USA.
J Forensic Sci. 2017 Jul;62(4):1054-1070. doi: 10.1111/1556-4029.13393. Epub 2017 Feb 2.
In this paper, we review the literature on antiforensics published between 2010 and 2016 and reveal a surprising lack of up-to-date research on this topic. This research aims to help fill that knowledge gap by investigating different antiforensic techniques for devices running Windows 7, one of the most popular operating systems. An approach that allows for the removal or obfuscation of most forensic evidence is then presented. Using the Trojan software DarkComet RAT as a case study, we demonstrate the utility of our approach and show that a Trojan Horse infection may be a legitimate possibility even when there is no evidence of an infection on a seized computer's hard drive. Up-to-date information on how forensic artifacts can be compromised will allow relevant stakeholders to make informed decisions when deciding the outcome of legal cases involving digital evidence.
In this paper, we review the literature on antiforensic techniques published between 2010 and 2016 and reveal that, surprisingly, up-to-date research on this topic is scarce. This research aims to fill that knowledge gap by investigating different antiforensic techniques for devices running Windows 7, one of the most popular operating systems. An approach that can remove or obscure most forensic evidence is then presented. Taking the Trojan software DarkComet RAT as an example, we demonstrate the practicality of our approach and show that a Trojan Horse infection may be a reasonable possibility even when there is no evidence of infection on a seized computer's hard drive. Up-to-date information on how forensic artifacts can be compromised will enable relevant stakeholders to make informed decisions when deciding the outcome of legal cases involving digital evidence.