Bhat Wasim Ahmad, AlZahrani Ali, Wani Mohamad Ahtisham
Faculty of Computer & Information Systems, Islamic University of Madinah, Saudi Arabia; Department of Computer Sciences, University of Kashmir, India.
Faculty of Computer & Information Systems, Islamic University of Madinah, Saudi Arabia.
Sci Justice. 2021 Mar;61(2):198-203. doi: 10.1016/j.scijus.2020.10.002. Epub 2020 Oct 28.
This paper investigates whether computer forensic tools (CFTs) can extract complete and credible digital evidence from digital crime scenes in the presence of file system anti-forensic (AF) attacks. The study uses a well-established six stage forensic tool testing methodology based on black-box testing principles to carry out experiments that evaluate four leading CFTs for their potential to combat eleven different file system AF attacks. Results suggest that only a few AF attacks are identified by all the evaluated CFTs, while as most of the attacks considered by the study go unnoticed. These AF attacks exploit basic file system features, can be executed using simple tools, and even attack CFTs to accomplish their task. These results imply that evidences collected by CFTs in digital investigations are not complete and credible in the presence of AF attacks. The study suggests that practitioners and academicians should not absolutely rely on CFTs for evidence extraction from a digital crime scene, highlights the implications of doing so, and makes many recommendations in this regard. The study also points towards immediate and aggressive research efforts that are required in the area of computer forensics to address the pitfalls of CFTs.
本文研究了在存在文件系统反取证(AF)攻击的情况下,计算机取证工具(CFT)能否从数字犯罪现场提取完整且可信的数字证据。该研究采用了一种基于黑盒测试原则的成熟的六阶段取证工具测试方法,开展实验以评估四种领先的CFT应对十一种不同文件系统AF攻击的潜力。结果表明,所有评估的CFT仅能识别少数几种AF攻击,而该研究考虑的大多数攻击都未被察觉。这些AF攻击利用基本的文件系统功能,可使用简单工具执行,甚至能攻击CFT以完成其任务。这些结果意味着,在存在AF攻击的情况下,CFT在数字调查中收集的证据并不完整且不可信。该研究表明,从业者和学者不应绝对依赖CFT从数字犯罪现场提取证据,强调了这样做的影响,并在这方面提出了许多建议。该研究还指出,计算机取证领域需要立即开展积极的研究工作,以解决CFT的缺陷。
