Anti-Forensic Techniques and Investigator Counter-Methods

The simplest anti-forensic is to overwrite the data. On Windows, Sysinternals sdelete overwrites a file with a chosen number of zero-and-pattern passes before unlinking it; on Linux, shred and wipe do the equivalent; on cross-platform desktops, BleachBit and CCleaner both ship secure-delete options. DBAN (Darik's Boot and Nuke) wipes whole disks from a bootable USB; Eraser scripts scheduled wipes on Windows. The hardware end of the spectrum is a degausser for spinning HDDs, or a hydraulic shredder for the genuinely paranoid.

SSDs change the picture. NAND flash cells cannot be overwritten in place; the controller writes to free pages and marks the old page as invalid for the garbage collector. A shred pass on an SSD does not overwrite the original physical cells, it writes new cells. TRIM (the ATA command that tells the SSD which logical blocks are no longer in use) ironically helps the destruction side because it lets the controller reclaim and erase the invalidated pages faster than it otherwise would. The ATA Secure Erase command issues a firmware-level wipe that the NIST SP 800-88 Rev 1 standard categorises as "Purge" for SATA SSDs, and that is the cleanest known route to destruction on consumer hardware.

The Indian anchor here is the recurring pattern in seized laptops from financial-fraud cases: the suspect ran CCleaner an hour before the raid, the relevant files are gone, but the Sysmon Process Create entries (if Sysmon was deployed) or the Application event log entries for CCleaner's installer, combined with Volume Shadow Copies from a week earlier, return the deleted content anyway. The deeper file-carving and unallocated-space recovery surface is at Data recovery, file carving and deleted or encrypted content.

Data hiding shifts from destruction to concealment. The four main channels in 2026:

• Steganography in carrier files. LSB image stego replaces the least significant bit of each pixel with one bit of a hidden payload; the image looks identical to the eye but the bits have changed. JPEG stego operates on DCT coefficients in the compressed domain, which makes detection harder because resaving the JPEG does not necessarily destroy the payload. Audio stego works on PCM sample LSBs or on MP3 quantisation tables. The canonical tools remain StegHide, OutGuess, JSteg, F5 and the newer SteganoGAN. Detection is statistical: chi-square tests, RS analysis, sample-pair analysis, and the StegExpose meta-detector are the workhorse routines; StegoVeritas is the standard pipeline that tries every known method against an image.
• Alternate Data Streams on NTFS. The file.txt:hidden syntax writes a second data stream attached to a host file. The host file size is unchanged in Explorer; the streams are readable by dir /R or PowerShell's Get-Item -Stream *. Volatility's dlllist and FTK's NTFS parser surface them; SleuthKit's fls -r lists every ADS on an imaged volume.
• VeraCrypt hidden volumes. A standard VeraCrypt container is one encrypted volume occupying a file or a partition. A hidden volume nests a second encrypted volume in the free space of the first; the first volume's password unlocks a decoy filesystem and the second password unlocks the real one. Without the second password the existence of the second volume is statistically indistinguishable from random free-space entropy. The point is plausible deniability: under coercion or court order, the suspect surrenders only the decoy password.
• Slack space and byte-stuffing. Slack space (the unused bytes between the end of a file and the end of the last allocated cluster) has historically been used by tools like slacker.exe. File system tampering also includes misnamed extensions (renaming a .zip to .dll), header-byte swaps, and inserting payloads in the unused regions of standard file formats (PDF objects, PNG ancillary chunks).

The counter-move pipeline is hash-based signature search for known stego artefacts (the NSRL maintains a hash set), entropy analysis on suspect carrier files (high-entropy regions in a JPEG are a candidate), and StegExpose / StegoVeritas on every recovered image. For ADS, fls -r and dir /R are run on every NTFS volume. For VeraCrypt, the registry MRU under HKCU\Software\VeraCrypt and the prefetch file for VeraCrypt.exe are the giveaways that a container exists somewhere, even when the container itself is not yet located.

The third family targets the timeline itself. Log clearing on Windows is a single command: wevtutil cl Security for the Security log, equivalent for Application, System, PowerShell-Operational, and the analytic logs. Metasploit's clearev meterpreter command does the same from a remote session. On Linux, > /var/log/syslog truncates the file, or journalctl --rotate --vacuum-time=1s rotates and discards the systemd journal. Mac unified logging is harder to clear because the binary tracev3 files are spread across /var/db/diagnostics/ and require root plus knowledge of the file layout.

1. Timestomp surface
   Linux: `touch -r reference_file target_file` copies the reference file's atime and mtime to the target. `touch -a -m -t 202001011200.00 target_file` sets atime and mtime to a fixed value. Windows: PowerShell `(Get-Item file.txt).CreationTime = (Get-Date '2020-01-01')` plus equivalents for LastWriteTime, LastAccessTime.
2. Metasploit timestomp
   `timestomp.exe -m '01/01/2020 12:00:00' file.txt` modifies the $STANDARD_INFORMATION timestamps on NTFS. By design it does not touch $FILE_NAME timestamps, which is the basis of the SI vs FN detection.
3. SetMACE
   Open-source utility that modifies both $STANDARD_INFORMATION and $FILE_NAME on NTFS, closing the SI-vs-FN gap. Counter-detection has to fall back on $UsnJrnl and other off-MFT sources.
4. PowerShell Set-FileTime
   Used post-exfiltration to back-date staged files. Leaves traces in PowerShell Operational log if logging is on; in PowerShell ScriptBlock logging if Script Block Logging policy is enabled.
5. Counter-detection cross-check
   Compare $STANDARD_INFORMATION vs $FILE_NAME timestamps in the MFT. Compare both against the $UsnJrnl entries for the file. Compare against Registry-recorded timestamps (UserAssist, BAM, Shellbags). Compare against Prefetch and Volume Shadow Copies. Any mismatch larger than a few seconds is a positive signal of timestomp.

The investigator counter-move on log clearing is to look for the clearing event itself. wevtutil cl produces Event ID 1102 (audit log was cleared) in the Security log; the event is recorded after the clear and survives. clearev from Metasploit produces the same 1102 event because the underlying API call is the same. On Linux, audit subsystem auditd (if enabled) logs the truncate; on systemd journals, the rotate-and-vacuum operation leaves a journal entry in the next-generation journal file. Multi-source correlation also helps: a SIEM ingestion of the same events into Splunk, Sentinel, or Elastic Security holds an immutable copy that the local clear never reached.

The Indian anchor: CDR (call detail record) tampering allegations have appeared in several telecom cases, where defence has argued that prosecution-side records were back-dated or that prosecution-side recordings have inconsistent timestamps. The standard cross-check is the same SI-vs-FN, MFT-vs-USN, file-vs-database cross-check applied to telecom switching records and to the cellular operator's billing system. The live-acquisition discipline that protects the timeline at seizure time is at Digital first responder: order of volatility, seizure and imaging.

Encryption is the densest anti-forensic layer because legal full-disk encryption is also a legitimate security control. BitLocker on Windows, FileVault on macOS, LUKS on Linux, and VeraCrypt across platforms are the standard products. Application-level encryption sits on top: Signal, ProtonMail, Tutanota, end-to-end encrypted backups (iCloud Advanced Data Protection, Google's encrypted backup), and encrypted databases (SQLCipher, MongoDB at-rest encryption). The investigator's options on a powered-off encrypted volume are limited to either the suspect's cooperation, a stored recovery key, or an attack on the key derivation.

Memory anti-forensics is its own family. Direct Kernel Object Manipulation (DKOM) rootkits unlink a process from the kernel's EPROCESS doubly-linked list so that pslist-style tools miss it, while the process keeps running. Volatility's psxview plugin cross-checks pslist, psscan (which walks pool tags rather than the list), thrdproc (which enumerates from thread structures), and a handful of other sources; a process visible in psscan but not in pslist is a DKOM signature. Process hollowing replaces the executable image of a legitimate suspended process with malware code before resuming it, so the process name matches a normal binary but the in-memory image does not match the on-disk PE; malfind, hollowfind and ldrmodules are the Volatility plugins that catch this. DLL injection variants (reflective DLL injection, manual mapping, AtomBombing, process doppelgänging) each leave their own signatures and each has a corresponding Volatility plugin or YARA rule.

Cloud anti-forensics is the newest family. Rapid resource churn (auto-scaling groups that terminate instances on a 15-minute idle threshold), ephemeral compute (Lambda functions that exist only for the duration of an event), and account deletion (an attacker who creates and deletes their own IAM user inside an existing breach window) all degrade the evidentiary surface. Log-deletion via IAM abuse (an attacker who first lands a credential with cloudtrail:StopLogging permission) is the worst case. The counter-moves live in the forensic-readiness layer that is covered at Cloud logging, VM snapshots and cloud incident response: immutable audit destinations, service control policies denying CloudTrail mutations, and aggregated log sinks in separate accounts.

The cold-boot attack against full-disk encryption deserves a specific note. Halderman et al. (2008) demonstrated that DRAM does not lose its contents instantly at power-off; with the chips cooled to roughly -50 degrees Celsius using inverted compressed-air cans, key material remains recoverable for seconds to minutes. A minimal boot environment loaded from external media dumps RAM and the FVEK is extracted offline. In Indian SFSL practice the cold-boot attack is rarely run because it requires a warm, recently-running target and equipment that is not standard in state labs, but the technique remains worth understanding because it is the principal reason live RAM acquisition before shutdown is treated as non-negotiable.

The defence in depth on the investigator side mirrors the defence in depth on the attacker side. Six layers, each independent, each capable of catching what the others miss.

1. Live RAM acquisition first
   Captures encryption keys, decrypted message buffers, hidden process state, recently-typed passwords. The single most valuable counter-move against encryption and memory anti-forensics. Procedure is in the first-responder topic.
2. Immediate dual-hash imaging
   No window for the suspect or a remote attacker to modify the disk between seizure and imaging. The dual-hash record is the chain anchor for everything that follows.
3. Multi-source timestamp correlation
   MFT $STANDARD_INFORMATION vs $FILE_NAME vs $UsnJrnl vs Registry timestamps (UserAssist, BAM, Shellbags) vs Prefetch vs Volume Shadow Copies. Any mismatch is a positive signal of timestomp or trail obfuscation.
4. Slack and unallocated carving
   File carving against signatures (Photorec, Scalpel, Foremost) recovers files that secure-delete passes targeted by name but missed in slack or in cluster regions that wear-levelling spared. Detail at the data recovery topic.
5. Tool footprint detection
   Sysinternals, BleachBit, CCleaner, DBAN, VeraCrypt all leave installer artefacts, registry MRUs, Prefetch entries, and UserAssist counters. The presence of the tool plus the absence of the data is itself evidence.
6. Memory analysis with cross-checks
   Volatility psxview, malfind, hollowfind, ldrmodules, ssdt, callbacks, modscan against modules, and YARA scans across the full dump. Hidden processes and injected code surface here even when the disk side is clean.

Two more techniques sit beside the pipeline. Authenticated journaling is the practice of treating $UsnJrnl as the authoritative event log for an NTFS volume because every create, rename, delete and metadata change is written to it in order. Comparing $UsnJrnl against the current $MFT surfaces anomalies: a file that the MFT says was created yesterday but the USN journal records as renamed three months ago is a timestomp pattern. Volume Shadow Copies (VSS) are the second technique: each VSS snapshot is a read-only point-in-time view of the volume, and any file that the suspect overwrote between snapshots is recoverable from the older snapshot. Windows 10 and 11 keep VSS snapshots conservatively, but the few that exist on a typical seized laptop are gold.

Wear-levelling exploitation on SSDs is the expensive last resort. Because the SSD controller spreads writes across physical NAND cells, the cells holding an "overwritten" logical block can still contain the old data physically; chip-off and direct reading of the NAND with a programmer is the way to recover it. The technique is destructive (the chip is desoldered), expensive (specialist equipment), and rare outside national labs, and it exists in research-grade form.

The legal frame around anti-forensics in India is built on four pillars. BNSS Section 91 (production order), BSA Section 39 (expert opinion on tampering), BSA Section 63 (electronic record admissibility), and the constitutional protection at Article 20(3) against self-incrimination.

The encryption-breaking workflow on the investigator side is a separate sub-discipline. Dictionary attacks with hashcat or John the Ripper run against the suspect's known passwords, leaked-credential corpora (HaveIBeenPwned, RockYou, Indian breach lists), and rule-mutated variants (toggling case, appending numbers, leetspeak). Brute force with rules is the fallback. The faster route is exploiting weak key-derivation: older TrueCrypt versions used PBKDF2 with iteration counts that are now within reach of GPU clusters; certain CVE-specific weaknesses in older BitLocker and FileVault revisions lower the effective key strength. Side-channel attacks (timing, power, electromagnetic) are research-grade and rarely surface in Indian field cases. Cold-boot attacks against warm machines are documented but rarely run.

The notable Indian cases that surface anti-forensic patterns include the 2G spectrum case where encrypted laptops were seized and the unlocking timelines became a contested issue, several CDR-tampering allegations in telecom-related cases where defence questioned timestamp integrity, and the Aarushi Talwar case where browser history and device timestamps were central to the prosecution and defence narratives. The first-responder discipline that prevents anti-forensic windows from opening at seizure time is at Digital first responder: order of volatility, seizure and imaging. The data-recovery counter-moves against destruction techniques are at Data recovery, file carving and deleted or encrypted content. The cloud-side anti-forensic surface is at Cloud logging, VM snapshots and cloud incident response.