A Comparative Study of Digital Anti-Forensic Techniques Affecting the Effectiveness of Forensic Data Recovery Software

Main Article Content

Songwut Naksilp
Woratouch Vichuwanich

Abstract

This research aims (1) to examine anti-forensic techniques affecting data recovery software and (2) to compare each anti-forensic technique with impacts on efficiency of forensic data recovery software. The researcher conducted an experiment by utilizing simple and common digital anti-forensic techniques including delete, format and overwrite. After that, three forensic data recovery programs: EnCase Imager, FTK Imager and ProDiscover, were exercised to recover digital evidence and to compare the effectiveness in recovering data of the forensic software from each anti-forensic technique on data storage devices containing NTFS file system on Windows 7 operating system. The research findings revealed that the three forensic programs had similar effectiveness of forensic data recovery as follows.  (1) The anti-forensic technique with commands “Delete” and “Format” without switching modes could recover digital evidence with 100% perfect condition because it was a technique that corrected or destroyed data in MFT Entry without getting involved with raw data in the file. (2) The anti-forensic technique with command “Format” and switching modes as Format Drive: /P: Passes and overwrite could partially recover digital evidence for undestroyed raw data in the file or it was irrecoverable once the raw data in the file was demolished because the raw data in the file was damaged with overwriting. The success of data recovery was accounted for 35%, 50% and 75% from the original file. Therefore, to conclude, success of digital evidence recovery depended on the original raw data in the file.

Article Details

How to Cite
1.
Naksilp S, Vichuwanich W. A Comparative Study of Digital Anti-Forensic Techniques Affecting the Effectiveness of Forensic Data Recovery Software. J Appl Res Sci Tech [Internet]. 2020 Oct. 20 [cited 2024 Dec. 22];19(2):117-31. Available from: https://ph01.tci-thaijo.org/index.php/rmutt-journal/article/view/240604
Section
Research Articles

References

Microsoft Docs. How NTFS Works [Internet]. Redmond, WA: Microsoft Corporation; 2009 [cited 2019 Sep 17]. Available from: https://bit.ly/2RmmbBz

Carrier B. File System Forensic Analysis. New Jersey: Addison-Wesley Professional; 2005.

Painter Z. Silicon Power Blog [Internet]. Taipei: Silicon Power. 2018 [cited 2020 April 15]. Available from: https://bit.ly/3jhEP9c

Shimpi AL. The SSD Anthology: Understanding SSDs and New Drive from OCZ [Internet]. 2009 [cited 2020 April 3]. Available from: https://www.anandtech.com/Show/Index/2738?cPage=4&all=False&sort=0&page=5

NetMarketShare.com [Internet]. Newport Beach, CA: Net Applications; 2017. [updated 2019 Feb 28; cited 2019 Mar 1]. Available from: https://netmarketshare.com/

Lin X. Introductory Computer Forensics: A hands-on Practical Approach. Basel: Springer Nature Switzerland AG; 2018.

Blancco Technology Group. Improper Data Removal & Poor Enforcement of Data Retention Policies Create the ‘Perfect Storm’ for Data Breaches [Internet]. Austin, TX: Blancco; 2016 [cited 2018 Mar 1]. Available from: https://bit.ly/3bUe5JT

Wright C, Kleiman D, Sundhar S. Overwriting Hard Drive Data: The Great Wiping Controversy. ICISS. 2008;4:243-57.

Feenberg D. Can Intelligence Agencies Read Overwritten Data? [Internet]. Cambridge, MA: National Bureau of Economic Research; 2013 [cited 2020 April 15]. Available from: https://www.nber.org/sys-admin/overwritten-data-gutmann.html

Yusof NA, Abdullah S, Senan MF, Abidin NZ, Sahri MB, Binti SN. Data Sanitization Framework for Computer Hard Disk Drive: A Case Study in Malaysia. IJACSA. 2019;10:398-406.

Kissel R, Regenscheid A, Scholl M, Stine K. Guidelines for Media Sanitization [Internet]. Maryland: National Institute of Standards and Technology; 2014 [cited 2020 April 15]. Available from: http://dx.doi.org/10.6028/NIST.SP.800-88r1/.

ศุภชัย หวั่นแสง. การกู้คืนข้อมูลจากซอฟต์แวร์คงสภาพฮาร์ดดิสก์ [วิทยานิพนธ์มหาบัณฑิต]. กรุงเทพมหานคร: มหาวิทยาลัยเทคโนโลยีมหานคร; 2557.

Huang W, Meisheng Y. The Quickly Solving Method of File Recovery in Windows Environment. CSSE. 2008;3:859-62.

แดนเนียล แอลอี. การตรวจพิสูจน์หลักฐานดิจิทัลสำหรับผู้ประกอบวิชาชีพกฎหมาย: เข้าใจพยานหลักฐานดิจิทัลจากขั้นตอนหมาย ถึงห้องพิจารณาคดี. กรุงเทพฯ: ซีเอ็ดยูเคชั่น; 2559.