Anti-computer Forensics - Trail Obfuscation

Trail Obfuscation

The purpose of trail obfuscation is to confuse, disorientate and divert the forensic examination process. Trail obfuscation covers a variety of techniques and tools that include “log cleaners, spoofing, misinformation, backbone hopping, zombied accounts, trojan commands.”

One of the more widely known trail obfuscation tools is Timestomp (part of the Metasploit Framework). Timestomp gives the user the ability to modify file metadata pertaining to access, creation and modification times/dates. By using programs such as Timestomp, a user can render any number of files useless in a legal setting by directly calling into question the files' credibility.

Another well-known trail obfuscation program is Transmogrify (also part of the Metasploit Framework). In most file types the header of the file contains identifying information: a .jpg has header bytes that identify it as a .jpg, a .doc has bytes that identify it as a .doc, and so on. Transmogrify allows the user to change the header information of a file, so a .jpg header could be changed to a .doc header. If a forensic examination program or operating system were to conduct a search for images on a machine, it would simply see a .doc file and skip over it.
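An added example, not from the original page or from Metasploit: an examiner-side check that reads each file's leading bytes (its magic signature) and compares the type they imply with the type the extension claims, flagging the disagreements that a rewritten header or a renamed extension produces. The signature table and the sample "files" are constructed for the example.

```python
# Added example (not from the page): flag files whose leading bytes (magic
# signature) disagree with the type their extension claims.
import os

# Well-known file-format magic numbers (constructed subset for this example).
MAGIC = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF-": "pdf",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "doc",  # OLE2 compound file (legacy .doc/.xls)
    b"PK\x03\x04": "zip",                        # also Office Open XML (.docx/.xlsx)
}
EXT_ALIASES = {"jpeg": "jpg", "docx": "zip", "xlsx": "zip", "xls": "doc"}


def detect_type(data: bytes):
    """Return the type implied by the leading bytes, or None if unrecognised."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return None


def classify(name: str, data: bytes) -> str:
    """Compare the extension's claim with the content signature."""
    ext = os.path.splitext(name)[1].lstrip(".").lower()
    ext = EXT_ALIASES.get(ext, ext)
    actual = detect_type(data)
    if actual is None:
        return "unknown"
    return "match" if actual == ext else f"mismatch:{ext}->{actual}"


# Constructed sample files: real signature bytes followed by filler.
SAMPLES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "report.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16,
    "notes.doc": b"\xff\xd8\xff\xe0" + b"\x00" * 16,   # image renamed as .doc
    "photo.jpg": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16,  # header rewritten
}


def scan(samples=SAMPLES) -> dict:
    """Map each file name to its verdict; mismatches are the review queue."""
    return {name: classify(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan().items():
        print(f"{name:12} {verdict}")
```

This only surfaces disagreement between name and content; a file whose header and extension have both been changed to .doc looks consistent here and needs other evidence (timestamps, carving for embedded image data) to be recognised.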
