2005 Digital Forensic Research Workshop (DFRWS)
New Orleans, LA
Evaluating Commercial Counter-Forensic Tools
Matthew Geiger
Carnegie Mellon University
Pittsburgh, PA
mgeiger@cmu.edu
Abstract
Digital forensic analysts may find their task complicated by any of more than a dozen commercial software packages designed to irretrievably erase files and records of computer activity. These counter-forensic tools have been used to eliminate evidence in criminal and civil legal proceedings and represent an area of continuing concern for forensic investigators.

In this paper, we review the performance of six counter-forensic tools and highlight operational shortfalls that could permit the recovery of significant evidentiary data. In addition, each tool creates a distinct operational fingerprint that an analyst may use to identify the application used and, thus, guide the search for residual data. These operational fingerprints may also help demonstrate the use of a tool in cases where such action has legal ramifications.
Introduction
Modern computer operating systems and the applications that run on them generate copious amounts of data about their users' activity. These records increasingly have become valuable sources of evidence and, concomitantly, the focus of investigation and legal discovery.

At the same time, user awareness has grown that "deleting" files does not mean obliterating the information they contain – an awareness heightened by a string of headlines, from the 1986 resurrection of erased Iran-Contra records on Oliver North's computer to the recovery of files and e-mail communications in the Enron Corp investigation. This awareness has spawned demand for counter-forensic software, which developers market as protecting users' privacy, or shielding them from being penalized for activity on the computer.
The marketplace for counter-forensic software is competitive. Referral-driven Web sites, such as http://www.privacy-software-rev