Anti-forensics is the term for illegal practices performed to tamper with the quality and quantity of the evidence at a crime scene, or to damage it to the extent that it becomes difficult to examine or analyse further. It may be the deliberate act of the computer's users or of programmers. Anti-forensics tool users may also be computer users who wish to erase evidence of criminal activity, including counterfeiting, paedophilia, terrorist attacks, and hacking. Users can use anti-forensics software to erase any data suggesting that they stole important information, entered computer systems without authorisation, or obtained passwords and other information.

It includes acts such as purposefully erasing data by overwriting it with fresh data, or using technologies to prevent forensic analysis. Anti-forensic measures can also be used to improve security, such as overwriting and deleting data to prevent unauthorised individuals from reading it. Cybercriminals may take advantage of these strategies to avoid having their activities revealed.

Objectives of Anti-Forensics

  1. Preventing the discovery of compromising incidents that have occurred.
  2. Interfering with and stopping the process of gathering data.
  3. Extending the amount of time an examiner takes to solve a case.
  4. Raising questions about a forensic report or testimony.
  5. Using the forensic tool against the organisation itself.
  6. Leaving no trace of the use of an anti-forensic tool.

There are various anti-forensics techniques through which evidence is removed:-

  1. VPN (Virtual private network):- When a person connects to web-based services, a virtual private network, or VPN, anonymises them by hiding their originating IP address. It is frequently used by threat actors to conceal their identities, which makes it more difficult to link cyberattacks to a particular organisation or geographic area.
  2. Timestomping:- Timestomping conceals a user's activity by altering the time and date of a file or application's creation, access, modification, and/or execution. It is carried out by changing attributes in the MFT (Master File Table), which is considered the brain of the storage device: it keeps track of each file's address, name, creation time and access privileges. Therefore, if a threat actor employs timestomping after executing malware at a specific time and date, they can make it look as if the malware was executed earlier or later than it actually was. Because of this, it becomes more difficult to determine the timeline or order of events during a cyber incident.
  3. Data wiping:- Threat actors use disk wiping to erase all of the data on the hard disk, leaving no possibility of data recovery. The threat actor does this by running an application that erases all of the disk's contents; the more passes the application runs through, the more scrambled the data becomes. Eg:- KillDisk.
  4. Data Encryption:- Data encryption halts access to important evidence. For instance, if a virtual private network has been set up, the threat actors encrypt the network, making it difficult for the victim to obtain the information, since unmasking the network is extremely difficult and taking remedial action is close to impossible.
  5. Event logs:- Event logs are files that contain a lot of data on activities that happen in an IT environment, such as software applications being run, user accounts logging in, etc. Threat actors have the ability to remove these logs, which makes it more difficult for the victim to determine exactly what has taken place. They accomplish this either manually, if they have remote access to the victim's infrastructure, or by creating a program that, when run, removes the event logs.
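The timestomping item above says the MFT is where the altered timestamps live; an examiner can turn that into a check. NTFS keeps two timestamp sets per file, $STANDARD_INFORMATION ($SI, the one user-mode tools can rewrite) and $FILE_NAME ($FN, set by the kernel), and inconsistencies between them are a classic timestomping indicator. The following is an added example, not code from the original post: it runs three such checks over constructed MFT records (the record layout, file names and timestamps are all assumptions for illustration).

```python
from datetime import datetime, timedelta, timezone

# NTFS keeps $STANDARD_INFORMATION ($SI) and $FILE_NAME ($FN) timestamps as
# FILETIME values: 100-nanosecond ticks since 1601-01-01 UTC.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000

def ft(*ymdhms, sub=0):
    """Constructed FILETIME: a UTC calendar time plus 'sub' extra 100-ns ticks."""
    dt = datetime(*ymdhms, tzinfo=timezone.utc)
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10 + sub

def check_record(rec):
    """Return the reasons an MFT record looks timestomped (empty list if none)."""
    si, fn = rec["si"], rec["fn"]
    reasons = []
    # User-mode timestomping rewrites $SI, while $FN is set by the kernel on
    # create/rename, so $SI creation earlier than $FN creation means backdating.
    if si["created"] < fn["created"]:
        reasons.append("$SI created before $FN created")
    # Tools that set times at one-second resolution leave the sub-second part zero.
    if all(v % TICKS_PER_SECOND == 0 for v in si.values()):
        reasons.append("$SI timestamps have zero sub-second part")
    # A file cannot have been modified before it was created.
    if si["modified"] < si["created"]:
        reasons.append("$SI modified before created")
    return reasons

def scan(records):
    """Map file name -> reasons, for every record that raises at least one."""
    flagged = {}
    for rec in records:
        reasons = check_record(rec)
        if reasons:
            flagged[rec["name"]] = reasons
    return flagged

# Constructed sample records (not real evidence): an ordinary document, and a
# file dropped on 2024-03-05 whose $SI times were then pushed back to 2019.
SAMPLE_MFT = [
    {"name": "report.docx",
     "fn": {"created": ft(2024, 3, 1, 10, 0, 0, sub=1234567), "modified": ft(2024, 3, 1, 10, 0, 0, sub=1234567)},
     "si": {"created": ft(2024, 3, 1, 10, 0, 0, sub=1234567), "modified": ft(2024, 3, 2, 9, 15, 3, sub=8801234)}},
    {"name": "dropper.exe",
     "fn": {"created": ft(2024, 3, 5, 14, 22, 8, sub=4410000), "modified": ft(2024, 3, 5, 14, 22, 8, sub=4410000)},
     "si": {"created": ft(2019, 7, 19, 4, 0, 0), "modified": ft(2019, 7, 19, 4, 0, 0)}},
]

for name, reasons in scan(SAMPLE_MFT).items():
    print(name, "->", "; ".join(reasons))
```

Treat hits as leads rather than proof: $FN is also refreshed on rename or move, so corroborate with the $UsnJrnl and $LogFile before building a timeline on them.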

Preventative Measures:- It is important to take preventative steps to mitigate the risks before it is too late. Some of them are listed below:-

  1. Installing firewalls
  2. Access control
  3. Regular patching
  4. Secure configuration
  5. Anti-malware software
  6. Staff training and awareness

Usage of detection tools:- Detection steps in where prevention fails. Detective systems can be quite helpful, since they let you spot attacks that get past your defences before they have a chance to cause too much harm. Some good detection tools are listed here:-

  1. SIEM tools (security information and event management)
  2. EDR (endpoint detection and response)
  3. SOC (security operations centre)
