It is an approach to criminal hacking that can be summed up like this: Make it hard for them to find you and impossible for them to prove they found you.
He has proposed the following sub-categories: data hiding, artifact wiping, trail obfuscation and attacks against the CF (computer forensics) processes and tools.
This sentiment was echoed at the 2005 Blackhat Conference by anti-forensic tool authors, James Foster and Vinnie Liu.[5]
They stated that by exposing these issues, forensic investigators will have to work harder to prove that collected evidence is both accurate and dependable.
Also, counter-forensics has significance for defence against espionage, as recovering information by forensic tools serves the goals of spies equally as well as investigators.
"Obfuscation and encryption of data give an adversary the ability to limit identification and collection of evidence by investigators while allowing access and use to themselves.
Most encryption programs have the ability to perform a number of additional functions that make digital forensic efforts increasingly difficult.
The widespread availability of software containing these functions has put the field of digital forensics at a great disadvantage."[2]
According to Jeffrey Carr, a 2007 edition of Technical Mujahid (a bi-monthly terrorist publication) outlined the importance of using a steganography program called Secrets of the Mujahideen.
To perform this technique, the user changes a particular sector from good to bad and then data is placed onto that particular cluster.
Disk cleaning utilities are also criticized because they leave signatures that the file system was wiped, which in some cases is unacceptable.
Some of the widely used disk cleaning utilities include DBAN, srm, BCWipe Total WipeOut, KillDisk, PC Inspector and CyberScrub's cyberCide.
Degaussing is rarely used as an anti-forensic method despite the fact that it is an effective means to ensure data has been wiped.
The NIST recommends that "physical destruction can be accomplished using a variety of methods, including disintegration, incineration, pulverizing, shredding and melting."
Trail obfuscation covers a variety of techniques and tools that include "log cleaners, spoofing, misinformation, backbone hopping, zombied accounts, trojan commands."[10]
Timestomp gives the user the ability to modify file metadata pertaining to access, creation and modification times/dates.
If a forensic examination program or operating system were to conduct a search for images on a machine, it would simply see a (.doc) file and skip over it.[3]
To prevent physical access to data while the computer is powered on (from a grab-and-go theft, for instance, as well as seizure by law enforcement), several solutions can be implemented. Some of these methods rely on shutting the computer down, although the data might be retained in RAM from a couple of seconds up to a couple of minutes, theoretically allowing for a cold boot attack.[27]
While the study and applications of anti-forensics are generally available to protect users from forensic attacks on their confidential data by their adversaries (e.g. investigative journalists, human rights defenders, activists, corporate or government espionage), Mac Rogers of Purdue University notes that anti-forensic tools can also be used by criminals.[3]
Anti-forensic methods rely on several weaknesses in the forensic process, including the human element, dependency on tools, and the physical/logical limitations of computers.
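The passage above on searching for images notes that a tool keying only on the file extension would see a renamed image as a (.doc) file and skip it. The check below is an added example, not code from the original text or from any tool it names: it compares each file's claimed extension against the well-known leading bytes ("magic numbers") of a few common formats, so a JPEG stored under a .doc name is flagged. The signature table, the alias mapping and the sample files are constructed for this illustration and are deliberately small.

```python
"""Flag files whose extension disagrees with their content signature.

Added example (not from the original text): a defender-side check for the
extension-renaming trick described above. The signature table and the
sample files below are constructed for illustration.
"""
from typing import Optional

# Leading bytes ("magic numbers") of a few common formats. These are the
# public, well-known signatures; the table is intentionally short.
SIGNATURES = {
    "jpg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
    "pdf": [b"%PDF-"],
    "zip": [b"PK\x03\x04"],                          # also docx/xlsx/pptx containers
    "doc": [b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"],    # OLE2 compound file
}

# Extensions that legitimately share another format's container signature.
ALIASES = {
    "jpeg": "jpg",
    "docx": "zip", "xlsx": "zip", "pptx": "zip",
}


def sniff_type(data: bytes) -> Optional[str]:
    """Return the format whose signature matches the start of data, else None."""
    for name, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return name
    return None


def check_extension(filename: str, data: bytes) -> dict:
    """Compare the extension a file claims against the type its content shows."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = ALIASES.get(ext, ext)
    actual = sniff_type(data)
    if actual is None:
        verdict = "unknown"        # no signature in the table; cannot judge
    elif claimed == actual:
        verdict = "consistent"
    else:
        verdict = "mismatch"       # content says one thing, name says another
    return {"file": filename, "claimed": claimed, "actual": actual, "verdict": verdict}


def scan(files: dict) -> list:
    """Return the results for every file whose content disagrees with its name."""
    results = (check_extension(name, data) for name, data in files.items())
    return [r for r in results if r["verdict"] == "mismatch"]


# Constructed sample set: a JPEG header renamed to .doc, plus honestly named files.
SAMPLE_FILES = {
    "report.doc": b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 16,
    "memo.docx": b"PK\x03\x04" + b"\x00" * 20,
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "notes.txt": b"plain text, no signature",
}

if __name__ == "__main__":
    for hit in scan(SAMPLE_FILES):
        print(f"{hit['file']}: named as {hit['claimed']} but content is {hit['actual']}")
```

On a real system the same `check_extension` call would be fed the first few dozen bytes of each file on disk; files with no signature in the table are reported as "unknown" rather than silently passed, so the gaps in the table stay visible to the examiner.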