Affiliate disclosure

Book titles on this page link to Amazon. As an Amazon Associate, DataField.Dev earns from qualifying purchases β€” at no additional cost to you.

Chapter 30 β€” Further Reading

Anti-forensics is an arms race, so study it from both ends: the standards and format references that let you defend a wiping or timestomping finding byte by byte, and the detection tooling that surfaces concealment in practice. Everything below is detection-oriented β€” understand the mechanism to catch it, never to perform it (the same defensive rule that governs the DataField Cybersecurity and Ethical Hacking volumes).

Foundations (πŸ”¬ deeper / format-level)

  • Peter Gutmann, "Secure Deletion of Data from Magnetic and Solid-State Memory" (6th USENIX Security Symposium, 1996) β€” read it with its Epilogue. The source of the 35-pass legend and, in the author's own later correction, its limit: the sequence targeted 1990s MFM/RLL encodings and was never a universal ritual. Pair it with Wright, Kleiman & Sundhar, "Overwriting Hard Drive Data: The Great Wiping Controversy" (ICISS 2008, LNCS 5352) and NIST SP 800-88 Rev. 1, Guidelines for Media Sanitization (2014) β€” together they settle why a single overwrite suffices on modern drives.
  • Brian Carrier, File System Forensic Analysis (Addison-Wesley). The canonical NTFS reference behind this chapter's detection core β€” the two $DATA` attributes that make alternate data streams possible, the `$STANDARD_INFORMATION vs. $FILE_NAME asymmetry that exposes timestomping, and the cluster model that creates slack.
  • Joachim Metz's libevtx documentation and Andreas Schuster's EVTX research (DFRWS). The byte-level .evtx specification β€” the ElfFile/ElfChnk signatures, the 2A 2A 00 00 record header, the monotonic EventRecordIdentifier, and the chunk CRC32s β€” that turns "the log looks short" into a provable EventRecordID gap and checksum mismatch.

Approachable explanations (everyone)

  • 13Cubed (Richard Davis), YouTube β€” the timestomping, $UsnJrnl`/`$J, MFT, and alternate-data-streams episodes. Short, rigorous, free walk-throughs of decoding $SI` vs. `$FN, spotting zeroed sub-seconds, and corroborating against the change journal β€” exactly the detection sequence in this chapter, shown on real records.
  • Microsoft Learn β€” Security event 1102, System event 104, and the NTFS streams documentation. The authoritative source for what the "audit log was cleared" / "event log was cleared" records contain (SID, account, time) and for how named $DATA streams behave. Cite it; never trust a forum post for an event ID.
  • SANS DFIR blog and posters ("Hunt Evil," the Windows Forensic Analysis poster). Practitioner write-ups on what survives a log clear, wiping-tool artifact hunting, and the "what should be here that isn't?" mindset this chapter calls reasoning from absence.
  • πŸ” Eric Zimmerman's tools (ericzimmerman.github.io). The field standard for this whole chapter: MFTECmd (exports $SI` *and* `$FN MACB columns; parses $J`/`$LogFile), PECmd (Prefetch run counts and times), AmcacheParser and RECmd (binary SHA-1s and the Piriform\CCleaner/Eraser keys), and EvtxECmd (1102/104 search and EventRecordID sorting).
  • πŸ” The Sleuth Kit and Sysinternals. istat shows both timestamp sets side by side; fls lists named streams as file:stream; blkls -s extracts slack for strings/foremost; icat pulls a stream to identify with file. Sysinternals streams.exe enumerates ADS, and sdelete is the wipe tool whose own artifacts you learn to find.
  • πŸ›‘οΈ Steganalysis: zsteg (PNG/BMP), stegdetect, StegExpose, and ML-based Aletheia, behind Fridrich–Goljan RS analysis. The statistical detection layer β€” with the chapter's honest caveat that low-payload, well-implemented steganography can be undetectable, and that you more often catch it by its surroundings (the installed tool, a pristine original to diff) than by cracking the carrier.
  • πŸ“œ FRCP Rule 37(e), The Sedona Conference Commentary on Legal Holds, and Zubulake v. UBS Warburg. The legal weight of concealment β€” spoliation, the duty to preserve, and the adverse-inference instruction β€” and why "they tried to destroy it" can matter more than the thing destroyed.

Reference (this book)

Do, don't just read

  • Plant it, then catch it. On a practice image or a VM you own (Appendix J), attach a named ADS to a document and rename an archive to .jpg, then prove your own dir /r / Get-Item -Stream * and file scans find both. The habit you are building is never trusting the file name.
  • Backdate a file, then expose it. Change a test file's $SI` times, then catch the forgery with `MFTECmd`'s `$SI-vs-$FN` columns, the zeroed-sub-second tell, and the `$J BasicInfoChange record. Decode one record by hand and the asymmetry stops being abstract.
  • Clear a log and read the confession. On a scratch VM, clear the Security log, then find event 1102 with its SID and timestamp, and confirm EventRecordID continuity afterward. Watching the system announce its own clearing is the chapter's thesis in one experiment.
  • Hunt a wiper's own footprints. Run sdelete (or a cleaner) on a disposable VM, then recover its Prefetch run count, Amcache SHA-1, and registry key β€” proving the anti-forensic act documented itself.

Next: Chapter 31 β€” Cloud Forensics: the investigation moves off the endpoint entirely β€” to data on someone else's servers, where artifacts give way to API logs, provider records, and legal process, and the evidence's very location becomes a jurisdictional question.