Affiliate disclosure
Book titles on this page link to Amazon. As an Amazon Associate, DataField.Dev earns from qualifying purchases β at no additional cost to you.
Chapter 30 β Further Reading
Anti-forensics is an arms race, so study it from both ends: the standards and format references that let you defend a wiping or timestomping finding byte by byte, and the detection tooling that surfaces concealment in practice. Everything below is detection-oriented β understand the mechanism to catch it, never to perform it (the same defensive rule that governs the DataField Cybersecurity and Ethical Hacking volumes).
Foundations (π¬ deeper / format-level)
- Peter Gutmann, "Secure Deletion of Data from Magnetic and Solid-State Memory" (6th USENIX Security Symposium, 1996) β read it with its Epilogue. The source of the 35-pass legend and, in the author's own later correction, its limit: the sequence targeted 1990s MFM/RLL encodings and was never a universal ritual. Pair it with Wright, Kleiman & Sundhar, "Overwriting Hard Drive Data: The Great Wiping Controversy" (ICISS 2008, LNCS 5352) and NIST SP 800-88 Rev. 1, Guidelines for Media Sanitization (2014) β together they settle why a single overwrite suffices on modern drives.
- Brian Carrier, File System Forensic Analysis (Addison-Wesley). The canonical NTFS reference behind this chapter's detection core β the two
$DATA` attributes that make alternate data streams possible, the `$STANDARD_INFORMATIONvs.$FILE_NAMEasymmetry that exposes timestomping, and the cluster model that creates slack. - Joachim Metz's
libevtxdocumentation and Andreas Schuster's EVTX research (DFRWS). The byte-level.evtxspecification β theElfFile/ElfChnksignatures, the2A 2A 00 00record header, the monotonic EventRecordIdentifier, and the chunk CRC32s β that turns "the log looks short" into a provable EventRecordID gap and checksum mismatch.
Approachable explanations (everyone)
- 13Cubed (Richard Davis), YouTube β the timestomping,
$UsnJrnl`/`$J, MFT, and alternate-data-streams episodes. Short, rigorous, free walk-throughs of decoding$SI` vs. `$FN, spotting zeroed sub-seconds, and corroborating against the change journal β exactly the detection sequence in this chapter, shown on real records. - Microsoft Learn β Security event 1102, System event 104, and the NTFS streams documentation. The authoritative source for what the "audit log was cleared" / "event log was cleared" records contain (SID, account, time) and for how named
$DATAstreams behave. Cite it; never trust a forum post for an event ID. - SANS DFIR blog and posters ("Hunt Evil," the Windows Forensic Analysis poster). Practitioner write-ups on what survives a log clear, wiping-tool artifact hunting, and the "what should be here that isn't?" mindset this chapter calls reasoning from absence.
In practice (πΎ Recovery Β· π Examiner Β· π‘οΈ IR Β· π Legal)
- π Eric Zimmerman's tools (ericzimmerman.github.io). The field standard for this whole chapter:
MFTECmd(exports$SI` *and* `$FNMACB columns; parses$J`/`$LogFile),PECmd(Prefetch run counts and times),AmcacheParserandRECmd(binary SHA-1s and thePiriform\CCleaner/Eraser keys), andEvtxECmd(1102/104 search and EventRecordID sorting). - π The Sleuth Kit and Sysinternals.
istatshows both timestamp sets side by side;flslists named streams asfile:stream;blkls -sextracts slack forstrings/foremost;icatpulls a stream to identify withfile. Sysinternalsstreams.exeenumerates ADS, andsdeleteis the wipe tool whose own artifacts you learn to find. - π‘οΈ Steganalysis:
zsteg(PNG/BMP),stegdetect,StegExpose, and ML-basedAletheia, behind FridrichβGoljan RS analysis. The statistical detection layer β with the chapter's honest caveat that low-payload, well-implemented steganography can be undetectable, and that you more often catch it by its surroundings (the installed tool, a pristine original to diff) than by cracking the carrier. - π FRCP Rule 37(e), The Sedona Conference Commentary on Legal Holds, and Zubulake v. UBS Warburg. The legal weight of concealment β spoliation, the duty to preserve, and the adverse-inference instruction β and why "they tried to destroy it" can matter more than the thing destroyed.
Reference (this book)
- Appendix A β File Signatures Reference: the magic numbers behind extension/signature-mismatch detection (the
PK\x03\x04ZIP-renamed-.jpgcase). - Appendix B β Python Forensics Toolkit: the entropy scanner and the
$SI`/`$FNcomparator used in the detection pass. - Appendix D β Forensic Artifact Locations and Appendix G β File System Reference: wiping-tool registry keys and Tor state-file paths; the NTFS
$SI`/`$FN, ADS, and slack structures. - Chapter 16 β Windows Forensics, Chapter 21 β Timeline Analysis, and Chapter 29 β Encrypted Device Forensics: the anchor-case artifacts, the timestomping deep-dive, and the entropy/container background.
Do, don't just read
- Plant it, then catch it. On a practice image or a VM you own (Appendix J), attach a named ADS to a document and rename an archive to
.jpg, then prove your owndir /r/Get-Item -Stream *andfilescans find both. The habit you are building is never trusting the file name. - Backdate a file, then expose it. Change a test file's
$SI` times, then catch the forgery with `MFTECmd`'s `$SI-vs-$FN` columns, the zeroed-sub-second tell, and the `$JBasicInfoChangerecord. Decode one record by hand and the asymmetry stops being abstract. - Clear a log and read the confession. On a scratch VM, clear the Security log, then find event 1102 with its SID and timestamp, and confirm EventRecordID continuity afterward. Watching the system announce its own clearing is the chapter's thesis in one experiment.
- Hunt a wiper's own footprints. Run
sdelete(or a cleaner) on a disposable VM, then recover its Prefetch run count, Amcache SHA-1, and registry key β proving the anti-forensic act documented itself.
Next: Chapter 31 β Cloud Forensics: the investigation moves off the endpoint entirely β to data on someone else's servers, where artifacts give way to API logs, provider records, and legal process, and the evidence's very location becomes a jurisdictional question.