Chapter 30 — Key Takeaways

The big idea

Almost every attempt to hide evidence creates evidence — and the conspicuous, dated absence of an expected artifact is itself a finding. Modern operating systems cache, log, journal, and redundantly record nearly everything, so there is no single place where "the evidence" lives to be deleted. A wiping tool writes its own Prefetch entry; a backdated file is betrayed by the kernel-maintained $FILE_NAME; a cleared Security log writes event 1102 announcing who cleared it; a hidden stream shows up in one dir /r. Anti-forensics rarely beats a thorough examiner — it usually convicts the person who attempted it, and in court the cover-up (spoliation) often weighs more than the act it was meant to conceal. The examiner's two duties: detect the concealment by corroborating across independent artifacts, and never inflate "consistent with wiping" into "they wiped it."

The five families (and what detects each)

Family Technique Detect with
Data destruction wiping, free-space wipe, Secure Erase, crypto-erase entropy anomalies, surviving junk-named MFT meta, tool artifacts
Data hiding ADS, slack, HPA/DCO, signature mismatch dir /r/Get-Item -Stream, blkls -s, hdparm, file
Data transformation encrypted containers, steganography entropy + app artifacts; steganalysis + surroundings
Trail obfuscation timestomping, log clearing/editing $SI` vs `$FN, USN $J, 1102/104, EventRecordID gaps
Counter-attribution Tor, VPNs, Tails install/state files, memory, network correlation

Wiping: one pass is enough, and the tool tells on itself

  • On modern HDDs a single overwrite makes data unrecoverable (Wright/Kleiman/Sundhar 2008; NIST SP 800-88 Rev. 1). The 3-pass DoD and 35-pass Gutmann rituals are obsolete folklore on current media.
  • SSDs need controller-level sanitization (ATA Secure Erase, crypto-scramble); software passes are unnecessary and unreliable because the FTL remaps writes. TRIM mimics wiping but is normal — do not mistake it for sabotage.
  • You usually cannot recover wiped data, but you can detect the wipe: contiguous zeroed (entropy ≈ 0) or random (≈ 8.0) regions, surviving MFT metadata, and the wiping tool's own Prefetch, Amcache, UserAssist, and registry artifacts (CCleaner, Eraser, BleachBit, SDelete).

Timestomping: two clocks, one honest

Attribute Type Set by Trust
$STANDARD_INFORMATION` (`$SI) 0x10 user API (SetFileTime) — Explorer shows it forgeable
$FILE_NAME` (`$FN) 0x30 kernel, hidden from user mode authoritative

Tells: $SI` Created **earlier than** `$FN Created (impossible); zeroed sub-seconds (.0000000) against real fractions; the $SI` MFT-Modified field *leaking* the real stomp time; MFT/USN sequence anomalies; and the USN `$J BasicInfoChange record. Corroborate with independent clocks (LNK, Prefetch, event logs) — when one timestamp contradicts ten, the one is the lie.

Logs, hiding, and the meta-method

  • Logs: clearing the Security log writes 1102 (other logs → 104 in System); surgical .evtx edits break the monotonic EventRecordID sequence and chunk CRC32. You cannot delete the record of deletion without leaving a deletion-shaped hole — on Windows and Linux alike (wtmp, ~/.bash_history, journald FSS).
  • Hiding: alternate data streams (one dir /r), slack space (blkls -s), HPA/DCO (hdparm at acquisition), and extension/signature mismatch (file). Ignore the benign :Zone.Identifier.
  • Absence as a finding: a daily-use machine should have browser history, hundreds of Prefetch files, populated MRUs, a continuous log. When those are missing — and dated — treat it as a hypothesis you test against innocent causes (TRIM, privacy mode, disabled Prefetch), then a finding you can defend only once corroboration converges.

You can now…

  • ☐ Classify the five families of anti-forensics and explain why one overwrite suffices on HDDs while SSDs need controller-level erase.
  • ☐ Detect wiping from entropy anomalies, surviving junk-named MFT metadata, and a wiping tool's own execution artifacts.
  • ☐ Expose timestomping via $SI`/`$FN contradiction, zeroed sub-seconds, USN/MFT sequence anomalies, and corroborating clocks.
  • ☐ Detect log clearing and surgical deletion (1102/104, EventRecordID gaps, chunk CRC) and find hidden data in ADS, slack, HPA/DCO, and mis-extensioned files.
  • ☐ Reason from a dated absence as an affirmative finding while testing innocent explanations and stating every limitation.

Looking ahead

Chapter 31 — Cloud Forensics. The evidence moves off the endpoint to servers you cannot seize, where the artifacts you have learned to read are replaced by API logs, provider records, and legal process — and where location becomes a jurisdictional question. Technology changes; principles don't.

One sentence to carry forward: The attempt to destroy evidence is itself evidence — and the shaped, dated void where data used to be is a fingerprint, provided you test the innocent explanation before you name the guilty one.