By David Kalat
For as long as there has been forensics, there has been its inevitable shadow, anti-forensics. Forensic tools enable investigators to uncover incriminating evidence from electronic sources, and anti-forensic tools enable their targets to try to thwart them. Anti-forensics involves any act intended to prevent or impede a proper forensic investigation. It is the digital equivalent of wiping fingerprints off a murder weapon.
Setting aside the anti-forensic properties of encryption, which could be the subject of its own discussion, many anti-forensic tools are wiping utilities. Consider a common scenario—bad guys might want to hide evidence that they had accessed and copied confidential company documents without authorization, filled their laptops with kiddie porn, or had email conversations with terrorists. Simply deleting these incriminating files is cold comfort, since forensic examiners routinely recover deleted files. Then both the original activity and the attempted cover-up become known. This has spawned an entire industry of software products that claim to permanently wipe documents and files that capture user activity.
Bad guys looking to use anti-forensic wiping tools face two inherent problems: the Rake Problem and the Intent Problem.
The Rake Problem
Imagine a person trying to literally cover his or her tracks. The suspect is shuffling along the dirt, dragging a rake behind them to hide footprints. The problem is, while the rake hides the footprints, it leaves behind a distinctive trail.
Wiping utilities may wipe your guilty fingerprints off the digital crime scene, but it leaves behind distinct fingerprints of its own. A commonly encountered example of a wiping utility is “CCleaner.” According to the manufacturer, CCleaner “removes unused files from your system—allowing Windows to run faster and freeing up valuable hard disk space.” It does this in part by destroying the ability to recover deleted files. Along the way, it leaves behind telltale trails: for example, changing deleted file names into a garble of Zs (“StolenFile.docx” becomes “ZZZZZZZZZZ.ZZZZ”). Traces of the program being downloaded, installed, configured, and run are left behind in system files. In many cases, investigators have uncovered these kinds of findings to demonstrate that the suspect had taken affirmative steps to erase evidence, and that in itself became the “gotcha” moment. I was involved in a forensic examination of a client’s former employee accused of stealing company trade secrets. The ex-employee had deployed CCleaner to successfully obliterate scores of files, but he failed to erase an email he sent to himself as a reminder for his last day at work, which read in part “use ccleaner.”
The ability to identify recognizable evidence of the use of wiping utilities shifts the way certain investigations are conducted. In addition to searching for evidence of the original wrongdoing, forensic examiners also look for evidence of data destruction or “spoliation.” Depending on how effective the data destruction has been, it may be that only evidence of spoliation—and not the original act—can be found. But as Richard Nixon could tell you, often it is the cover-up and not the original act that can be your undoing.
The Intent Problem
Wiping software may be useful to solve the Rake Problem, but evidence of the presence and recent use of wiping software is itself often a red flag deserving of closer examination. This is the Problem of Intent.
For example, I helped investigate an employee of a public university who became the center of a high-profile investigation. Within minutes of her being informed that she was suspected as the author of an inflammatory anonymous email, a search was performed on her Mac laptop for the term “permanent delete.” Three minutes after that search was run, the “secure erase” function within Mac’s operating system was launched, set to overwrite deleted files on the computer 35 times. This is not the default setting for the secure erase function, which defaults to a single-pass erase, and running 35 passes would take many hours, if not days. Ten seconds after the secure erase function had been launched, the user aborted it. The conspicuous timing of these actions is a clue that suggests the user’s intentions.
Many wiping utilities, such as DiskWipe, ShredIt, or Eraser, are promoted as privacy or security tools to prevent the recovery of data. These tools can be found by searching phrases like “secure delete files.” Meanwhile, CCleaner is marketed in part as a tool for routine system maintenance, and some users may in fact deploy it for that purpose. Microsoft estimates that approximately 1.5 billion computers in the world run some version of Windows; CCleaner’s manufacturer reports the software has been downloaded one billion times. There are enough copies of CCleaner out there to equip most Windows machines. That being said, modern operating systems manage sophisticated system optimization on their own without the need for third-party tools. CCleaner may not be explicitly marketed as an anti-forensic tool, but it certainly provides that functionality.
Solid State Drives
Here we must throw cold water on this discussion and recognize that the ability to recover deleted files is dependent on not just whether a user ran some kind of wiping utility, but also technological factors sometimes outside the user’s control. Increasingly, computer manufacturers are installing Solid State Drives (SSDs) where hard drives once stood. SSDs are generally faster, more reliable, and more resilient and robust—they also behave very differently when it comes to deleted files. For a variety of technical reasons, SSDs will usually self-erase deleted files almost instantly. For bad guys with devices that run on SSDs instead of hard drives, such as most newer computers, using a wiping utility is often a completely redundant step—the computer’s own drive performs that anti-forensic function all by itself, whether the user even wants it to or not.
All is not lost, however. A tremendous volume of information about user activity is tracked by the operating system, including information about deleted files and other details of interest to investigators. On a Windows system, that information is for the most part logged in the Registry, a database of system configurations and settings. While the computer is in use, the Registry is in a constant flurry of activity. Even seemingly trivial actions may involve hundreds of read/write operations to the Registry.
In these system files, examiners will find most of the forensic artifacts of interest in an investigation—which programs were installed and when were they run, which USB devices were connected and when, which documents were most recently used, which internet sites were visited, and so on.
The Registry cannot be easily viewed by the ordinary user. Experienced users who may know how to access some of its content cannot easily alter it. It is not intended for human use. It is a tool of the machine, by the machine, and for the machine. This is part of what makes it such a powerful evidentiary tool. While a program like CCleaner is running on a live system, the Registry files that document that activity are in use and therefore cannot be wiped by CCleaner. No matter how invasive a wiping utility is used, as long as that tool is running on a live system there will be system files it cannot reach.
Upgrading the Operating System
Every few years, major software manufacturers like Microsoft or Apple push out a new version of their signature operating systems. If you are a Windows user, chances are you have seen the prompts urging you to upgrade to Windows 10. It is an insistent, impatient thing, like a bored child in the back seat, constantly asking “Are we there yet?” Some users upgrade to get new features, and some do it because the digital nagging is effective, but others may have more nefarious motives. Upgrading an operating system can be an effective way to “wipe” a computer of important forensic evidence while simultaneously providing the user with plausible deniability.
Operating system updates are security patches and bug fixes that come along periodically in the life cycle of the operating system. Many users will find these updates are installed automatically with little or no input from the human operator. Operating system upgrades involve completely replacing the existing operating system with a new version, designated with a new version number. Windows 10 is being marketed as such a giant leap forward that Microsoft is skipping the non-existent “Windows 9” altogether.
Unlike with previous upgrades, Microsoft is making Windows 10 available for free (for a limited time). Whereas previous upgrades involved logistical challenges of backing up files to external media, installing the new software from a disk, and then copying the user files back into place, the Windows 10 upgrade process has been engineered to be a user-friendly experience for non-technically minded users.
In the past, users upgrading their systems to Windows 7 or Windows 8 were given options of how much of their personal files and data would be overwritten. This meant that simply by initiating the upgrade, the user revealed something of their state of mind and awareness of what was to be changed. A so-called “clean install” would behave like a wiping utility and obliterate “deleted” data. With Windows 10, the user is no longer given a choice about what to save or delete. There is no option for a “clean install,” short of taking extreme measures requiring technical know-how, good documentation, and the patience of a saint. Instead, Microsoft says the standard Windows 10 upgrade process will preserve the existing user files, system settings, and programs from the previous Windows system when upgrading from Windows 7 or 8. This claim is made on the website, in the initial upgrade prompt menu, and is repeated onscreen during the upgrade process.
This promise may give the illusion that the act of upgrading to Windows 10 has no consequences on the integrity of a user’s data. To the extent that we define “user’s data” narrowly to mean the specific user-created content in allocated files, then the upgrade to Windows 10 does not affect those files. However, a tremendous amount of information about that user’s activity resides in system files, and those system files are necessarily changed when the entire operating system is replaced by a new version.
The “user-friendly” approach to installing a replacement operating system has consequences. The new operating system is downloaded, unpacked, and installed alongside the existing one, and then at a certain point the control is handed over from the old system to the new. As a result, the new system files overwrite some data on the system, wiping out some deleted content that might otherwise have been recoverable. Even more significantly, most of the new system files act as if the date of the new installation is “Day One” for the device, and so archival information about user activity that existed in the old system files is lost.
For example, I recently investigated a laptop that had been upgraded to Windows 10 immediately before it was handed over for examination. Testimony in the case had established that the laptop had been used to access and download various sensitive company documents from different cloud storage providers, and other evidence indicated that multiple USB devices had been used to move files to and from the computer. The newly minted system files, though, showed a computer that appeared not to have been used at all. Most of the evidence concerning activity that occurred prior to the upgrade to Windows 10 had been whisked away, leaving only the evidence of what happened after the upgrade. Information about the user’s cloud storage usage, USB devices, and the use of wiping utilities had been stored in Registry files and other system files. When the operating system was replaced, those old system files were discarded and replaced by new ones. The upgrade cleaned not just the user’s tracks, but also the rake tracks.
This in turn implicates the Problem of Intent. Users who switch to Windows 10 may claim they are merely following Microsoft’s (urgent) recommendations and taking advantage of the latest technology when it is still free. No, I wasn’t trying to hide evidence of my crimes, your honor, I was just doing what Bill Gates told me to.
Microsoft is aggressively pushing its customer base to switch to the new operating system. At a technology conference on April 29, 2015 (months before the official launch of the new operating system), Microsoft spokespeople announced that the company expects to see one billion users of Windows 10 within two to three years. In other words, they expect two of every three Windows users to make the switch. In the first two years of Windows 8’s release, only 200 million users made the leap; 500 million copies of Windows 7 were sold in its first two years. With such an ambitious sales target, no wonder the upgrade notifications are so insistent.
Anecdotally, it would appear that the use of operating system upgrades as an anti-forensic step is on the rise. It makes logical sense that fraudsters would use OS upgrades as a smokescreen: by replacing the system files with fresh copies, the upgrade helps avoid the Rake Problem; and by achieving anti-forensic effects through the use of manufacturer-recommended procedures, it can create some cover to help with the Intent Problem. Fraudsters may hope to hide their cake and eat it, too.
 David Goldman (2015), “1 billion Windows 10 PCs by 2017? Yes, really.” CNN Money, available at: http://money.cnn.com/2015/06/24/technology/windows-microsoft-sales/
 Microsoft | Community (2013), “Question: What happens to your files if you upgrade from windows7 to Windows8,” available at: http://answers.microsoft.com/en-us/windows/forum/windows_7-windows_install/what-happens-to-your-files-if-you-upgrade-from/1b4976bc-e17d-4d06-b7d3-7c84de23be33?db=5&auth=1
 Alex Wilhelm (2015), “Microsoft Expects 1 Billion Windows 10 Devices In 2-3 Years,” TechCrunch, available at: http://techcrunch.com/2015/04/29/microsoft-expects-1-billion-windows-10-devices-in-2-3-years/#.op59qmz:UWNy
 Gregg Keizer (2014), “Microsoft claims 200M Windows 8 licenses sold, but how many are in use?” ComputerWorld, available at: http://www.computerworld.com/article/2487826/microsoft-windows/microsoft-claims-200m-windows-8-licenses-sold–but-how-many-are-in-use-.html