The Law of Anti-Forensics Tools

Computer Crime Evidence

Data Security at Risk

Sophisticated hackers use so-called anti-forensics tools to make break-ins harder to detect and harder to trace once they are detected. The tools wipe out data, change timestamps, misdirect audit trails and scramble network logs so no one can prove what happened or when. Observers have speculated that anti-forensics tools helped the crooks who stole credit card data from TJX Companies.

In principle, a hacker's goal in using an anti-forensics tool is to avoid prosecution. Yet the outcome of a criminal case against the hacker may, ironically, be different from what he had in mind. If a hacker is caught having used anti-forensics tools, it will be easier to prosecute him and to impose stiff punishment. The use of such tools can, in itself, be evidence of his sinister intent.

Similarly, if a government official were to use anti-forensics tools to hide a misallocation of funds, his misdeed may look more like a crime and less like a mere clerical mistake.

Historically, prosecution of hackers has sometimes been hard when they did not clearly steal anything. Such hackers garnered some sympathy by saying they were just snooping around and not trying to harm anyone. But if a hacker uses anti-forensics tools, any sympathy will evaporate. Use of the tools can show he was trying to cover his tracks.

The CSI Working Group on Web Security Research Law, in its Inaugural Report of June 11, 2007, suggests that a key factor in a computer crime prosecution is whether the defendant tried to hide. It cites the computer crime prosecution of Eric McCarthy, who arguably was just an innocent researcher who found a vulnerability in a USC server. But instead of reporting his finding in a responsible way, he disclosed the vulnerability in a pseudonymous e-mail to the press. His effort to hide his identity contributed to the conclusion that he was guilty.