Anti-Forensics - You are doing it wrong (Believe me, I'm an IR consultant)

In this talk, we’ll dissect common anti-forensics strategies—like USN Journal deletion, shellbag clearing, timestamp manipulation, and disabling access time updates—and reveal how they are often executed ineffectively or misunderstood.

From registry edits like masking user account activity to configuring Windows EFS, we’ll examine why these techniques often fail against modern investigative workflows and how defenders use these “footprints of erasure” to uncover malicious intent.

Attendees will gain a comprehensive understanding of what works and what doesn’t and how to identify these techniques during incident response. Whether you’re an IR consultant, security analyst, or blue teamer, this talk offers actionable knowledge to outsmart adversarial anti-forensics tactics.

We’ll explore practical examples, such as:

Deleting the USN Journal (fsutil usn deletejournal /d C:) and why it’s rarely a perfect solution.
Clearing shellbags to wipe file explorer history but failing to account for deeper registry artifacts.
Time stomping (Get-Item “C:\path\to\file.txt”).CreationTime = “2022-01-01 00:00:00) and how forensic tools detect inconsistencies.
Disabling last access time updates (fsutil behavior set disablelastaccess 1) and its limited effectiveness against comprehensive timeline analysis.
Wiping MFT free space (sdelete -z C:) while ignoring the traces left behind in unstructured data.

We use Python code to show how ‘clean’ evidence cleaning can be done, e.g., if only individual MFT entries are deleted or even if entries in the SRUM database are deleted or manipulated. This means it is not immediately obvious that the data has been manipulated, unlike when everything is deleted.

Talk

Anti-Forensics - You are doing it wrong (Believe me, I'm an IR consultant)

About the Speaker