Sophisticated Anti-Forensic Tactics and How To Spot Them

Investigative research into anti-forensics tactics Kroll experts have observed in ongoing incident response investigations.

Based on Kroll’s experience through thousands of incident response engagements, our experts have observed an uptick in the usage of anti-forensics tactics, techniques and procedures (TTPs) to circumvent internal security teams and their detection solutions. Anti-forensics are often used by adversaries to hide their activity either by the concealment, manipulation or deletion of their movement within a victim’s system or network infrastructure. These techniques can be difficult to spot for cybersecurity analysts without proper training and experience in detection, as anti-forensic TTPs tend to require more vigilance to spot them during an incident response investigation.

This series focuses on the many variants of anti-forensic tradecraft commonly used by threat actors including detecting timestomping, clearing event logs, alternate data streams (ADS) and disabling antivirus. Our experts dive into what each of the anti-forensics TTPs mean and explain the level of impact each can cause for a cybersecurity analyst during an investigation.

Timestomping

Stay Ahead with Kroll

Cyber and Data Resilience

Kroll merges elite security and data risk expertise with frontline intelligence from thousands of incident responses and regulatory compliance, financial crime and due diligence engagements to make our clients more cyber- resilient.

Learn more

Kroll Artifact Parser And Extractor (KAPE)

Kroll's Artifact Parser and Extractor (KAPE) – created by Kroll senior director and three-time Forensic 4:cast DFIR Investigator of the Year Eric Zimmerman – lets forensic teams collect and process forensically useful artifacts within minutes. Get more information on KAPE, access training materials or book a live session with a Kroll expert here.

Learn more

Computer Forensics

Kroll's computer forensics experts ensure that no digital evidence is overlooked and assist at any stage of an investigation or litigation, regardless of the number or location of data sources.

Learn more

24x7 Incident Response

Kroll is the largest global IR provider with experienced responders who can handle the entire security incident lifecycle.

Learn more

Data Recovery and Forensic Analysis

Kroll's expertise establishes whether data was compromised and to what extent. We uncover actionable information, leaving you better prepared to manage a future incident.

Learn more

Data Collection and Preservation

Improve investigations and reduce your potential for litigation and fines with the strict chain-of-custody protocol our experts follow at every stage of the data collection process.

Learn more

Incident Remediation and Recovery Services

Cyber incident remediation and recovery services are part of Kroll’s Complete Response capabilities, expediting system recovery and minimizing business disruption.

Learn more