This very interesting story at CSOonline.com traces the growing trend of antiforensics.
Hitting a computer's delete button doesn't remove a file from the machine. It simply hides it: the filesystem drops the file's name from the directory listing users see and marks its space as free, while the contents stay on disk until they happen to be overwritten. Computer forensics, quite simply, is the science of using hardware and software tools to reconstruct a computer's past activity, including recovering those files. Forensic examiners perform a long string of related investigative tasks that can be as key to criminal investigations as dusting for prints.
A short and very well-done podcast on forensics can be seen at Business POV. If a picture is worth a thousand words, a video may be worth 10,000. In the podcast, engineers working for the forensics firm of Grant Thornton demonstrate some basic processes. More technical information can be found at the Computer Forensics Expert Witness Network.
The CSOonline.com story is about the next step, antiforensics, which focuses on efforts of the folks doing naughty things to hide their tracks. It's the mouse part of the cat-and-mouse game. Antiforensics is growing not primarily because the tools are becoming more powerful -- though they are -- but because they are becoming easier for non-experts to use. Says the writer:
The hacker's focus has shifted too, from developing destructive payloads to circumventing detection. Now, for every tool forensic investigators have come to rely on to discover and prosecute electronic crimes, criminals have a corresponding tool to baffle the investigation.
The CSOonline.com story does a good job of tracking the intricate world of computer forensics and antiforensics and describes some of the tools that are being created, both by the bad guys and by the good guys who are trying to think along with them.
Understanding antiforensics requires a good understanding of forensics itself. Computer Forensics World has a good Q&A on its home page. Among basic questions (What is computer forensics? What are the common scenarios?), the article describes how an investigation is approached. The answer reveals the complexity of the science.
Not only must examiners get to the truth, but they must do it in such a way that their findings will stand up in court. Investigators must secure the system (so that it can't be monkeyed with during the investigation). They typically make a bit-for-bit copy of the hard drive and work from that copy, leaving the original untouched, before diving in to find and recover files that had been partially deleted or hidden in the electronic nooks and crannies of the machine. They also will investigate the software installed on the computer (for instance, was it taken over by a bot herder?) and create a detailed report.
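To make the two points above concrete (deletion only unlinks a name; the examiner images the disk, verifies the image, and recovers the unlinked data from it), here is an added example that is not from the CSOonline.com story or the Computer Forensics World Q&A. It uses a toy block-layout "filesystem" with a single directory block, two constructed sample files that carry real JPEG and PNG header/footer bytes around dummy payloads, SHA-256 to confirm the image matches the source, and signature carving over the raw image bytes. The layout, block size and file names are all assumptions made for the demonstration.

```python
import hashlib

BLOCK_SIZE = 64
NUM_BLOCKS = 8

# Constructed sample files (not real images): genuine JPEG/PNG magic around dummy payloads
SAMPLE_FILES = {
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"JFIF-bytes-of-the-photo" + b"\xff\xd9",
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"IHDR-and-IDAT-bytes" + b"IEND\xaeB`\x82",
}

# Header/footer signatures a carver looks for, independent of any directory
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def _read_dir(disk):
    raw = bytes(disk[:BLOCK_SIZE]).rstrip(b"\x00").decode()
    return [e for e in raw.split(";") if e]


def _write_dir(disk, entries):
    raw = ";".join(entries).encode()
    disk[:BLOCK_SIZE] = raw.ljust(BLOCK_SIZE, b"\x00")


def make_toy_disk(files):
    """Toy filesystem (assumed layout): block 0 is the directory, written as
    'name:offset:length;...'; file data is laid out block-aligned from block 1."""
    disk = bytearray(BLOCK_SIZE * NUM_BLOCKS)
    entries, next_block = [], 1
    for name, data in files.items():
        offset = next_block * BLOCK_SIZE
        disk[offset:offset + len(data)] = data
        entries.append(f"{name}:{offset}:{len(data)}")
        next_block += -(-len(data) // BLOCK_SIZE)  # ceil division: blocks used
    _write_dir(disk, entries)
    return disk


def list_files(disk):
    """What a user sees: only names that still have a directory entry."""
    return [e.split(":")[0] for e in _read_dir(disk)]


def delete_file(disk, name):
    """What 'delete' really does: drop the directory entry. Data blocks are untouched."""
    _write_dir(disk, [e for e in _read_dir(disk) if not e.startswith(name + ":")])


def image_disk(disk):
    """Acquire a bit-for-bit image and hash both source and copy so the image can
    be shown to match the evidence; all later analysis runs on the image only."""
    image = bytes(disk)
    return image, hashlib.sha256(disk).hexdigest(), hashlib.sha256(image).hexdigest()


def carve(image):
    """Signature carving: locate a header, then the first matching footer after it.
    Works purely on raw bytes, so files with no directory entry are found too."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header))
            if end == -1:
                break  # header with no footer: truncated or overwritten file
            end += len(footer)
            found.append((pos, kind, image[pos:end]))
            pos = image.find(header, end)
    return sorted(found)


def investigate():
    """Walk the scenario: build the disk, 'delete' the photo, image, verify, carve."""
    disk = make_toy_disk(SAMPLE_FILES)
    before = list_files(disk)
    delete_file(disk, "photo.jpg")
    after = list_files(disk)
    image, h_source, h_copy = image_disk(disk)
    if h_source != h_copy:
        raise RuntimeError("image does not match source; acquisition failed")
    return {
        "listed_before": before,
        "listed_after": after,
        "image_sha256": h_copy,
        "carved": [(kind, data) for _, kind, data in carve(image)],
    }


if __name__ == "__main__":
    result = investigate()
    print("directory before delete:", result["listed_before"])
    print("directory after delete: ", result["listed_after"])
    print("image sha256:", result["image_sha256"])
    for kind, data in result["carved"]:
        print(f"carved {kind} ({len(data)} bytes):", data)
```

The deleted photo no longer appears in the directory, yet the carver pulls it intact out of the verified image because its bytes were never touched. Two caveats a practitioner would add: on a real disk the freed blocks can be reused at any moment, so imaging early matters, and header-to-first-footer carving is a simplification (a real JPEG with an embedded thumbnail contains an inner end marker, and fragmented files need smarter reassembly than this).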
Antiforensics isn't the only emerging discipline. This PCWorld.com piece suggests that network forensics, a subcategory of digital forensics which, as the name implies, gives the same investigative treatment to network traffic, is gaining attention.