Purpose: Digital forensic triage for anti-forensic activities
License: GNU GPLv3
Developer(s): KITRI's Best of the Best Information Security Program
The 'Indicators of Anti-Forensics' (IoAF) project is an effort towards automated anti-forensic trace detection using signature-based methods. Each "version" represents the work of different KITRI Best of the Best groups to advance the idea.
The main IoAF program uses parsing modules to extract file meta-data and Registry key information from a system under investigation. Pre-defined signatures are stored in a SQLite database that is queried for each extracted object.
Signatures are created by using either real-time or snapshot based analysis on a similar system. Objects that are consistently updated by the action of interest are extracted, and further tested (e.g. how the object is updated). If the object is found to consistently correspond to the action of interest - and only the action of interest - it is included as a trace in the signature.
The purpose of the project so far is not to automatically reconstruct activities, but to quickly detect the presence of anti-forensic traces to let investigators know whether they should pay more interest to this device over others (digital forensic triage).
- James, J. I., Kim, M. S., Choi, J., Lee, S. S., & Kim, E. (2014). A General Approach to Anti-Forensic Activity Detection. eForensics Magazine, vol.3(5). 30–35. [Link]
- Github Repository: https://github.com/hvva/IoAF