We live in a digital world where almost everything we do is being monitored by technology. Our locations are being tracked by our mobile devices, CCTV security cameras are on almost every building, and even our banking is mostly done online. Most people, including myself, are concerned with how much of our personal lives is out there. For us, it is rightfully scary, but for criminals it is a nightmare.
Is Anti-Forensics Legal?
The Shorthand Answer:
Anti-forensics generally describes the destruction of data with the purpose of hiding said data. The legality of this destruction depends entirely on "intent". If the individual has full legal authority over the data, and has no reason to assume the data could be used against him/her in court, then it is okay to perform anti-forensics. Done under this light, it can be viewed more as a security measure to prevent personal data leakage. However, whenever someone attempts to destroy, or succeeds in destroying, digital data relevant to a civil or criminal court case, the act can be considered destruction or tampering of evidence.
Anti-forensics is the term used when preventative measures are taken against the ability to successfully recover digital data from an electronic device. Much like a murderer may try to hide the murder weapon so it cannot be found, criminals sometimes try to hide the computer evidence that shows their previous actions.
Anti-forensics comes in many forms. It can exist in simple ways such as intentionally deleting documents, files, and downloads, or it can use third-party applications that do things like change file timestamps or even wipe entire hard drives. Any action that prevents forensic techniques from recovering the data can be considered anti-forensic in nature. Some individuals turn to attempted physical destruction of the device. Hit a cell phone with a hammer, throw a hard drive into a lake; the thought process is understandable: destroy the device and the evidence cannot be found on it. Fortunately for investigators, evidence can often still be recovered after attempted physical destruction. This is because investigators do not need screens or functioning buttons for their work. All they normally need is the drive the data is stored on (bonus points if there are cloud backups of the data). Total destruction is definitely possible, but hard drives can sometimes even withstand fires and water submersion.
Digital destruction methods can be just as catastrophic as physical ones. Wiping hard drives and deleting documents are attempts at eliminating all traces of the crime. Just like physical destruction, digitally destroyed data can be recovered under certain circumstances. You can read more specifics on the possibilities of recovering deleted data here.
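The reason ordinary deletion is recoverable is that it removes the directory entry, not the bytes on the medium. The example below, added here and not part of the original post, builds a constructed "volume" (random filler with a directory table), writes a small but valid PNG into it, deletes the entry, and then carves the file back out by scanning for the PNG signature and IEND trailer, the same signature-based approach carving tools use. The ToyVolume class, the offsets and the seed are assumptions made for the demonstration.

```python
"""Signature-based file carving over a constructed raw image (added example)."""
import random
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# The IEND chunk is always the 4-byte type followed by its fixed CRC.
PNG_TRAILER = b"IEND" + struct.pack(">I", zlib.crc32(b"IEND"))


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: length, type, data, CRC32 over type+data."""
    return (struct.pack(">I", len(data)) + ctype + data
            + struct.pack(">I", zlib.crc32(ctype + data)))


def make_png() -> bytes:
    """Build a valid 1x1 red RGB PNG so the carved result can be checked."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit, RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")               # filter byte + pixel
    return (PNG_SIGNATURE + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b""))


class ToyVolume:
    """Constructed stand-in for a disk: raw bytes plus a directory table."""

    def __init__(self, size: int, seed: int = 1):
        # Deterministic pseudo-random filler plays the role of old sector contents.
        self.raw = bytearray(random.Random(seed).randbytes(size))
        self.directory: dict[str, tuple[int, int]] = {}

    def write(self, name: str, offset: int, data: bytes) -> None:
        self.raw[offset:offset + len(data)] = data
        self.directory[name] = (offset, len(data))

    def delete(self, name: str) -> None:
        # Ordinary deletion drops the directory entry; the bytes stay in place.
        del self.directory[name]


def carve_png(raw: bytes) -> list[tuple[int, bytes]]:
    """Return (offset, bytes) for every header-to-trailer PNG span in raw."""
    results = []
    pos = 0
    while True:
        start = raw.find(PNG_SIGNATURE, pos)
        if start == -1:
            return results
        end = raw.find(PNG_TRAILER, start)
        if end == -1:
            return results
        end += len(PNG_TRAILER)
        results.append((start, bytes(raw[start:end])))
        pos = end


def demo() -> bool:
    """Write, delete, carve; True if the carved file matches the original."""
    vol = ToyVolume(4096)
    original = make_png()
    vol.write("photo.png", 1000, original)
    vol.delete("photo.png")                      # gone from the table...
    carved = carve_png(vol.raw)                  # ...but still on the medium
    return "photo.png" not in vol.directory and carved == [(1000, original)]


if __name__ == "__main__":
    print("recovered deleted PNG:", demo())
```

Overwriting the region (a wipe) is what defeats this, which is why the post distinguishes plain deletion from wiping; the carver finds nothing once the signature bytes are gone.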
Some forms of anti-forensics don't even involve the destruction of data. Instead, they focus on obfuscating it. Timestamp manipulation is a prime example of non-destructive anti-forensics. Timestamps are very important in digital forensics because they present a timeline of which events happened — and when. There are situations in which investigators are given a strict investigation scope between very specific dates/times. The incriminating file(s) could be completely missed if the timestamps were changed to fall outside this scope. For example, investigators may be looking for a file they know was made in December 2018, but the timestamp showing the file's creation time was changed by the criminal to July 2017. If restricted by a scope, this obfuscation method could be more effective than an attempt to destroy the file.
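From the investigator's side, the defence against the December 2018 to July 2017 trick above is to scope on more than the one timestamp an editing tool changes and to look for internal inconsistencies. The example below is added here and is not from the original post. It assumes NTFS-style records carrying two sets of timestamps: the $STANDARD_INFORMATION set (what a file browser shows and what common timestamp editors rewrite) and the $FILE_NAME set (written when the file is created or renamed and normally left alone). The FileRecord class, the check names and the two constructed records are assumptions for the demonstration.

```python
"""Timestamp-consistency checks over constructed NTFS-style records (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc


@dataclass
class FileRecord:
    path: str
    si_created: datetime    # $STANDARD_INFORMATION: shown to users, easily rewritten
    si_modified: datetime
    fn_created: datetime    # $FILE_NAME: set at creation/rename, rarely touched
    fn_modified: datetime


def timestamp_anomalies(rec: FileRecord, volume_created: datetime) -> list[str]:
    """Return a description of every inconsistency found in one record."""
    findings = []
    if rec.si_created < volume_created:
        findings.append("created before the volume itself existed")
    if rec.si_created < rec.fn_created:
        # $FN creation is written when the file appears; $SI cannot precede it.
        findings.append("$SI creation earlier than $FN creation")
    if rec.si_modified < rec.fn_modified:
        # $SI modified advances on every write, so it should never lag $FN.
        findings.append("$SI modified earlier than $FN modified")
    if rec.si_created.microsecond == 0 and rec.si_modified.microsecond == 0:
        # Real writes carry sub-second precision; whole seconds suggest a typed-in value.
        findings.append("both $SI timestamps have a zero sub-second part")
    return findings


def in_scope(rec: FileRecord, start: datetime, end: datetime) -> bool:
    """Scope on every timestamp, so rewriting $SI alone cannot move a file out of scope."""
    times = (rec.si_created, rec.si_modified, rec.fn_created, rec.fn_modified)
    return any(start <= t <= end for t in times)


# Constructed sample data: the volume was formatted in January 2018.
VOLUME_CREATED = datetime(2018, 1, 5, 8, 0, 0, tzinfo=UTC)
SCOPE_START = datetime(2018, 12, 1, tzinfo=UTC)
SCOPE_END = datetime(2018, 12, 31, 23, 59, 59, tzinfo=UTC)

# An untouched file written in December 2018.
CLEAN = FileRecord(
    path=r"C:\Users\jdoe\Documents\notes.docx",
    si_created=datetime(2018, 12, 3, 10, 15, 22, 123456, tzinfo=UTC),
    si_modified=datetime(2018, 12, 3, 11, 0, 0, 654321, tzinfo=UTC),
    fn_created=datetime(2018, 12, 3, 10, 15, 22, 123456, tzinfo=UTC),
    fn_modified=datetime(2018, 12, 3, 10, 15, 22, 123456, tzinfo=UTC),
)

# The same kind of file after its $SI timestamps were rewritten to July 2017.
STOMPED = FileRecord(
    path=r"C:\Users\jdoe\Documents\ledger.xlsx",
    si_created=datetime(2017, 7, 14, 9, 0, 0, tzinfo=UTC),
    si_modified=datetime(2017, 7, 14, 9, 0, 0, tzinfo=UTC),
    fn_created=datetime(2018, 12, 3, 10, 15, 22, 123456, tzinfo=UTC),
    fn_modified=datetime(2018, 12, 3, 10, 15, 22, 123456, tzinfo=UTC),
)

if __name__ == "__main__":
    for rec in (CLEAN, STOMPED):
        print(rec.path, "in scope:", in_scope(rec, SCOPE_START, SCOPE_END))
        for f in timestamp_anomalies(rec, VOLUME_CREATED):
            print("   !", f)
```

Scoping by the $SI creation time alone would drop the second record (it reads July 2017); scoping across both attribute sets keeps it in the December 2018 window, and the four inconsistencies make it a record worth a closer look rather than a file to skip.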
Encryption is another method of anti-forensics that the average person may not immediately acknowledge. For those of you who do not know, encryption on a basic level uses math to take the readable data on a hard drive and jumble it up. This means that only the person with the decryption key (the correct mathematical value) is capable of reading the data. An encrypted message to a person with the decryption key may look like "This is the secret message", but to someone without the key it could look like "jqwl os rbw fkwldo jakenry". As you can imagine, this is an effective way to frustrate forensic procedures. But encrypting your hard drive is not illegal, so how can it be considered anti-forensics? Well, neither is smashing your computer. It is also certainly not illegal to throw *cough* drop *cough* your phone into a lake. Although all of these actions can prevent forensics from effectively obtaining digital data, they are not crimes without the intent to hide criminal/civil wrongdoing. Destruction of evidence is a serious crime in itself, but if you have no reasonable belief that your data is going to be used in litigation sometime in the future, then you have every right to do with your data what you want, even if that means taking a hammer to it.
In the end it all comes down to 'mens rea'. If you knowingly and intentionally destroyed data so that it could not be retrieved by digital forensic investigators, then that act could be used against you. As well explained in the Aaron Hernandez murder case here, the Federal government states:
(c) Whoever corruptly –
(1) alters, destroys, mutilates, or conceals a record, document, or other object, or attempts to do so, with the intent to impair the object's integrity or availability for use in an official proceeding; or
(2) otherwise obstructs, influences, or impedes any official proceeding, or attempts to do so,
shall be fined under this title or imprisoned not more than 20 years, or both.
It makes sense that someone may not want to take the chance of their personal data being leaked out into the world. Hackers are stealing private information all the time with malware. If data is kept on a system for a shorter amount of time, there is a smaller chance it can be exfiltrated. Or perhaps you don't want to keep that embarrassing video of your singing on your computer anymore. Regardless, anti-forensic methods can technically be used rightfully. However, these acts turn criminal the second the intention is to destroy potential pieces of evidence.