The Death of Computer Forensics, Digital Forensics After the Singularity by Cory Altheide

...

Step two is Processing Data in which files are hashed and Signatures are analysed. Technique 3 of AF is file signature masking. File Signatures are recognized by file headers or footers. A file can be “Hollowed Out” and crime can be stored inside Encoded data in middle of binary file. Mitigating File Signature Masking involves the Use of “Fuzzy Hashing” to find potentially stimulating files and to examine all “Recent” lists of mutual apps for inquisitive entries.

Step three is Separating Wheat by Known File Filter (KFF) and Keyword Searches. Technique 4 of AF is Rendering NSRL Useless. For that, Modify all system as well as program files. This involves modifying a string in file and Recalculating and updating the embedded CRCS. Also, Turn off DEP, Data Execution Prevention. For Mitigating Rendering NSRL Useless, first Search and Identify useful files. Technique 5 of AF involves Scrambled MAC Times. For that, randomize every timestamp and BIOS time regularly, and disable time up-to-date in registry.

Step four is Analysing for Relevance. It involves analysing false positives or Good hits, looking at photos, reading documents, analysing spreadsheets, exporting files for the native analysis and Bookmarking useful things. Technique 6 of AF is Restricted Filenames. Even Windows 7 has holdovers, such as Restricted filenames. Use those filenames generously. Mitigating Restricted Filenames involves not exporting files that have native filenames and Exporting by autopen’s name or File ID. Technique 7 of AF is Circular References. Folders have characteristic limit of 255 number of characters on NTFS. Technique 8 of AF is Use of Lotus Notes. There are different tools to handle NSFS as NSF files and .id files give problems most of the times. Mitigating Lotus Notes involves Training yourself on Lotus Notes and Once you know flukes you can steer around them.

Next step is Preparing Report Which Includes thumbnails or snapshots, Write-up procedures and Attached appendices, lists, etc. Final step is Archiving Data by Storing images on central NAS and Shelving HDDS for future use. Technique 9 is hash collisions and Technique 10 is Dummy HDD.

...