
Effective Data Erasure and Anti Forensics Techniques

Published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-5 | Issue-1, December 2020. PDF URL: https://www.ijtsrd.com/papers/ijtsrd38043.pdf Paper URL: https://www.ijtsrd.com/computer-science/computer-security/38043/effective-data-erasure-and-antiforensics-techniques/anand-v

International Journal of Trend in Scientific Research and Development (IJTSRD)

Volume 5 Issue 1, November-December 2020 Available Online: www.ijtsrd.com e-ISSN: 2456 – 6470

Effective Data Erasure and Anti-Forensics Techniques


Anand V¹, Dr. MN Nachappa²
¹MCA Scholar, ²Academic Head,
¹,²Department of MCA, School of CS & IT, Jain (Deemed-to-be) University, Bangalore, Karnataka, India
ABSTRACT
Deleting sensitive data after use is just as important as storing data in a safe location. With cyber-attacks such as data theft happening, it is best to delete, purge or destroy unwanted sensitive data as soon as possible after its use. Data stored offline, for example on hard disks, is just as prone to being stolen as data stored online. To destroy the data so that cybercriminals cannot get hold of it, techniques such as Data Wiping and Anti-Forensics are used. A study is done on how these techniques can be used to the advantage of our system and against the cyber criminals.

KEYWORDS: Data, Windows registry, Anti-Forensics, Data Wiping

How to cite this paper: Anand V | Dr. MN Nachappa "Effective Data Erasure and Anti-Forensics Techniques" Published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-5 | Issue-1, December 2020, pp.708-711, URL: www.ijtsrd.com/papers/ijtsrd38043.pdf
Unique Paper ID: IJTSRD38043

Copyright © 2020 by author(s) and International Journal of Trend in Scientific Research and Development Journal. This is an Open Access article distributed under the terms of the Creative Commons Attribution License (CC BY 4.0) (http://creativecommons.org/licenses/by/4.0)


1. INTRODUCTION
Data deleted from a hard disk is technically 'not deleted'; it is merely replaced by free space, and later by new data. Recovery of deleted data has existed since the beginning of the 1990s, and more advanced methods have since made data easier to recover. This poses a security threat, because it concerns information that was supposed to be gone for good for the sake of privacy. A typical non-technical user deletes data on the assumption that it is gone forever and that their private information will never be leaked or recovered. However, it can be recovered with better hardware, faster processors and efficient software.

Wiping the hard disk is one way to purge/destroy the data in such a way that it can never be recovered. There are many methods to wipe hard disk space. Another term used as a synonym for wiping data is shredding. For shredding, different types of algorithms are used, each with its own advantages and disadvantages: a balance between the Speed with which the shredding completes and the Security, which describes how hard it is to recover the data.

The latter part of the discussion covers the various Anti-Forensics methods used by cyber criminals to avoid being exposed and captured by the police. These techniques can be used against them in such a way that they secure the information and security of the organization. This study is an extension of the former part, i.e. the Data Wiping method, since that also comes under the purview of Anti-Forensics.

In short, the main types of malicious activity carried out by cyber criminals are listed below; the solutions and techniques are discussed further on.
- Recovering deleted data from stolen storage devices.
- Finding open ports to plan an attack/hacking.
- DDoS attack on a specific targeted IP address.

2. BACKGROUND
2.1. Data Wiping Algorithms
The figure below shows a comparison of the shredding algorithms.

Figure 1: Comparing Data Wiping Algorithms

From this figure, we can assume that the Gutmann method is more secure and that using it makes the deleted data less recoverable; however, the Gutmann method takes more time and a high toll on system resources such as processor and
RAM. The aim is to find a way to run the Gutmann algorithm on a low scale, as a background service running the whole time the PC is working, so that it shreds the slack/free space without using much of the system's resources, because it should not affect the other normal programs of Windows. The disadvantage of the time consumed by this algorithm cannot be changed; however, it can be extended.

For example, if 500 GB of free space takes 24 hours to be shredded, it takes a large amount of RAM in a single run. If we instead use a method or technique that shreds the same 500 GB of free space while limiting the resources given to the process, the performance of the computer will not slow down in a noticeable manner. The progress is saved on every shutdown and resumed when the PC is turned on again. This method will extend the time to days or even weeks; however, it will not be noticeable, since there are always times when the PC is turned on but idle, or when only software with very low RAM and processor consumption is in use. Little by little, slowly and steadily, the private/confidential/useless data is deleted forever, beyond recovery.

2.2. Open Port Vulnerability
In network security, an open port is a UDP/TCP port number assigned to receive packets. All communication and data exchange happens through ports. Leaving a port open after use is a dangerous vulnerability, because attackers can insert malware through it and gain access to the system.

2.3. DDoS Attack
A DoS (Denial-of-Service) attack means sending multiple malicious requests from a device to a server/system/website just to overload it and slow down or break the functioning of its resources. DDoS (Distributed Denial-of-Service) uses multiple devices, possibly even including IoT devices. A main target nowadays is online video gamers, who have become victims of this. The DDoS attacks caused the online gamers' systems to slow down and even crash.

Figure 2: DDoS Attack

3. ANTI-FORENSICS
Anti-Forensics is commonly known as the set of techniques used by cyber criminals to cover their malicious activities over the internet or offline on their own computer. Deleting data beyond recovery is one of the main examples of Anti-Forensics. However, depending on the situation, the term Anti-Forensics can also have another meaning, in a positive way. By wiping sensitive information, we prevent potential attackers and infiltrators from accessing it. It is the responsibility of the system administrator to protect each and every bit of data from leaking out. Anti-Forensics is a considerably less explored field compared with other fields of cyber security, so it is worth giving education to the employees under the system administrator, dealing with database management, development and information management.

Thus, some techniques can be implemented on systems containing deleted sensitive data, with adequate permission from the upper authority of the organization. The term Anti-Forensics is mostly understood in a negative way, i.e. ways in which cyber-criminals erase their activity so that evidence cannot be traced back to them; on the other hand, we can see it in such a manner that the techniques the perpetrators use can be used against them too. As the saying goes, "If you want to catch a thief, you need to think like a thief". Let us see how the techniques used can be used against them with the help of two case studies.

4. PROPOSED DESCRIPTION
In this part, two case studies are considered which involve anti-forensics and how it can be implemented more effectively. They can be listed as
1. Data wiping without any interruptions: wiping the free space/deleted data from slack space by keeping the system in hibernation mode temporarily.
2. Continuous scanning of ports to check for any open ports.
3. IP spoofing for own computer, when a DDoS attack is suspected.
4. Extracting embedded hidden information using steganography.

In order to perform these operations, system administrator privileges are necessary, since they involve changing registry values. These techniques are recommended to be performed only once a year or once in 6 months, or whenever deemed necessary, and not on a regular basis.

5. TECHNIQUES AND EXECUTION
Step 1: Hibernating the PC
This is a temporary procedure. Using Python scripts, disable the options of Shutdown, Restart and Sign out. The reason behind doing this is simple. All three of these cause the ongoing processes to stop, and those processes will then start again from the beginning. Algorithms such as the Gutmann algorithm take days, maybe even weeks, to complete the operation. It is not practicable to do that in just a single day. By hibernating the PC after use each day, all the background processes will be resumed as they were running earlier every time the PC is turned on.

After all the procedures which take a long time to complete, not only data wiping but also deep vulnerability Anti-Virus scanning, we can turn the Shutdown, Restart and Sign-out options back on. Note that this is just to make sure that no one ends those processes in between.

To hide the Shutdown, Restart, Sign out button
In the registry editor go to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\Start

Find the keys
HideShutDown, HideRestart and HideSignOut
Change their values from 0 to 1 respectively.
Shutdown, SignOut and Restart buttons are hidden.
Figure 3: Shutdown, Restart, Sign Out Hidden

Step 2: Perform Data Wiping
We can either use a third-party application such as Eraser or CCleaner, which offers the 35-pass Gutmann method, or use the built-in data erasure command of Windows, "Cipher", from cmd.

By using Eraser

Figure 4: Gutmann 35 passes

By using Cipher
cipher /w:D:\ -- wipes all the free space/deleted contents in drive D beyond recovery.

Figure 5: Cipher Command in Windows

Step 3: Port Scanning
A third-party application like Advanced Port Scanner can be used. If the scan is taking a long time, the system can be hibernated. When it is turned on again, the scan will continue from the port it had reached.

Figure 6: Advanced Port Scanner

Lastly
After performing data wiping and other time-consuming scanning/anti-forensics operations, we have to unhide the buttons which we hid earlier.

To unhide the Shutdown, Restart, Sign out button
In the registry editor go to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\Start

Find the keys
HideShutDown, HideRestart and HideSignOut
Change their values from 1 to 0 respectively.
Shutdown, SignOut and Restart buttons are no longer hidden.

Figure 6: Shutdown, Sign Out and Restart buttons restored

6. FUTURE SCOPE
As said earlier, in order to beat a criminal, we may have to think like the criminal. These techniques may not be fully effective against new and upcoming cyber-attacks, but they can surely be integrated when building a bigger piece of software solely for the purpose of stopping cyber-criminal activities. We are utilizing the idle time of the computer and securing the data.

Even though tampering with the Windows registry is not recommended, these techniques will come in handy for the better security of information in the organization.

7. CONCLUSION
Data wiping and forensics procedures are long and time-consuming. It may not be possible to complete them all in one day. Through this project, a solution by division of work was seen to be possible. By applying these techniques once every while, the deleted data, which may or may not be sensitive, will not reach the hands of the cybercriminal, and countermeasures can be taken for Anti-Forensics.
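
For Step 3 and the open-port risk in section 2.2, an added Python example (not from the paper or from Advanced Port Scanner) that audits a host you administer against an allowlist of expected ports and can resume an interrupted run. The function names, the allowlist and the `budget` parameter are assumptions.

```python
import socket

def is_open(host, port, timeout=0.2):
    """True if a full TCP connection to host:port succeeds."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0

def audit_ports(host, first, last, allowed, resume_from=None, budget=None):
    """Check TCP ports first..last on your own host against an allowlist.

    allowed: set of ports that are expected to be open (e.g. {22, 443}).
    resume_from: port to restart at, as returned by an interrupted run.
    budget: maximum number of ports to probe in this run (None = no limit).
    Returns (unexpected_open_ports, next_port). next_port is None when the
    range is finished, otherwise the value to pass back as resume_from.
    """
    unexpected = []
    port = first if resume_from is None else resume_from
    probed = 0
    while port <= last:
        if budget is not None and probed >= budget:
            return unexpected, port          # stopped early; caller stores this port
        if is_open(host, port) and port not in allowed:
            unexpected.append(port)          # open but not on the allowlist
        port += 1
        probed += 1
    return unexpected, None
```

Any port in the returned list is a listener nobody declared; closing it or adding it to the allowlist after review is the follow-up action.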
