As a computer forensics investigator, FTI Consulting’s Bryan Lee examines evidence of corporate employees stealing data, embezzling company funds, committing fraud, and performing a wide range of other nefarious activities. In many of the cases Bryan has investigated, the employee attempts to cover their tracks using various methods such as deleting their internet history. Recently, there has been an upward trend in users altering their computer prior to performing their intended actions.

A vast number of techniques that users can employ to conceal their actions are well documented on the Internet. While some are quite simple, others can be highly technical and are generally written by members of the “blackhat” community. When a user deliberately employs this group of tools and techniques to thwart an investigation, it is known as anti-forensics.

Anti-forensics methods can include using software to securely delete files, making changes to time stamps on a computer through software or systems built into an operating system, deleting or altering logs, using file, folder, or volume encryption on a drive, and using tools built into bootable flash drives or CDs to alter data.

If an employee uses anti-forensics techniques in an effort to cover up illegal activities before their data is collected in an investigation, the time and cost of the investigation can increase drastically. Bryan and his colleagues have identified a handful of proactive and reactive steps to mitigate anti-forensics efforts and reduce costs stemming from internal investigations.

Read more about anti-forensics and Bryan’s recommendations on how to address these techniques in his recent Corporate Counsel Magazine article.