H. Jahankhani, A.G. Hessami, and F. Hsu (Eds.): ICGS3 2009, CCIS 45, pp. 145–155, 2009. © Springer-Verlag Berlin Heidelberg 2009

Computer Anti-forensics Methods and Their Impact on Computer Forensic Investigation

Przemyslaw Pajek and Elias Pimenidis

School of Computing IT and Engineering, University of East London, United Kingdom
pajkow@gmail.com, e.pimenidis@uel.ac.uk

Abstract. Electronic crime is very difficult to investigate and prosecute, mainly due to the fact that investigators have to build their cases based on artefacts left on computer systems. Nowadays, computer criminals are aware of computer forensics methods and techniques and try to use countermeasure techniques to efficiently impede the investigation processes. In many cases investigation with such countermeasure techniques in place appears to be too expensive, or too time consuming to carry out. Often a case can end up being abandoned and investigators are left with a sense of personal defeat. The methodologies used against the computer forensics processes are collectively called Anti-Forensics. This paper explores the anti-forensics problem in various stages of computer forensic investigation from both a theoretical and practical point of view.

Keywords: Computer Forensics Investigation, Computer Forensics Tools, Computer Anti-forensics Methods.

1 Introduction

Locard’s principle states that when a crime is committed, there is a cross-transfer of evidence between the scene and perpetrator [1]. In the digital world, evidence resides mainly on computer hard drives in the shape of files, logs, or any other artefacts depicting pertinent activity. Projecting Locard’s principle into the cyber world, an understanding of the correlation between such types of evidence, the times when particular events took place and the users who committed those actions can be reached.
The main task of computer forensic investigators is to reveal and connect these three facts into one coherent statement revealing the whole nature of the particular action. In contrast, the main aim of computer anti-forensics is to hide or alter electronic evidence so that it cannot be used in legal proceedings or is too costly and time consuming to retrieve and examine. Computer anti-forensics methodologies vary and can be applied to contaminate any stage of the computer investigation process. Whilst most of the techniques are used directly against computer forensic tools, some of these methodologies can be used for quite legitimate reasons. Encryption, for example, can be used to protect company assets; digital watermarking can be used to prevent copyright infringement in