Antiforensics Practices Can Complicate E-Discovery Investigations

With the rise of e-discovery, attorneys have necessarily become acquainted with the inner workings of computer systems. File system metadata is often crucial to proving critical points at trial, and computer forensics has shown itself to be an essential tool for discovering lost files and revealing hidden metadata.

But as the lawyers and investigators grow more sophisticated in their search for information, so do the people wishing to hide their misdeeds and confuse those on their trail.

“Antiforensics” – an approach to computer hacking meant to make detection difficult and proof of detection next to impossible – stands to make life miserable for attorneys and computer forensics experts in the coming years. In practice, antiforensics can involve sophisticated software and methods, but can also include the use of simple hacks and workarounds that can hide files and even change file system metadata.

Much of the antiforensics software out there is readily available and intuitive to operate, making it increasingly likely that e-discovery investigations will overlook crucial evidence as a result of antiforensic techniques. This simplification of antiforensic tools is a large part of the reason for the recent upswing in the use of antiforensic practices.

For instance, there are user-friendly tools that can change the timestamp of a file to make it look like the file was created in the future, accessed twenty years ago and never modified. This can cause files to slip through the cracks when e-discovery investigators conduct searches for files created or modified during the relevant time period for the investigation.
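A defender-side check for the inconsistencies this kind of timestamp tampering tends to leave behind, added here as an example and not part of the original article: it flags files created in the future, accessed or modified before they were created, or carrying only whole-second timestamps, and treats every hit as a lead to corroborate (file-system journals, backups, application logs) rather than as proof. The function names, the five-minute skew tolerance and the heuristics are my own choices; the article specifies none of them.

```python
from datetime import datetime, timedelta
import os

def timestamp_anomalies(created, modified, accessed, now, skew=timedelta(minutes=5)):
    """Return the reasons a (created, modified, accessed) triple looks inconsistent.

    All values are naive datetimes from the same clock; `skew` absorbs ordinary
    clock drift so a file written seconds ago is not flagged.
    """
    reasons = []
    for label, ts in (("created", created), ("modified", modified), ("accessed", accessed)):
        if ts > now + skew:
            reasons.append(f"{label} timestamp is in the future")
    # A file cannot be modified or accessed before it existed. (Copying a file
    # on NTFS can legitimately yield modified < created, so treat hits as leads,
    # not proof.)
    if modified + skew < created:
        reasons.append("modified before created")
    if accessed + skew < created:
        reasons.append("accessed before created")
    # Many timestamp-editing tools write whole-second values, whereas genuine
    # NTFS/ext4 timestamps almost always carry a sub-second fraction. FAT volumes
    # and files unpacked from archives are legitimate exceptions (heuristic only).
    if all(ts.microsecond == 0 for ts in (created, modified, accessed)):
        reasons.append("all timestamps have zero sub-second precision")
    return reasons

def scan_directory(root, now=None):
    """Walk `root` and return {path: reasons} for every file with an anomaly.

    Linux exposes no creation time through os.stat, so st_ctime (inode change
    time) stands in; an evidence image should be examined with tooling that
    reads the file system's own creation timestamp.
    """
    now = now or datetime.now()
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            created = datetime.fromtimestamp(getattr(st, "st_birthtime", st.st_ctime))
            reasons = timestamp_anomalies(created,
                                          datetime.fromtimestamp(st.st_mtime),
                                          datetime.fromtimestamp(st.st_atime), now)
            if reasons:
                hits[path] = reasons
    return hits
```

Run `scan_directory()` against a read-only mount of a working copy of the evidence, never the original media, and keep the output as a triage list for the examiner rather than a finding in itself.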

Another type of program will separate a file into several pieces, then insert it into the empty space at the end of other files. The extra information shows up as random noise, making it incredibly difficult to reassemble the hidden file – unless you know how the file was split up.

Similarly, data can be inserted into seemingly innocuous file types in order to cover up its existence. Thus, smoking gun email messages could theoretically be hidden inside a JPEG file as a way to transmit them while avoiding detection.

Encryption can also hinder investigations. By partitioning a hard drive and encrypting one of the resulting sections, then partitioning and encrypting again, individuals can hide information very effectively. Forensic tools will not recognise the second encrypted partition as a partition at all; its contents appear instead as random digital garbage.

While forensic investigators can eventually discover that these techniques have been used, it may come too late to help a case. Moreover, it may be impossible to determine who changed the metadata associated with the file, which could lessen the chances of imposing spoliation sanctions.

The saving grace for e-discovery in the face of antiforensic practices is the fact that most EDD investigations involve massive amounts of data, with no easy way to sift through it. A party seeking to cover up evidence after a litigation hold has commenced would have a difficult time both remembering which files were potentially damaging and locating the files so as to hide them.

Someone engaging in deliberate fraud or other legal transgressions, however, could systematically hide files or alter metadata as they commit their misdeeds to prevent the discovery of incriminating evidence. This means that the most egregious sorts of behaviour could end up being the ones for which electronically stored information is hardest to gather.

Clearly, as the antiforensic tools and techniques become ever simpler, the life of the e-discovery attorney will grow ever more complex as well.
