Dahbur and Mohammad introduce this paper as a survey of tools and techniques in the emerging field of anti-forensics, together with their classification. The authors explicitly address only computer anti-forensics (CAF), deferring network anti-forensics aspects to future work.
The authors’ position is similar to that in the field of cryptology: to know cryptography better, one needs to know a bit of cryptanalysis, and vice versa. They cite a lack of previous work on the comprehensive classification of anti-forensics tools and techniques, and they attempt to lay a foundation for the terminology of the anti-forensics side.
They begin by defining the problem space, as well as the relevant and introductory terminology and literature. The work becomes more useful starting with section 3, specifically with the CAF classification review. The authors mention several sets of classification categories from the surveyed literature based on attack targets, (non-)traditional techniques, functionality, and the distinction between anti-forensics (forensic analysis prevention by data hiding) and counter-forensics (direct attack on forensic tools).
In section 4, the authors arrive at the challenges: the struggle to come up with a more standard definition of anti-forensics and the need to improve on the previous section’s classification schemes. They examine the problem from the point of view of the constraints found in computer forensics, namely temporal, financial, and other resource constraints. They also explore more deeply the challenges that CAF poses to an investigation by describing the evolution of the privacy technologies available to users: encryption, compression bombs, cloud computing, steganography, and so forth. The authors then proceed with a set of four general recommendations.
After the conclusion, future work, and references, there is a small table in the appendix listing the tools the authors located; the list seems to be a fraction of what it could be. The paper is Windows-centric in the tools it mentions; almost entirely missing are tools for Mac OS X, Linux, and mobile devices. The authors also overlook standard Unix utilities that can change timestamps, for example, touch. The paper is sometimes repetitive or sloppy in its terminology, and the image reproductions are of rather poor quality. Overall, the paper is a poor attempt to address an important topic.