Anti-Digital Forensics, The Next Challenge: Part 2

Article Posted: February 01, 2009

This issue, we take a look at the general categories of anti-digital forensics.

Hiding Data (Cryptography, and Low-tech Methods)
Cryptography (from the Greek kryptos for "hidden, secret," and grápho for "I write") is the practice and study of encoding messages (information and data) such that only the sender and receiver have the means to understand the messages. Cryptography is considered a part of mathematics and computer science. Historically, cryptography referred to encryption, which is the process for converting plaintext into ciphertext. Decryption is the reverse of encryption, namely converting the ciphertext back to plaintext. Modern cryptography concerns itself with the confidentiality and integrity of information and its authentication and non-repudiation. Since the availability of powerful desktop and laptop computers, it has diversified to encompass techniques to secure telephone conversations, network protocols, e-mails, software, digital property, ATM cards, computer passwords, ecommerce transactions, message integrity checking, and digital signatures.

There are many cryptography standards in use today. They include the Data Encryption Standard (DES), Triple DES, the Advanced Encryption Standard (AES), RSA, hash standards (MD5 and the SHA variants), digital signature standards (the Digital Signature Algorithm, DSA), and wireless standards (WEP, WPA, WPA2, A5/1 and A5/2). Encryption uses a cipher (a pair of algorithms) and a secret key (generally a parameter known only to the communicants) to encrypt messages; the key is needed to decrypt the message. In many ways, cryptography can be considered one of, if not the, ultimate ADF techniques. It can be used at the application level, the file system level, or the disk level. For instance, many applications allow users to password protect and/or encrypt individual files. Additionally, tools are readily available to encrypt entire file systems or disks. When this occurs, forensic analysis becomes extremely difficult, if not impossible.

The counterpart of cryptography is cryptanalysis (the methodology and techniques used to obtain the encrypted information without having the key). Cryptanalysis tries to exploit weaknesses in the cryptographic method that was used to encrypt the information. In theory, most ciphers can eventually be broken through a brute-force computer attack if enough computational processing is put to the task. However, the amount of computational processing necessary is unknown, since it may be exponentially dependent upon the actual size of the key. As such, cryptanalysis is generally going to be far beyond the resources of most examiners. Therefore, unless the key is known, or can be obtained or broken, it will not be possible to decrypt the encrypted message. Examiners often detect encrypted data during forensic examinations, because many encryption methods and tools leave specific flags, headers, or other signatures. The frustration for examiners is not being able to decrypt the information for its potential probative value.
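The detection step described above, as an added example that is not part of the original article: a small Python checker that first looks for the header signatures some encrypted formats do leave (OpenSSL's Salted__ prefix, a PGP armor banner, the packet header gpg -c writes) and, where none is present, falls back to Shannon entropy, since a headerless disk container carries no signature at all but still reads as near-random bytes. Compressed formats are matched before the entropy test because they are the usual false positive; the signature tables and sample inputs are constructed for this example.

```python
import math
from collections import Counter

# Constructed lookup tables for this example: leading bytes of a few encrypted
# formats that do leave a signature, and of common compressed formats, which
# are high-entropy by design but not encrypted (the main false-positive source).
ENCRYPTED_SIGNATURES = {
    b"Salted__": "OpenSSL enc, password-based (salted) encryption",
    b"-----BEGIN PGP MESSAGE-----": "ASCII-armored PGP/GPG message",
    b"\x8c\x0d": "OpenPGP symmetric-key encrypted session key packet (gpg -c)",
}
COMPRESSED_SIGNATURES = {
    b"PK\x03\x04": "ZIP archive",
    b"\x1f\x8b": "gzip stream",
    b"\xff\xd8\xff": "JPEG image",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of information per byte: 0.0 for a constant stream, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(data: bytes, threshold: float = 7.9) -> tuple:
    """Return (category, detail) for the leading bytes of a file.

    Categories: 'encrypted' (known signature), 'compressed' (known signature
    of a format that is high-entropy by design), 'suspect-high-entropy'
    (no signature, e.g. a headerless container or a stripped header),
    or 'low-entropy' (ordinary data).
    """
    for magic, name in ENCRYPTED_SIGNATURES.items():
        if data.startswith(magic):
            return "encrypted", name
    for magic, name in COMPRESSED_SIGNATURES.items():
        if data.startswith(magic):
            return "compressed", name
    ent = shannon_entropy(data)
    if ent >= threshold:
        return "suspect-high-entropy", f"{ent:.2f} bits/byte, no known header"
    return "low-entropy", f"{ent:.2f} bits/byte"


if __name__ == "__main__":
    # Constructed samples: an OpenSSL header, plain text, a ZIP header, and a
    # uniform byte stream standing in for a headerless encrypted container.
    samples = {
        "openssl.bin": b"Salted__" + bytes(range(16)),
        "notes.txt": b"meeting at 9, bring the files\n" * 8,
        "photos.zip": b"PK\x03\x04" + bytes(range(256)),
        "container.dat": bytes(range(256)) * 4,
    }
    for name, blob in samples.items():
        print(name, *classify(blob))
```

In practice the entropy test is run on a fixed-size window (for example the first few kilobytes) of every file in the evidence set, and the 'suspect-high-entropy' hits are the ones worth an examiner's time; the threshold is a heuristic, not a proof of encryption.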

Low-tech methods are, by design, not very sophisticated; they involve hiding data or information in locations, or in a manner, such that it is not readily apparent to an examiner. Although most of these methods are rather simple, they can be highly effective. For instance, a recovered deleted text document, when viewed, may display visible text which appears benign. However, if the incriminating text in the document was changed to a white font color after it was typed, it will not be seen. Another example concerns embedding incriminating evidence generated in one application into another application. It is a simple task to place text beneath a .jpg in a presentation, or to embed a .jpg in a spreadsheet. Similarly, very long file names containing hidden characters can make those files essentially invisible to an operating system. With the use of keywords, forensic analysis software often presents an examiner with thousands of files to be examined for probative value. However, does the examiner have the time to look for probative data that may be hidden with the use of low-tech methods? Probably not.

Published in Digital Forensic Insider, February/March 2009.