The Anti-Forensics Challenge Kamal Dahbur [email pro.docx

The Anti-Forensics Challenge
Kamal Dahbur
[email protected]
Bassil Mohammad
[email protected]
School of Engineering and Computing Sciences
New York Institute of Technology
Amman, Jordan
ABSTRACT
Computer and Network Forensics has emerged as a new field in
IT that is aimed at acquiring and analyzing digital evidence for
the purpose of solving cases that involve the use, or more
accurately misuse, of computer systems. Many scientific
techniques, procedures, and technological tools have been
evolved and effectively applied in this field. On the opposite
side, Anti-Forensics has recently surfaced as a field that aims at
circumventing the efforts and objectives of the field of
computer
and network forensics. The purpose of this paper is to highlight
the challenges introduced by Anti-Forensics, explore the
various
Anti-Forensics mechanisms, tools and techniques, provide a
coherent classification for them, and discuss thoroughly their
effectiveness. Moreover, this paper will highlight the challenges
seen in implementing effective countermeasures against these
techniques. Finally, a set of recommendations are presented
with

further seen research opportunities.
Categories and Subject Descriptors
K.6.1 [Management of Computing and Information
Systems]: Projects and People Management – System Analysis
and Design, System Development.
General Terms
Management, Security, Standardization.
Keywords
Computer Forensics (CF), Computer Anti-Forensics (CAF),
Digital Evidence, Data Hiding.
1. INTRODUCTION
The use of technology is increasingly spreading
covering various aspects of our daily lives. An equal increase, if
not even more, is realized in the methods and techniques created
with the intention to misuse the technologies serving varying
objectives being political, personal or anything else. This has
clearly been reflected in our terminology as well, where new
terms like cyber warfare, cyber security, and cyber crime,
amongst others, were introduced. It is also noticeable that such
attacks are getting increasingly more sophisticated, and are
utilizing novel methodologies and techniques. Fortunately,
these
attacks leave traces on the victim systems that, if successfully
recovered and analyzed, might help identify the offenders and
consequently resolve the case(s) justly and in accordance with
applicable laws. For this purpose, new areas of research
emerged
addressing Network Forensics and Computer Forensics in order
to define the foundation, practices and acceptable frameworks
for scientifically acquiring and analyzing digital evidence in to

be presented in support of filed cases. In response to Forensics
efforts, Anti-Forensics tools and techniques were created with
the main objective of frustrating forensics efforts, and taunting
its credibility and reliability.
This paper attempts to provide a clear definition for Computer
Anti-Forensics and consolidates various aspects of the topic. It
also presents a clear listing of seen challenges and possible
countermeasures that can be used. The lack of clear and
comprehensive classification for existing techniques and
technologies is highlighted and a consolidation of all current
classifications is presented.
Please note that the scope of this paper is limited to Computer-
Forensics. Even though it is a related field, Network-Forensics
is
not discussed in this paper and can be tackled in future work.
Also, this paper is not intended to cover specific Anti-Forensics
tools; however, several tools were mentioned to clarify the
concepts.
After this brief introduction, the remainder of this paper is
organized as follows: section 2 provides a description of the
problem space, introduces computer forensics and computer
anti-forensics, and provides an overview of the current issues
concerning this field; section 3 provides an overview of related
work with emphasis on Anti-Forensics goals and classifications;
section 4 provides detailed discussion of Anti-Forensics
challenges and recommendations; section 5 provides our
conclusion, and suggested future work.
2. THE PROBLEM SPACE
Rapid changes and advances in technology are impacting every
aspect of our lives because of our increased dependence on such
systems to perform many of our daily tasks. The achievements
in the area of computers technology in terms of increased

capabilities of machines, high speeds communication channels,
and reduced costs resulted in making it attainable by the public.
The popularity of the Internet, and consequently the technology
associated with it, has skyrocketed in the last decade (see Table
1 and Figure 1). Internet usage statistics for 2010 clearly show
the huge increase in Internet users who may not necessary be
computer experts or even technology savvy [1].
Permission to make digital or hard copies of all or part of this
work for
personal or classroom use is granted without fee provided that
copies are
not made or distributed for profit or commercial advantage and
that
copies bear this notice and the full citation on the first page. To
copy
otherwise, or republish, to post on servers or to redistribute to
lists,
requires prior specific permission and/or a fee.
ISWSA’11, April 18–20, 2011, Amman, Jordan.
Copyright 2011 ACM 978-1-4503-0474-0/04/2011…$10.00.
WORLD INTERNET USAGE AND POPULATION
STATISTICS
World Regions
Population
(2010 Est.)
Internet Users

Dec. 31, 2000
Internet Users
Latest Data
Growth
2000-2010
Africa 1,013,779,050 4,514,400 110,931,700 2357%
Asia 3,834,792,852 114,304,000 825,094,396 622%
Europe 813,319,511 105,096,093 475,069,448 352%
Middle East 212,336,924 3,284,800 63,240,946 1825%
North America 344,124,450 108,096,800 266,224,500 146%
Latin America/
Caribbean
592,556,972 18,068,919 204,689,836 1033%
Oceania/Australia 34,700,201 7,620,480 21,263,990 179%
WORLD TOTAL 6,845,609,960 360,985,492 1,966,514,816
445%
Table 1. World Internet Usage – 2010 (Reproduced from [1]).
Figure 1. World Internet Usage–2010 (Based on Data from [1])

Unfortunately, some of the technology users will not use it in a
legitimate manner; instead, some users may deliberately misuse
it. Such misuse can result in many harmful consequences
including, but not limited to, major damage to others systems or
prevention of service for legitimate users. Regardless of the
objectives that such “bad guys” might be aiming for from such
misuse (e.g. personal, financial, political or religious purposes),
one common goal for such users is the need to avoid detection
(i.e. source determination). Therefore, these offenders will exert
thought and effort to cover their tracks to avoid any liabilities
or
accountability for their damaging actions. Illegal actions (or
crimes) that involve a computing system, either as a mean to
carry out the attack or as a target, are referred to as
Cybercrimes
[2]. Computer crime or Cybercrime are two terms that are being
used interchangeably to refer to the same thing. A Distributed
Denial of Service attack (DDoS) is a good example for a
computer crime where the computing system is used as a mean
as well as a target. Fortunately, cybercrimes leave fingerprints
that investigators can collect, correlate and analyze to
understand what, why, when and how a crime was committed;
and consequently, and most importantly, build a good case that
can bring the criminals to justice. In this sense, computers can
be
seen as great source of evidence. For this purpose Computer
Forensics (CF) emerged as a major area of interest, research and
development driven by the legislative needs of having scientific
reliable framework, practices, guidelines, and techniques for
forensics activities starting from evidence acquisition,
preservation, analysis, and finally presentation. Computer
Forensics can be defined as the process of scientifically
obtaining, examining and analyzing digital information so that
it

can be used as evidence in civil, criminal or administrative
cases
[2]. A more formal definition of Computer Forensics is “the
discipline that combines elements of law and computer science
to collect and analyse data from computer systems, networks,
wireless communications, and storage devices in a way that is
admissible as evidence in a court of law” [3].
To hinder the efforts of Computer Forensics, criminals work
doggedly to instigate, develop and promote counter techniques
and methodologies, or what is commonly referred to as Anti-
Forensics. If we adopt the definition of Computer Forensics
(CF) as scientifically obtaining, examining, and analysing
digital
information to be used as evidence in a court of law, then Anti-
Forensics can be defined similarly but in the opposite direction.
In Computer Anti-Forensics (CAF) scientific methods are used
to simply frustrate Forensics efforts at all forensics stages. This
includes preventing, impeding, and/or corrupting the acquiring
of the needed evidence, its examination, its analysis, or its
credibility. In other words, whatever necessary to ensure that
computer evidence cannot get to, or will not be admissible in, a
court of law.
The use of Computer Anti-Forensics tools and techniques is
evident and far away from being an illusion. So, criminals’
reliance on technology to cover their tracks is not a claim, as
clearly reflected in recent researches conducted on reported and
investigated incidents. Based on 2009-2010 Data Breach
Investigations Reports [4][5], investigators found signs of anti-
forensics usage in over one third of cases in 2009 and 2010 with
the most common forms being the same for both years. The
results show that the overall use of anti-forensics remained
relatively flat with slight movement among the techniques
themselves. Figure [2] below shows the types of anti-Forensic
techniques used (data wiping, data hiding and data corruption)

by percentage of breaches. As shown in Figure [2] below, data
wiping is still the most common, because it is supported by
many commercial off-the-shelf products that are available even
as freeware that are easy to install, learn and use; while data
hiding and data corruption remain a distant behind.
Figure 2 Types of Anti-Forensics – 2010 (Reproduced from [5])
It is important to note that the lack of understanding on what
CAF is and what it is capable of may lead to underestimating or
probably overlooking CAF impact on the legitimate efforts of
CF. Therefore, when dealing with computer forensics, it is
important that we address the following questions, among
others, that are related to CAF: Do we really have everything?
Are the collected evidences really what were left behind or they
are only just those intentionally left for us to find? How to
know
if the CF tool used was not misleading us due to certain
weaknesses in the tool itself? Are these CF tools developed
according to proper secure software engineering methodologies?
Are these CF tools immune against attacks? What are the recent
CAF methods and techniques? This paper attempts to provide
some answers to such questions that can assist in developing the
proper understanding for the issue.
3. RELATED WORK, CAF GOALS AND
CLASSIFICATIONS
Even though computer forensics and computer ant-forensics are
tightly related, as if they are two faces of the same coin, the
amount of research they received was not the same. CF received
more focus over the past ten years or so because of its relation
with other areas like data recovery, incident management and

information systems risk assessment. CF is a little bit older, and
therefore more mature than CAF. It has consistent definition,
well defined systematic approach and complete set of leading
best practices and technology.
CAF on the other side, is still a new field, and is expected to get
mature overtime and become closer to CF. In this effort, recent
research papers attempted to introduce several definitions,
various classifications and suggest some solutions and
countermeasures. Some researchers have concentrated more on
the technical aspects of CF and CAF software in terms of
vulnerabilities and coding techniques, while others have
focused
primarily on understanding file systems, hardware capabilities,
and operating systems. A few other researchers chose to address
the issue from an ethical or social angle, such as privacy
concerns. Despite the criticality of CAF, it is hard to find a
comprehensive research that addresses the subject in a holistic
manner by providing a consistent definition, structured
taxonomies, and an inclusive view of CAF.
3.1. CAF Goals
As stated in the previous section, CAF is a collection of tools
and techniques that are intended to frustrate CF tools and CF’s
investigators efforts. This field is growingly receiving more
interest and attention as it continues to expose the limitations of
currently available computer forensics techniques as well as
challenge the presumed reliability of common CF tools. We
believe, along with other researchers, that the advancements in
the CAF field will eventually put the necessary pressure on CF
developers and vendors to be more proactive in identifying
possible vulnerabilities or weaknesses in their products, which
consequently should lead to enhanced and more reliable tools.
CAF can have a broad range of goals including: avoiding
detection of event(s), disrupting the collection of information,

increasing the time an examiner needs to spend on a case,
casting doubt on a forensic report or testimony. In addition,
these goals may also include: forcing the forensic tool to reveal
its presence, using the forensic tool to attack the organization in
which it is running, and leaving no evidence that an anti-
forensic
tool has been run [6].
3.2. CAF Classifications
Several classifications for CAF have been introduced in the
literature. These various taxonomies differ in the criteria used
to
do the classification. The following are the most common
approaches used:
1. Categories Based on the Attacked Target
• Attacking Data: The acquisition of evidentiary data in
the forensics process is a primary goal. In this
category CAFs seek to complicate this step by
wiping, hiding or corrupting evidentiary data.
• Attacking CF Tools: The major focus of this category
is the examination step of the forensics process. The
objective of this category is to make the examination
results questionable, not trustworthy, and/or
misleading by manipulating essential information
like hashes and timestamps.
• Attacking the Investigator: This category is aimed at
exhausting the investigator’s time and resources,
leading eventually to the termination of the
investigation.

2. CAF Techniques vs. Tactics
This categorization makes a clear distinction
between the terms anti-forensics and counter-forensics
[7], even though the two terms have been used
interchangeably by many others as the emphasis is
usually on technology rather than on tactics.
• Counter-Forensics: This category includes all
techniques that target the forensics tools directly to
cause them to crash, erase collected evidence,
and/or break completely (thus disallowing the
investigator from using it). Compression bombs
are good example on this category.
• Anti-Forensics: This category includes all
technology related techniques including
encryption, steganography, and alternate data
streams (ADMs).
3. Traditional vs. Non-Traditional
• Traditional Techniques: This category includes
techniques involving overwriting data,
Cryptography, Steganography, and other data hiding
approaches beside generic data hiding techniques.
• Non-Traditional Techniques: As opposed to
traditional techniques, these techniques are more
creative and impose more risk as they are harder to
detect. These include:
o Memory injections, where all malicious
activities are done on the volatile memory area.
o Anonymous storage, utilizes available web-

based storage to hide data to avoid being found
on local machines.
o Exploitation of CF software bugs, including
Denial of Service (DoS) and Crashers, amongst
others.
4. Categories Based on Functionality
This categorization includes data hiding, data
wiping and obfuscation. Attacks against CF processes
and tools is considered a separate category based on
this scheme
4. CAF CHALLENGES
Because Computer Anti-Forensics (CAF) is a relatively new
discipline, the field faces many challenges that need considered
and addressed. In this section, we have attempted to identify the
most pressing challenges surrounding this area, highlight the
research needed to address such challenges, and attempt to
provide perceptive answers to some the concerns.
4.1. Ambiguity
Aside from having no industry-accepted definition for CAF,
studies in this area view anti-forensics differently; this leads to
not having a clear set of standards or frameworks for this
critical
area. Consequently, misunderstanding may be an unavoidable
end result that could lead to improperly addressing the
associated concerns. The current classification schemes, stated
above, which mostly reflect the author’s viewpoint and probably
background, confirm as well as contribute to the ambiguity in
this field. A classification can only be beneficial if it must has
clear criteria that can assist not only in categorizing the current

known techniques and methodologies but will also enable
proper
understanding and categorization of new ones. The attempt to
distinguish between the two terms, anti-forensics and counter-
forensics based on technology and tactics is a good initiative
but
yet requires more elaboration to avoid any unnecessary
confusions.
To address the definition issue, we suggest to adopt a definition
for CAF that is built from our clear understanding of CF. The
classification issue can be addressed by narrowing the gaps
amongst the different viewpoints in the current classifications
and excluding the odd ones.
4.2. Investigation Constraints
A CF investigation has three main constraints/challenges,
namely: time, cost and resources. Every CF investigation case
should be approached as separate project that requires proper
planning, scoping, budgeting and resources. If these elements
are not properly accounted for, the investigation will eventually
fail, with most efforts up to the point of failure being wasted. In
this regard, CAF techniques and methodologies attempt to
attack
the time, cost and resources constraints of an investigation
project. An investigator may not able to afford the additional
costs or allocate the additional necessary resources. Most
importantly, the time factor might play a critical role in the
investigation as evidentiary data might lose value with time,
and/or allow the suspect(s) the opportunity to cover their tracks
or escape. Most, if not all, CAF techniques and methodologies
(including data wiping, data hiding, and data corruption)
attempt
to exploit this weakness. Therefore, it proper project
management is imperative before and during every CF
investigation.

4.3. Integration of Anti-Forensics into Other
Attacks
Recent researches show an increased adoption of CAF
techniques into other typical attacks. The primary purposes of
integrating CAF into other attacks are undetectability and
deletion of evidence. Two major areas for this threatening
integration are Malware and Botnets [8][9]. Malwares and
Botnets when armed with these techniques will make the
investigative efforts labour and time intensive which can lead to
overlooking critical evidence, if not abandoning the entire
investigation.
4.4. Breaking the Forensics Software
CF tools are, of course, created by humans, just like other
software systems. Rushing to release their products to the
market before their competition, companies tend to,
unintentionally, introduce vulnerabilities into their products. In
such cases, software development best practices, which are
intended to ensure the quality of the product, might be
overlooked leading to the end product being exposed to many
known vulnerabilities, such as buffer overflow and code
injection. Because CF software is ultimately used to present
evidence in courts, the existence of such weaknesses is not
tolerable. Hence, all CF software, before being used, must be
subjected to thorough security testing that focuses on robustness
against data hiding and accurate reproduction of evidence.
The Common Vulnerabilities and Exposures (CVE) database is
a great source for getting updates on vulnerabilities in existing
products [10]. Some studies have reported several weaknesses
that may result in crashes during runtime leaving no chance for
interpreting the evidence [11]. Regardless of the fact that some
of these weaknesses are still being disputed [12], it is important

to be aware that these CF tools are not immune to
vulnerabilities, and that CAF tools would most likely take
advantage of such weaknesses. A good example of a common
technique that can cause a CF to fail or crash is the
“Compression Bomb”; where files are compressed hundreds of
times such that when a CF tool tries to decompress, it will use
up so many resources causing the computer or the tool to hang
or crash.
4.5. Privacy Concerns
Increasingly, users are becoming more aware of the fact that
just
deleting a file does not make it really disappear from the
computer and that it can be retrieved by several means. This
awareness is driving the market for software solutions that
provide safe and secure means for files deletion. Such tools are
marketed as “privacy protection” software and claim to have the
ability to completely remove all traces of information
concerning user’s activity on a system, websites, images and
downloaded files. Some of these tools do not only provide
protection through secure deletion; but also offer encryption
and
compression. Moreover, these tools are easy use, and some can
even be downloaded for free. WinZip is a popular tool that
offers encryption, password protection, and compression. Such
tools will most definitely complicate the search for and
acquiring of evidence in any CF investigation because they
make the whole process more time and resources consuming.
Privacy issues in relation to CF have been the subject of
detailed
research in an attempt to define appropriate policies and

procedures that would maintain users’ privacy when excessive
data is acquired for forensics purposes [13].
4.6. Nature of Digital Evidence
CF investigations rely on two main assumptions to be
successful: (1) the data can be acquired and used as evidence,
and (2) the results of the CF tools are authentic, reliable, and
believable. The first assumption highlights the importance of
digital evidence as the basis for any CF investigation; while the
second assumption highlights the critical role of the
trustworthiness of the CF tools in order for the results to stand
solid in courts.
Digital evidence is more challenging than physical evidence
because of its more susceptible to being altered, hidden,
removed, or simply made unreadable. Several techniques can be
utilized to achieve such undesirable objectives that can
complicate the acquisition process of evidentiary digital data,
and thus compromise the first assumption.
CF tools rely on many techniques that can attest to their
trustworthiness, including but limited to: hashing; timestamps;
and signatures during examination, analyses and inspection of
source files. CAF tools can in turn utilize new advances in
technology to break such authentication measures, and thus
comprise the second assumption..
The following is a brief explanation of some of the techniques
that are used to compromise these two assumptions:
• Encryption is used to make the data unreadable. This is one
of the most challenging techniques, as advances in
encryption algorithms and tools empowered it to be applied
on entire hard drive, selected partitions, or specific

directories and files. In all cases, an encryption key is
usually needed to reverse the process and decrypt the
desired data, which is usually unknown to an investigator,
in most cases. To complicate matters, decryption using
brute-force techniques becomes infeasible when long keys
are used. More success in this regard might be achieved
with keyloggers or volatile memory content acquisition.
• Steganography aims at hiding the data, by embedding it
into another digital form, such as images or videos.
Commercial Steganalysis tools, that can detect hidden data,
exist and can be utilized to counter Steganography.
Encryption and Steganography can be combined to obscure
data and make it also unreadable, which can extremely
complicate a CF investigation.
• Secure-Deletion removes the target data completely from
the source system, by overwriting it with random data, and
thus rendering the target data unrecoverable. Fortunately,
most of the available commercial secure-deletion tools tend
to underperform and thus miss some data [14]. More
research is needed in this area to understand the weaknesses
and identify the signatures of such tools. Such information
is needed to detect the operations and minimize the impact
of these tools.
• Hashing is used by CF tools to validate the integrity of
data. A hashing algorithm accepts a variable-size input,
such as a file, and generates a unique fixed-size value that
corresponds to the given input. The generated output is
unique and can be used as a fingerprint for the input file.
Any change in the original file, no matter how minor, will
result in considerable change in the hash value produced by
the hashing algorithm. A key feature in hashing algorithms
is “Irreversibility” where having the hash value in hand will
not allow the recovery of the original input. Another key

feature is “Uniqueness” which basically means that the
hash values of two files will be equal if and only if the files
are absolutely identical. Many hashing algorithms have
developed, and some have been already infiltrated or
cracked. Other algorithms like MD5, MD6, Secure Hashing
Algorithms (SHA), SHA-1, SHA-2, amongst others, are
harder to break. However, all are vulnerable to being
infiltrated as technology and research advance [15].
Research is also necessary in the other direction to enhance
the capabilities of CF tools in this regard and maintain their
credibility.
• Timestamps are associated with files and are critical for the
task of establishing the chain of events during a CF
investigation. The time line for the events is contingent on
the accuracy of timestamps. CAF tools have provided the
capability to modify timestamps of files or logs, which can
mislead an investigation and consequently coerce the
conclusion. Many tools currently exist on the market, some
are even freely available, that make it easy to manipulate
the timestamps, such as Timestamp Modifier and
SKTimeStamp [16].
• File Signatures, also known as Magic Numbers, are
constant known values that exist at the beginning of each
file to identify the file type (e.g. image file, word
document, etc.). Hexadecimal editors, such as WinHex, can
be used to view and inspect these values. Forensics
investigators rely on these values to search for evidence of
certain type. When a file extension is changed, the actual
type file is not changed, and thus the file signature remains
unchanged. ACF tools intentionally change the file
signatures in their attempt to mislead the investigations as
some evidence files are overlooked or dismissed. Complete
listing of file signatures or magic numbers can be found on
the web in [17].

• CF Detection is simply the capability of ACF tools to
detect the presences of CF software and their activities or
functionalities. Self-Monitoring, Analysis and Reporting
Technology (SMART) built into most hard drives reports
the total number of power cycles (Power_Cycle_Count),
the total time that a hard drive has been in use
(Power_On_Hours or Power_On_Minutes), a log of high
temperatures that the drive has reached, and other
manufacturer-determined attributes. These counters can be
reliably read by user programs and cannot be reset.
Although the SMART specification implements a
DISABLE command (SMART 96), experimentation
indicates that the few drives that actually implement the
DISABLE command continue to keep track of the time-in-
use and power cycle count and make this information
available after the next power cycle. CAF tools can read
SMART counters to detect attempts at forensic analysis and
alter their behavior accordingly. For example, a dramatic
increase in Power_On_Minutes might indicate that the
computer’s hard drive has been imaged [18].
• Business Needs: Cloud Computing (CC) is a business
model typically suited for small and medium enterprises
(SME) that do not have enough resources to invest in
building their own IT infrastructure. Hence, they tend to
outsource this to third parties who will in turn lease their
infrastructure and probably applications as services. This
new model introduces more challenges to CF investigations
due to mainly the fact that the data is on the cloud (i.e.
hosted somewhere in the Internet space), being transferred
across countries with different regulations, and most
importantly might reside on a machine that hosts other data

instances of other enterprises. In some instances, the data
for the same enterprise might even be stored across
multiple data centres [19][20]. These issues complicate the
CF’s primary functions (i.e. data acquisition, examination,
and analyses) needed to build a good case extremely hard.
4.7 Recommendations
Based on our findings, we see room for improvement in the
field
of ACF that can address some of the issues surrounding this
field. We believe that such recommendations, when adopted
and/or implemented properly, can add value and consolidate the
efforts for advancing this field. Below is a list and brief
explanation of the recommendations:
a) Spend More Efforts to Understand ACF
More efforts should be spent in order to reach an agreed
upon comprehensive definition for ACF that would assist in
getting better understanding of the concepts in the field.
These efforts should also extend to develop acceptable best
practices, procedures and processes that constitute the
proper framework, or standard, that professionals can use
and build onto. ACF classifications also need to be
integrated, clarified, and formulated on well-defined
criteria. Such fundamental foundational efforts would
eventually assist researchers and experts in addressing the
issues and mitigating the associated risks.
Awareness of AFC techniques and their capabilities will
prevent, or at least reduce, their success and consequently
their impact on CF investigations. Knowledge in this area
should encompass both techniques and tactics. Continued
education and research are necessary to stay atop of latest
developments in the field, and be ready with appropriate
countermeasures when and as necessary.

b) Define Laws that Prohibit Unjustified Use of ACF
Existence of strict and clear laws that detail the obligations
and consequences of violations can play a key deterrent
role for the use of these tools in a destructive manner.
When someone knows in advance that having certain ACF
tools on one’s machine might be questioned and possibly
pose some liabilities, one would probably have second
thoughts about installing such tools.
Commercial non-specialized ACF tools, which are more
commonly used, always leave easily detectable fingerprints
and signatures. They sometimes also fail to fulfil their
developers’ promises of deleting all traces of data. This can
later be used as evidence against a suspected criminal and
can lead to an indictment. The proven unjustified use of
ACF tools can be used as supporting incriminatory
evidence in courts in some countries [21].
To address the privacy concerns, such as users needs to
protect personal data like family pictures or videos, an
approved list of authorized software can be compiled with
known fingerprints, signatures and special recovery keys.
Such information, especially recovery keys, would then be
safe-guarded in possession of the proper authorities. It
would strictly be used to reverse the process of AFC tools,
through the appropriate judicial processes.
c) Utilize Weaknesses of ACF Software
In some cases, digital evidence can still be recovered if a
data wiping tool is poorly used or is functioning
improperly. Hence, each AFC software must be carefully
examined and continuously analyzed in order to fully
understand its exact behaviour and determine its
weaknesses and vulnerabilities [14][22]. This can help to
develop the appropriate course of actions given the

different possible scenarios and circumstances. This could
prove to be valuable in saving time and resources during an
investigation.
d) Harden CF Software
CAF and CF thrive on the weaknesses of each other. To
ensure justice CF must always strive to be more advanced
than its counterpart. This can be achieved by conducting
security and penetration tests to verify the software is
immune to external attacks. Also, it is imperative not to
submit to market pressure and demand for tools by rapidly
releasing products without proper validation. The best
practices of software development must not be overlooked
at any rate. When vulnerabilities are identified, proper fixes
and patches must be tested, verified and deployed promptly
in order to avoid zero-day attacks.
5. CONCLUSION AND FUTURE WORK
5.1. Conclusion
Computer Anti-Forensics (CAF) is an important developing area
of technology. Because CAF success means that digital
evidence
will not be admissible in courts, Computer Forensics (CF) must
evaluate its techniques and tactics very carefully. Also, CF
efforts must be integrated and expedited to narrow the current
exiting gap with CAF. It is important to agree on an acceptable
definition and classification for CAF which will assist in
implementing proper countermeasures. Current definitions and
classifications all seem to concentrate on specific aspects of
CAF without truly providing the needed holistic view.
It is very important to realize that CAF is not only about tools
that are used to delete, corrupt, or hide evidence. CAF is a

blend
of techniques and tactics that utilize technological
advancements
in areas like encryption and data overwriting amongst other
techniques to obstruct investigators’ efforts.
Many challenges exist and need to be carefully analyzed and
addressed. In this paper we attempted to identify some of these
challenges and suggested some recommendations that might, if
applied properly, mitigate the risks.
5.2. Future Work
This paper provides solid foundation for future work that can
further elaborate on the various highlighted areas. It suggests a
definition for CAF that is closely aligned with CF and presents
several classifications that we deem acceptable. It also
discusses
several challenges that can be further addressed in future
research. CAF technologies, techniques, and tactics need to
receive more attention in research, especially in the areas that
present debates on hashes, timestamps, and file signatures.
Research opportunities in Computer Forensics, Network
Forensics, and Anti-Forensics can use the work presented in this
paper as a base. Privacy concerns and other issues related to the
forensics field introduce a raw domain that requires serious
consideration and analysis. Cloud computing, virtualization, and
related laws and regulations concerns are topics that can be
considered in future research.
6. REFERENCES
[ 1 ] Corey Thuen, University of Idaho: “Understanding

Counter-Forensics to Ensure a Successful Investigation”.
DOI=http://citeseerx.ist.psu.edu/viewdoc/summary?doi=
10.1.1.138.2196
[ 2 ] Internet Usage Statistics, “The Internet Big Picture,
World Internet Users and Population Stats”. DOI=
http://www.internetworldstats.com/stats.htm
[ 3 ] Bill Nelson, Amelia Phillips, and Steuart, “Guide to
Computer Forensics and Investigations”, pp 2-3, 4
th
Edition.
[ 4 ] US-Computer Emergency Readiness Team, CERT, a
government organization, “Computer Forensics”, 2008.
[ 5 ] Verizon Business, “2009 Data Breach Investigations
Report”. A study conducted by the Verizon RISK Team
in cooperation with the United States Secret Service.
DOI=http://www.verizonbusiness.com/about/news/podca
sts/1008a1a3-111=129947--
Verizon+Business+2009+Data+Breach+Investigations+
Report.xml
[ 6 ] Verizon Business, “2010 Data Breach Investigations
Report”. A study conducted by the Verizon RISK Team
in cooperation with the United States Secret Service.
DOI=http://www.verizonbusiness.com/resources/reports/
rp_2010-data-breach-
report_en_xg.pdf?&src=/worldwide/resources/index.xml
&id=
[ 7 ] Simson Garfinkel, “Anti-Forensics: Techniques,

Detection and Countermeasures”, 2
nd
International
Conference in i-Warefare and Security, pp 77, 2007
[ 8 ] W.Matthew Hartley, “Current and Future Threats to
Digital Forensics”, ISSA Journal, August 2007
[ 9 ] Murray Brand, (2007), “Forensics Analysis Avoidance
Techniques of Malware”, Edith Cowan University,
Australia.
[ 10 ] “Security 101: Botnets”. DOI=
http://www.secureworks.com/research/newsletter/2008/0
5/
[ 11 ] Common Vulnerabilities and Exposures (CVE) database,
http://cve.mitre.org/
[ 12 ] Tim Newsham, Chris Palmer, Alex Stamos, “Breaking
Forensics Software: Weaknesses in Critical Evidence
Collection”, iSEC Partners http://www.isecpartners.com,
2007
[ 13 ] Guidance Software: Computer Forensics
Solution
s and
Digital Investigations

(http://www.guidancesoftware.com/)
[ 14 ] S. Srinivasan, “Security and Privacy vs. Computer
Forensics Capabilities”, ISACA Online Journal, 2007
[ 15 ] Matthew Geiger, Carnegie Mellon University,
“Evaluating Commercial Counter-Forensic Tools”,
Digital Forensic Research Workshop (DFRWS), 2005
[ 16 ] Xiaoyun Wang and Hongbo Yu, Shandong University,
China, “How to Break MD5 and Other Hash Functions”,
EUROCRYPT 2005, pp.19-35, May, 2005
[ 17 ] How to Change TimeStamp of a File in Windows. DOI=
http://www.trickyways.com/2009/08/how-to-change-
timestamp-of-a-file-in-windows-file-created-modified-
and-accessed/.
[ 18 ] File Signature Table. DOI=
http://www.garykessler.net/library/file_sigs.html,
[ 19 ] McLeod S, “SMART Anti-Forensics”, DOI=
http://www.forensicfocus.com/smart-anti-forensics, .
[ 20 ] Stephen Biggs and Stilianos, “Cloud Computing

Storms”, International Journal of Intelligent Computing
Research (IJICR), Volume 1, Issue 1, MAR, 2010
[ 21 ] U Gurav, R Shaikh, “Virtualization – A key feature of
cloud computing”, International Conference and
Workshop on Emerging Trends in technology (ICWET
2010), Mumbai, India
[ 22 ] U.S .v .Robert Johnson - Child Pornography Indictment.
DOI=http://news.findlaw.com/hdocs/docs/chldprn/usjhns
n62805ind.pdf
[ 23 ] United States of America v. H. Marc Watzman. DOI=
http://www.justice.gov/usao/iln/.../2003/watzman.pdf
[ 24 ] Mark Whitteker, “Anti-Forensics: Breaking the
Forensics Process”, ISSA Journal, November, 2008
[ 25 ] Gary C. Kessler,“Anti-Forensics and the Digital
Investigator”, Champlain College, USA
[ 26 ] Ryan Harris, “Arriving at an anti-forensics consensus:
examining how to define and control the anti-forensics

problem”, DOI= www.elsevier.com/locate/dinn.
Appendix A: Anti-Forensics Tools
The following is a list of some commercial CAF software
packages available on the market. The tools listed below are
intended as examples; none of these tools were purchased or
tested as part of this paper work.
Category Tool Name
Privacy and Secure Deletion Privacy Expert; SecureClean;
PrivacyProtection; Evidence
Eliminator; Internet Cleaner
File and Disk Encryption TruCrypt, PointSec; Winzip 14
Time stamp Modifiers SKTimeStamp; Timestamp
Modifier; Timestomp
Others The Defiler’s Toolkit – Necrofile
and Klimafile; Metasploit Anti-
Forensic Investigation Arsenal
(known affectionately as MAFIA)

1
Title of the Paper in Full Goes Here
Student Name Here
Walden University
Abstract
Abstracts are not required for all course papers. Please ask
your instructor if you have questions regarding whether an
abstract is required for a particular assignment.
Title of the Paper in Full Goes Here
AAA bbb cccc dddd eeee ffff gggg hhhh iiii jjjj kkkk llll
mmmm nnnn oooo pppp qqqq rrrr sssss tttt uuuu vvvv wwww
xxxx yyyy zzzz. AAA bbb cccc dddd eeee ffff gggg hhhh iiii
jjjj kkkk llll mmmm nnnn oooo pppp qqqq rrrr sssss tttt uuuu
vvvv wwww xxxx yyyy zzzz. AAA bbb cccc dddd eeee ffff
gggg hhhh iiii jjjj kkkk llll mmmm nnnn oooo pppp qqqq rrrr
sssss tttt uuuu vvvv wwww xxxx yyyy zzzz. AAA bbb cccc
dddd eeee ffff gggg hhhh iiii jjjj kkkk llll mmmm nnnn oooo

pppp qqqq rrrr sssss tttt uuuu vvvv wwww xxxx yyyy zzzz.
xxxx yyyy zzzz.
Level 1 Heading
xxxx yyyy zzzz.
Level 2 Heading

xxxx yyyy zzzz.
Another Level 2 Heading
xxxx yyyy zzzz.
Level 3 heading.AAA bbb cccc dddd eeee ffff gggg hhhh iiii jjjj
kkkk llll mmmm nnnn oooo pppp qqqq rrrr sssss tttt uuuu vvvv
wwww xxxx yyyy zzzz. AAA bbb cccc dddd eeee ffff gggg
hhhh iiii jjjj kkkk llll mmmm nnnn oooo pppp qqqq rrrr sssss
tttt uuuu vvvv wwww xxxx yyyy zzzz. AAA bbb cccc dddd
eeee ffff gggg hhhh iiii jjjj kkkk llll mmmm nnnn oooo pppp
qqqq rrrr sssss tttt uuuu vvvv wwww xxxx yyyy zzzz. AAA bbb

cccc dddd eeee ffff gggg hhhh iiii jjjj kkkk llll mmmm nnnn
oooo pppp qqqq rrrr sssss tttt uuuu vvvv wwww xxxx yyyy
zzzz.
Level 4 heading. AAA bbb cccc dddd eeee ffff gggg hhhh iiii
jjjj kkkk llll mmmm. AAA bbb cccc dddd eeee ffff gggg hhhh
iiii jjjj kkkk llll mmmm nnnn oooo pppp qqqq rrrr sssss tttt
uuuu vvvv wwww xxxx yyyy zzzz. AAA bbb cccc dddd eeee
ffff gggg hhhh iiii jjjj kkkk llll mmmm nnnn oooo pppp qqqq
rrrr sssss tttt uuuu vvvv wwww xxxx yyyy zzzz.
Level 4 heading. AAA bbb cccc dddd eeee ffff gggg hhhh iiii
jjjj kkkk llll mmmm. AAA bbb cccc dddd eeee ffff gggg hhhh
iiii jjjj kkkk llll mmmm nnnn oooo pppp qqqq rrrr sssss tttt
uuuu vvvv wwww xxxx yyyy zzzz.
Level 3 heading.AAA bbb cccc dddd eeee ffff gggg hhhh iiii jjjj
kkkk llll mmmm nnnn oooo pppp qqqq rrrr sssss tttt uuuu vvvv
wwww xxxx yyyy zzzz. AAA bbb cccc dddd eeee ffff gggg
hhhh iiii jjjj kkkk llll mmmm nnnn oooo pppp qqqq rrrr sssss
tttt uuuu vvvv wwww xxxx yyyy zzzz. AAA bbb cccc dddd
eeee ffff gggg hhhh iiii jjjj kkkk llll mmmm nnnn oooo pppp
qqqq rrrr sssss tttt uuuu vvvv wwww xxxx yyyy zzzz.
Level 1 Heading

xxxx yyyy zzzz.
References
(Please note that the following references are intended as
examples only.)
Alexander, G., & Bonaparte, N. (2008). My way or the highway
that I built. Ancient Dictators, 25(7), 14-31.
doi:10.8220/CTCE.52.1.23-91
Babar, E. (2007). The art of being a French elephant.
Adventurous Cartoon Animals,19, 4319-4392. Retrieved from
http://www.elephants104.ace.org
Bumstead, D. (2009). The essentials: Sandwiches and sleep.
Journals of Famous Loafers, 5, 565-582.
doi:12.2847/CEDG.39.2.51-71

Hansel, G., & Gretel, D. (1973). Candied houses and unfriendly
occupants. Thousand Oaks, CA: Fairy Tale Publishing.
Hera, J. (2008). Why Paris was wrong. Journal of Greek
Goddess Sore Spots, 20(4), 19-21. doi: 15.555/GGE.64.1.76-82
Laureate Education, Inc. (Producer). (2007). How to cite a
video: The city is always Baltimore [DVD]. Baltimore, MD:
Author.
Laureate Education, Inc. (Producer). (2010). Name of program
[Video webcast]. Retrieved from http://www.courseurl.com
Sinatra, F. (2008). Zing! Went the strings of my heart. Making
Good Songs Great, 18(3), 31-22. Retrieved from
http://articlesextollingrecordingsofyore.192/fs.com
Smasfaldi, H., Wareumph, I., Aeoli, Q., Rickies, F., Furoush,
P., Aaegrade, V., … Fiiel, B. (2005). The art of correcting
surname mispronunciation. New York, NY: Supportive
Publisher Press. Retrieved from
http://www.onewaytociteelectronicbooksperAPA7.02.com
White, S., & Red, R. (2001). Stop and smell the what now?
Floral arranging for beginners (Research Report No. 40-921).
Retrieved from University of Wooded Glen, Center for
Aesthetic Improvements in Fairy Tales website:

http://www.uwg.caift/~40_921.pdf
contributed articles
march 2010 | vol. 53 | no. 3 | communications of the acm
121
doi: 10.1145/1666420.1666452
by fabio arduini and Vincenzo morabito
Since the September 11 th attackS on the World
Trade Center,8 tsunami disaster, and hurricane
Katrina, there has been renewed interest in emergency
planning in both the private and public sectors. In
particular, as managers realize the size of potential
exposure to unmanaged risk, insuring “business
continuity” (BC) is becoming a key task within all
industrial and financial sectors (Figure 1).
Aside from terrorism and natural disasters, two
main reasons for developing the BC approach in the

finance sector have been identified as unique to it:
regulations and business specificities.
Regulatory norms are key factors for all financial
sectors in every country. Every organization is required
to comply with federal/national law in addition to
national and international governing bodies. Referring
to business decisions, more and more organizations
recognize that Business Continuity could be and
should be strategic for the good of the business. The
finance sector is, as a matter of fact, a sector in which
the development of information technology (IT) and
information systems (IS) have had a dramatic effect
upon competitiveness. In this sector, organizations
have become dependent upon tech-
nologies that they do not fully compre-
hend. In fact, banking industry IT and
IS are considered production not sup-
port technologies. As such, IT and IS
have supported massive changes in the
ways in which business is conducted
with consumers at the retail level. In-
novations in direct banking would have
been unthinkable without appropriate

IS. As a consequence business continu-
ity planning at banks is essential as the
industry develops in order to safeguard
consumers and to comply with interna-
tional regulatory norms. Furthermore,
in the banking industry, BC planning
is important and at the same time dif-
ferent from other industries, for three
other specific reasons as highlighted
by the Bank of Japan in 2003:
Maintaining the economic activity of ˲
residents in disaster areas2 by enabling
the continuation of financial services
during and after disasters, thereby sus-
taining business activities in the dam-
aged area;
Preventing widespread payment and ˲
settlement disorder2 or preventing sys-
temic risks, by bounding the inability
of financial institutions in a disaster
area to execute payment transactions;
Reduce managerial risks ˲ 2 for example,

by limiting the difficulties for banks
to take profit opportunities and lower
their customer reputation.
Business specificities, rather than
regulatory considerations, should be
the primary drivers of all processes.
Even if European (EU) and US markets
differ, BC is closing the gap. Progres-
sive EU market consolidation neces-
sitates common rules and is forcing
major institutions to share common
knowledge both on organizational and
technological issues.
The financial sector sees business
continuity not only as a technical or
risk management issue, but as a driver
towards any discussion on mergers
and acquisitions; the ability to manage
BC should also be considered a strate-
gic weapon to reduce the acquisition
timeframe and shorten the data center
business

continuity and
the banking
industry
122 communications of the acm | march 2010 | vol. 53 |
no. 3
differences in preparing and imple-
menting strategies that enhance busi-
ness process security. Two approaches
seem to be prevalent. Firstly, there are
those disaster recovery (DR) strate-
gies that are internally and hardware-
focused9 and secondly, there are those
strategies that treat the issues of IT and
IS security within a wider internal-ex-
ternal, hardware-software framework.
The latter deals with IS as an integrat-
ing business function rather than as a
stand-alone operation. We have labeled
this second type of business continuity

approach (BCA).
As a consequence, we define BCA as
a framework of disciplines, processes,
and techniques aiming to provide
continuous operation for “essential
business functions” under all circum-
stances.
More specifically, business continu-
ity planning (BCP) can be defined as “a
collection of procedures and informa-
tion” that have been “developed, com-
piled and maintained” and are “ready
to use - in the event of an emergency
or disaster.”6 BCP has been addressed
by different contributions to the litera-
ture. Noteworthy studies include Julia
Allen’s contribution on Cert’s Octave
methoda1 the activities of the Business
Continuity Institute (BCI) in defining
certification standards and practice
guidelines, the EDS white paper on
Business Continuity Management4 and

merge, often considered one of the top
issues in quick wins and information
and communication technology (ICT)
budget savings.
business continuity concepts
The evolution of IT and IS have chal-
lenged the traditional ways of conduct-
ing business within the finance sector.
These changes have largely represented
improvements to business processes
and efficiency but are not without their
flaws, in as much as business disrup-
tion can occur due to IT and IS sources.
The greater complexity of new IT and IS
operating environments requires that
organizations continually reassess how
best they may keep abreast of changes
and exploit those for organizational ad-
vantage. In particular, this paper seeks
to investigate how companies in the fi-
nancial sector understand and manage
their business continuity problems.
BC has become one of the most im-

portant issues in the banking industry.
Furthermore, there still appears to be
some discrepancy as to the formal defi-
nitions of what precisely constitutes a
disaster and there are difficulties in as-
sessing the size of claims in the crises
and disaster areas.
One definition of what constitutes
a disaster is an incident that leads to
the formal invocation of contingency/
continuity plans or any incident which
leads to a loss of revenue; in other
words it is any accidental, natural or
malicious event which threatens or dis-
rupts normal operations or services, for
as long a time as to significantly cause
the failure of the enterprise. It follows
then that when referring to the size of
claims in the area of organizational cri-
ses and disasters, the degree to which
a company has been affected by such
interruptions is the defining factor.
The definition of these concepts is

important because 80% of those orga-
nizations which face a significant crisis
without either a contingency/recovery
or a business continuity plan, fail to
survive a further year (Business Con-
tinuity Institute estimate). Moreover,
the BCI believes that only a small num-
ber of organizations have disaster and
recovery plans and, of those, few have
been renewed to reflect the changing
nature of the organization.
In observing Italian banking indus-
try practices, there seems to be major
finally, referring to banking, Business
Continuity Planning at Financial Insti-
tutions by the Bank of Japan.2 This last
study illustrates the process and activi-
ties for successful business continuity
planning in three steps:
1. Formulating a framework for robust
project management, where banks
should:

a. develop basic policy and guidelines
for BC planning (basic policy);
b. Develop a study firm-wide aspects
(firm-wide control section);
c. Implement appropriate progress
control (project management pro-
cedures)
2. Identifying assumptions and condi-
tions for business continuity plan-
ning, where banks should:
a. Recognize and identify the poten-
tial threats, analyze the frequency
of potential threats and identify
the specific scenarios with mate-
rial risk (Disaster scenarios);
b. Focus on continuing prioritized
critical operations (Critical opera-
tions);

c. Target times for the resumption of
operations (Recovery time objec-
tives);
3. Introducing action plans, where
banks should:
a. Study specific measures for busi-
ness continuity planning (BC
measures);
b. acquire and maintain back-up
data (Robust back-up data);
c. Determine the managerial re-
sources and infrastructure avail-
ability capacity required (Procure-
ment of managerial resources);
figure 1. 2004 top business priorities in industrial and financial
sectors (source Gartner)
a The Operationally Critical Threat, Asset, and Vulnerability
Evaluation Method of CERT. CERT is a center of Internet
security expertise, located at the Software Engineering

Institute, a federally funded research and development
center operated by Carnegie Mellon University.
123
d. Determine strong time con-
straints, a contact list and a means
of communication on emergency
decisions (Decision-making pro-
cedures and communication ar-
rangements);
e. Realize practical operational pro-
cedures for each department and
level (Practical manual)
4. Implement a test/training program
on a regular basis (Testing and re-
viewing).

business continuity aspects
The business continuity approach has
three fundamental aspects that can be
viewed in a systemic way: technology,
people and process.
Firstly, technology refers to the re-
covery of mission-critical data and
applications contained in the disas-
ter recovery plan (DRP). It establishes
technical and organizational measures
in order to face events or incidents with
potentially huge impact that in a worst
case scenario could lead to the unavail-
ability of data centers. Its development
ought to ensure IT emergency proce-
dures intervene and protect the data in
question at company facilities. In the
past, this was, whenever it even existed,
the only part of the BCP.
Secondly, people refers to the recov-
ery of the employees and physical work-
space. In particular, BCP teams should
be drawn from a variety of company

departments including those from per-
sonnel, marketing and internal consul-
tants. Also the managers of these teams
should possess general skill and they
should be partially drawn from busi-
ness areas other than IT departments.
Nowadays this is perceived as essential
to real survival with more emphasis on
human assets and value rather than on
those hardware and software resources
that in most cases are probably protect-
ed by backup systems.
Finally, the term process here refers
to the development of a strategy for the
deployment, testing and maintenance
of the plan. All BCP should be regularly
updated and modified in order to take
into consideration the latest kinds of
threats, both physical as well as tech-
nological.
Whereas a simple DR approach aims
at salvaging those facilities that are sal-

vageable, a BCP approach should have
different foci. One of these ought to be
treating IT and IS security with a wider
internal-external, hardware-software
framework where all processes are nei-
ther in-house nor subcontracted-out
but are a mix of the two so as to be an
integrating business function rather
than a stand alone operation. From
this point of view the BCP constitutes
a dual approach where management
and technology function together.
In addition, the BCP as a global ap-
proach must also consider all existing
relationships, thus giving value to cli-
ents and suppliers considering the to-
tal value chain for business and to pro-
tect business both in-house and out.
The BCP proper incorporates the di-
saster recovery (DR) approach but rejects
its exclusive focus upon facilities. It de-
fines the process as essentially business-
wide and one which enables competitive

and/or organizational advantages.
it focus Versus business
focus as a starting Point
The starting point for planning pro-
cesses that an organization will use as
its BCP must include an assessment of
the likely impact different types of ‘in-
cidents’ will/would make on the busi-
ness. As far as financial companies are
concerned, IT focus is critical since, as
mentioned, new technologies continue
to become more and more integral to
on going financial activities. In addition
to assessing the likely impact upon the
entire organization, banks must con-
sider the likely effects upon their differ-
ent business areas. The “vulnerability
& business impact matrix” (Figure 2) is
a tool that can be used to summarize
the inter-linkages between the various
information system services, their vul-
nerability and the impact on business
activities. It is useful in different ways.

To start, the BC approach doesn’t fo-
cus solely upon IT problems but rather
uses a business-wide approach. Given
the strategic focus of BCP, an under-
standing of the relationships between
value-creating activities is a key deter-
minant of the effectiveness of any such
process. In this way we can define cor-
rect BC perimeter (Figure 2) by trying to
extract the maximum value from BCP
within a context of bounded rationality
and limited resources. What the BCP
teams in these organizations have done
is focus upon how resources were uti-
lized and how they were added to value-
creation rather than merely being “sup-
port activity” which consumes financial
resources unproductively. In addition,
the convergence of customer with client
technologies also demands that those
managing the BCP process are aware of
the need to “... expand the contingency
role to not merely looking inward but
actually looking out.” Such a dual focus
uncovers the linkages between customer

and client which create competitive ad-
vantage. Indeed, in cases where clients’
business fundamentally depends upon
information exchange, for instance
many banks today provide online equity
brokerage services, it might be argued
that there is a ‘virtual value chain’ which
the BCP team protects thereby provid-
ing the ‘market-space’ for value creation
to take place. Finally, another benefit is
that vulnerability and business impact
can aid the prioritization of particular
key areas.
figure 2. Vulnerability & business impact matrix
124 communications of the acm | march 2010 | vol. 53 |
no. 3
player, yet their functions are just as
vital to achieving the overall objectives

of the football team. The value chain
provides an opportunity to examine
the connection between the exciting
and the hum drum links that deliver
customer value. The evolution of crisis
preparations from the IT focused di-
saster recovery (DR) solutions towards
the BC approach reflects a growing un-
derstanding that business continuity
depends upon the maintenance of all
elements which provide organizational
efficiency-effectiveness and customer
value, whether directly or indirectly.
Prevention focus of
business continuity
A final key characteristic of the BC ap-
proach concerns its primary role in
prevention. A number of authors have
identified that the potential for crises
is normal for organizations.7,11 Crisis
avoidance requires a strategic approach
and requires a good understanding of
both the organization’s operating pro-
cesses, systems and the environment

in which it operates.
In the BC approach, a practice orga-
nization should develop a BCP culture
to eliminate the barriers to the develop-
ment of crisis prevention strategies. In
particular, these organizations should
recognize that incidents, such as the
New York terrorist attach or the City of
London bombings are merely triggered
by external technical causes and that
their effects are largely determined by
internal factors that were within the
control of their organizations. In these
cases a cluster of crises should be iden-
new and obsolete technologies
Today’s approach to BCP is focused on
well-structured process management and
business-driven paradigms. Even if some
technology systems seem to be “business
as usual,” some considerations must be
made to avoid any misleading conjecture
from an analytical side.

When considering large institutions
with systemic impact- not only on their
own but on clients businesses as well-
two key objectives need to be consid-
ered when facing an event. These have
been named RPO (Recovery Point Ob-
jective) and RTO (Recovery Time Ob-
jective) as shown in Figure 3. RPO deals
with how far in the past you have to go
to resume a consistent situation; RTO
considers how long it takes to resume a
standard or regular situation. The defi-
nitions of RPO and RTO can change ac-
cording to data center organization and
how high a level a company wants to its
own security and continuity to be.
For instance a dual site recovery sys-
tem organization must consider and
evaluate three points of view (Figure
3). These are: application’s availability,
BC process and data perspective.
Data are first impacted (RTO) before
the crisis event (CE) due to the closest

“consistent point” from which to re-
start. The crisis opening (CO) or decla-
ration occurs after the crisis event (CE).
“RTO_s,” or computing environ-
ment restored point, considers the
length of time the computing environ-
ment needs in order to be restored (for
example, when servers, network etc.
are once again available); “RTO_rc,” or
mission critical application restarted
point, indicates the “critical or vital ap-
plications” (in rank order) are working
once again; “RTO_r,” or applications
and data restored point, is the point
from which all applications and data
are restored, but (and it is a big but)
“RTO_end,” or previous environment
restored point, is the true end point
when the previous environment is fully
restored (all BC solutions are properly
working). Of the utmost importance
is that during the period between
“RTO_r” and “RTO_end” a second di-
saster event could be fatal!

Natural risks are also increasing in
scope and frequency, both in terms of
floods (central Europe 2002) and hurri-
canes (U.S. 2005), thus the coining of an
actual geographical recovery distance,
today considered more than 500 miles.
Such distance is forcing businesses and
institutions alike to consider a new tech-
nological approach and to undertake
critical discussion on synchronous-asyn-
chronous data replication: their intervals
and quality. Therefore, more complex
analysis about RPO and RTO is required.
However the most important issue,
from a business point of view when
faced with an imminent and unfore-
seen disaster, is how to reduce restore
or restart time, trying to shrink this win-
dow to mere seconds or less. New push-
ing technologies (SATA – Serial ATA
and MAID – Massive Arrays Inexpen-
sive Disk) are beginning to make some

progress in reducing the time problem.
business focus Versus
Value chain focus
The business area selected by the “vul-
nerability and business impact analy-
sis matrix” should be treated in accor-
dance with the value chain and value
system. In addition to assessing the
likely disaster impact upon IT depart-
ments, organizations should consider
disaster impacts over all company de-
partments and their likely effects upon
customers. Organizations should avoid
the so-called Soccer Star Syndrome.6
In drawing an analogy with the football
industry, one recognizes that greater
management attention is often focused
on the playing field rather than the un-
glamorous, but very necessary, locker
room and stadium management sup-
port activities. Defenders and goalkeep-
ers, let alone the stadium manager, do
not get paid at the same level as the star

figure 3. rPo & rto
125
tified. Such clusters should be catego-
rized along the axis of internal-external
and human/social-technical/economic
causes and effects. By adopting a strate-
gic approach, decisions could be made
about the extent of exposure in particu-
lar product markets or geographical
sites. An ongoing change management
program could contribute to real com-
mitment from middle managers who,
from our first investigation, emerged
as key determinants of the success of
the BC approach.
management support
and sponsorship

BCP success requires the commitment
of middle managers. Hence manag-
ers need to avoid considering BCP as
a costly, administrative inconvenience
that diverts time away from money-
making activities. All organizational
levels should be aware of the fact that
BCP was developed in partnership be-
tween the BCP team and front line op-
eratives. As a result, strategic business
units should own BCP plans. In addi-
tion, CEO involvement is key in rallying
support for the BCP process.
Two other key elements support
the BC approach. Firstly, there is the
recognition that responsibility for the
process rests with business managers
and this is reinforced through a formal
appraisal and other reward systems.
Secondly, peer pressure is deemed im-
portant in getting laggards to assume
responsibility and so affect a more re-
ceptive culture.

Finally, BCP teams need to regard
BCP as a process rather than as a spe-
cific end-point.
conclusion
Although the risk of terrorism and
regulations are identified as two key
factors for developing a business con-
tinuity perspective, we see that orga-
nizations need to adopt the BC ap-
proach for strategic reasons. The trend
to adopt a BC approach is also a proxy
for organizational change in terms of
culture, structure and communica-
tions. The BC approach is increasingly
viewed as a driver to generate competi-
tive advantage in the form of resilient
information systems and as an impor-
tant marketing characteristic to attract
and maintain customers.
Referring to organizational change
and culture, the BC approach should
be a business-wide approach and not

an IT-focused one. It needs supportive
measures to be introduced to encour-
age managers to adhere to the BC idea.
Management as a whole should also be
confident that the BC approach is an
ongoing process and not only an end
point that remains static upon comple-
tion. It requires changes of key assump-
tions and values within the organiza-
tional structure and culture that lead to
a real cultural and organizational shift.
This has implications for the role that
the BC approach has to play within the
strategic management processes of the
organization as well as within the levels
of strategic risk that an organization
may wish to undertake in its efforts to
secure a sustainable competitive or so
called first mover advantage.
References
1. Allen J.H. CERT® Guide to System and Network
Security Practices. Addison Wesley Professional, 2001.
2. Bank of Japan, Business Continuity Planning at

Financial Institutions, July 2003. http://www.boj.or.jp/
en/type/release/zuiji/kako03/fsk0307a.htm
3. Cerullo V. and Cerullo, J. Business continuity planning:
A comprehensive approach. Informtion System
Management Journal, Summer 2004.
4. Decker A. Business continuity management: A model
for survival. EDS White Paper, 2004.
5. Dhillon, G. The challenge of managing information
security. In International Journal of Information
Management 1, 1(2004), 243–244.
6. Elliott D. and Swartz E. Just waiting for the next big
bang: Business continuity planning in the uk finance
sector. Journal of Applied Management Studies 8, 1
(1999), 45-60.
7. Greiner, L. Evolution and revolution as organisations
grow. In Harvard Business Review (July/August)
reprinted in Asch, D. & Bowman, C. (Eds) (1989)
Readings in Strategic Management (London,
Macmillan), 373-387.

8. Lam, W. Ensuring business continuity. IT Professional
4, 3 (2002), 19 - 25
9. Lewis, W. and Watson, R.T. Pickren A. An empirical
assessment of IT disaster risk. Comm. ACM 46, 9
(2003), 201-206.
10. McAdams, A.C. Security and risk management:
A fundamental business issue. Information
Management Journal 38, 4 (2004), 36–44.
11. Pauchant, T.C. and Mitroff, I. Crisis prone versus crisis
avoiding organisations: is your company’s culture its
own worst enemy in creating crises?. Industrial Crisis
Quarterly 2, 4 (1998), 53-63.
12. Quirchmayr, G. Survivability and business continuity
management. In Proceedings of the 2nd Workshop on
Australasian Information Security, Data Mining and
Web Intelligence, and Software Internationalisation.
ACSW Frontiers (2004).
Vincenzo Morabito ([email protected])
is assistant professor of Organization and Information

System at the Bocconi University in Milan where he
teaches management information system, information
management and organization. He is also Director of the
Master of Management Information System System at
the Bocconi University.
Fabio Arduini ([email protected]) is
responsible for IT architecture and Business Continuity
for defining the technological and business continuity
statements for the Group according to the ICT
department.
© 2010 ACM 0001-0782/10/0300 $10.00

The Anti-Forensics Challenge Kamal Dahbur [email pro.docx

Recommended

Recommended

More Related Content

Similar to The Anti-Forensics Challenge Kamal Dahbur [email pro.docx

Similar to The Anti-Forensics Challenge Kamal Dahbur [email pro.docx (20)

More from mehek4

More from mehek4 (20)

Recently uploaded

Recently uploaded (20)

The Anti-Forensics Challenge Kamal Dahbur [email pro.docx