Forensic analysis of anti-forensic file-wiping tools on Windows

J Forensic Sci. 2022 Mar;67(2):562-587. doi: 10.1111/1556-4029.14907. Epub 2021 Oct 7.

Abstract

This paper presents a forensic analysis of anti-forensic file-wiping tools on the Windows platform. The goal is to identify and extract evidence both of the tools used to wipe files and of the files they wiped. To achieve this, we analyzed the changes these tools make to the metadata structures of Windows file systems during wiping, and we also examined Registry keys and .lnk files for corroborating evidence. Our experiments used four file-wiping tools (SecureDelete v1.0, Secure Eraser v5.2, PC Shredder v1.1, and Blank and Secure v5.88) to wipe files on three Windows file systems (FAT32, exFAT and NTFS). The results suggest that the directory structures of FAT32 and exFAT, and the $MFT entries of NTFS, can confirm that a wiping tool was used, identify which tool it was, and yield remnants of the wiped files. In addition, the $LogFile and $UsnJrnl of NTFS, together with Windows Registry keys, provide detailed evidence of the wiping tools used and the files wiped by them. We also found that the contents of resident and non-resident alternate data streams, of $LogFile and $UsnJrnl, and of Windows Registry keys are not wiped by these tools. Finally, the study makes a number of recommendations, highlights the limitations of the work and outlines future research.
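The abstract's point that $UsnJrnl survives wiping and records what happened to a file can be made concrete with a small parser. The example below is added here and is not code from the paper or from any of the tools it evaluates; it parses USN_RECORD_V2 structures (the fixed-layout records found in the $UsnJrnl:$J stream) and then applies a simple heuristic over a constructed journal: a file reference that is overwritten, then possibly renamed, then deleted is flagged as a wiping candidate and its name chain is reconstructed. The record sequence, file reference numbers and timestamps are constructed for illustration; real journals accumulate reason flags until a CLOSE record and need the live/carved $J stream as input. The heuristic is a generic pattern, not a signature of any specific tool named in the paper.

```python
import struct
from datetime import datetime, timedelta, timezone

# USN_REASON_* flags as defined in the Windows SDK (winioctl.h).
USN_REASON_DATA_OVERWRITE = 0x00000001
USN_REASON_DATA_EXTEND = 0x00000002
USN_REASON_FILE_CREATE = 0x00000100
USN_REASON_FILE_DELETE = 0x00000200
USN_REASON_RENAME_OLD_NAME = 0x00001000
USN_REASON_RENAME_NEW_NAME = 0x00002000
USN_REASON_CLOSE = 0x80000000

# USN_RECORD_V2 fixed header (60 bytes, little-endian):
# RecordLength, MajorVersion, MinorVersion, FileReferenceNumber,
# ParentFileReferenceNumber, Usn, TimeStamp (FILETIME), Reason, SourceInfo,
# SecurityId, FileAttributes, FileNameLength, FileNameOffset.
_HDR = struct.Struct("<IHHQQqqIIIIHH")
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_usn_v2(buf):
    """Parse consecutive USN_RECORD_V2 entries from a $J byte buffer.

    Stops at zero fill (page slack inside $J) and rejects records whose
    version or length does not fit the buffer, so carved input fails loudly.
    """
    records, off = [], 0
    while off + _HDR.size <= len(buf):
        (rec_len, major, _minor, frn, parent_frn, usn, ts, reason,
         _src, _sid, attrs, name_len, name_off) = _HDR.unpack_from(buf, off)
        if rec_len == 0:
            break  # zero-filled slack, no more records in this run
        if major != 2 or rec_len < _HDR.size or off + rec_len > len(buf):
            raise ValueError("malformed USN_RECORD_V2 at offset %d" % off)
        start = off + name_off
        name = buf[start:start + name_len].decode("utf-16-le")
        records.append({"usn": usn, "frn": frn, "parent_frn": parent_frn,
                        "timestamp": ts, "reason": reason, "attrs": attrs,
                        "name": name})
        off += rec_len
    return records


def find_wipe_candidates(records):
    """Flag file references that were overwritten and later deleted.

    Secure-wipe tools typically overwrite a file's data, often rename it to
    a random name, then delete it; all three steps land in $UsnJrnl under the
    same FileReferenceNumber even though the file's data is gone.
    """
    by_frn = {}
    for r in records:  # $J records are already in USN order
        by_frn.setdefault(r["frn"], []).append(r)
    hits = []
    for frn, recs in by_frn.items():
        overwrite_usn, names = None, []
        for r in recs:
            if not names or names[-1] != r["name"]:
                names.append(r["name"])  # rename chain, original name first
            if r["reason"] & USN_REASON_DATA_OVERWRITE and overwrite_usn is None:
                overwrite_usn = r["usn"]
            if r["reason"] & USN_REASON_FILE_DELETE and overwrite_usn is not None:
                hits.append({"frn": frn, "original_name": names[0], "names": names,
                             "overwrite_usn": overwrite_usn, "delete_usn": r["usn"],
                             "deleted_at": filetime_to_datetime(r["timestamp"])})
                break
    return hits


def build_usn_v2(usn, frn, parent_frn, ts, reason, name):
    """Serialize one USN_RECORD_V2; used only to construct the sample journal."""
    name_b = name.encode("utf-16-le")
    rec_len = (_HDR.size + len(name_b) + 7) & ~7  # records are 8-byte aligned
    hdr = _HDR.pack(rec_len, 2, 0, frn, parent_frn, usn, ts, reason,
                    0, 0, 0x20, len(name_b), _HDR.size)
    return hdr + name_b + b"\x00" * (rec_len - _HDR.size - len(name_b))


def sample_journal():
    """Constructed $J fragment: one benign file and one wiped file (assumed values)."""
    t0 = 132_000_000_000_000_000  # FILETIME in 2019, constructed
    sec = 10_000_000              # one second in 100 ns ticks
    parent = 0x0005000000000005
    benign = 0x0001000000000201
    victim = 0x0002000000000202
    events = [
        (1000, benign, parent, t0, USN_REASON_FILE_CREATE, "notes.txt"),
        (1100, benign, parent, t0 + sec, USN_REASON_DATA_EXTEND | USN_REASON_CLOSE, "notes.txt"),
        (1200, victim, parent, t0 + 2 * sec, USN_REASON_DATA_OVERWRITE, "secret.docx"),
        (1300, victim, parent, t0 + 3 * sec, USN_REASON_DATA_OVERWRITE | USN_REASON_CLOSE, "secret.docx"),
        (1400, victim, parent, t0 + 4 * sec, USN_REASON_RENAME_OLD_NAME, "secret.docx"),
        (1500, victim, parent, t0 + 4 * sec, USN_REASON_RENAME_NEW_NAME, "XQ7PLM2K.tmp"),
        (1600, victim, parent, t0 + 5 * sec, USN_REASON_RENAME_NEW_NAME | USN_REASON_CLOSE, "XQ7PLM2K.tmp"),
        (1700, victim, parent, t0 + 6 * sec, USN_REASON_FILE_DELETE | USN_REASON_CLOSE, "XQ7PLM2K.tmp"),
    ]
    return b"".join(build_usn_v2(*e) for e in events) + b"\x00" * 16


if __name__ == "__main__":
    for hit in find_wipe_candidates(parse_usn_v2(sample_journal())):
        print("wipe candidate FRN 0x%016x: %s (deleted %s, USN %d-%d)" % (
            hit["frn"], " -> ".join(hit["names"]), hit["deleted_at"].isoformat(),
            hit["overwrite_usn"], hit["delete_usn"]))
```

On a real system the input buffer comes from the $J data stream of $Extend\$UsnJrnl (or from carved $J pages), which is why the parser tolerates zero-filled slack; the name chain it recovers is the evidence that ties a random-looking deleted filename back to the original document even after the file's data and its $MFT entry have been overwritten.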

Keywords: FAT32 filesystem; NTFS filesystem; anti-forensic tools; computer forensics; exFAT filesystem; file-wiping; filesystem forensics.