A survey and research challenges of anti-forensics: Evaluation of game-theoretic models in simulation of forensic agents' behaviour

Cited by: 4
Authors
Hasanabadi, Saeed Shafiee [1]
Lashkari, Arash Habibi [1]
Ghorbani, Ali A. [1]
Affiliations
[1] Univ New Brunswick UNB, Canadian Inst Cybersecur, Fredericton, NB, Canada
Source
FORENSIC SCIENCE INTERNATIONAL-DIGITAL INVESTIGATION | 2020 / Vol. 35
Keywords
Anti-forensics; Counter-anti-forensics; Digital forensics; Forensic environment; Game theory; Fictitious play; Gradient play; Bayesian game theory; Evolutionary game theory; STACKELBERG GAMES; MEMORY FORENSICS; FICTITIOUS PLAY; ACQUISITION; QUALITY;
DOI
10.1016/j.fsidi.2020.301024
CLC number
TP [Automation technology, computer technology];
Subject classification code
0812 ;
Abstract
The aim of digital forensic investigators is to identify, collect and present reliable, accurate, and admissible evidence in court. Anti-forensics, however, manipulate, obfuscate, hide, and remove the remaining pieces of evidence in a compromised system. Because anti-forensics interrupt investigation procedures, investigators require specific defensive strategies (counter-anti-forensics) against them. This paper presents a survey of existing anti-forensic research and constructs two taxonomies: one of anti-forensic behaviour and one of open research tasks in anti-forensics. Knowledge of the interactions between forensic agents (an investigator and an attacker) in a forensic environment helps the investigator evaluate existing counter-anti-forensics and enables him/her to design and develop more advanced ones. Therefore, in this paper, we first formulate a set of characteristics that model the interactions between the attacker and the investigator (the players) in a realistic forensic environment. Next, we propose a game-theoretic approach to model the players' interactions. The attacker uses anti-forensics (i.e. rootkits) and the investigator employs counter-anti-forensics (i.e. anti-rootkits). We select and evaluate a set of game-theoretic models and algorithms to simulate the players' interactions. The evaluation shows that, among the selected game-theoretic models and algorithms for simulating the interactions in the forensic environment, a gradient play algorithm performs satisfactorily. The gradient play algorithm identifies the investigator's most stable and desired strategies after spending 10.0E-4 s and consuming 5.8 KB. (C) 2020 Elsevier Ltd. All rights reserved.
Pages: 16
References: 134 in total