Abstract
Despite the complexity of modern forensic tools, digital forensic investigations continue to be a race between cybercriminals who intend to hide evidence of their actions and investigators who intend to uncover it. The actions of these bad actors have led to the creation of the anti-forensics field. This study investigated an attempt to overcome anti-forensics techniques for data hiding. For the purposes of this study, the scope was constrained to file signature obfuscation as a means of preventing data carving tools from identifying and recovering files. Specifically, this study focused on the recovery of Portable Document Format (PDF) files. Existing industry tools are not equipped to identify or recover PDF files that have undergone file signature obfuscation. The data carving algorithm proposed in this study attempted to achieve greater efficacy in this area by using content analysis techniques, whereby the data contained between file headers and trailers is used as the basis for recognition and recovery. The study demonstrated success in the identification and recovery of obfuscated PDF files, with a cumulative identification and success rate of 93.36%.
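The following sketch illustrates content-based carving of the kind the abstract describes; it is an added example, not the study's algorithm. It locates a PDF by the `obj` ... `endobj` structures that sit between header and trailer instead of by the `%PDF-` and `%%EOF` signatures. The thresholds, function names and sample image are assumptions constructed for the example.

```python
import re

# Structural tokens that sit between a PDF's header and trailer. None of them
# is the "%PDF-" / "%%EOF" signature that obfuscation overwrites.
OBJ_OPEN = re.compile(rb"\d+ \d+ obj\b")
OBJ_CLOSE = re.compile(rb"\bendobj\b")
TAIL = re.compile(rb"startxref\s+\d+\s*")
MAX_GAP = 4096    # assumed: most filler tolerated between two objects
MIN_OBJECTS = 2   # assumed: a lone object is treated as noise


def carve_pdf_regions(image: bytes):
    """Return (start, end, object_count) for each run of PDF objects."""
    runs, pos = [], 0
    while (opened := OBJ_OPEN.search(image, pos)):
        closed = OBJ_CLOSE.search(image, opened.end())
        if closed is None:
            break
        if runs and opened.start() - runs[-1][1] <= MAX_GAP:
            runs[-1][1], runs[-1][2] = closed.end(), runs[-1][2] + 1
        else:
            runs.append([opened.start(), closed.end(), 1])
        pos = closed.end()
    regions = []
    for start, end, count in runs:
        if count < MIN_OBJECTS:
            continue
        # Extend over the xref table and trailer dictionary when present.
        tail = TAIL.search(image, end, end + MAX_GAP)
        regions.append((start, tail.end() if tail else end, count))
    return regions


def build_sample_image():
    """Constructed test image: one PDF body with both signatures zeroed out."""
    body = (b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
            b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
            b"3 0 obj\n<< /Type /Page /Parent 2 0 R >>\nendobj\n"
            b"xref\n0 4\ntrailer\n<< /Size 4 /Root 1 0 R >>\n"
            b"startxref\n178\n")  # offset is a placeholder value
    filler = bytes(range(256)) * 40
    stray = b"9 0 obj\nendobj\n"   # isolated fragment, should be rejected
    image = filler + b"\x00" * 9 + body + b"\x00" * 6 + filler + stray + filler
    return image, body


if __name__ == "__main__":
    image, body = build_sample_image()
    for start, end, count in carve_pdf_regions(image):
        print(f"offset {start}-{end}: {count} objects, {end - start} bytes")
```

A carved region still lacks its header and `%%EOF` marker, so it needs those restored before a PDF reader will open it.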