If we visualize evidence as a set of jigsaw pieces, the role of a forensic investigator is to find, collect and analyze them in order to finally put them together and reveal the big picture, i.e. to reconstruct the course of events. In contrast, the role of the adversary is to take every measure that puts a spoke in the investigator's wheel. In other words, the adversary applies anti-forensics: pieces can be hidden or destroyed, but also altered in appearance so that they are misread.
Moving to the digital world, this thesis presents categories of techniques with anti-forensic potential, which can make an investigator's life harder. The individual techniques are described along with their complexity and appropriate countermeasures. Although there are plenty of possible approaches, our survey shows that their prevalence and relevance are currently rather low in the majority of real cases.
The final part is the development of a new technique: we modify the FAT kernel module of Linux in order to create a protected area that serves as a hiding place for encrypted data.
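As an added illustration of the kind of protected area described above (example code written for this page, not the thesis's kernel module), the following user-space Python script carves a hiding place out of a FAT12 volume by marking free clusters as bad, stores an encrypted blob there, and also shows the FAT walk an investigator would run to spot it. The in-memory image, the file name SECRET.TXT, the SHA-256 keystream and the HIDE header are all constructed for the example; the thesis's kernel-level method may place and protect the area differently.

```python
"""Protected area in a FAT12 volume, user-space illustration (constructed).

Clusters whose FAT entry is 0xFF7 ("bad") are never allocated by the driver
and are skipped by most tools, so they can hold a hidden, encrypted blob.
The same FAT walk is the investigator's check: bad clusters in an image
file or on flash media are suspicious and should be dumped and inspected.
"""
import hashlib
import struct

BPS = 512            # bytes per sector
TOTAL_SECTORS = 64   # tiny volume: 61 data clusters, hence FAT12
FAT12_BAD = 0xFF7
FAT12_EOC = 0xFFF
MAGIC = b"HIDE"      # lets recover() tell a wrong key from a genuinely bad cluster


def geometry(img):
    """Derive the layout from the BIOS parameter block (offsets per the FAT spec)."""
    bps, spc, rsvd, nfats, root_ent, tot, _media, spf = struct.unpack_from(
        "<HBHBHHBH", img, 11)
    root_sectors = (root_ent * 32 + bps - 1) // bps
    first_data = rsvd + nfats * spf + root_sectors
    return {"cluster": bps * spc, "fat": rsvd * bps,
            "root": (rsvd + nfats * spf) * bps, "data": first_data * bps,
            "nclusters": (tot - first_data) // spc}


def fat12_get(img, base, n):
    """FAT12 packs two 12-bit entries into three bytes."""
    off = base + (n * 3) // 2
    word = img[off] | (img[off + 1] << 8)
    return (word >> 4) if n & 1 else (word & 0x0FFF)


def fat12_set(img, base, n, val):
    off = base + (n * 3) // 2
    word = img[off] | (img[off + 1] << 8)
    word = ((word & 0x000F) | (val << 4)) if n & 1 else ((word & 0xF000) | (val & 0x0FFF))
    img[off], img[off + 1] = word & 0xFF, word >> 8


def cluster_offset(g, n):
    return g["data"] + (n - 2) * g["cluster"]   # data cluster numbering starts at 2


def build_image():
    """Constructed FAT12 image holding one 600-byte file, SECRET.TXT, in clusters 2-3."""
    img = bytearray(BPS * TOTAL_SECTORS)
    struct.pack_into("<HBHBHHBH", img, 11, BPS, 1, 1, 1, 16, TOTAL_SECTORS, 0xF8, 1)
    img[510:512] = b"\x55\xAA"
    g = geometry(img)
    fat12_set(img, g["fat"], 0, 0xFF8)          # media descriptor entry
    fat12_set(img, g["fat"], 1, FAT12_EOC)
    fat12_set(img, g["fat"], 2, 3)              # chain 2 -> 3 -> end of chain
    fat12_set(img, g["fat"], 3, FAT12_EOC)
    img[g["root"]:g["root"] + 32] = b"SECRET  TXT" + bytes(15) + struct.pack("<HI", 2, 600)
    img[g["data"]:g["data"] + 600] = b"x" * 600
    return img


def keystream(key, n):
    """Toy CTR keystream from SHA-256 so the example has no dependencies;
    a real implementation should use an AEAD such as AES-GCM."""
    blocks = (hashlib.sha256(key + i.to_bytes(8, "little")).digest()
              for i in range(-(-n // 32)))
    return b"".join(blocks)[:n]


def xor(data, ks):
    return bytes(a ^ b for a, b in zip(data, ks))


def bad_clusters(img):
    """Investigator's check: every FAT entry marked bad, in cluster order."""
    g = geometry(img)
    return [n for n in range(2, 2 + g["nclusters"])
            if fat12_get(img, g["fat"], n) == FAT12_BAD]


def hide(img, key, secret):
    """Encrypt secret, write it into free clusters and mark them bad; returns those clusters."""
    g = geometry(img)
    blob = xor(MAGIC + struct.pack("<I", len(secret)) + secret, keystream(key, len(secret) + 8))
    free = [n for n in range(2, 2 + g["nclusters"]) if fat12_get(img, g["fat"], n) == 0]
    need = -(-len(blob) // g["cluster"])
    if len(free) < need:
        raise ValueError("not enough free clusters")
    used = free[:need]
    for i, n in enumerate(used):
        chunk = blob[i * g["cluster"]:(i + 1) * g["cluster"]]
        off = cluster_offset(g, n)
        img[off:off + len(chunk)] = chunk
        fat12_set(img, g["fat"], n, FAT12_BAD)  # the driver will never hand this cluster out
    return used


def recover(img, key):
    """Concatenate the bad clusters in order, decrypt, and validate the header."""
    g = geometry(img)
    raw = b"".join(bytes(img[cluster_offset(g, n):cluster_offset(g, n) + g["cluster"]])
                   for n in bad_clusters(img))
    plain = xor(raw, keystream(key, len(raw)))
    if plain[:4] != MAGIC:
        raise ValueError("no hidden blob, or wrong key")
    size = struct.unpack_from("<I", plain, 4)[0]
    return plain[8:8 + size]
```

Usage: `img = build_image(); hide(img, key, secret); recover(img, key)` round-trips the data, while `bad_clusters(img)` is what a triage script should report. On an image file or flash media, any bad-cluster entry is itself an indicator, because such media does not develop bad clusters that the FAT would record; dumping those clusters and checking their entropy is the practical countermeasure to this class of hiding place.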