Indicators of Anti-Forensics Projects from KITRI's Best of the Best Information Security Program
Switch branches/tags
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.

The Indicators of Anti-Forensics (IoAF) project is an effort towards automated anti-forensic trace detection using signature-based methods. Each "version" represents the work of different KITRI Best of the Best groups to advance the idea.

The main IoAF program uses parsing modules to extract file meta-data and Registry key information from a system under investigation. Pre-defined signatures are stored in a SQLite database that is queried for each extracted object.

Signatures are created by using either real-time or snapshot based analysis on a similar system. Objects that are consistently updated by the action of interest are extracted, and further tested (e.g. how the object is updated). If the object is found to consistently correspond to the action of interest - and only the action of interest - it is included as a trace in the signature.

The purpose of the project so far is not to automatically reconstruct activities, but to quickly detect the presence of anti-forensic traces to let investigators know whether they should pay more interest to this device over others (digital forensic triage).

General Schedule

IoAFv1 - Initial proof of concept. Used C# with a number of external programs such as The Sleuth Kit ( to parse various file systems and compare traces with basic signatures of known anti-forensic programs.

IoAFv2 - Version two worked towards improving the speed of the tool for practical use by investigators in the field. A code rewrite was done in C++. Parsing 'modules' were introduced, of which MFT and Registry parsing was completed. The reporting interface was also improved, written in HTML/JS.

IoAFv3 - Version three worked towards expanding the functionality of IoAF to include automatic event reconstruction and timelines of anti-forenisc activtiy.


IoAFv1: Kyoung Jea Park, Jung-Min Park, Eunjin Kim, Chang Geun Cheon

IoAFv2: Moon Seong Kim, JaeYoung Choi, Sang Seob Lee, Eunjin Kim

IoAFv3: 김고은, Cheon Chang Geun, Hwahn Il Lyoo, Hyeon Gyu Jang, 박경재, 김형석

Related Publications

  • James, J. I., Gladyshev, P., & Zhu, Y. (2011). Signature Based Detection of User Events for Post-Mortem Forensic Analysis. Digital Forensics and Cyber Crime, 53, 96-109. doi:10.1007/978-3-642-19513-6_8
  • James, J.I., P. Gladyshev (2014) "Automated Inference of Past Action Instances in Digital Investigations." International Journal of Information Security. Springer. 10.1007/s10207-014-0249-6.


Please fork this project. If you could like to contribute more directly, please contact us. This project is released under a GNU General Public License v3 (