Altering Computer Evidence

Ever since it has been possible for humans to operate computers, some have used it to perform criminal activities.

Part of a cybercriminal’s gameplay is to cover up or otherwise alter digital evidence in one form or another.

There are many reasons why cybercriminals may try to alter computer evidence; these could be any of the following:

  • Cover their traces
    The most obvious reason is to simply cover up that the fact that an attacker was around and where the attack came from.
  • Shift the blame
    Covering evidence or planting alternative evidence could shift the blame and make it appear as though another attacker, group or country was to blame for the attack.
  • Cover up a wider plan
    Sometimes an attack is simply part of a larger, more coordinated attack. Covering up evidence at this point would be crucial in order to complete the greater plan.

Every time a computer is used, logged into, or attacked locally or remotely, traces of evidence (often called “logs”) are stored which can lead back to identify the operative; potentially showing where they connected from and what group of exact activities they performed (Kassner, 2015).

It is these items of evidence that are so important for cybercriminals to eradicate in order to anonymise themselves from the victim and any authorities.

Computer forensic investigators leverage the ability to sift through these logs (Grimes, 2016) and other points of interest in order to gain information as to the details of an attack.

However, there are times when the attacker may have covered up their tracks by purging the logs (Hoffman, 2016), overwriting disk partition areas with other information or by destroying the disks entirely.

Because a large proportion of attacks take place over the internet, this makes it harder for an attacker in that they have to make sure their tracks are covered at each point they connect through. These points could be their Internet Service Providers (ISPs), common gateways, network points of presence (POPs) or country firewalls.

If this was not properly anonymised or cleared, it would be possible for an investigator to follow the trail right back to its originator.

There are however, anonymous networks such as the Tor Project which exist to allow individuals to pass through a range of global points (Greenberg, 2017) while disguising the originator behind a web of IP addresses and random servers which have each stripped a layer of encryption and bounced the connection further.

This has become common practice for attackers in order to keep their true identity private and remain undisclosed (Dredge, 2013).


Kassner, M. (2015) Don’t let your improper handling of digital evidence sink a cybercrime investigation [Online], Available from: (Accessed on 19th August 2018)

Grimes, R, A. (2016) Why it’s so hard to prosecute cyber criminals [Online], Available from: (Accessed on 19th August 2018)

Hoffman, C. (2016) You Only Need to Wipe a Disk Once to Securely Erase It [Online], Available from: (Accessed on 19th August 2018)

Greenberg, A. (2017) The Grand TOR: How to go anonymous online [Online], Available from: (Accessed on 19th August 2018)

Dredge, S. (2013) What is Tor? A beginner’s guide to the privacy tool [Online], Available from: (Accessed on 19th August 2018)