SoK: Understanding Anti-Forensics Concepts and Research Practices Across Forensic Subdomains

Computer Science > Cryptography and Security [Submitted on 7 Apr 2026] SoK: Understanding Anti-Forensics Concepts and Research Practices Across Forensic Subdomains Janine Schneider, Florian Ramming, Maximilian Eichhorn, Gaston Pugliese, Chris Hargreaves, Jan Gruber, Joschua Schilling, Julian Geus, Kevin Mayer, Lea Uhlenbrock, Lena Voigt, Frank Breitinger Anti-forensics includes a growing set of techniques designed to obstruct forensic analysis. While cybercriminals increasingly rely on these methods, they also help researchers identify and remedy weaknesses in forensic tools, advancing the overall robustness of digital forensics. Despite repeated efforts to define it, anti-forensics remains vague and inconsistent in its use. It also poses ethical challenges regarding the appropriateness of research practices and the legitimacy of the field itself. This article presents a systematic analysis of 123 publications on anti-forensics, combining qualitative and quantitative methods. We quantify the main techniques and attack vectors, examine their occurrence in different digital forensic subdomains, and identify typical research methods, motivations, and applications. This work also discusses what these findings mean for future research and proposes directions for building a more coherent and ethically grounded understanding of anti-forensics. Subjects: Cryptography and Security (cs.CR) Cite as: arXiv:2604.05770 [cs.CR]   (or arXiv:2604.05770v1 [cs.CR] for this version)   https://doi.org/10.48550/arXiv.2604.05770 Focus to learn more Submission history From: Janine Schneider [view email] [v1] Tue, 7 Apr 2026 12:12:53 UTC (640 KB) Access Paper: HTML (experimental) view license Current browse context: cs.CR < prev   |   next > new | recent | 2026-04 Change to browse by: cs References & Citations NASA ADS Google Scholar Semantic Scholar Export BibTeX Citation Bookmark Bibliographic Tools Bibliographic and Citation Tools Bibliographic Explorer Toggle Bibliographic Explorer (What is the Explorer?) Connected Papers Toggle Connected Papers (What is Connected Papers?) Litmaps Toggle Litmaps (What is Litmaps?) scite.ai Toggle scite Smart Citations (What are Smart Citations?) Code, Data, Media Demos Related Papers About arXivLabs Which authors of this paper are endorsers? | Disable MathJax (What is MathJax?)