• Journal of the China Computer Federation
  • China Science and Technology Core Journal
  • Chinese Core Journal

Computer Engineering & Science ›› 2024, Vol. 46 ›› Issue (07): 1229-1236.

• Computer Network and Information Security •

An anti-forensic detection model based on causality calculation

DU Fang, JIAO Jian, JIAO Li-bo

  1. (Computer School,Beijing Information Science & Technology University,Beijing 100101,China)
  • Received: 2023-10-12  Revised: 2023-11-20  Accepted: 2024-07-25  Online: 2024-07-25  Published: 2024-07-19

Abstract: In modern network attacks, attackers often use anti-forensics techniques to conceal their tracks. Among these techniques, data erasure is especially harmful: an attacker deletes or destroys data, thereby removing attack evidence and disrupting the forensic process. Because the erasure activity is itself covert, it is difficult to detect. This paper proposes an anti-forensics check module (AFCM) built on causality-based traceability. The model generates an alert traceability graph from alert information and computes an anomaly score for each path in the graph from attack-behaviour characteristics; further filtering and aggregation then yield the attack path. Experimental results show that the model can effectively trace anti-forensic erasure activity and improves the discrimination between data-erasure anti-forensics attacks and normal activity.

Key words: anti-forensics, attack traceability, causal relationship, network security, data wiping
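The abstract describes a four-stage pipeline (alert graph, per-path anomaly score, filtering, aggregation) without giving the scoring rule. The following Python script is an added illustration written for this page, not the authors' AFCM code: it builds a causal graph from a handful of constructed alerts, enumerates time-ordered paths, scores each path by the rarity of its actions weighted by an assumed table of evidence-destruction behaviours (`BEHAVIOUR_WEIGHT`), filters by a threshold, and merges the surviving paths into one attack path. The sample alerts, the weights and the self-information scoring rule are all this example's own assumptions.

```python
"""Toy causality-based path scoring for data-wiping detection.

Constructed illustration of the pipeline sketched in the abstract: build an
alert provenance graph, score every causal path, filter by a threshold, and
aggregate the survivors into one attack path. The scoring rule, weights and
sample alerts are this example's assumptions, not the paper's method.
"""
import math
from collections import defaultdict

# Constructed alerts (not real telemetry): (timestamp, subject, action, object).
ALERTS = [
    (1, "sshd", "spawn", "bash"),
    (2, "bash", "read", "/etc/passwd"),
    (3, "bash", "spawn", "curl"),
    (4, "curl", "connect", "203.0.113.7"),
    (5, "curl", "write", "/tmp/payload"),
    (6, "bash", "spawn", "shred"),
    (7, "shred", "wipe", "/var/log/auth.log"),
    (8, "bash", "spawn", "rm"),
    (9, "rm", "delete", "/root/.bash_history"),
    # benign background activity from cron
    (10, "cron", "spawn", "logrotate"),
    (11, "logrotate", "read", "/var/log/syslog"),
    (12, "logrotate", "write", "/var/log/syslog.1"),
    (13, "cron", "spawn", "backup.sh"),
    (14, "backup.sh", "read", "/home/data"),
    (15, "backup.sh", "write", "/backup/data.tar"),
]

# Assumed attack-behaviour weights: actions typical of evidence destruction
# count more than ordinary file I/O. Unlisted actions get weight 1.0.
BEHAVIOUR_WEIGHT = {"wipe": 3.0, "delete": 2.0, "connect": 1.5}


def build_graph(alerts):
    """Directed provenance graph: subject -(action, ts)-> object."""
    graph = defaultdict(list)
    for ts, subj, act, obj in alerts:
        graph[subj].append((obj, act, ts))
    return graph


def root_nodes(alerts):
    """Subjects that never appear as an object start the causal chains."""
    objects = {obj for _, _, _, obj in alerts}
    return sorted({subj for _, subj, _, _ in alerts if subj not in objects})


def enumerate_paths(graph, node, last_ts=-1, path=(), max_depth=8):
    """All maximal causal paths from node. An edge may extend the path only
    if it is later than the edge that reached node (cause precedes effect),
    which also rules out cycles."""
    if len(path) >= max_depth:
        return [list(path)]
    paths = []
    for obj, act, ts in graph.get(node, []):
        if ts > last_ts:
            paths.extend(enumerate_paths(graph, obj, ts,
                                         path + ((node, act, obj, ts),), max_depth))
    if not paths and path:  # leaf reached: emit the path that led here
        paths.append(list(path))
    return paths


def action_rarity(alerts):
    """Self-information -log p(action) over all alerts; rarer is more anomalous."""
    counts = defaultdict(int)
    for _, _, act, _ in alerts:
        counts[act] += 1
    total = len(alerts)
    return {act: -math.log(n / total) for act, n in counts.items()}


def path_score(path, rarity):
    """Mean weighted rarity of the edges on a path (length-normalised)."""
    return sum(rarity[act] * BEHAVIOUR_WEIGHT.get(act, 1.0)
               for _, act, _, _ in path) / len(path)


def detect(alerts, threshold=2.0):
    """Score every path, keep those at or above threshold, and aggregate them
    into one time-ordered attack path (union of their edges)."""
    graph = build_graph(alerts)
    rarity = action_rarity(alerts)
    scored = [(path_score(p, rarity), p)
              for root in root_nodes(alerts)
              for p in enumerate_paths(graph, root)]
    suspicious = [p for s, p in scored if s >= threshold]
    edges = {e for p in suspicious for e in p}
    attack_path = sorted(edges, key=lambda e: e[3])
    return scored, suspicious, attack_path


if __name__ == "__main__":
    scored, suspicious, attack_path = detect(ALERTS)
    for score, p in sorted(scored, reverse=True):
        hops = [p[0][0]] + [f"{act}:{obj}" for _, act, obj, _ in p]
        print(f"{score:5.2f}  " + " -> ".join(hops))
    print("aggregated attack path:")
    for subj, act, obj, ts in attack_path:
        print(f"  t={ts} {subj} --{act}--> {obj}")
```

With the constructed alerts, the two paths ending in `wipe` and `delete` score above the threshold while the `cron` maintenance paths (which also read and write log files) stay below it, and the aggregation step merges the two erasure paths into a single chain rooted at `sshd`. Length normalisation matters: without it, long benign chains would accumulate score simply by being long.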