Describe common anti-forensic techniques and how investigators mitigate them.

Anti-forensics refers to techniques used to hinder or mislead forensic investigations by hiding, altering, or destroying evidence. The best answer highlights several common methods: data encryption, secure deletion, timestomping, steganography, and erasing artifacts. Investigators counter these by collecting volatile data while the system is live and by looking across multiple data sources. RAM captures can reveal user activity and running processes that may not be visible once a device is powered off, and cross-source correlation—combining disk images, system logs, network traffic, cloud data, and backups—helps reconstruct what happened even when one avenue of evidence is compromised. Data encryption makes the contents unreadable at rest, but memory analysis and corroborating sources can still expose activity and metadata. Secure deletion aims to erase traces, yet residual artefacts, log entries, and backups can retain clues. Timestomping tries to hide the sequence of events by altering file timestamps, which cross-source data and memory artifacts can reveal. Steganography conceals data within normal files, so steganalysis and metadata examination across multiple files and sources help uncover hidden information. Artifact erasure attempts to wipe traces, but investigators can rely on volatile data, system logs, and other backups to piece together the timeline. In contrast, the other options describe practices that are defensive or routine maintenance (regular updates, antivirus, and backups), general data handling (compression and deduplication), or attacker techniques (social engineering and phishing). They don’t focus on anti-forensic methods or how investigators mitigate them.