Authors: Uju Okoye, Roohana Karim, Abdur Rahman Onik, Ibrahim Baggili
DFRWS USA 2026
Abstract
This Systematization of Knowledge (SoK) analyzes 197 primary studies (2005-2024) to examine how anti-forensics (AF) techniques have evolved, their distribution across platforms, and what forensic artifacts persist after mobile AF activity. We report three key findings. First, AF has matured from traditional data hiding and artifact wiping toward deception-oriented approaches; data fabrication now dominates, and AI-driven anti-forensics (AAF) has emerged, but exclusively in multimedia pipelines, with no mobile validation. Second, platform coverage is imbalanced: Windows and Android dominate, while iOS and macOS each appear in only a few studies, and cross-platform validation is rare. Third, mobile AF tends to displace rather than erase evidence: across 18 studies, 93 residual observations persist in SQLite/WAL, logs, caches, and filesystem metadata, concentrated in app-private (51.6%) and OS-level (29.0%) storage. This SoK contributes a new two-part taxonomy linking AF strategy families (with an AAF extension) to mobile residual evidence by store type and location, along with an empirical baseline for cross-platform AF research. The findings underscore the need for standardized benchmarks, expanded iOS coverage, and mobile-focused AAF evaluation to strengthen forensic reliability.