An Introduction to Chaff - An Anti-Forensics Method
by Andrew Ziem
For aircraft, chaff is a physical countermeasure that confuses radar by making it seem like there are additional aircraft in the sky. Chaff protects the aircraft by misdirecting radar-guided missiles.
Likewise, BleachBit Version 3 introduces a basic chaff system that creates files to confuse digital forensics. Think of it also like the metaphor of the needle in the haystack. The needle represents the files you want to keep private, and the chaff is the haystack that makes the needle difficult to find because the forensic investigator has more junk to sift through before finding all the needles.
Does this imply that using BleachBit to delete other data, such as browser history, is counterproductive? No. Use BleachBit to remove any private data you don't want found. However, there may be private data you decide to keep or forgot to clean, and chaff is one of an array of options to protect this private data. Of course, please also consider other options such as encryption!
BleachBit uses a statistical model called Markov chains to learn a document as inspiration and then uses it to generate random text that is difficult for an investigator to fingerprint. At a glance, the chaff files seem to be English, but a closer inspection reveals they are nonsense, so do not spend much time reading them looking for any wisdom.
BleachBit 3.0 comes with two statistical models. The first model was inspired by Hillary Clinton's emails as released by the United States Department of State. Please remember that FBI documents indicate Clinton's IT guy used BleachBit to wipe emails from her private server, and now BleachBit can also do the opposite: generate Clinton's emails.
The second model was inspired by 2600 to yield more interesting keywords that might show up on the forensic investigator's scans.
When making chaff files, either leave them undeleted or delete them without shredding them. Shredding them would remove any trace, which would be counterproductive, but deleting them without shredding can slow down the forensic investigator.
While BleachBit itself does not implement any steganography, a savvy user can consider hiding private data in the seemingly-useless chaff files. Just this possibility implies a thorough digital forensics investigation would require examining the contents of the chaff files rather than whitelisting them.