
Insider Threat Matrix™

  • ID: AR3
  • Created: 22nd May 2024
  • Updated: 23rd July 2024

Preparation

The activities conducted by a subject to aid or enable an infringement.

Sections

Each section is listed below by ID and name, followed by its description.

PR017: Archive Data

A subject uses utilities to compress and/or encrypt collected data prior to exfiltration.

PR011: Boot Order Manipulation

A subject accesses the BIOS or UEFI firmware to change the boot order of a target computer so that it boots from an external device, giving access to the target computer's file system without interacting with or authenticating to its operating system.

PR007: CCTV Enumeration

A subject observes and/or records the locations of CCTV cameras in a target area.

PR018: Circumventing Security Controls

A subject abuses their access or conducts unapproved changes to circumvent host-based security controls.

PR020: Data Obfuscation

Data obfuscation is the act of deliberately obscuring or disguising data to avoid detection and/or hinder forensic analysis. A subject may obscure data in preparation to exfiltrate the data.

PR016: Data Staging

A subject stages collected data in a central location or directory prior to exfiltration.

PR002: Device Mounting

A subject may mount an external device or network device to establish a means of exfiltrating sensitive data.

PR015: Email Collection

A subject may target user email to collect sensitive information.

PR014: External Media Formatting

A subject formats an external media device on a target system with a compatible file system that the target system can write to.

PR004: File Exploration

A subject may search for, or otherwise explore, files on a local system to identify sensitive information.

PR005: IT Ticketing System Exploration

A subject may search for, or otherwise explore, an IT ticketing system to identify sensitive information, or to identify credentials or other information that may assist in pivoting to other sources of sensitive information.

PR021: Network Scanning

A subject conducts a scan of a network to identify additional systems, or services running on those systems.

PR012: Physical Disk Removal

A subject removes the physical disk of a target system to access the target file system with an external device/system.

PR009: Physical Exploration

A subject attempts to defeat physical security controls to gain access to a secured area to conduct an infringement.

PR008: Physical Item Smuggling

A subject attempts to defeat physical security controls by smuggling an item into a controlled area to facilitate an infringement (potentially an innocuous item at first, such as a smartphone with a camera).

PR019: Private / Incognito Browsing

Private browsing, also known as 'incognito mode' among other terms, is a feature in modern web browsers that prevents the storage of browsing history, cookies, and site data on a subject's device. When private browsing is enabled, it ensures any browsing activity conducted during the browser session is not saved to the browser history or cache.


A subject can use private browsing to conceal their actions in a web browser, such as navigating to unauthorized websites, downloading illicit materials, uploading corporate data or conducting covert communications, thus leaving minimal traces of their browsing activities on a device and frustrating forensic recovery efforts.

PR001: Read Windows Registry

A subject may read the Windows registry using Registry Viewer or PowerShell to help them gain more information about the system, such as keys related to security controls.

PR006: Security Software Enumeration

A subject attempts to identify security software or other surveillance software/services on a target system.

PR022: Social Engineering (Outbound)

A subject deceptively manipulates and/or persuades others in order to gain access to devices, systems or services that hold sensitive information, or to otherwise cause harm or undermine a target organization.

PR003: Software Installation

A subject may install or attempt to install software that will be used to exfiltrate sensitive data or contravene internal policies.

PR010: Software or Access Request

A subject may make a request for software (such as an RDP, SSH or FTP client) or access (such as USB mass storage device access) to be installed or enabled on a target system, to facilitate the infringement.

PR023: Suspicious Web Browsing

A subject engages in web searches that may indicate research or information gathering related to potential infringement or anti-forensic activities. Examples include searching for software that could facilitate data exfiltration, methods for deleting or modifying system logs, or techniques to evade security controls. Such activity could signal preparation for a potential insider event.

PR013: Testing Ability to Print

A subject attempts to print a document from a system to determine whether this capability is permitted, restricted, or not possible.