Anti-Forensics

A subject clears browser artifacts to hide evidence of their activities, such as visited websites, cache, cookies, and download history.

A subject clears command history to prevent executed commands from being reviewed, disclosing information about the subject’s activities.

A subject clears operating system logs to hide evidence of their activities.

A subject may delete user accounts to obscure their activities and delete all files associated with that user.

A subject destroys data and files on a system or systems, rendering stored data irrecoverable. This is achieved by overwriting files or data on local and remote drives.

A subject deletes a file or files to prevent them from being available for later analysis or to disrupt the availability of a system. This could include log files, files downloaded by the subject, files created by the subject, or system files.

A subject encrypts data at rest to prevent a file from being accessed by anyone except those with access to a decryption key.

A subject may attempt to hide artifacts associated with their behaviors to evade or delay detection.

A subject may attempt to modify log files, as opposed to deleting them, to remove evidence of their actions.

A subject may modify keys or key values within the Windows Registry to conceal actions they have conducted related to an infringement.

A subject may destroy or otherwise impair physical storage media such as hard drives to prevent them from being analyzed.

A subject may remove attached disk storage from a system to deny investigators access to the files stored within it.

A subject may use steganography techniques to hide files inside other files or atypical locations to prevent identification.

A subject may shutdown a system to clear volatile memory (RAM), preventing memory acquisition and analysis.

A subject modifies the modified, accessed, created (MAC) file time attributes to hide new files or obscure changes made to existing files to hinder an investigation by removing a file or files from a timeframe scope.

nTimestomp is part of the nTimetools repository, and it provides tools for working with timestamps on files on the Windows operating system. This tool allows for a user to provide arguments for each timestamp, as well as the option to set all timestamps to the same value.

Linux has the built-in command touch that has functionality that allows a user to update the access and modified dates of a file. The command can be run like this:

touch -a -m -d ‘10 February 2001 12:34' <file>

The argument -a refers to the access time, -m refers to the modify time, and -d refers to the date applied to the target file.

A subject (or subjects) deploys tripwires to proactively identify actions taken by digital investigators responding to an infringement. These tripwires can include custom or pre-existing software that detects system or security agent activity indicative of an investigation. They may also involve files embedded with canary tokens, which generate alerts when accessed, notifying the subject of potential investigative actions.

The subject uninstalls software, which may also remove relevant artifacts from the system's disk, such as regsitry keys or files necessary for the software to run, preventing them from being used by investigators to track activity.

The subject uses a virtual machine (VM) to contain artifacts of forensic value within the virtualized environment, preventing them from being written to the host file system. This strategy helps to obscure evidence and complicate forensic investigations.
 

By running a guest operating system within a VM, the subject can potentially evade detection by security agents installed on the host operating system, as these agents may not have visibility into activities occurring within the VM. This adds an additional layer of complexity to forensic analysis, making it more challenging to detect and attribute malicious activities.