
Insider Threat Matrix™

  • ID: AR5
  • Created: 22nd May 2024
  • Updated: 23rd April 2025

Anti-Forensics

The actions undertaken by a subject to frustrate any subsequent investigation.

Sections

AF023 Browser or System Proxy Configuration

A subject configures either their web browser or operating system to route HTTP and HTTPS traffic through a manually defined outbound proxy server. This action enables them to redirect web activity through an external node, effectively masking the true destination of network traffic and undermining key layers of enterprise monitoring and control.

By placing a proxy between their endpoint and the internet, the subject can obscure final destinations, bypass domain-based filtering, evade SSL inspection, and suppress logging artifacts that would otherwise be available to investigative teams. This behavior, when unsanctioned, is a hallmark of anti-forensic preparation—often signaling an intent to conceal exfiltration, contact unmonitored services, or test visibility boundaries.

While proxies are sometimes used for legitimate troubleshooting, research, or sandboxing purposes, their use outside approved configurations or infrastructure should be treated as an investigatory lead.

Technical Method

Both browsers and operating systems offer mechanisms to define proxy behavior. These configurations typically involve:

  • Declaring a proxy server IP address or hostname (e.g., 198.51.100.7)
  • Assigning a port (e.g., 8080, 3128)
  • Specifying bypass rules for local or internal traffic (e.g., localhost, *.corp)

Once defined, the behavior is as follows:

  • Outbound Traffic Routing: All HTTP and HTTPS traffic is redirected through the proxy server, often using tunneling methods (e.g., HTTP CONNECT).
  • DNS Resolution Shift: The proxy, not the local device, resolves domain names—bypassing internal DNS logging and threat intelligence correlation.
  • Destination Obfuscation: To enterprise firewalls, CASBs, and Secure Web Gateways, the endpoint appears to connect only to the proxy—not to actual external services.
  • Encrypted Traffic Concealment: If the proxy does not participate in the organization’s SSL inspection chain, encrypted traffic remains opaque and unlogged.
  • System-Level Impact: When configured at the OS level, the proxy may affect all applications—not just browsers—expanding the anti-forensic footprint to tools such as command-line utilities, development environments, or exfiltration scripts.

Proxy settings may be configured through user interfaces, system preferences, environment variables, or policy files—none of which necessarily require administrative privileges unless endpoint controls are in place.

This technique is especially potent in organizations that rely on DNS logs, web filtering, or SSL interception as their primary visibility mechanisms. It fractures investigative fidelity and should be escalated when observed in unauthorized contexts.
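The following is an added, defender-side illustration of how the proxy settings described above can be collected from an endpoint and compared with an allowlist of sanctioned proxies. It is not code from the Insider Threat Matrix project. It assumes the security team maintains such an allowlist; the WinINET registry location it reads is the real per-user location, while every proxy value in the demo (198.51.100.7:8080, proxy.corp.example) is constructed.

```python
"""Collect endpoint proxy settings and compare them with an allowlist of approved proxies.

Added illustration for the AF023 entry; not ITM project code. The allowlist and the
sample values are constructed; the registry path is the real per-user WinINET location.
"""
from __future__ import annotations

import os
import re
from dataclasses import dataclass
from typing import Iterable

# Environment variables honoured by most command-line tools, package managers and SDKs.
# Setting one of these redirects far more than a browser (the "System-Level Impact" above).
PROXY_ENV_VARS = ("http_proxy", "https_proxy", "all_proxy",
                  "HTTP_PROXY", "HTTPS_PROXY", "ALL_PROXY")

# host[:port] with an optional scheme and an optional user:password@ prefix
_ENDPOINT = re.compile(
    r"^(?:[a-z][a-z0-9+.-]*://)?(?:[^@/]+@)?(?P<host>\[[^\]]+\]|[^:/\s]+)(?::(?P<port>\d{1,5}))?/?$",
    re.IGNORECASE)
# Windows "ProxyServer" may hold per-protocol entries: "http=host:port;https=host:port"
_PER_PROTOCOL = re.compile(r"^(?:http|https|ftp|socks)=(.+)$", re.IGNORECASE)


@dataclass
class Finding:
    source: str        # where the value was seen, e.g. "env:HTTPS_PROXY" or "registry:ProxyServer"
    raw: str           # the configured value, verbatim, for the investigator's notes
    host: str
    port: int | None
    approved: bool     # True when (host, port) is on the allowlist


def parse_proxy_setting(value: str) -> list[tuple[str, int | None]]:
    """Return (host, port) pairs from the common proxy notations (env URL, host:port, WinINET list)."""
    endpoints: list[tuple[str, int | None]] = []
    for part in value.split(";"):
        part = part.strip()
        kv = _PER_PROTOCOL.match(part)
        if kv:
            part = kv.group(1)
        m = _ENDPOINT.match(part)
        if m:
            port = int(m.group("port")) if m.group("port") else None
            endpoints.append((m.group("host").lower(), port))
    return endpoints


def audit_proxy_settings(settings: dict[str, str],
                         approved: Iterable[tuple[str, int | None]]) -> list[Finding]:
    """settings maps a source label to a raw proxy value. Every endpoint that is not on the
    allowlist is the investigatory lead the text describes."""
    allow = {(h.lower(), p) for h, p in approved}
    findings: list[Finding] = []
    for source, raw in settings.items():
        for host, port in parse_proxy_setting(raw):
            findings.append(Finding(source, raw, host, port, (host, port) in allow))
    return findings


def collect_env_proxy_settings(environ: dict[str, str] | None = None) -> dict[str, str]:
    """Proxy variables from the process environment (pass a dict to audit a captured environment)."""
    env = os.environ if environ is None else environ
    return {f"env:{k}": v for k, v in env.items() if k in PROXY_ENV_VARS and v}


def collect_windows_registry_proxy() -> dict[str, str]:
    """Per-user WinINET proxy, honoured by Edge, Chrome and many Windows applications.
    Returns {} on non-Windows hosts or when no manual proxy is enabled."""
    try:
        import winreg
    except ImportError:
        return {}
    path = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        try:
            enabled, _ = winreg.QueryValueEx(key, "ProxyEnable")
            server, _ = winreg.QueryValueEx(key, "ProxyServer")
        except FileNotFoundError:
            return {}
    return {"registry:ProxyServer": server} if enabled and server else {}


def unapproved(findings: list[Finding]) -> list[Finding]:
    """Only the findings an analyst needs to look at."""
    return [f for f in findings if not f.approved]


if __name__ == "__main__":
    # Constructed sample: the sanctioned corporate proxy plus the manual proxy from the text.
    APPROVED = [("proxy.corp.example", 3128)]
    observed = {
        "env:HTTPS_PROXY": "http://198.51.100.7:8080",
        "registry:ProxyServer": "http=proxy.corp.example:3128;https=proxy.corp.example:3128",
    }
    observed.update(collect_env_proxy_settings())       # real values from this host, if any
    observed.update(collect_windows_registry_proxy())
    for f in unapproved(audit_proxy_settings(observed, APPROVED)):
        print(f"UNAPPROVED PROXY {f.host}:{f.port} via {f.source} (value: {f.raw})")
```

Run on its own it reports the constructed 198.51.100.7:8080 entry and stays silent on the allowlisted corporate proxy. Two sources the collector deliberately leaves out are a PAC script configured through the WinINET AutoConfigURL value and Firefox's own network.proxy.* preferences in prefs.js; both can redirect traffic just as effectively and belong in the same audit.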

AF004 Clear Browser Artifacts

A subject clears browser artifacts to hide evidence of their activities, such as visited websites, cache, cookies, and download history.

AF001 Clear Command History

A subject clears command history to prevent executed commands from being reviewed, which would disclose information about the subject's activities.

AF002 Clear Operating System Logs

A subject clears operating system logs to hide evidence of their activities.

AF019 Decrease Privileges

A subject uses a mechanism to decrease or remove the privileges assigned to a user account under their control. This may represent an anti-forensics technique where the subject attempts to obscure previously held privileges that could associate them with activity relating to an infringement.

AF013 Delete User Account

A subject may delete user accounts to obscure their activities and delete all files associated with that user.

AF020 Deletion of Volume Shadow Copy

A subject deletes a shadow copy on a Windows system. This may represent an anti-forensics technique where the intent is to deny access to artifacts of investigative value that may be stored within the shadow copy.

AF006 Disk Wiping

A subject destroys data and files on a system or systems, rendering stored data irrecoverable. This is achieved by overwriting files or data on local and remote drives.

AF015 File Deletion

A subject deletes a file or files to prevent them from being available for later analysis or to disrupt the availability of a system. This could include log files, files downloaded by the subject, files created by the subject, or system files.

AF005 File Encryption

A subject encrypts data at rest to prevent a file from being accessed by anyone except those with access to a decryption key.

AF012 Hide Artifacts

A subject may attempt to hide artifacts associated with their behaviors to evade or delay detection.

AF009 Log Tampering

A subject may attempt to modify log files, as opposed to deleting them, to remove evidence of their actions.

AF007 Modify Windows Registry

A subject may modify keys or key values within the Windows Registry to conceal actions they have conducted related to an infringement.

AF011 Physical Destruction of Storage Media

A subject may destroy or otherwise impair physical storage media such as hard drives to prevent them from being analyzed.

AF010 Physical Removal of Disk Storage

A subject may remove attached disk storage from a system to deny investigators access to the files stored within it.

AF008 Steganography

A subject may use steganography methods to attempt to discreetly exfiltrate data.

Steganography is the practice of concealing information within other, seemingly innocuous data to prevent detection. Unlike encryption, which obscures the content of a message, steganography hides the very existence of the message. This technique can be employed by insiders to exfiltrate sensitive data without raising suspicion.

Common Steganographic Techniques:

  • Images: Data is embedded in image files (e.g., JPEG, BMP) by modifying least significant bits (LSB) of pixel values, maintaining visual integrity.
  • Audio/Video: Hidden payloads are encoded within audio or video data streams, leveraging high data density for concealment.
  • Text: Information is embedded through subtle alterations, such as extra spaces, character substitutions, or font variations.

AF014 System Shutdown

A subject may shut down a system to clear volatile memory (RAM), preventing memory acquisition and analysis.

AF003 Timestomping

A subject modifies a file's modified, accessed, and created (MAC) timestamps to hide new files or to obscure changes made to existing files, hindering an investigation by removing the file or files from the timeframe under scrutiny.

nTimestomp is part of the nTimetools repository, and it provides tools for working with timestamps on files on the Windows operating system. This tool allows a user to provide arguments for each timestamp, as well as the option to set all timestamps to the same value.

Linux provides the standard touch command, which can update the access and modification times of a file. The command can be run like this:

touch -a -m -d '10 February 2001 12:34' <file>

The argument -a updates the access time, -m updates the modification time, and -d supplies the date and time to apply to the target file.
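The following is an added, defender-side illustration of how an investigator can spot the traces that the touch invocation above leaves behind on a Linux file; it is not code from the Insider Threat Matrix project. It assumes Linux/POSIX stat() semantics on a filesystem with sub-second timestamps, and the one-year gap threshold and the sample files it builds are constructed for the demo.

```python
"""Flag POSIX file timestamps that look set by hand rather than produced by normal file activity.

Added illustration for the Timestomping entry; not ITM project code. Assumes Linux/POSIX
stat() semantics on a filesystem with sub-second timestamps; the threshold and the sample
files in run_demo() are constructed for the demo.
"""
import os
import tempfile
import time
from datetime import datetime, timezone

NS = 10**9
# A mtime more than this far behind ctime is worth a second look (constructed value; tune per estate).
GAP_THRESHOLD_S = 365 * 24 * 3600


def timestomp_indicators(path: str, gap_threshold_s: int = GAP_THRESHOLD_S) -> list[str]:
    """Return the heuristic indicators that apply to `path` (an empty list means none)."""
    st = os.stat(path, follow_symlinks=False)
    hits: list[str] = []
    # ctime (inode change time) cannot be set with utime()/touch; every write or timestamp
    # change moves it to "now". A mtime later than ctime therefore cannot come from ordinary
    # activity: either the mtime was set explicitly or the clock was moved (see AF021).
    if st.st_mtime_ns > st.st_ctime_ns:
        hits.append("mtime is later than ctime")
    # touch -d '<date string>' and most timestomping tools write whole-second values, while
    # applications on a nanosecond-resolution filesystem almost never land on .000000000.
    for name, ns in (("mtime", st.st_mtime_ns), ("atime", st.st_atime_ns)):
        if ns % NS == 0:
            hits.append(f"{name} has an all-zero sub-second part")
    # A mtime far behind ctime fits "moved the modification time into the past". Weak on its
    # own: cp -p, tar -p and package installs produce the same pattern, so corroborate it.
    if st.st_ctime_ns - st.st_mtime_ns > gap_threshold_s * NS:
        hits.append("mtime predates ctime by more than the threshold")
    return hits


def describe(path: str) -> dict[str, str]:
    """Human-readable UTC timestamps for a report line."""
    st = os.stat(path, follow_symlinks=False)

    def iso(ns: int) -> str:
        return datetime.fromtimestamp(ns / NS, tz=timezone.utc).isoformat()

    return {"atime": iso(st.st_atime_ns), "mtime": iso(st.st_mtime_ns), "ctime": iso(st.st_ctime_ns)}


def run_demo() -> dict[str, list[str]]:
    """Constructed sample in a scratch directory: a file written normally, one back-dated the way
    `touch -a -m -d '10 February 2001 12:34' <file>` would do it, and one pushed into the future."""
    with tempfile.TemporaryDirectory() as tmp:
        paths = {name: os.path.join(tmp, f"{name}.txt") for name in ("normal", "backdated", "future")}
        for p in paths.values():
            with open(p, "w") as fh:
                fh.write("sample content\n")
        past = int(datetime(2001, 2, 10, 12, 34, tzinfo=timezone.utc).timestamp()) * NS
        os.utime(paths["backdated"], ns=(past, past))   # sets atime and mtime; ctime becomes "now"
        ahead = time.time_ns() + 24 * 3600 * NS
        os.utime(paths["future"], ns=(ahead, ahead))
        return {name: timestomp_indicators(p) for name, p in paths.items()}


if __name__ == "__main__":
    import sys
    targets = sys.argv[1:]
    if targets:
        for p in targets:
            print(p, describe(p), timestomp_indicators(p) or "no indicators")
    else:
        for name, hits in run_demo().items():
            print(f"{name}: {hits or 'no indicators'}")
```

With no arguments the script runs the constructed demo; given paths it reports on real files. The back-dated file trips two indicators at once (whole-second mtime and a large ctime/mtime gap), and that combination, rather than either alone, is what justifies escalating. On Windows the analogous check compares the $STANDARD_INFORMATION timestamps in a file's MFT record, which user-mode utilities can set, against the $FILE_NAME timestamps, which they generally do not rewrite.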

AF018 Tripwires

A subject (or subjects) deploys tripwires to proactively identify actions taken by digital investigators responding to an infringement. These tripwires can include custom or pre-existing software that detects system or security agent activity indicative of an investigation. They may also involve files embedded with canary tokens, which generate alerts when accessed, notifying the subject of potential investigative actions.

AF016 Uninstalling Software

The subject uninstalls software, which may also remove relevant artifacts from the system's disk, such as registry keys or files necessary for the software to run, preventing them from being used by investigators to track activity.

AF022 Virtualization

The subject leverages virtualization technologies—including hypervisors and virtual machines—to obscure forensic artifacts, isolate malicious activity, or evade host-based monitoring. By conducting operations within a guest operating system, the subject reduces visibility to host-level security tools and complicates the forensic process by separating volatile and persistent data across system boundaries.

This strategy allows the subject to:

  • Contain incriminating tools, logs, or staged data entirely within a VM.
  • Avoid leaving artifacts on the host system's registry, file system, or memory.
  • Leverage disposable VMs to execute high-risk actions and erase evidence through snapshot rollback or VM deletion.
  • Evade host-based endpoint detection and response (EDR) tools that lack introspection into virtualized environments.
  • Run guest OSes in stealth configurations (e.g., nested VMs, portable hypervisors) to further frustrate attribution and recovery efforts.

AF021 Windows System Time Modification

The subject modifies the Windows system time in an attempt to obscure the timestamps of any system artifacts that may provide value to investigators.