Insider Threat Matrix™

  • ID: AR5
  • Created: 22nd May 2024
  • Updated: 23rd July 2024

Anti-Forensics

The actions undertaken by a subject after infringement to frustrate any subsequent investigation.

Sections

ID Name Description
AF004 Clear Browser Artifacts

A subject clears browser artifacts to hide evidence of their activities, such as visited websites, cache, cookies, and download history.

AF001 Clear Command History

A subject clears command history to prevent executed commands from being reviewed, since they would disclose information about the subject's activities.

AF002 Clear Operating System Logs

A subject clears operating system logs to hide evidence of their activities.

AF013 Delete User Account

A subject may delete user accounts to obscure their activities and delete all files associated with that user.

AF006 Disk Wiping

A subject destroys data and files on a system or systems, rendering stored data irrecoverable. This is achieved by overwriting files or data on local and remote drives.

AF015 File Deletion

A subject deletes a file or files to prevent them from being available for later analysis or to disrupt the availability of a system. This could include log files, files downloaded by the subject, files created by the subject, or system files.

AF005 File Encryption

A subject encrypts data at rest to prevent a file from being accessed by anyone except those with access to a decryption key.

AF012 Hide Artifacts

A subject may attempt to hide artifacts associated with their behaviors to evade or delay detection.

AF009 Log Tampering

A subject may attempt to modify log files, as opposed to deleting them, to remove evidence of their actions.

AF007 Modify Windows Registry

A subject may modify keys or key values within the Windows Registry to conceal actions they have conducted related to an infringement.

AF011 Physical Destruction of Storage Media

A subject may destroy or otherwise impair physical storage media such as hard drives to prevent them from being analyzed.

AF010 Physical Removal of Disk Storage

A subject may remove attached disk storage from a system to deny investigators access to the files stored within it.

AF008 Steganography

A subject may use steganography techniques to hide files inside other files or atypical locations to prevent identification.

AF014 System Shutdown

A subject may shut down a system to clear volatile memory (RAM), preventing memory acquisition and analysis.

AF003 Timestomping

A subject modifies the modified, accessed, created (MAC) time attributes of a file to hide new files or obscure changes made to existing files, hindering an investigation by moving the file or files outside the timeframe under examination.

nTimestomp is part of the nTimetools repository, which provides tools for working with file timestamps on the Windows operating system. The tool allows a user to supply a separate value for each timestamp, or to set all timestamps to the same value.

Linux has the built-in command touch, which can update the access and modification times of a file. The command can be run like this:

touch -a -m -d '10 February 2001 12:34' <file>

The argument -a selects the access time, -m selects the modification time, and -d supplies the date and time applied to the target file.

AF018 Tripwires

A subject (or subjects) deploys tripwires to proactively identify actions taken by digital investigators responding to an infringement. These tripwires can include custom or pre-existing software that detects system or security agent activity indicative of an investigation. They may also involve files embedded with canary tokens, which generate alerts when accessed, notifying the subject of potential investigative actions.

AF016 Uninstalling Software

The subject uninstalls software, which may also remove relevant artifacts from the system's disk, such as registry keys or files necessary for the software to run, preventing investigators from using them to track activity.

AF017 Use of a Virtual Machine

The subject uses a virtual machine (VM) to contain artifacts of forensic value within the virtualized environment, preventing them from being written to the host file system. This strategy helps to obscure evidence and complicate forensic investigations.

By running a guest operating system within a VM, the subject can potentially evade detection by security agents installed on the host operating system, as these agents may not have visibility into activities occurring within the VM. This adds an additional layer of complexity to forensic analysis, making it more challenging to detect and attribute malicious activities.