Hiding or Destroying Command History

A subject clears bash terminal command history to prevent executed commands from being reviewed, disclosing information about the subject’s activities.

The Command Prompt on Windows only stores command history within the current session, once Command Prompt is closed, the history is lost.

On Linux-based operating systems different terminal software may store command history in various locations, with the most common being /home/%username%/.bash_history. Using the command history -c will clear the history for the current session, preventing it from being written to .bash_history when the session ends.

On MacOS the Terminal utility will write command history to /Users/%username%/.zsh_history or /Users/%username%/.bash_history based on operating system version.

A subject clears PowerShell command history to prevent executed commands from being reviewed, disclosing information about the subject’s activities.

PowerShell stores command history in the context of a user account. This file is located at C:/Users/%username%/AppData/Roaming/Microsoft/Windows/PowerShell/PSReadline.

A subject can delete their own PSReadline file without any special permissions.

A subject may attempt to use the Clear-History Cmdlet, however this will only clear commands from the current session, does not affect the PSReadline history file.

A subject modifies the PYTHONHISTORY system environment variable used to designate the .python_history file location to equal /dev/null, resulting in it not being written to disk, denying access to this artifact for investigators.

This can be achieved on a per-session basis using the command PYTHONHISTORY=/dev/null python, or permanently by modifying a shell configuration file (such as ~/.bashrc or ~/.zshrc) to include the line export PYTHONHISTORY=/dev/null.