ITM is an open framework - Submit your contributions now.

Anti-Forensics

Clear Browser Artifacts

Clear Command History

Clear Operating System Logs

Delete User Account

Disk Wiping

File Deletion

File Encryption

Hide Artifacts

Log Tampering

Modify Windows Registry

Physical Destruction of Storage Media

Physical Removal of Disk Storage

Steganography

System Shutdown

Timestomping

Tripwires

Uninstalling Software

Use of a Virtual Machine

ID: AF001
Created: 25th May 2024
Updated: 14th June 2024
Platforms: Windows, Linux, MacOS
Contributor: The ITM Team

Clear Command History

A subject clears command history to prevent executed commands from being reviewed, disclosing information about the subject’s activities.

Subsections

ID	Name	Description
AF001.002	Clear Bash History	A subject clears bash terminal command history to prevent executed commands from being reviewed, disclosing information about the subject’s activities. The Command Prompt on Windows only stores command history within the current session, once Command Prompt is closed, the history is lost. On Linux-based operating systems different terminal software may store command history in various locations, with the most common being `/home/%username%/.bash_history`. Using the command `history -c` will clear the history for the current session, preventing it from being written to `.bash_history` when the session ends. On MacOS the Terminal utility will write command history to `/Users/%username%/.zsh_history` or `/Users/%username%/.bash_history` based on operating system version.
AF001.001	Clear PowerShell History	A subject clears PowerShell command history to prevent executed commands from being reviewed, disclosing information about the subject’s activities. PowerShell stores command history in the context of a user account. This file is located at `C:/Users/%username%/AppData/Roaming/Microsoft/Windows/PowerShell/PSReadline`. A subject can delete their own `PSReadline` file without any special permissions. A subject may attempt to use the `Clear-History` Cmdlet, however this will only clear commands from the current session, does not affect the PSReadline history file.

Prevention

ID	Name	Description
PV001	No Ready System-Level Mitigation	This section cannot be readily mitigated at a system level with preventive controls since it is based on the abuse of fundamental features of the system.

Detection

ID	Name	Description
DT054	.bash_history Timestamp Discrepency	The .bash_history file, located within a user's directory on MacOS and Linux, is written with command history from shell sessions. If the file has a Created timestamp, but a user has used a shell utility previously, this may indicate the file was deleted and manually or automatically re-created.
DT001	ConsoleHost_history.txt Created Timestamp Discrepancy	Recent modifications to the `ConsoleHost_history.txt` file located in `C:\Users\%username%\AppData\Roa`ming\Microsoft\Windows\PowerShell\PSReadLine may indicate the file has been deleted and subsequently automatically recreated by the Operating System. This may represent an anti-forensics technique if the subject in question is known to have used PowerShell any time prior to the “Created” timestamp of the ConsoleHost_history.txt file.
DT002	ConsoleHost_history.txt File Missing	If the `ConsoleHost_history.txt` file located in `C:\Users\%username%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine`, is missing, this indicates that the file has been deleted. This may represent an anti-forensics technique if the subject in question is known to have used PowerShell any time.
DT053	Missing .bash_history File	The .bash_history file, located within a user's directory on MacOS and Linux, is written with command history from shell sessions. If the file is missing, this could indicate that it has been deleted, if a user account has used a shell utility previously.