
Insider Threat Matrix™
  • ID: AF002
  • Created: 25th May 2024
  • Updated: 04th August 2025
  • Platforms: Windows, Linux, macOS
  • Contributor: The ITM Team

Log Deletion

The subject deliberately deletes logs to eliminate records of their activity and hinder subsequent investigation. This may include host-based logs (e.g., Windows Event Logs, Linux audit logs), application logs (e.g., authentication or access records), or network-level logs (e.g., firewall or proxy logs).


Deletion may be selective, targeting specific time ranges, event types, or identifiers, or broad, wiping entire log files or directories to prevent attribution or timeline reconstruction. Either approach tends to leave its own trace: a gap in otherwise continuous timestamps or record sequence numbers, a log file whose size or inode changes abruptly, or a dedicated "log cleared" event written by the logging subsystem itself. These artifacts are frequently the first indication that log deletion has occurred.

Subsections (3)

AF002.002 Clear Linux System Logs

A subject deletes Linux system logs to obscure or eliminate evidence of an infringement. Linux logs recording authentication attempts, sudo usage, system errors, and audit trails serve as critical forensic artifacts during post-incident analysis. They are commonly stored under /var/log and include files such as auth.log and syslog (Debian-family distributions), messages and secure (Red Hat-family distributions), the auditd trail in audit/audit.log, and the systemd journal under journal/.


Deletion may occur manually via the rm command, by truncating a file in place (for example by redirecting empty output into it, which leaves the file present but empty), through scripted automation, by pruning the journal with journalctl --vacuum-time or --vacuum-size, or by modifying log rotation settings so that historical activity is discarded. Note that unlinking a file a daemon still holds open does not destroy its contents immediately: the daemon keeps writing to the orphaned inode, which remains readable through /proc/<pid>/fd until the process is restarted, so a prompt responder can often recover a "deleted" log.

AF002.003 Clear macOS System Logs

A subject deletes macOS system logs to obscure or eliminate evidence of an infringement. macOS stores a range of log data, including authentication attempts, application launches, process crashes, system events, and security audits, within /private/var/log (to which /var/log is a symlink) and in the unified logging system, whose persisted store lives under /private/var/db/diagnostics and /private/var/db/uuidtext and is queried with the log command. Key files may include system.log, install.log, the Apple System Log store under asl/, and diagnostic logs within DiagnosticMessages and CrashReporter.


Deletion may occur manually via the rm command against files in /private/var/log or via log erase (for example log erase --all) against the persisted unified log store, through scripted automation, or by modifying log rotation settings to erase historical activity. Because log erase removes the unified log store on the host, forwarding log output off-host (for example streaming log stream into a collector) is the main way to preserve that evidence against this technique.

AF002.001 Clear Windows Event Logs

A subject clears Windows Event logs to conceal evidence of their activities.

Windows Event Logs store various types of information, such as system errors, application events, security auditing messages, and other operational events.

On Windows Vista and later the logs are stored as .evtx files under C:\Windows\System32\winevt\Logs (for example Security.evtx, System.evtx, Application.evtx). C:\Windows\System32\config holds the registry hives; it only held the legacy .evt event logs on Windows XP and Server 2003.

Windows Event Logs can be cleared through the Event Viewer utility ("Clear Log..."), with wevtutil cl <LogName>, or with the PowerShell cmdlet Clear-EventLog, provided the user account has administrative privileges; clearing the Security log specifically requires the "Manage auditing and security log" privilege (SeSecurityPrivilege), which local administrators hold by default. Clearing is itself logged: the Security log records event 1102 ("The audit log was cleared") and the System log records event 104 ("The <channel> log file was cleared") for any other channel, both naming the clearing account. Unless the subject removes those records as well, or the logs are forwarded to a collector before clearing, the act of clearing remains attributable.
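As an added detection example covering all three subsections above (this code is not part of the ITM page), the Python script below runs over constructed telemetry: auditd records for the Linux case, where a watch rule such as -w /var/log -p wa -k log_tamper is assumed to be loaded so that matching SYSCALL records carry key="log_tamper"; flattened Windows events, where the dictionary shape and the ClearedChannel field name are assumed SIEM output; and macOS process-execution records with an assumed {exe, args, user} shape. The allowlist of benign /var/log writers is also an assumption to tune per host. It correlates auditd SYSCALL and PATH records by serial number, distinguishes unlink from truncation (a shell redirect shows up as openat with O_TRUNC rather than as truncate), and flags the Windows 1102/104 events and macOS log erase invocations described in the text.

```python
"""Detect log-deletion indicators (ITM AF002) in constructed Linux, Windows and macOS telemetry."""
import re
from collections import namedtuple

# x86_64 syscall numbers; auditd SYSCALL records carry the number, not the name.
UNLINK_SYSCALLS = {87, 263}      # unlink, unlinkat
TRUNCATE_SYSCALLS = {76, 77}     # truncate, ftruncate
OPENAT, O_TRUNC = 257, 0x200     # `> /var/log/syslog` is openat() with O_WRONLY|O_CREAT|O_TRUNC = 0x241
# Assumed benign writers of /var/log (tune per host); log directories on Linux and macOS.
LINUX_ALLOWLIST = {"/usr/sbin/logrotate", "/usr/sbin/rsyslogd", "/usr/lib/systemd/systemd-journald"}
LOG_DIRS = ("/var/log/", "/private/var/log/")  # on macOS /var/log is a symlink to /private/var/log

Finding = namedtuple("Finding", "platform actor detail")
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')            # key=value or key="quoted value"
_SERIAL = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")  # serial shared by all records of one event

def detect_linux(auditd_text):
    """Correlate auditd SYSCALL and PATH records by serial and flag deletion or truncation of
    files under /var/log. Assumes the rule `-w /var/log -p wa -k log_tamper` is loaded."""
    events = {}
    for line in filter(str.strip, auditd_text.splitlines()):
        m = _SERIAL.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in _KV.findall(line)}
        ev = events.setdefault(m.group(1), {"paths": []})
        if fields.get("type") == "SYSCALL":
            ev.update(fields)
        elif fields.get("type") == "PATH":
            ev["paths"].append(fields)
    findings = []
    for ev in events.values():
        if ev.get("key") != "log_tamper" or ev.get("success") != "yes" or ev.get("exe") in LINUX_ALLOWLIST:
            continue
        paths = [p["name"] for p in ev["paths"] if p.get("name", "").startswith(LOG_DIRS)]
        if not paths:
            continue
        syscall = int(ev.get("syscall", -1))
        if syscall in UNLINK_SYSCALLS or any(p.get("nametype") == "DELETE" for p in ev["paths"]):
            kind = "deleted"
        elif syscall in TRUNCATE_SYSCALLS or (syscall == OPENAT and int(ev.get("a2", "0"), 16) & O_TRUNC):
            kind = "truncated"
        else:
            continue  # an ordinary append by an unlisted writer is not evidence of clearing
        findings.append(Finding("linux", ev.get("auid", "?"), f'{ev.get("exe")} {kind} {", ".join(paths)}'))
    return findings

def detect_windows(events):
    """Flag the events Windows writes when a log is cleared: Security 1102 and System 104, both from
    provider Microsoft-Windows-Eventlog. Flat-dict shape and the "ClearedChannel" field are assumed."""
    findings = []
    for ev in events:
        if ev.get("Provider") != "Microsoft-Windows-Eventlog":
            continue
        actor = ev.get("SubjectUserName", "?")
        if ev.get("Channel") == "Security" and ev.get("EventID") == 1102:
            findings.append(Finding("windows", actor, "Security log cleared"))
        elif ev.get("Channel") == "System" and ev.get("EventID") == 104:
            findings.append(Finding("windows", actor, f'{ev.get("ClearedChannel", "?")} log cleared'))
    return findings

def detect_macos(process_events):
    """Flag `log erase` and rm of files under /private/var/log in process-execution telemetry.
    The {"exe", "args", "user"} record shape is assumed (e.g. an EDR process feed)."""
    findings = []
    for ev in process_events:
        argv = ev["args"]
        if ev["exe"] == "/usr/bin/log" and argv[1:2] == ["erase"]:
            findings.append(Finding("macos", ev["user"], "log erase " + " ".join(argv[2:])))
        elif ev["exe"].endswith("/rm"):
            paths = [a for a in argv[1:] if a.startswith(LOG_DIRS)]
            if paths:
                findings.append(Finding("macos", ev["user"], f'rm removed {", ".join(paths)}'))
    return findings

# Constructed samples, not real captures. Serial 503 (rsyslogd appending) and `log show` are benign.
AUDITD_SAMPLE = """
type=SYSCALL msg=audit(1717000000.101:501): arch=c000003e syscall=87 success=yes exit=0 a0=7ffd1 a1=0 a2=0 a3=0 auid=1001 uid=0 comm="rm" exe="/usr/bin/rm" key="log_tamper"
type=PATH msg=audit(1717000000.101:501): item=1 name="/var/log/auth.log" inode=4242 nametype=DELETE
type=SYSCALL msg=audit(1717000000.102:502): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d0 a2=241 a3=1b6 auid=1001 uid=0 comm="bash" exe="/usr/bin/bash" key="log_tamper"
type=PATH msg=audit(1717000000.102:502): item=0 name="/var/log/syslog" inode=4243 nametype=NORMAL
type=SYSCALL msg=audit(1717000000.103:503): arch=c000003e syscall=257 success=yes exit=5 a0=ffffff9c a1=55d1 a2=441 a3=1b6 auid=4294967295 uid=0 comm="rsyslogd" exe="/usr/sbin/rsyslogd" key="log_tamper"
type=PATH msg=audit(1717000000.103:503): item=0 name="/var/log/syslog" inode=4243 nametype=NORMAL
"""
WINDOWS_SAMPLE = [
    {"Channel": "Security", "EventID": 1102, "Provider": "Microsoft-Windows-Eventlog", "SubjectUserName": "jdoe"},
    {"Channel": "System", "EventID": 104, "Provider": "Microsoft-Windows-Eventlog", "SubjectUserName": "jdoe", "ClearedChannel": "Application"},
]
MACOS_SAMPLE = [
    {"exe": "/usr/bin/log", "args": ["log", "show", "--last", "1h"], "user": "jdoe"},
    {"exe": "/usr/bin/log", "args": ["log", "erase", "--all"], "user": "jdoe"},
    {"exe": "/bin/rm", "args": ["rm", "-f", "/private/var/log/install.log"], "user": "jdoe"},
]

if __name__ == "__main__":
    for f in detect_linux(AUDITD_SAMPLE) + detect_windows(WINDOWS_SAMPLE) + detect_macos(MACOS_SAMPLE):
        print(f"[{f.platform}] actor={f.actor}: {f.detail}")
```

Run the file directly to print the findings from the constructed samples, or feed detect_linux() the output of ausearch -k log_tamper --raw from a host where the watch rule is loaded. The allowlist is what keeps this from firing on every rotation; it should be a short, audited list rather than a catch-all, because a subject who can run as one of the listed binaries would otherwise evade the check.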