Anti-Forensics
Account Misuse
Browser or System Proxy Configuration
Clear Browser Artifacts
Clear Email Artifacts
Decrease Privileges
Delayed Execution Triggers
Delete User Account
Deletion of Volume Shadow Copy
Disk Wiping
File Deletion
File Encryption
Hide Artifacts
Hiding or Destroying Command History
Log Deletion
Log Modification
Modify Windows Registry
Physical Destruction of Storage Media
Physical Removal of Disk Storage
Steganography
System Shutdown
Timestomping
Tripwires
Uninstalling Software
Virtualization
Windows System Time Modification
- ID: AF002.002
- Created: 25th May 2024
- Updated: 04th August 2025
- Platform: Linux
- Contributor: The ITM Team
Clear Linux System Logs
A subject deletes Linux system logs to obscure or eliminate evidence of an infringement. Linux log files, such as authentication attempts, sudo usage, system errors, and audit trails, serve as critical forensic artifacts during post-incident analysis. These logs are commonly stored in /var/log, and include files such as auth.log, syslog, messages, and secure.
Deletion may occur manually via the rm command, through scripted automation, or by modifying log rotation settings to erase historical activity.
Prevention
| ID | Name | Description |
|---|---|---|
| PV002 | Restrict Access to Administrative Privileges | The Principle of Least Privilege should be enforced, and period reviews of permissions conducted to ensure that accounts have the minimum level of access required to complete duties as per their role. |
Detection
| ID | Name | Description |
|---|---|---|
| DT014 | Utilize Cold Storage for Logs | By autonomously collecting log files from a system and transporting them to another system, such as a SIEM collector, they are typically no longer accessible by the subject, preventing them from being able to delete them. These can aid in investigations where a subject has deleted local logs. |