ITM is an open framework - Submit your contributions now.

Anti-Forensics

Deletion of Volume Shadow Copy

Disk Wiping

Disk Content Wiping
Disk Structure Wiping

Hide Artifacts

Hidden File System
Hidden Files and Directories
Hide Emails With Rules

Modify Windows Registry

Delete or Modify Registry Key
Delete or Modify Registry Key Value
Disabling Application Launch Tracking via Registry

Physical Destruction of Storage Media

Physical Destruction of Disk Storage
Physical Destruction of Removable Media

Physical Removal of Disk Storage

Tripwires

Canary Tokens
Endpoint Tripwires
Environment Tripwires

Virtualization

Portable Hypervisors
Snapshots and Rollbacks to Remove Evidence
Use of a Virtual Machine
Use of Windows Subsystem for Linux (WSL)

Windows System Time Modification

ID: AF012.003
Created: 25th May 2024
Updated: 14th June 2024
Contributor: The ITM Team

Hidden File System

A subject may use their own abstracted file system, separate from the standard file system. In doing so, insiders can hide the presence of malicious components and file input/output from security tools.

Insider Threat Matrix™

Anti-Forensics

Clear Browser Artifacts

Clear Command History

Clear Operating System Logs

Decrease Privileges

Delete User Account

Deletion of Volume Shadow Copy

Disk Wiping

File Deletion

File Encryption

Hide Artifacts

Log Tampering

Modify Windows Registry

Physical Destruction of Storage Media

Physical Removal of Disk Storage

Steganography

System Shutdown

Timestomping

Tripwires

Uninstalling Software

Virtualization

Windows System Time Modification

Hidden File System