- ID: AF014
- Created: 25th May 2024
- Updated: 23rd July 2024
- Platforms: Windows, Linux, MacOS
- Contributor: The ITM Team
System Shutdown
A subject may shut down a system to clear volatile memory (RAM), preventing the acquisition and analysis of memory.
Prevention
| ID | Name | Description |
|---|---|---|
| PV001 | No Ready System-Level Mitigation | This technique cannot be readily mitigated at a system level with preventive controls, since it is based on the abuse of fundamental features of the system. |
Detection
| ID | Name | Description |
|---|---|---|
| DT016 | Windows System Shutdown, Event Logs | A subject may power off a system to prevent the contents of memory from being read. Event ID 41 documents when “The system has rebooted without cleanly shutting down first”. Event ID 1074 documents when “The system has been shutdown properly by a user or process”. This may represent an anti-forensics technique if there is no reasonable explanation for why the system was powered off. |
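The triage logic below is an added example, not part of the ITM page: it parses Event 1074 messages to recover who and what requested the shutdown, treats planned restarts requested by SYSTEM as routine, and flags unplanned power-offs and any Event 41 for review. The event records are constructed to resemble an export of the Windows System log; the field names and the `triage`/`parse_1074` helpers are assumptions of this example.

```python
import re

# Constructed sample records shaped like an export of the Windows System log (illustrative,
# not real telemetry). Event 1074 is written by User32 when a user or process requests a
# shutdown; Event 41 is written by Kernel-Power when the system comes back up without any
# orderly shutdown having been recorded (e.g. the power was cut).
SAMPLE_EVENTS = [
    {"EventID": 1074, "TimeCreated": "2024-05-25T14:02:11",
     "Message": "The process C:\\Windows\\system32\\shutdown.exe (WS01) has initiated the "
                "power off of computer WS01 on behalf of user CORP\\jdoe for the following "
                "reason: Other (Unplanned)\n Reason Code: 0x0\n Shutdown Type: power off"},
    {"EventID": 1074, "TimeCreated": "2024-05-25T18:30:00",
     "Message": "The process C:\\Windows\\system32\\wuauclt.exe (WS01) has initiated the "
                "restart of computer WS01 on behalf of user NT AUTHORITY\\SYSTEM for the "
                "following reason: Operating System: Upgrade (Planned)\n Reason Code: "
                "0x80020003\n Shutdown Type: restart"},
    {"EventID": 41, "TimeCreated": "2024-05-26T09:15:42",
     "Message": "The system has rebooted without cleanly shutting down first."},
    {"EventID": 7036, "TimeCreated": "2024-05-26T09:16:00",
     "Message": "The Windows Update service entered the running state."},
]

# Pattern for the fixed wording of the 1074 message; the user group is lazy so that
# account names containing spaces (NT AUTHORITY\SYSTEM) are captured whole.
MSG_1074 = re.compile(
    r"process (?P<process>\S+) \(\S+\) has initiated the (?P<action>.+?) of computer "
    r"(?P<host>\S+) on behalf of user (?P<user>.+?) for the following reason: (?P<reason>[^\n]*)"
)

def parse_1074(message):
    """Return process/action/host/user/reason from an Event 1074 message, or None."""
    m = MSG_1074.search(message)
    return m.groupdict() if m else None

def triage(events):
    """Rank shutdown events: planned restarts by SYSTEM are 'info'; anything else is 'review'."""
    findings = []
    for ev in events:
        if ev["EventID"] == 1074:
            info = parse_1074(ev["Message"])
            if info is None:
                continue
            routine = "(Planned)" in info["reason"] and info["user"].upper().endswith("\\SYSTEM")
            findings.append({"time": ev["TimeCreated"], "event": 1074, "severity": "info" if routine else "review",
                             "user": info["user"], "process": info["process"], "action": info["action"]})
        elif ev["EventID"] == 41:  # no 1074 precedes a hard power loss, so the 41 itself is the signal
            findings.append({"time": ev["TimeCreated"], "event": 41, "severity": "review",
                             "user": None, "process": None, "action": "unclean shutdown"})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['time']} [{f['severity']}] Event {f['event']}: {f['action']} by {f['user']} via {f['process']}")
```

Each "review" finding still needs the context the detection text calls for (ticket, maintenance window, user interview); the code only separates routine restarts from shutdowns that lack an obvious explanation.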