Anti-Forensics
Clear Browser Artifacts
Clear Command History
Clear Operating System Logs
Decrease Privileges
Delete User Account
Disk Wiping
File Deletion
File Encryption
Hide Artifacts
Log Tampering
Modify Windows Registry
Physical Destruction of Storage Media
Physical Removal of Disk Storage
Steganography
System Shutdown
Timestomping
Tripwires
Uninstalling Software
Use of a Virtual Machine
- ID: AF015
- Created: 31st May 2024
- Updated: 08th June 2024
- Platforms: Windows, Linux, MacOS
- Contributor: The ITM Team
File Deletion
A subject deletes a file or files to prevent them from being available for later analysis or to disrupt the availability of a system. This could include log files, files downloaded by the subject, files created by the subject, or system files.
Prevention
ID | Name | Description |
---|---|---|
PV001 | No Ready System-Level Mitigation | This section cannot be readily mitigated at a system level with preventive controls since it is based on the abuse of fundamental features of the system. |
Detection
ID | Name | Description |
---|---|---|
DT037 | auditd File Access | Audit Daemon (auditd) is a powerful tool in Linux for tracking and logging system events, including file access. It’s part of the Linux Auditing System, which provides detailed and customizable logging of various types of system activity.
Below is an example auditd rule to detect file access:
To review audit logs related to this rule, we can use ausearch ( |
DT036 | Windows Jump Lists | Windows Jump Lists are a feature that provides quick access to recently or frequently used files. |
DT026 | Windows LNK Files | LNK files or Shortcut files are stored in the location These files are automatically created when a user account accesses a file through Windows Explorer. This artifact can provide information as to when a file was accessed, modified, and created, the file path and name, and the file size. .LNK files persist even if the actual file has been deleted, helping to uncover if a file has been accessed then subsequently deleted or moved as it is no longer present in the recorded full file path. |
DT027 | Windows Prefetch | In modern versions of the Windows operating system, the prefetch feature serves an important function in speeding up the run time of applications. It does this by creating a cache of information on an application on its first run that is is stored for later reference in These created files contain the created and modified timestamps of the respective file, the file size, process path, how many times it has been run, the last time it was run, and resources it references in the first 10 seconds of execution. Since every executable that is run will have a prefetch file created when the feature is enabled, the prefetch directory and the contents within it can offer new and valuable insights during an investigation, particularly when the original executable no longer exists. |
DT038 | Windows Recycle Bin | On Windows 10, we can find the Recycle Bin directory for all users located at Files that begin with Files that begin with If the user has emptied the Recycle Bin, we lose this artifact and cannot analyze it. Instead, we would need to carve these files from a disk image. |
DT032 | Windows Thumbcache | Thumbnail Cache, a feature introduced in Windows operating systems starting with Windows Vista, enhances the user experience by caching thumbnail images of files. This functionality, when enabled, speeds up and makes loading these images more efficient in various views, such as File Explorer, by generating preview images or thumbnails for various multimedia files. This artifact can provide evidence of the presence of files even if they have been deleted. |