Anti-Forensics
Clear Browser Artifacts
Clear Command History
Clear Operating System Logs
Decrease Privileges
Delete User Account
Deletion of Volume Shadow Copy
Disk Wiping
File Deletion
File Encryption
Hide Artifacts
Log Tampering
Modify Windows Registry
Physical Destruction of Storage Media
Physical Removal of Disk Storage
Steganography
System Shutdown
Timestomping
Tripwires
Uninstalling Software
Use of a Virtual Machine
- ID: AF020
- Created: 13th December 2024
- Updated: 13th December 2024
- Platform: Windows
- Contributor: Joshua Phillips
Deletion of Volume Shadow Copy
A subject deletes a shadow copy on a Windows system. This may represent an anti-forensics technique where the intent is to deny access to artifacts of investigative value that may be stored within the shadow copy.
Prevention
| ID | Name | Description |
|---|---|---|
| PV002 | Restrict Access to Administrative Privileges | The Principle of Least Privilege should be enforced, and period reviews of permissions conducted to ensure that accounts have the minimum level of access required to complete duties as per their role. |