Anti-Forensics
Account Misuse
Clear Browser Artifacts
Clear Email Artifacts
Decrease Privileges
Delayed Execution Triggers
Delete User Account
Deletion of Volume Shadow Copy
Disk Wiping
File Deletion
File Encryption
Hide Artifacts
Hiding or Destroying Command History
Log Deletion
Log Modification
Modify Windows Registry
Network Obfuscation
Physical Destruction of Storage Media
Physical Removal of Disk Storage
Stalling
Steganography
System Shutdown
Timestomping
Tripwires
Uninstalling Software
Virtualization
Windows System Time Modification
- ID: AF026
- Created: 04th August 2025
- Updated: 05th August 2025
- Contributor: The ITM Team
Log Modification
The subject intentionally alters or removes log entries, either at the host, application, or network level, in a deliberate attempt to conceal or misrepresent their actions. This behavior is typically executed to frustrate forensic reconstruction during an investigation and may include deletion of individual log lines, rewriting timestamps, or manipulating source IPs or usernames.
Subjects engaging in this technique may use native administrative tools (e.g., PowerShell, auditpol, journalctl), third-party log scrubbers, or direct file system access to tamper with .evtx, .log, or flat text logs.