- ID: AF030
- Created: 15th March 2026
- Updated: 15th March 2026
- Contributor: The ITM Team
Message Deletion
The subject deletes digital communication records in order to remove evidence of prior activity, coordination, or intent. These records may include messages exchanged through collaboration platforms, internal messaging systems, or external communication applications.
Communication artifacts often provide investigators with critical context surrounding insider events, including planning, intent, and relationships between individuals. Deleting these records can reduce the available evidentiary timeline and hinder reconstruction of events.
Message deletion may occur before, during, or after an infringement. In some cases, subjects remove messages immediately after sending them to eliminate records of inappropriate requests or instructions. In other cases, deletion occurs after an alert, disciplinary action, or investigation has begun.
Because communication platforms often retain administrative logs of message deletion events, the act of deleting messages may itself become a significant investigative indicator.
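The two timing patterns described above (deletion immediately after sending, and deletion after an alert or investigation has begun) can be checked against deletion audit records. The following is an added example, not part of the original page; the event schema, field names, two-minute window, and sample data are constructed assumptions, not any platform's real log format.

```python
from datetime import datetime, timedelta

# Constructed sample audit events in a generic, hypothetical schema.
# Real platforms use their own field names; map them to these keys first.
SAMPLE_EVENTS = [
    {"actor": "alice", "message_id": "m1",
     "sent_at": "2026-03-10T09:00:00", "deleted_at": "2026-03-10T09:00:40"},
    {"actor": "alice", "message_id": "m2",
     "sent_at": "2026-03-01T14:00:00", "deleted_at": "2026-03-12T08:15:00"},
    {"actor": "bob", "message_id": "m3",
     "sent_at": "2026-03-02T10:00:00", "deleted_at": "2026-03-05T10:00:00"},
    {"actor": "alice", "message_id": "m4",
     "sent_at": "2026-03-11T16:00:00", "deleted_at": "2026-03-11T16:00:20"},
]

# Constructed case data: when an alert or investigation opened, per subject.
CASE_OPENED = {"alice": "2026-03-11T12:00:00"}


def classify_deletions(events, case_opened, quick_window=timedelta(minutes=2)):
    """Return {message_id: [reasons]} for deletions matching a timing pattern."""
    findings = {}
    for ev in events:
        sent = datetime.fromisoformat(ev["sent_at"])
        deleted = datetime.fromisoformat(ev["deleted_at"])
        if deleted < sent:
            # Clock skew or a corrupt record: surface it instead of skipping it.
            findings[ev["message_id"]] = ["inconsistent_timestamps"]
            continue
        reasons = []
        # Pattern 1: message removed almost immediately after it was sent.
        if deleted - sent <= quick_window:
            reasons.append("deleted_shortly_after_send")
        # Pattern 2: deletion at or after the subject's alert/investigation start.
        opened = case_opened.get(ev["actor"])
        if opened and deleted >= datetime.fromisoformat(opened):
            reasons.append("deleted_after_case_opened")
        if reasons:
            findings[ev["message_id"]] = reasons
    return findings


if __name__ == "__main__":
    for message_id, reasons in classify_deletions(SAMPLE_EVENTS, CASE_OPENED).items():
        print(message_id, ", ".join(reasons))
```

A deletion that matches neither pattern (such as `m3` in the sample) is left out of the findings, so the output is a triage list and not a full record of deletion activity.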
Subsections (2)
| ID | Name | Description |
|---|---|---|
| AF030.001 | Deletion of Corporate Communication Messages | The subject deletes messages from organization-managed communication platforms such as enterprise collaboration tools, internal messaging systems, or other corporate communication environments.<br><br>These platforms commonly contain operational discussions, requests for information, coordination between staff, or exchanges relating to sensitive work activities. Deleting messages from these systems may remove evidence of policy violations, improper instructions, or coordination with other individuals.<br><br>In many enterprise platforms, message deletion events generate administrative audit artifacts. While the message content may no longer be visible to users, deletion activity can often still be identified through platform audit logs, retention systems, or administrative investigation tools. |
| AF030.002 | Deletion of Non-Corporate Communication Messages | The subject deletes messages from communication platforms that are not owned or administered by the organization. These platforms may include personal messaging services such as SMS, WhatsApp, Signal, Telegram, or other external communication applications.<br><br>Subjects may use these channels to conduct conversations outside corporate monitoring systems. Deleting these messages may be an attempt to remove evidence of coordination, disclosure of sensitive information, or communication with external parties.<br><br>Because these platforms typically operate outside organizational infrastructure, direct visibility into message activity is often limited. Evidence of deletion may instead emerge through device forensics, recovered artifacts, witness testimony, or references within other communication records. |