
Insider Threat Matrix™
  • ID: DT135
  • Created: 21st July 2025
  • Updated: 21st July 2025
  • Platform: Windows
  • Contributor: The ITM Team

OneDrive SafeDelete.db

Monitor the presence and contents of the OneDrive SafeDelete.db file to identify subject-driven deletion of local files synced via OneDrive cloud storage. This SQLite database is located at: C:\Users\<username>\AppData\Local\Microsoft\OneDrive\settings\Personal\SafeDelete.db

The file contains a table named items_sent_to_recycle_bin, with the following notable fields:

  • itemName: The name and extension of each deleted file.
  • notificationTime: The epoch timestamp when the file was sent to the Recycle Bin.


KAPE ships a default Target module, “OneDrive_Metadata”, that acquires the parent directory of this database. Use forensic tools or software such as DB Browser (SQLite) to view or extract entries from the items_sent_to_recycle_bin table.


This database persists across standard user deletion workflows and may retain entries long after file removal, offering high-value retrospective insight into deletion behaviors. itemName could help guide forensic carving of deleted files from disk images or shadow copies, even if the Recycle Bin has been emptied.
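The triage the entry describes, written out as an added example (not ITM or Microsoft tooling): open an acquired copy of SafeDelete.db read-only, pull itemName and notificationTime from items_sent_to_recycle_bin, convert the epoch to UTC, count deleted items by extension to prioritise carving, and flag bursts of deletions that suggest bulk removal. Everything beyond the path, table and two field names given above is an assumption: the script treats notificationTime as Unix epoch seconds (values too large for seconds are taken as milliseconds), ignores any other columns the real database has, and the rows it builds are constructed sample data. Validate the timestamp unit against a deletion of known time on a test host before relying on it.

```python
"""Triage a OneDrive SafeDelete.db copy: list recycled items, summarise
extensions (to prioritise carving) and flag mass-deletion bursts.

Added example for this ITM entry; not ITM or Microsoft tooling.
Assumptions (not from the entry): the table is read only through the two
fields the entry names, itemName and notificationTime; notificationTime
is treated as Unix epoch seconds UTC (values too large for seconds are
treated as milliseconds); all sample rows below are constructed.
"""
import os
import sqlite3
import tempfile
from collections import Counter
from datetime import datetime, timezone
from pathlib import Path, PureWindowsPath

TABLE = "items_sent_to_recycle_bin"          # table named in the ITM entry


def default_safedelete_path(username: str) -> PureWindowsPath:
    """Live-system location given in the ITM entry (analyse a copy, not this file)."""
    return (PureWindowsPath(r"C:\Users") / username /
            r"AppData\Local\Microsoft\OneDrive\settings\Personal\SafeDelete.db")


def epoch_to_utc(value) -> datetime:
    """Convert the stored epoch to an aware UTC datetime (ms heuristic is an assumption)."""
    value = int(value)
    if value > 10**11:                        # assumption: this magnitude means milliseconds
        value //= 1000
    return datetime.fromtimestamp(value, tz=timezone.utc)


def read_deletions(db_path) -> list:
    """Return (itemName, utc_datetime) rows, oldest first, opening the DB read-only."""
    uri = Path(db_path).resolve().as_uri() + "?mode=ro"   # never write to evidence
    con = sqlite3.connect(uri, uri=True)
    try:
        rows = con.execute(
            f"SELECT itemName, notificationTime FROM {TABLE} ORDER BY notificationTime"
        ).fetchall()
    finally:
        con.close()
    return [(name, epoch_to_utc(ts)) for name, ts in rows]


def extension_summary(events) -> Counter:
    """Count deleted items by extension; guides which carvers to run first."""
    return Counter(Path(name).suffix.lower() or "<none>" for name, _ in events)


def burst_windows(events, window_seconds=300, threshold=20):
    """Flag runs of >= threshold deletions within window_seconds (bulk-removal heuristic)."""
    ts = [dt.timestamp() for _, dt in events]            # events are already sorted
    bursts, i, n = [], 0, len(ts)
    while i < n:
        j = i
        while j + 1 < n and ts[j + 1] - ts[i] <= window_seconds:
            j += 1
        count = j - i + 1
        if count >= threshold:
            bursts.append((events[i][1], events[j][1], count))
            i = j + 1                                    # skip past the reported run
        else:
            i += 1
    return bursts


def build_sample_db(path) -> None:
    """Write a constructed SafeDelete.db look-alike: 3 routine deletions, then a 25-file burst."""
    base = 1_752_000_000                                 # constructed: 2025-07-08 UTC
    rows = [("notes.txt", base), ("photo.jpg", base + 86400), ("budget.xlsx", base + 2 * 86400)]
    rows += [(f"project_{i:02d}.docx", base + 3 * 86400 + 2 * i) for i in range(25)]
    con = sqlite3.connect(path)
    with con:
        con.execute(f"CREATE TABLE {TABLE} (itemName TEXT, notificationTime INTEGER)")
        con.executemany(f"INSERT INTO {TABLE} VALUES (?, ?)", rows)
    con.close()


def run_demo() -> dict:
    """Build the constructed database in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as d:
        db = os.path.join(d, "SafeDelete.db")
        build_sample_db(db)
        events = read_deletions(db)
    return {"events": events,
            "extensions": extension_summary(events),
            "bursts": burst_windows(events)}


if __name__ == "__main__":
    result = run_demo()
    for name, when in result["events"][:5]:
        print(f"{when.isoformat()}  {name}")
    print("by extension:", dict(result["extensions"]))
    for start, end, count in result["bursts"]:
        print(f"BURST: {count} deletions between {start.isoformat()} and {end.isoformat()}")
```

Point read_deletions at the SafeDelete.db inside a KAPE OneDrive_Metadata acquisition rather than the live file; the read-only URI keeps the SQLite copy unmodified. The burst threshold and window are starting values for a triage pass, not tuned detection parameters.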

Sections

AF015: File Deletion

A subject deletes a file or files to prevent them from being available for later analysis or to disrupt the availability of a system. This could include log files, files downloaded by the subject, files created by the subject, or system files.

IF013.001: File or Data Deletion

A subject deletes organizational files or data (manually or through tooling) outside authorized workflows, resulting in the loss, concealment, or unavailability of operational assets. This infringement encompasses both targeted deletion (e.g. selected records, logs, or documents) and bulk removal (e.g. recursive deletion of directories or volumes).


Unlike Destructive Malware Deployment, which uses self-propagating or malicious code to irreversibly damage systems, this behavior reflects direct user-driven actions or scripts that remove or purge data without employing destructive payloads. Deletions may be conducted via built-in utilities, custom scripts, scheduled tasks, or misuse of administrative tools such as backup managers or version control systems.


This activity frequently occurs to:


  • Conceal evidence of other infringing actions (e.g. log deletion to frustrate investigation)
  • Sabotage availability of critical information (e.g. deleting shared drives or project directories)
  • Facilitate exfiltration or preparation (e.g. purging redundant files before copying sensitive data)


It may also involve secondary actions such as emptying recycle bins, purging shadow copies, disabling version histories, or wiping removable media to obscure the scope of deletion.