- ID: DT160
- Created: 27th May 2026
- Updated: 27th May 2026
- Contributor: The ITM Team
Slack Data Retention Settings
Slack data retention settings determine how long message history is kept and whether the prior states of edited and deleted messages are preserved. Where a workspace or Enterprise Grid organization is configured to keep edits and deletions, Slack retains the earlier versions of a message alongside its current state, allowing investigators to reconstruct communication content that is no longer visible in the active Slack interface.
This detection is relevant where a subject may attempt anti-forensic activity through message deletion, message modification, or removal of content from channels and direct messages. Slack retention can be configured to keep all messages while either preserving or discarding edit and deletion history, or to delete messages after a set period. Investigators should therefore confirm which setting was in force for the workspace or Enterprise organization at the time of the activity: enabling preservation after the fact does not recover content that was not retained when the edit or deletion occurred.
Investigators should review the applicable workspace, organization, channel, and direct message retention settings, including whether members were permitted to override retention at the conversation level, since a conversation-level override can shorten retention for exactly the channel or direct message under review. Where export or Discovery API access is available, retained edit and deletion history may support reconstruction of the subject’s original message content, its timing and recipients, and any subsequent modification or deletion activity.
Slack data retention settings preserve evidence but neither restrict the subject’s access nor prevent continued activity. They should therefore be treated as an evidence preservation and reconstruction mechanism, not a containment control.
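The reconstruction described above, as an added example that is not part of this page or of Slack's own tooling: it folds a stream of Slack message events into a per-message version history (original text, each edit, and any deletion), then flags the patterns AF033 and AF030 describe, an edit or deletion shortly after sending and a deletion whose original content was never preserved. The event shapes follow Slack's Events API `message` events with the `message_changed` and `message_deleted` subtypes; the channel and user IDs, timestamps, message text, and the five-minute "rapid" window are constructed assumptions for the example, not values from the page.

```python
"""Reconstruct edit/deletion history for Slack messages from a stream of
message events and flag anti-forensic patterns: an edit or deletion shortly
after sending, and a deletion whose original content was never preserved.

Event shapes follow Slack's Events API 'message' events (subtypes
'message_changed' and 'message_deleted'); the channel/user IDs, timestamps
and message text below are constructed for illustration, not real data.
"""
from dataclasses import dataclass, field
from typing import Optional

# Assumption for this example: an edit or deletion within 5 minutes of sending
# is worth surfacing for review. Tune to the case.
RAPID_WINDOW_SECONDS = 300

# Constructed sample stream. Slack 'ts' values are epoch seconds with a
# six-digit suffix and identify a message within its channel.
SAMPLE_EVENTS = [
    {"type": "message", "channel": "C0OPS", "user": "U0SUBJ", "ts": "1716800000.000100",
     "text": "vpn password for the jump box is hunter2"},
    {"type": "message", "subtype": "message_changed", "channel": "C0OPS",
     "ts": "1716800045.000200",
     "message": {"type": "message", "user": "U0SUBJ", "ts": "1716800000.000100",
                 "text": "ignore, wrong channel",
                 "edited": {"user": "U0SUBJ", "ts": "1716800045.000200"}},
     "previous_message": {"type": "message", "user": "U0SUBJ", "ts": "1716800000.000100",
                          "text": "vpn password for the jump box is hunter2"}},
    {"type": "message", "channel": "C0OPS", "user": "U0SUBJ", "ts": "1716800100.000300",
     "text": "lunch?"},
    {"type": "message", "subtype": "message_changed", "channel": "C0OPS",
     "ts": "1716803800.000400",
     "message": {"type": "message", "user": "U0SUBJ", "ts": "1716800100.000300",
                 "text": "lunch at 1?",
                 "edited": {"user": "U0SUBJ", "ts": "1716803800.000400"}},
     "previous_message": {"type": "message", "user": "U0SUBJ", "ts": "1716800100.000300",
                          "text": "lunch?"}},
    {"type": "message", "channel": "C0OPS", "user": "U0SUBJ", "ts": "1716800200.000500",
     "text": "meet at the garage after work, bring the drive"},
    {"type": "message", "subtype": "message_deleted", "channel": "C0OPS",
     "ts": "1716800230.000600", "deleted_ts": "1716800200.000500"},
    # Deletion of a message that predates the captured stream: its text is gone.
    {"type": "message", "subtype": "message_deleted", "channel": "C0OPS",
     "ts": "1716800300.000700", "deleted_ts": "1716700000.000800"},
]


@dataclass
class MessageHistory:
    channel: str
    ts: str                      # original message ts: Slack's message identity in a channel
    user: Optional[str]
    versions: list = field(default_factory=list)  # [(when_ts, text)], oldest first
    deleted_ts: Optional[str] = None


def reconstruct(events):
    """Fold message / message_changed / message_deleted events into per-message histories."""
    histories = {}
    for ev in events:
        if ev.get("type") != "message":
            continue
        channel, subtype = ev["channel"], ev.get("subtype")
        if subtype is None:                       # a new message
            hist = MessageHistory(channel, ev["ts"], ev.get("user"), [(ev["ts"], ev["text"])])
            histories[(channel, ev["ts"])] = hist
        elif subtype == "message_changed":        # an edit; 'message' is the new state
            msg = ev["message"]
            hist = histories.setdefault((channel, msg["ts"]),
                                        MessageHistory(channel, msg["ts"], msg.get("user")))
            prev = ev.get("previous_message")
            if prev is not None and not hist.versions:   # original never seen: recover it
                hist.versions.append((msg["ts"], prev["text"]))
            hist.versions.append((ev["ts"], msg["text"]))
        elif subtype == "message_deleted":        # 'deleted_ts' names the removed message
            hist = histories.setdefault((channel, ev["deleted_ts"]),
                                        MessageHistory(channel, ev["deleted_ts"], None))
            hist.deleted_ts = ev["ts"]
    return histories


def seconds_between(later_ts, earlier_ts):
    return float(later_ts) - float(earlier_ts)


def flag_anti_forensic(histories, window=RAPID_WINDOW_SECONDS):
    """Return (kind, channel, message_ts, seconds_after_send) tuples worth an analyst's attention."""
    findings = []
    for (channel, ts), hist in sorted(histories.items()):
        for when, _text in hist.versions[1:]:
            delay = seconds_between(when, ts)
            if delay <= window:
                findings.append(("rapid_edit", channel, ts, delay))
        if hist.deleted_ts is not None:
            delay = seconds_between(hist.deleted_ts, ts)
            if delay <= window:
                findings.append(("rapid_delete", channel, ts, delay))
            if not hist.versions:   # nothing to reconstruct: preservation was not in place
                findings.append(("deleted_content_not_preserved", channel, ts, delay))
    return findings


if __name__ == "__main__":
    hists = reconstruct(SAMPLE_EVENTS)
    for (channel, ts), h in sorted(hists.items()):
        print(channel, ts, "versions:", h.versions, "deleted_ts:", h.deleted_ts)
    for finding in flag_anti_forensic(hists):
        print(finding)
```

On the sample stream the credential message is recovered from `previous_message` and flagged as a rapid edit, the garage message is flagged as a rapid delete with its text intact, and the deletion of a message older than the capture is reported as content not preserved, which is the case the retention check in the text is meant to rule in or out. Messages are keyed by `(channel, ts)` because a Slack `ts` identifies a message only within its channel; the same logic applies to an export or Discovery API pull once its records are mapped onto these three event shapes.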
Sections
| ID | Name | Description |
|---|---|---|
| AF033 | Message Modification | The subject edits previously sent digital communication records in order to alter, obscure, or remove evidence of prior activity, coordination, intent, or disclosure. These records may include messages exchanged through collaboration platforms, internal messaging systems, or external communication applications.<br><br>Communication artifacts often provide investigators with critical context surrounding insider events, including planning, intent, relationships between individuals, and the sequence of actions leading to an infringement. Modifying a message after it has been sent can preserve the appearance of a normal communication thread while changing the evidentiary content available to investigators.<br><br>Message modification may occur before, during, or after an infringement. In some cases, subjects edit messages shortly after sending them to remove threatening, coercive, inappropriate, or policy-violating language. In other cases, a subject may transmit sensitive information, credentials, instructions, or confidential data as message text, then modify the message to benign content after it has been read or copied by the intended recipient.<br><br>This behavior is especially significant where the communication platform does not retain prior message versions, where edit history is excluded from standard exports, or where preservation controls were not in place at the time of the edit. Even where the original message content cannot be recovered, the act of editing a message may itself become a significant investigative indicator, particularly when correlated with alert timing, recipient activity, data access, or other case events. |
| AF030 | Message Deletion | The subject deletes digital communication records in order to remove evidence of prior activity, coordination, or intent. These records may include messages exchanged through collaboration platforms, internal messaging systems, or external communication applications.<br><br>Communication artifacts often provide investigators with critical context surrounding insider events, including planning, intent, and relationships between individuals. Deleting these records can reduce the available evidentiary timeline and hinder reconstruction of events.<br><br>Message deletion may occur before, during, or after an infringement. In some cases, subjects remove messages immediately after sending them to eliminate records of inappropriate requests or instructions. In other cases, deletion occurs after an alert, disciplinary action, or investigation has begun.<br><br>Because communication platforms often retain administrative logs of message deletion events, the act of deleting messages may itself become a significant investigative indicator. |
| AF030.001 | Deletion of Corporate Communication Messages | The subject deletes messages from organization-managed communication platforms such as enterprise collaboration tools, internal messaging systems, or other corporate communication environments.<br><br>These platforms commonly contain operational discussions, requests for information, coordination between staff, or exchanges relating to sensitive work activities. Deleting messages from these systems may remove evidence of policy violations, improper instructions, or coordination with other individuals.<br><br>In many enterprise platforms, message deletion events generate administrative audit artifacts. While the message content may no longer be visible to users, deletion activity can often still be identified through platform audit logs, retention systems, or administrative investigation tools. |