- ID: DT161
- Created: 27th May 2026
- Updated: 27th May 2026
- Contributor: The ITM Team
Slack Legal Holds
Slack Legal Holds allow investigators or authorized legal administrators to preserve Slack messages and files associated with selected custodians during an investigation, dispute, or legal matter. When a legal hold is applied, relevant Slack content can be preserved even where messages or files are later edited or deleted.
This detection is relevant where a subject may attempt anti-forensic activity through message deletion, message modification, file removal, or concealment of communications with collaborators. Slack states that legal holds can preserve messages and files sent by custodians, and that preserved data can be accessed through JSON export or the Discovery API, depending on the organization’s Slack plan and configuration.
Investigators should identify relevant custodians, channels, direct messages, multi-person direct messages, Slack Connect conversations, and file-sharing activity before requesting or applying a legal hold. The investigative timeline should document when the hold was requested, when it was applied, which custodians were included, and whether any relevant content may have been modified or deleted before preservation began.
Slack Legal Holds preserve evidence but do not restrict the subject’s access or prevent continued activity. They should therefore be treated as an evidence preservation mechanism, not a containment control.
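As an added example that is not part of this ITM entry or of Slack's own tooling, the following Python script applies the timeline check described above to Slack export-style message objects (assumed format: each message carries a `ts` string and an edited message carries an `edited` object with its own `ts`); the hold timestamp and the messages are constructed sample data. It separates custodian edits that predate the hold, where the original content may be unrecoverable, from edits the hold captured.

```python
"""Legal-hold timeline check over Slack export-style messages (added example)."""
from datetime import datetime, timezone

# Constructed sample: three messages from one custodian's channel export.
# Slack exports represent an edited message with an "edited" object
# carrying the editor and the edit timestamp (assumed format).
SAMPLE_EXPORT = [
    {"type": "message", "user": "U01CUSTODIAN", "ts": "1780000000.000100",
     "text": "draft figures attached"},                      # never edited
    {"type": "message", "user": "U01CUSTODIAN", "ts": "1780000300.000200",
     "text": "never mind",
     "edited": {"user": "U01CUSTODIAN", "ts": "1780000360.000000"}},
    {"type": "message", "user": "U01CUSTODIAN", "ts": "1780007200.000300",
     "text": "lunch?",
     "edited": {"user": "U01CUSTODIAN", "ts": "1780010800.000000"}},
]

def ts_to_dt(ts: str) -> datetime:
    """Convert a Slack 'seconds.micros' timestamp string to an aware datetime."""
    return datetime.fromtimestamp(float(ts), tz=timezone.utc)

def classify_edits(messages, hold_applied_ts: str):
    """Return one finding per edited message, flagging edits made before the hold.

    A pre-hold edit is the investigative gap: preservation had not started,
    so only the fact and timing of the edit may survive, not the prior text.
    """
    hold_at = ts_to_dt(hold_applied_ts)
    findings = []
    for m in messages:
        edited = m.get("edited")
        if not edited:
            continue
        sent_at, edit_at = ts_to_dt(m["ts"]), ts_to_dt(edited["ts"])
        findings.append({
            "sent_ts": m["ts"],
            "edited_ts": edited["ts"],
            "editor": edited.get("user"),
            "delay_s": round((edit_at - sent_at).total_seconds()),
            "before_hold": edit_at < hold_at,
        })
    return findings

def summarize(findings):
    """Count edits that predate preservation versus those the hold captured."""
    pre = sum(1 for f in findings if f["before_hold"])
    return {"edited_total": len(findings), "pre_hold": pre,
            "post_hold": len(findings) - pre}

if __name__ == "__main__":
    HOLD_APPLIED = "1780003600.000000"  # constructed: hold applied an hour in
    result = classify_edits(SAMPLE_EXPORT, HOLD_APPLIED)
    for finding in result:
        print(finding)
    print(summarize(result))
```

Record the hold-applied timestamp from the platform's own confirmation rather than from the request time, since the gap between the two is exactly the window this check is measuring.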
Sections
| ID | Name | Description |
|---|---|---|
| AF033 | Message Modification | The subject edits previously sent digital communication records in order to alter, obscure, or remove evidence of prior activity, coordination, intent, or disclosure. These records may include messages exchanged through collaboration platforms, internal messaging systems, or external communication applications.<br><br>Communication artifacts often provide investigators with critical context surrounding insider events, including planning, intent, relationships between individuals, and the sequence of actions leading to an infringement. Modifying a message after it has been sent can preserve the appearance of a normal communication thread while changing the evidentiary content available to investigators.<br><br>Message modification may occur before, during, or after an infringement. In some cases, subjects edit messages shortly after sending them to remove threatening, coercive, inappropriate, or policy-violating language. In other cases, a subject may transmit sensitive information, credentials, instructions, or confidential data as message text, then modify the message to benign content after it has been read or copied by the intended recipient.<br><br>This behavior is especially significant where the communication platform does not retain prior message versions, where edit history is excluded from standard exports, or where preservation controls were not in place at the time of the edit. Even where the original message content cannot be recovered, the act of editing a message may itself become a significant investigative indicator, particularly when correlated with alert timing, recipient activity, data access, or other case events. |
| AF030 | Message Deletion | The subject deletes digital communication records in order to remove evidence of prior activity, coordination, or intent. These records may include messages exchanged through collaboration platforms, internal messaging systems, or external communication applications.<br><br>Communication artifacts often provide investigators with critical context surrounding insider events, including planning, intent, and relationships between individuals. Deleting these records can reduce the available evidentiary timeline and hinder reconstruction of events.<br><br>Message deletion may occur before, during, or after an infringement. In some cases, subjects remove messages immediately after sending them to eliminate records of inappropriate requests or instructions. In other cases, deletion occurs after an alert, disciplinary action, or investigation has begun.<br><br>Because communication platforms often retain administrative logs of message deletion events, the act of deleting messages may itself become a significant investigative indicator. |
| AF030.001 | Deletion of Corporate Communication Messages | The subject deletes messages from organization-managed communication platforms such as enterprise collaboration tools, internal messaging systems, or other corporate communication environments.<br><br>These platforms commonly contain operational discussions, requests for information, coordination between staff, or exchanges relating to sensitive work activities. Deleting messages from these systems may remove evidence of policy violations, improper instructions, or coordination with other individuals.<br><br>In many enterprise platforms, message deletion events generate administrative audit artifacts. While the message content may no longer be visible to users, deletion activity can often still be identified through platform audit logs, retention systems, or administrative investigation tools. |