Anti-Forensics: Covering Your Tracks
Sophisticated attackers don't just achieve their objectives - they erase evidence of their presence. Anti-forensics techniques make incident response difficult and attribution nearly impossible. Understanding these techniques is essential for both attackers and defenders.
Anti-forensics is a cat-and-mouse game. Every technique here has countermeasures. Forensic tools evolve to detect tampering, and attackers evolve to evade detection. See Forensics & IR for the defensive perspective.
Why Anti-Forensics Matters
Evidence left behind, by location:

- Filesystem: malware files, tools downloaded, timestamps (MACE), Prefetch files, jump lists, USB history, browser history, $MFT entries
- Logs: event logs, PowerShell logs, Sysmon events, auth logs, firewall logs, proxy logs, AV logs, cloud audit logs
- Memory: process artifacts, network connections, injected code, credentials, command history
- Registry: Run keys, services, MRU lists, USB devices, UserAssist
- Network: PCAP captures, NetFlow data, DNS queries, firewall logs, proxy cache

All of this points back to the attacker.
Timestomping
Every file on NTFS has four timestamps (MACE): Modified, Accessed, Created, Entry Modified. Forensic timelines rely on these. Timestomping changes them to blend with legitimate files.
Windows Timestamps
```powershell
# View current timestamps
Get-Item C:\Windows\Temp\malware.exe | Select-Object *Time*
# Timestomp to match legitimate system file
$legit = Get-Item C:\Windows\System32\notepad.exe
$malware = Get-Item C:\Windows\Temp\malware.exe
$malware.CreationTime = $legit.CreationTime
$malware.LastWriteTime = $legit.LastWriteTime
$malware.LastAccessTime = $legit.LastAccessTime
# Using PowerShell to set specific timestamps
$file = Get-Item C:\malicious.exe
$file.CreationTime = "01/15/2020 10:30:00"
$file.LastWriteTime = "01/15/2020 10:30:00"
$file.LastAccessTime = "01/15/2020 10:30:00"
```
Linux Timestamps
```bash
# View timestamps
stat /tmp/malware
# Change modification and access time
touch -t 202001151030.00 /tmp/malware
# Match timestamps from another file
touch -r /bin/ls /tmp/malware
# Change only access time
touch -a -t 202001151030.00 /tmp/malware
# Change only modification time
touch -m -t 202001151030.00 /tmp/malware
```
NTFS keeps two copies of each file's timestamps in its $MFT record: the $STANDARD_INFORMATION ($SI) attribute, which the commands above write through ordinary file APIs, and the $FILE_NAME ($FN) attribute, which only the kernel updates (on create, rename or move) and which those commands cannot reach. Forensic tools compare both; a mismatch, such as an $SI creation time earlier than the $FN creation time, indicates timestomping. Tools like MFTECmd and The Sleuth Kit detect this.
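As an added defender-side example (not code from the original page or from MFTECmd), the $SI/$FN comparison described above applied to a constructed, simplified $MFT export; the column names, the sample rows and the "zero sub-second" heuristic are assumptions of this example.

```python
import csv
import io
from datetime import datetime

# Constructed sample (not real MFTECmd output): a simplified $MFT export with
# $STANDARD_INFORMATION (si_*) and $FILE_NAME (fn_*) timestamps in UTC,
# ISO-8601 with NTFS's 7-digit (100 ns) fraction.
SAMPLE_MFT_CSV = """\
path,si_created,si_modified,fn_created,fn_modified
C:\\Windows\\System32\\notepad.exe,2019-12-07T09:08:47.1234567,2019-12-07T09:08:47.1234567,2019-12-07T09:08:47.1234567,2019-12-07T09:08:47.1234567
C:\\Windows\\Temp\\svc.exe,2020-01-15T10:30:00.0000000,2020-01-15T10:30:00.0000000,2024-03-02T14:22:10.5553210,2024-03-02T14:22:10.5553210
C:\\Users\\bob\\report.docx,2024-03-01T08:00:12.9876540,2024-03-05T16:45:00.1112223,2024-03-01T08:00:12.9876540,2024-03-01T08:00:12.9876540
"""

def parse_ntfs_ts(value):
    """Return (datetime to the second, 100 ns fraction as int)."""
    whole, frac = value.split(".")
    return datetime.strptime(whole, "%Y-%m-%dT%H:%M:%S"), int(frac)

def find_timestomp_indicators(csv_text):
    """Map each path to the list of timestomp indicators it triggers."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        si_c, si_c_frac = parse_ntfs_ts(row["si_created"])
        _, si_m_frac = parse_ntfs_ts(row["si_modified"])
        fn_c, fn_c_frac = parse_ntfs_ts(row["fn_created"])
        hits = []
        # $FN is written by the kernel on create/rename/move and is not reachable
        # via SetFileTime, so an $SI creation time that predates the $FN creation
        # time means $SI was rewritten after the file actually appeared.
        if (si_c, si_c_frac) < (fn_c, fn_c_frac):
            hits.append("si_created_before_fn_created")
        # touch -t and PowerShell ".CreationTime = '...'" assignments land on
        # whole seconds, while genuine NTFS writes almost always carry a fraction.
        # Weak on its own (archive extraction also yields .0000000): triage, not proof.
        if si_c_frac == 0 and si_m_frac == 0:
            hits.append("zero_subsecond_si")
        if hits:
            findings[row["path"]] = hits
    return findings

if __name__ == "__main__":
    for path, hits in find_timestomp_indicators(SAMPLE_MFT_CSV).items():
        print(path, "->", ", ".join(hits))
```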
Log Manipulation
Logs are the primary evidence source for incident responders. Attackers target them for deletion, modification, or corruption.
Windows Event Logs
```powershell
# Clear all security logs (requires admin)
wevtutil cl Security
# Clear specific log
wevtutil cl "Windows PowerShell"
wevtutil cl Microsoft-Windows-Sysmon/Operational
# Clear all logs at once
Get-EventLog -LogName * | ForEach-Object { Clear-EventLog $_.Log }
# More stealthy: Disable logging temporarily
auditpol /set /category:"Logon/Logoff" /success:disable /failure:disable
# Stop Windows Event Log service (noisy)
Stop-Service -Name EventLog -Force
# Delete specific events (requires special tools)
# Event logs are .evtx files in C:\Windows\System32\winevt\Logs\
```
Linux Logs
```bash
# Clear auth log
cat /dev/null > /var/log/auth.log
echo "" > /var/log/auth.log
# Remove specific entries (your IP)
sed -i '/192.168.1.100/d' /var/log/auth.log
# Clear bash history
history -c
cat /dev/null > ~/.bash_history
unset HISTFILE
# Prevent history logging for session
export HISTSIZE=0
export HISTFILESIZE=0
# Clear multiple logs
for log in /var/log/*.log; do cat /dev/null > "$log"; done
# Shred logs (overwrite before delete)
shred -vfz -n 5 /var/log/auth.log
```
Advanced Log Tampering
| Technique | Description | Detection Difficulty |
|---|---|---|
| Full deletion | Clear entire log file | Easy (gap in logs obvious) |
| Selective deletion | Remove only attacker's entries | Medium (checksums may detect) |
| Event ID manipulation | Change event type/ID | Hard |
| Timestamp modification | Change event timestamps | Medium (timeline gaps) |
| Log flooding | Generate noise to hide real events | Hard (real events buried) |
Defensive countermeasure: forward logs to a remote SIEM (Splunk, ELK, etc.) in real time. Even if the local logs are cleared, the remote copies persist, and the clearing itself shows up as a sudden stop in the stream. Log integrity monitoring with checksums additionally exposes selective deletion and in-place edits.
Artifact Removal
Beyond logs, attackers leave artifacts throughout the system. Thorough cleanup requires understanding what creates artifacts.
Windows Artifacts to Remove
```powershell
# Prefetch files (shows executed programs)
Remove-Item C:\Windows\Prefetch\MALWARE*.pf -Force
# Recent files / Jump lists
Remove-Item "$env:APPDATA\Microsoft\Windows\Recent\*" -Force
Remove-Item "$env:APPDATA\Microsoft\Windows\Recent\AutomaticDestinations\*" -Force
# PowerShell history
Remove-Item (Get-PSReadlineOption).HistorySavePath -Force
# Windows Defender logs
Remove-Item "C:\ProgramData\Microsoft\Windows Defender\Scans\History\*" -Recurse -Force
# Browser artifacts (if used)
Remove-Item "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\History" -Force
Remove-Item "$env:LOCALAPPDATA\Microsoft\Edge\User Data\Default\History" -Force
# USB connection history (registry)
Remove-Item "HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR\*" -Recurse -Force
# Thumbnail cache
Remove-Item "$env:LOCALAPPDATA\Microsoft\Windows\Explorer\thumbcache_*.db" -Force
# UserAssist (tracks program execution)
Remove-Item "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\*" -Recurse -Force
# ShimCache / AppCompatCache
# Requires registry modification - persists across reboots
```
Linux Artifacts to Remove
```bash
# Command history (all shells)
rm -f ~/.bash_history ~/.zsh_history ~/.sh_history
history -c
# Recently used files
rm -rf ~/.local/share/recently-used.xbel
# Thumbnail cache
rm -rf ~/.cache/thumbnails/*
# Temp files
rm -rf /tmp/* /var/tmp/*
# Vim history
rm -f ~/.viminfo
# SSH known hosts (if connected to new systems)
rm -f ~/.ssh/known_hosts
# Systemd journal (if applicable)
journalctl --vacuum-time=1s
# Last login records
> /var/log/lastlog
> /var/log/wtmp
> /var/log/btmp
```
Memory Artifacts
```text
MEMORY-ONLY MALWARE (Fileless)
Advantages:
├── No files on disk to scan
├── Disappears on reboot
├── Harder to detect with traditional AV
└── Forensic memory acquisition required
Techniques:
├── PowerShell in-memory execution
├── .NET assembly loading (Assembly.Load)
├── Process injection (no new files)
├── Reflective DLL loading
└── Living off the land (LOLBins)
Cleanup:
├── Exit implant gracefully
├── Unload injected DLLs
├── Clear PowerShell runspace
└── Force garbage collection
```
Secure File Deletion
Simply deleting files leaves recoverable data. Forensic tools can recover "deleted" files from unallocated disk space. Secure deletion overwrites data.
Windows Secure Delete
```powershell
# Using SDelete (Sysinternals)
# Download: https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete
sdelete -p 3 C:\malware.exe    # 3-pass overwrite
sdelete -p 3 -s C:\Tools\      # Recursive directory
sdelete -c C:                  # Clean free space
# PowerShell overwrite method
$file = "C:\malware.exe"
$size = (Get-Item $file).Length
$random = New-Object byte[] $size
(New-Object Random).NextBytes($random)
[IO.File]::WriteAllBytes($file, $random)
Remove-Item $file -Force
# Using cipher (built-in)
cipher /w:C:\                  # Overwrite deleted file space
```
Linux Secure Delete
```bash
# Using shred (most common)
shred -vfz -n 5 /tmp/malware       # 5 passes + zero fill
shred -vfz -n 5 -u /tmp/malware    # Also unlink after
# Using dd
dd if=/dev/urandom of=/tmp/malware bs=1M count=10
rm /tmp/malware
# Using srm (secure-delete package)
srm -vz /tmp/malware
# Wipe free space
dd if=/dev/zero of=/tmp/wipe bs=1M
rm /tmp/wipe
# For SSDs: TRIM makes recovery harder
# But wear leveling can preserve data in other blocks
```
SSDs use wear leveling and TRIM, which make overwrite-based secure deletion unreliable: the overwrite may land on a different physical block, leaving the original data in spare blocks the host cannot address. Full disk encryption enabled before the drive is used is the best protection, since unreachable remnants are then only ciphertext.
Network Evidence Cleanup
DNS Cache
```powershell
# Windows - Clear DNS cache
ipconfig /flushdns
# View DNS cache first
Get-DnsClientCache
```

```bash
# Linux
systemd-resolve --flush-caches
# or
service nscd restart
```
ARP Cache
```powershell
# Windows
arp -d *
```

```bash
# Linux
ip neigh flush all
```
Network Connections
```text
NETWORK ARTIFACTS TO CONSIDER:
On the compromised host:
├── Active connections (netstat, ss)
├── DNS cache
├── ARP cache
├── Firewall logs
└── Browser cache/history
On the network:
├── Firewall logs
├── Proxy logs
├── DNS server query logs
├── NetFlow/IPFIX data
├── IDS/IPS alerts
├── PCAP captures (if running)
└── DHCP lease records
YOU CANNOT CLEAN:
├── Network device logs (switches, routers)
├── Upstream DNS server logs
├── ISP records
├── Cloud provider logs
└── Anything you don't control
```
Registry Cleanup
```powershell
# Remove persistence mechanisms you created
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "Updater"
Remove-Item "HKLM:\SYSTEM\CurrentControlSet\Services\MaliciousService" -Recurse
# Clear MRU (Most Recently Used) lists
Remove-Item "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" -Recurse
Remove-Item "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs" -Recurse
# Clear typed URLs (if browser used)
Remove-Item "HKCU:\Software\Microsoft\Internet Explorer\TypedURLs" -Recurse
# UserAssist (encoded program execution history)
$path = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist"
Get-ChildItem $path | ForEach-Object {
    Remove-Item $_.PSPath -Recurse -Force
}
```
Living Off the Land (Minimal Artifacts)
The best anti-forensics is creating fewer artifacts in the first place. Using built-in tools leaves smaller footprints than custom malware.
| Instead of... | Use... | Why |
|---|---|---|
| Custom malware.exe | PowerShell, certutil, mshta | No new files, signed binaries |
| Mimikatz binary | Invoke-Mimikatz (in-memory) | No file on disk |
| PuTTY/plink | OpenSSH (built into Windows) | Native tool |
| wget.exe download | certutil, bitsadmin, curl | Built-in downloaders |
| Custom C2 binary | DNS TXT records, cloud services | No persistent binary |
See Execution and LOLBAS Project for comprehensive LOLBin coverage.
MITRE ATT&CK Mapping
Anti-forensics techniques map to MITRE ATT&CK Defense Evasion (TA0005):
| Technique ID | Name | Section |
|---|---|---|
| T1070 | Indicator Removal | All cleanup techniques |
| T1070.001 | Clear Windows Event Logs | Log Manipulation |
| T1070.003 | Clear Command History | Artifact Removal |
| T1070.004 | File Deletion | Secure File Deletion |
| T1070.006 | Timestomp | Timestomping |
| T1027 | Obfuscated Files or Information | Living Off the Land |
Detection: Catching Anti-Forensics
- Timeline gaps: Missing events during suspicious periods
- $MFT discrepancies: $SI and $FN timestamp mismatches
- Event ID 1102: "Audit log was cleared" (ironically logged)
- USN Journal: Records file changes even if files deleted
- Volume Shadow Copies: May contain pre-tampered files
- Remote SIEM: Has logs even if local copies deleted
- Memory forensics: Can recover artifacts from RAM
```text
ANTI-FORENSICS DETECTION INDICATORS:
Timeline Analysis:
├── Timestamps in the future
├── Timestamps older than file system
├── Gaps in event logs
├── $SI timestamp != $FN timestamp (NTFS)
└── atime disabled but mtime modified (Linux)
Log Analysis:
├── Event ID 1102 (Security log cleared)
├── Event ID 104 (System log cleared)
├── Sudden drop in log volume
├── Missing logs for active system
└── Sysmon gaps (if deployed)
File System:
├── $MFT entries for deleted files
├── $UsnJrnl shows file operations
├── Prefetch files reference deleted executables
├── Shim cache references missing files
└── VSS contains original files
```
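As an added defender-side example (not code from the original page), the log-analysis indicators above and the SIEM countermeasure from the Log Manipulation section applied to a constructed JSON-lines export of a host's event logs, as a SIEM would still hold them after the local copies were cleared. The JSON field names, the sample events and the one-hour gap threshold are assumptions; Event IDs 1100 and 4719 are standard Windows IDs not listed on the page.

```python
import json
from datetime import datetime, timedelta

# Event IDs that record tampering with logging itself. 1102 and 104 are
# listed on the page; 1100 (event logging service shut down) and 4719
# (audit policy changed) are the standard IDs left behind by Stop-Service
# EventLog and auditpol /set respectively.
TAMPER_EVENT_IDS = {
    1102: "Security log cleared",
    104: "System/Application log cleared",
    1100: "Event logging service shut down",
    4719: "Audit policy changed",
}

# Constructed sample (not real data): SIEM-side copy of one host's events.
SAMPLE_EVENTS_JSONL = """\
{"time": "2024-03-02T13:00:00", "channel": "Security", "id": 4624}
{"time": "2024-03-02T13:05:00", "channel": "Security", "id": 4688}
{"time": "2024-03-02T13:10:00", "channel": "Security", "id": 4688}
{"time": "2024-03-02T13:12:00", "channel": "Security", "id": 4719}
{"time": "2024-03-02T13:12:30", "channel": "Security", "id": 1102}
{"time": "2024-03-02T19:40:00", "channel": "Security", "id": 4624}
{"time": "2024-03-02T13:01:00", "channel": "System", "id": 7036}
{"time": "2024-03-02T13:30:00", "channel": "System", "id": 7036}
"""

def load_events(jsonl):
    """Parse JSON lines into dicts with a datetime 'time' field."""
    events = [json.loads(line) for line in jsonl.splitlines() if line.strip()]
    for e in events:
        e["time"] = datetime.fromisoformat(e["time"])
    return events

def find_tamper_events(events):
    """Events whose ID indicates log clearing or an audit-policy change."""
    return [(e["time"].isoformat(), e["channel"], e["id"], TAMPER_EVENT_IDS[e["id"]])
            for e in events if e["id"] in TAMPER_EVENT_IDS]

def find_log_gaps(events, max_gap=timedelta(hours=1)):
    """Per channel, pairs of consecutive events further apart than max_gap;
    on a busy host such silence means logging was stopped or records removed."""
    by_channel = {}
    for e in sorted(events, key=lambda e: e["time"]):
        by_channel.setdefault(e["channel"], []).append(e["time"])
    gaps = []
    for channel, times in by_channel.items():
        for prev, cur in zip(times, times[1:]):
            if cur - prev > max_gap:
                gaps.append((channel, prev.isoformat(), cur.isoformat()))
    return gaps
```

On the sample, the 4719 immediately followed by 1102 and the six-hour silence that follows them are exactly the "audit policy disabled, then log cleared" sequence from the Log Manipulation section.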