Anti-Forensic
Destroying or falsifying evidence after the fact — timestomping, event-log clearing, USN journal and prefetch wiping.
Anti-Forensic | intermediate
Multi-pass overwriting destroys payload contents to defeat file carving, but metadata, slack, and journal residue often survive to prove a file existed.
Platforms: Windows, Linux
Anti-Forensic | beginner
Attackers clear browser history, cache, and cookies to hide payload downloads and C2 visits, but SQLite WAL and disk slack retain the records.
Platforms: Windows, Linux, macOS
Anti-Forensic | advanced
Embedding a null byte in a key name via the native API makes a registry entry invisible to regedit while it still runs at boot.
Platforms: Windows
Anti-Forensic | beginner
Attackers delete Prefetch files, Recent items, and Jump Lists to hide which programs ran, but execution evidence survives in many parallel artifacts.
Platforms: Windows
Anti-Forensic | intermediate
Intruders delete or truncate /var/log and journald files to hide activity, but sequence numbers, forwarders, and inodes expose the cut.
Platforms: Linux
Anti-Forensic | intermediate
Deleting the NTFS change journal erases a record of file activity, but it is recoverable from the MFT, $LogFile, and shadow copies.
Platforms: Windows
Anti-Forensic | intermediate
Hiding a payload in a file's named ADS keeps it off a normal directory listing, but the stream is fully indexed in the MFT.
Platforms: Windows
Anti-Forensic | advanced
Attackers delete or forge Amcache and Shimcache entries to erase execution evidence, but the two artifacts and their backups rarely agree.
Platforms: Windows
Anti-Forensic | intermediate
Malware rewrites a file's MACB timestamps to defeat timeline analysis, but the forged values rarely survive a full NTFS examination.
Platforms: Windows, Linux
Anti-Forensic | beginner
Attackers unset HISTFILE or shred .bash_history to hide commands, but the shell, kernel, and disk all retain copies the wipe never reaches.
Platforms: Linux, macOS
Anti-Forensic | beginner
Attackers wipe Windows event logs to destroy evidence, but the clearing itself is logged and leaves recoverable gaps and residue.
Platforms: Windows
Anti-Forensic | beginner
Wiping shadow copies blocks rollback before ransomware encryption, but the deletion is loud and the snapshots are often recoverable.
Platforms: Windows