{"id":23642323,"url":"https://github.com/cybersecurityup/anti-forensic-techniques","last_synced_at":"2026-01-23T09:05:14.130Z","repository":{"id":269444028,"uuid":"907436682","full_name":"CyberSecurityUP/Anti-Forensic-Techniques","owner":"CyberSecurityUP","description":null,"archived":false,"fork":false,"pushed_at":"2024-12-23T15:21:59.000Z","size":3,"stargazers_count":5,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2024-12-23T16:29:25.171Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/CyberSecurityUP.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-12-23T15:21:03.000Z","updated_at":"2024-12-23T16:27:25.000Z","dependencies_parsed_at":"2024-12-23T16:29:49.934Z","dependency_job_id":"575726c3-dca6-4ba9-9f26-99ffd16d52c5","html_url":"https://github.com/CyberSecurityUP/Anti-Forensic-Techniques","commit_stats":null,"previous_names":["cybersecurityup/anti-forensic-techniques"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CyberSecurityUP%2FAnti-Forensic-Techniques","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CyberSecurityUP%2FAnti-Forensic-Techniques/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CyberSecurityUP%2FAnti-Forensic-Techniques/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CyberSecurityUP%2FAnti-Forensic-T
echniques/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/CyberSecurityUP","download_url":"https://codeload.github.com/CyberSecurityUP/Anti-Forensic-Techniques/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":239581763,"owners_count":19662960,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-12-28T10:49:17.979Z","updated_at":"2025-11-10T15:30:19.792Z","avatar_url":"https://github.com/CyberSecurityUP.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# Anti-Forensic-Techniques\n\n### Checklist: Anti-Forensic Techniques for Windows and Linux\n\n#### **Windows Techniques**\n\n**1. Metadata Manipulation**\n   - **Timestamp Alteration**: Use `Timestomp` (from the Metasploit anti-forensics tooling) or custom tools to modify file creation, access, and modification times. These tools rewrite the `$STANDARD_INFORMATION` timestamps; the `$FILE_NAME` timestamps in the same MFT record are normally left alone, and a mismatch between the two sets is the standard timestomping indicator.\n   - **Log Editing**: Manually or automatically edit event logs using `EvtxEdit` or similar tools.\n   - **File Renaming**: Rename files to inconspicuous names or extensions.\n\n**2. Data Hiding**\n   - **Alternate Data Streams (ADS)**: Write data into an NTFS alternate data stream with shell redirection, e.g. `type payload.bin > notes.txt:hidden`; the `:hidden` stream does not show up in `dir` or Explorer. Sysinternals `streams.exe` lists and deletes streams rather than creating them, so it and `dir /r` are what a responder uses to find them.\n   - **Slack Space Utilization**: Hide data in file slack space using tools like `SlackCleaner`.\n   - **File Attribute Manipulation**: Change attributes (e.g., hidden, system) with the `attrib` command (`attrib +h +s file`); `dir /a` and any forensic tool still list such files.\n\n**3. 
Obfuscation**\n   - **Executable Packing**: Use tools like UPX to pack or obfuscate binaries. Stock UPX is reversed with `upx -d` and its section names are a signature in their own right, so it defeats only superficial inspection.\n   - **Encryption**: Encrypt volumes with `BitLocker` (it works on whole volumes, not individual files), individual files with EFS (`cipher /e`), or use third-party tools.\n   - **Registry Obfuscation**: Store payloads or configuration in obscure registry keys.\n\n**4. Log and Artifact Clearing**\n   - **Event Logs**: Use `wevtutil` to clear event logs:\n     ```powershell\n     wevtutil cl System\n     ```\n     Clearing is itself logged: clearing the Security log records Event ID 1102 there, clearing any other channel records Event ID 104 in the System log, and events already forwarded to a collector or SIEM are unaffected.\n   - **Prefetch Cleaning**: Delete files in `C:\\Windows\\Prefetch`; `.pf` files are recreated for every program run afterwards, and an empty Prefetch directory on a normally configured machine is an indicator by itself.\n   - **Recycle Bin**: Empty recycle bin contents.\n\n**5. Disk Manipulation**\n   - **Wiping Tools**: Use `sdelete` or similar to overwrite file contents before deletion. The MFT record, the USN journal and `$LogFile` can still carry the file name, and overwriting gives no guarantee on SSDs because of wear levelling.\n   - **Volume Shadow Copy Deletion** (requires an elevated prompt):\n     ```powershell\n     vssadmin delete shadows /all /quiet\n     ```\n   - **Hibernation File Removal** (disables hibernation and removes `hiberfil.sys`, which holds a memory image):\n     ```powershell\n     powercfg -h off\n     ```\n\n**6. Memory and Process Manipulation**\n   - **Anti-Analysis**: Use checks like those in `Pafish` to detect virtual machines, sandboxes and debuggers and stop running before a memory capture is taken. `Pafish` itself is a test suite that demonstrates such checks; it does not prevent memory dumps.\n   - **Process Hollowing**: Replace the memory of a legitimate process with malicious code.\n\n**7. Network Obfuscation**\n   - **Proxy Usage**: Route traffic through proxies or VPNs.\n   - **Firewall Rules**: Create rules that stop EDR or forensic agents from reaching their collection servers.\n   - **DNS Manipulation**: Redirect traffic to fake or benign domains.\n\n---\n\n#### **Linux Techniques**\n\n**1. Metadata Manipulation**\n   - **Timestamp Alteration**: Use `touch` to modify file timestamps (`-t` takes `[[CC]YY]MMDDhhmm[.ss]`; `-r reffile` copies another file's times instead):\n     ```bash\n     touch -t 202401010101 targetfile\n     ```\n     `touch` rewrites atime and mtime only; the kernel sets ctime to the current time on every such change, so a ctime far newer than the mtime is the usual tell.\n   - **Inode Modification**: Use tools like `debugfs` (opened with `-w` on an unmounted or read-only ext2/3/4 filesystem) to edit inode metadata directly, e.g. `set_inode_field <file> ctime <value>`, which reaches the ctime that `touch` cannot.\n\n**2. Data Hiding**\n   - **Hidden Directories**: Use `.` prefix to create hidden directories (`ls -a` and `find` still list them).\n   - **Steganography**: Hide data in images or other file formats using tools like `steghide`.\n   - **Encrypted Filesystems**: Keep data on an encrypted filesystem such as EncFS or eCryptfs so it is unreadable without the key.\n\n**3. 
Obfuscation**\n   - **Binary Packing**: Compress executables with `upx`. As on Windows, stock UPX is reversed with `upx -d` and the packer itself is a signature.\n   - **Custom Encoding**: Encode scripts with `base64` (this obscures, it does not encrypt) or compile them into a binary with `shc`; the original script is still embedded in the `shc` binary and is recoverable from the running process.\n\n**4. Log and Artifact Clearing**\n   - **Log Deletion**:\n     ```bash\n     rm -rf /var/log/*\n     ```\n     Deleting rather than truncating is noisy: the missing files are an obvious indicator, a daemon that still has a log open keeps its contents reachable through `/proc/<pid>/fd` until it restarts, and entries already shipped to a remote syslog or stored by `journald` are unaffected.\n   - **Command History Clearing** (`history -c` empties the in-memory list; `unset HISTFILE` stops the current shell from writing a new file on exit):\n     ```bash\n     history -c \u0026\u0026 rm ~/.bash_history\n     unset HISTFILE\n     ```\n   - **Temp File Cleanup**:\n     ```bash\n     rm -rf /tmp/*\n     ```\n\n**5. Disk Manipulation**\n   - **Secure File Deletion**: Use `shred` or `dd` to overwrite data before deleting it:\n     ```bash\n     shred -u targetfile\n     ```\n     `shred` only helps where the filesystem overwrites blocks in place; on journaled, copy-on-write (btrfs, ZFS) or snapshotted filesystems and on SSDs with wear levelling, old copies of the data can survive, as the `shred` manual itself warns.\n   - **Partition Wiping** (run as root against an unmounted device; overwrites every block of the device):\n     ```bash\n     dd if=/dev/zero of=/dev/sdX bs=1M\n     ```\n\n**6. Memory and Process Manipulation**\n   - **Process Cloaking**: Use `libprocesshider`, an `LD_PRELOAD` library (usually registered in `/etc/ld.so.preload`) that hooks `readdir` so `ps`, `top` and other dynamically linked tools skip the chosen process. Statically linked tools and offline inspection of the disk are unaffected, and the preload entry is itself an artifact.\n   - **Kill Forensic Tools**: Identify and terminate forensic processes with `pkill`; killing an EDR agent typically makes its server notice the lost heartbeat.\n\n**7. Network Obfuscation**\n   - **MAC Address Spoofing** (`ifconfig` is the legacy form; `ip link` is the current one):\n     ```bash\n     ifconfig eth0 hw ether XX:XX:XX:XX:XX:XX\n     ip link set dev eth0 down \u0026\u0026 ip link set dev eth0 address XX:XX:XX:XX:XX:XX \u0026\u0026 ip link set dev eth0 up\n     ```\n   - **VPN and Proxy Usage**: Route traffic through `OpenVPN` or `tor`.\n   - **Log Tampering**: Alter `/var/log/auth.log` to obscure SSH or other access logs. Logins are also recorded in `/var/log/wtmp`, `/var/log/btmp` and `/var/log/lastlog` and, on systemd hosts, in the journal, so editing one text log leaves the others inconsistent.\n\n---\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcybersecurityup%2Fanti-forensic-techniques","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcybersecurityup%2Fanti-forensic-techniques","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcybersecurityup%2Fanti-forensic-techniques/lists"}
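The `touch -t` timestomp item in the Linux checklist above, worked through end to end as an added example (this is not code from the CyberSecurityUP repository): it backdates a constructed file with `touch -t` the way the checklist does, then shows the ctime tell a responder looks for, using GNU `stat -c '%Y %Z'` (assumed: Linux with GNU coreutils) and a small scan function that flags files whose ctime is more than a day newer than their mtime. The threshold and the function names are my own.

```bash
#!/usr/bin/env bash
# Added example (not part of the original README): timestomp a file with
# `touch -t` exactly as the Linux checklist does, then show why it is not
# enough. Assumes GNU coreutils `stat` (the -c format) on Linux.

# Print mtime and ctime of a file as epoch seconds.
file_times() {
    stat -c '%Y %Z' "$1"
}

# Heuristic: `touch` rewrites atime/mtime, but the kernel sets ctime to
# "now", so a file whose ctime is far newer than its mtime is a timestomp
# candidate. Returns 0 if ctime - mtime exceeds SLACK seconds (default 1 day).
timestomp_suspect() {
    local f="$1" slack="${2:-86400}" times
    times=$(file_times "$f") || return 2
    set -- $times
    [ $(( $2 - $1 )) -gt "$slack" ]
}

# Walk a directory and print every file the heuristic flags.
scan_dir() {
    local dir="$1" slack="${2:-86400}" f
    find "$dir" -type f | while IFS= read -r f; do
        if timestomp_suspect "$f" "$slack"; then
            printf '%s\n' "$f"
        fi
    done
}

# Self-contained demo on constructed files: one left alone, one backdated.
demo() {
    local d
    d=$(mktemp -d)
    printf 'untouched\n' > "$d/normal.txt"
    printf 'evidence\n' > "$d/stomped.txt"
    touch -t 202401010101 "$d/stomped.txt"   # the checklist's timestomp step
    printf 'mtime ctime of stomped file: %s\n' "$(file_times "$d/stomped.txt")"
    printf 'flagged by scan_dir: %s\n' "$(scan_dir "$d")"
    rm -rf "$d"
}

demo
```

The one-day slack is a tuning knob: build or package tooling legitimately sets old mtimes on fresh files, so on a real host the scan is a triage filter, not a verdict, and `debugfs` can rewrite ctime as well, which this check would miss.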
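The `rm -rf /var/log/*` item in the Linux checklist above, as an added example that is not part of the original README: a constructed log line, a `sleep` standing in for a daemon that keeps the log open, and the responder's recovery of the unlinked file through `/proc/<pid>/fd`. It assumes Linux with `/proc` and GNU `find`; the function names and the sample entry are mine.

```bash
#!/usr/bin/env bash
# Added example (not part of the original README): the checklist deletes logs
# with `rm -rf /var/log/*`, but unlinking a file that a daemon still holds
# open does not destroy its contents. Linux keeps the inode alive until the
# last descriptor closes, and /proc/<pid>/fd exposes it. Assumes Linux.

# Responder side: list descriptors whose target under DIR is marked (deleted).
# Other users' processes are skipped silently when not running as root.
find_deleted_open_files() {
    find /proc/[0-9]*/fd -lname "$1/* (deleted)" 2>/dev/null
}

# End-to-end demo with a constructed log line and a `sleep` standing in for
# the daemon that keeps the log open. Prints the recovered line.
recover_unlinked_log() {
    local dir log pid link recovered
    dir=$(mktemp -d)
    log="$dir/app.log"
    printf 'sshd: Accepted password for alice\n' > "$log"   # constructed entry
    sleep 30 3<"$log" &                                     # "daemon" holding fd 3
    pid=$!
    while [ ! -L "/proc/$pid/fd/3" ]; do sleep 0.1; done    # wait for the open
    rm "$log"                                               # the anti-forensic step
    link=$(find_deleted_open_files "$dir" | head -n 1)
    if [ -z "$link" ]; then
        kill "$pid" 2>/dev/null
        return 1
    fi
    recovered=$(cat "$link")                                # still readable
    kill "$pid" 2>/dev/null
    wait "$pid" 2>/dev/null || true
    rmdir "$dir"
    printf '%s\n' "$recovered"
}

recover_unlinked_log
```

On a real host the same `find` over `/proc/[0-9]*/fd -lname '/var/log/* (deleted)'` is the triage step, and copying the descriptor target with `cp` or `cat` preserves the log before the daemon is restarted and the inode is finally freed.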