
Anti-Forensics (and Anti-Anti-Forensics) Techniques for Incident Responders

2-day in-person

A full-spectrum dive into anti-forensics across Windows and Linux (with a tad of macOS, if time permits), centered on real incidents and modern attacker behavior.

The course walks through classic log wiping, deeper filesystem tricks, PowerShell, timestomping, sandbox artifacts, memory-only execution, endpoint solution blind spots, and advanced Linux log manipulation.

Course Overview


Each technique is paired with detection logic, weaknesses in attacker tradecraft, and practical forensic recovery paths. The material emphasizes hands-on analysis, including MFT/SRUM/USN artifacts, ETW traces, VHDX extraction, /proc-based investigation, and highlights new research and tooling that shape current offensive and defensive strategies.


With many examples from real-world Incident Response cases, this course is an excellent addition to regular forensic classes.



Course outline

Part One - Windows

1. Introduction & Context

  • Origins of anti-forensics (THC 1995, NATO 2015)

  • How red/blue/purple perspectives frame the topic


2. Simple Anti-Forensics

  • Basic log-clearing techniques

  • Clearing MRU, TypedPaths, Recent Items

  • Event log wiping with wevtutil

  • What does “cover your tracks” actually mean?


3. File Deletion & NTFS Internals

  • How deletion works on NTFS (MFT entries, slack)

  • File recovery from MFT / I30

  • sdelete, Cipher, wiping approaches

  • USN Journal fundamentals

  • Disabling or deleting USN records


4. Detection & Analyst Artifacts

  • MFT slack space

  • SRUM: usage insights, real-case examples

  • Limitations of selective SRUM manipulation

  • AppCmd misuse (attacker vs defender perspectives)


5. PowerShell Traces

  • PowerShell transcripts

  • ConsoleHost_history & PSReadLine

  • How attackers tamper with PSReadLine paths and styles

  • Limitations of Clear-History

  • Turla-style PowerShell ETW evasion attempts



6. Microsoft Defender (MP) Logs

  • Threat, engine, and scan artifacts

  • ClickFix campaign example



7. Timestomping in Depth

  • Tell-tale signs (and false assumptions)

  • touch.exe usage (UnxUtils)

  • File system tunneling

  • Velociraptor / KAPE analysis approaches

  • LNK-file metadata behavior


8. Additional Windows Artifacts

  • UAL (User Access Logging)

  • Windows Error Reporting (WER)

  • Bitmap Cache remnants from RDP

  • Firewall logs

  • PFRO.log behavior

  • Temporary event logs (Temp EVTX)

  • NTFS Operational logs

  • Shimcache, Clipboard, SearchService

  • Screenshots

  • Various other artifacts


9. Windows Sandbox & VHDX Forensics

  • How sandbox storage works

  • What artifacts persist

  • Extracting and analyzing differential disks


10. WSL & Service Abuse

  • WSL forensics and anti-forensics

  • Red-team service creation patterns and host cleanup issues


11. Exotic & Overlooked Artifacts

  • Palo Alto WildFire temp-file detections

  • Crash dump artifacts

  • Phant0m (Windows Event Log Killer) behavior

  • ETW provider disabling (Defender, PowerShell)

  • auditpol abuse patterns


Part Two - Linux

12. Linux Anti-Forensics

  • dmesg clearing pitfalls (journalctl -k)

  • Syslog wiping (bleach) and what remains

  • Journal manipulation and persistence

  • memfd_create & fileless execution

  • /proc as an investigation goldmine

  • DDExec

  • Bash history avoidance strategies

  • File Deletion & Recovery

  • /proc and Runtime Forensics


13. Advanced Loading & Evasion

  • Dynamic loader abuse

  • Memory-only execution flows

  • Reconstructing ELF binaries from mapped regions

  • Using eBPF to silence logging mechanisms

  • Introduction to Linux Rootkits


Part Three - BONUS (If time permits) - macOS

  • Short detour into the wonderful world of macOS forensics

  • macOS Security Artifacts


Target Audience


Incident responders and SOC analysts who want to learn more about (obscure) forensic artifacts, to be a step ahead of the threat actors. Based on real-life experience, this course goes beyond a regular forensic class.

Pre-requisites


  • Laptop (16 GB RAM or more) capable of running 2 VMs simultaneously (Windows 11 and Linux)

  • VM software (VMware/VirtualBox/...)

  • Admin rights

  • 2 Lab Virtual Machines



We will send out detailed VM lab machine instructions about 2 weeks before class. Your 2 lab VMs must be set up prior to the start of class!

Trainer Bio


Stephan Berger has over a decade of experience in cybersecurity. Currently working at the Swiss-based company InfoGuard, Stephan investigates breaches and compromised networks as Head of Investigations for the Incident Response team. An avid Twitter user under the handle @malmoeb, he actively shares insights on cybersecurity trends and developments. Stephan also authors the blog DFIR.ch, where he provides in-depth analysis and commentary on digital forensics and incident response. Stephan has spoken at numerous conferences, sharing his expertise with audiences worldwide.


Twitter (X): @malmoeb

LinkedIn: Link
