This repository has been archived by the owner on Mar 28, 2023. It is now read-only.
Implement detection of filesystem anti-forensics #34
Labels: detections (Related to sensors and/or detection capabilities), enhancement (New feature or request), icebox, question (Further information is requested)
Although macOS uses APFS now, not HFS+, there may be methods of filesystem anti-forensics similar to the use of Alternate Data Streams on NTFS volumes, by which an attacker might hide their presence on the filesystem.
Research and further detail is needed here, to determine what exactly should be getting detected. It might build upon issue #23.
The feasibility challenge is that any kind of whole-filesystem activity monitoring is performance prohibitive.
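One cheap, on-demand alternative to whole-filesystem monitoring is a targeted sweep of extended attributes, which are the closest APFS-side analogue to NTFS Alternate Data Streams. The script below is an added example, not code from this project: it assumes that analogy holds, parses the output of macOS `ls -l@R` (which lists each attribute tab-indented under its file), and flags attributes outside Apple's own namespace or carrying an unusually large payload. The sample listing, file names and the 4096-byte threshold are constructed.

```python
"""Flag macOS xattrs that could hide data like NTFS Alternate Data Streams. Added example,
not this project's code; assumes xattrs are the APFS analogue of ADS and parses `ls -l@R`."""
import subprocess, sys

KNOWN_PREFIXES = ("com.apple.",)  # assumption: Apple-written attributes are routine
LARGE_XATTR_BYTES = 4096          # assumption: bigger payloads deserve a look

def parse_ls_at(text):
    """Parse `ls -l@R` output into {path: {attr_name: size_bytes}}."""
    result, current_dir, current_file = {}, "", None
    for line in text.splitlines():
        if not line.strip() or line.startswith("total "):
            continue
        if line[0] in " \t":          # attribute line for the preceding file
            name, size = line.split()[:2]
            if current_file is not None:
                result.setdefault(current_file, {})[name] = int(size)
            continue
        fields = line.split(None, 8)  # mode links owner group size mon day time name
        if len(fields) == 9:
            current_file = f"{current_dir}/{fields[8]}" if current_dir else fields[8]
        elif line.endswith(":"):      # recursive listing: directory header
            current_dir, current_file = line[:-1], None
    return result

def flag_suspicious(xattr_map):
    """Return [(path, attr, size, reason)]: unknown namespace or unusually large payload."""
    findings = []
    for path, attrs in sorted(xattr_map.items()):
        for attr, size in sorted(attrs.items()):
            if not attr.startswith(KNOWN_PREFIXES):
                findings.append((path, attr, size, "unknown namespace"))
            elif size >= LARGE_XATTR_BYTES:
                findings.append((path, attr, size, "large payload"))
    return findings

# Constructed sample of `ls -l@R` output (not captured from a real host).
SAMPLE_LS_OUTPUT = """/tmp/scan:
-rw-r--r--@ 1 alice  staff   12 Mar 10 12:00 my notes.txt
\tcom.apple.quarantine\t   22 
\tcom.apple.ResourceFork\t 8192 
-rw-r--r--@ 1 alice  staff    0 Mar 10 12:01 empty.dat
\tuser.payload\t65536 
"""

if __name__ == "__main__":
    out = (subprocess.run(["ls", "-l@R", sys.argv[1]], capture_output=True, text=True).stdout
           if len(sys.argv) > 1 else SAMPLE_LS_OUTPUT)
    for finding in flag_suspicious(parse_ls_at(out)):
        print("%s\t%s\t%d bytes\t(%s)" % finding)
```

Run with a directory argument on a Mac to scan it, or with no argument to see the constructed sample processed.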