Santi Abastante
Former Police Officer from Argentina, now a Cloud Incident Responder and Security Engineer with over 10 years of IT experience. A Digital Nomad and international speaker, I've presented on Cloud Security and Incident Response at Ekoparty, FIRST, Virus Bulletin (three times), Hack.Lu, and various BSides events worldwide. I hold a Bachelor's degree in Information Security and an MBA (Master in Business Administration).
Session
Antiforensics refers to a set of techniques, tools, or practices used to hinder, mislead, or obstruct digital forensic investigations. In cloud environments this opens opportunities for attackers to intentionally disable or tamper with logs, use short-lived compute resources like AWS Lambda to carry out malicious actions, and store payloads in less-monitored services like object storage or serverless APIs. Effective cloud forensic readiness requires proactive measures such as enabling comprehensive logging (e.g., CloudTrail, VPC Flow Logs), enforcing strict IAM policies, and integrating tamper-evident storage solutions to preserve the integrity of evidence.
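One concrete form of the tamper-evident storage mentioned above, as an added example that is not part of the session or the speaker's material: a simplified hash chain over log files in the style of CloudTrail log file validation. Each digest record carries the SHA-256 of the log file it covers plus the hash of the previous digest record, so a modified or deleted file breaks the chain; the real AWS feature additionally signs each digest file with an AWS-held key, which this model replaces with an out-of-band "anchor" (the latest digest hash stored where the attacker cannot reach it). The file names, log contents and anchor handling are constructed for the example.

```python
import hashlib
import json

# Constructed stand-ins for CloudTrail log objects in an S3 bucket.
SAMPLE_LOGS = {
    "2024/log-0001.json": json.dumps({"eventName": "AssumeRole", "user": "analyst"}),
    "2024/log-0002.json": json.dumps({"eventName": "StopLogging", "user": "intruder"}),
    "2024/log-0003.json": json.dumps({"eventName": "DeleteTrail", "user": "intruder"}),
}
GENESIS = "0" * 64  # back-pointer of the first digest record


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_digest_chain(logs: dict) -> list:
    """Build an ordered chain of digest records. Each record holds the hash of one
    log file and the hash of the previous digest record, so changing or removing any
    earlier file (or record) invalidates every later link."""
    chain = []
    prev_digest_hash = GENESIS
    for key in sorted(logs):
        record = {
            "logFile": key,
            "logFileHash": sha256_hex(logs[key].encode()),
            "previousDigestHash": prev_digest_hash,
        }
        digest_hash = sha256_hex(json.dumps(record, sort_keys=True).encode())
        chain.append({"record": record, "digestHash": digest_hash})
        prev_digest_hash = digest_hash
    return chain


def verify_digest_chain(logs: dict, chain: list, anchor: str = None) -> list:
    """Return a list of findings; an empty list means the evidence verifies.
    `anchor` is the chain head as stored out of band (e.g. in a separate account);
    without it an attacker who controls the bucket can rebuild a consistent chain."""
    findings = []
    expected_prev = GENESIS
    for link in chain:
        record = link["record"]
        # Digest integrity: recompute the record hash and check the back-pointer.
        if sha256_hex(json.dumps(record, sort_keys=True).encode()) != link["digestHash"]:
            findings.append(f"digest record for {record['logFile']} was altered")
        if record["previousDigestHash"] != expected_prev:
            findings.append(f"chain broken before {record['logFile']}")
        # Log file integrity: the file is missing or its content no longer matches.
        content = logs.get(record["logFile"])
        if content is None:
            findings.append(f"{record['logFile']} is missing")
        elif sha256_hex(content.encode()) != record["logFileHash"]:
            findings.append(f"{record['logFile']} was modified")
        expected_prev = link["digestHash"]
    if anchor is not None and (not chain or chain[-1]["digestHash"] != anchor):
        findings.append("chain head does not match out-of-band anchor")
    return findings


def run_scenarios() -> dict:
    """Exercise the verifier against intact, modified, deleted and rebuilt evidence."""
    chain = build_digest_chain(SAMPLE_LOGS)
    anchor = chain[-1]["digestHash"]  # what a defender would copy to a separate store

    modified = dict(SAMPLE_LOGS)
    modified["2024/log-0002.json"] = json.dumps({"eventName": "ConsoleLogin", "user": "analyst"})
    deleted = dict(SAMPLE_LOGS)
    del deleted["2024/log-0003.json"]
    rebuilt = build_digest_chain(modified)  # attacker re-chains after editing a file

    return {
        "intact": verify_digest_chain(SAMPLE_LOGS, chain),
        "modified": verify_digest_chain(modified, chain),
        "deleted": verify_digest_chain(deleted, chain),
        "rebuilt_no_anchor": verify_digest_chain(modified, rebuilt),
        "rebuilt_with_anchor": verify_digest_chain(modified, rebuilt, anchor=anchor),
    }


if __name__ == "__main__":
    for name, findings in run_scenarios().items():
        print(f"{name}: {findings or 'OK'}")
```

The last two scenarios are the point for defenders: when the digest chain lives in the same bucket as the logs, an attacker with write access can edit a file and regenerate every digest, and verification passes; only an anchor kept outside the attacker's reach (a signature key held by the provider, a copy of the chain head in a separate account, or an object-lock-protected digest store) turns the same edit into a detectable break.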
In this demo-driven technical presentation I'll begin by introducing the audience to how log collection, security detection and digital forensics are executed in AWS environments: what services are needed to ship data to a SIEM, what delays we can take advantage of, how GuardDuty works, and how SOC teams are getting non-cloud-specific logs from servers using SSM. Then I will demonstrate how an attacker can leverage commonly known blind spots, like the shared responsibility model's lack of visibility and the internal delays between log generation and log collection, to execute antiforensics techniques with the objective of hindering an investigator's ability to recover, analyze, or attribute activity related to cloud-based attacks.