Anti-forensics is the set of techniques attackers use to hide their activity, destroy evidence, or make security investigations harder. Instead of only breaking into a system, the attacker also tries to reduce what defenders can see afterward. Common examples include deleting logs, wiping shadow copies and backups, timestomping (altering file timestamps so a file looks older or untouched), clearing event records, using encrypted or obfuscated payloads, and staging tools in ways that blend into normal administration.
In cyber security, anti-forensics matters because it delays detection, weakens incident response, and can obscure the initial access vector, lateral movement, and data theft. Ransomware groups often use these methods to slow recovery and increase pressure on victims. Defenders look for unusual log gaps, disabled auditing, tampered timestamps, missing backups, and sudden loss of telemetry. Good logging, centralized log collection, immutable backups, and endpoint detection help reduce the impact of anti-forensic behavior.
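A small triage script for three of the indicators the paragraph lists (silent stretches in a host's log, events recording that an audit log was cleared, and timestamps that do not agree with each other). This is an added example, not code from the page; every log line and file record in it is constructed. It assumes an export format where each file carries `si_modified` (from NTFS `$STANDARD_INFORMATION`, which common timestomping tools rewrite) and `fn_created` (from `$FILE_NAME`, which they usually leave alone); the event IDs 1102 and 104 are the real Windows IDs for a cleared Security log and a cleared System log.

```python
from datetime import datetime, timedelta

# Constructed sample event log: "<ISO timestamp> <event id> <message>" per line.
# These lines are made up for the example; 1102 and 104 are the Windows event IDs
# written when the Security log and the System log are cleared.
SAMPLE_LOG = """\
2024-03-01T09:00:00 4624 logon user=alice
2024-03-01T09:05:00 4688 process=cmd.exe parent=explorer.exe
2024-03-01T09:06:00 4688 process=vssadmin.exe parent=cmd.exe
2024-03-01T12:30:00 1102 audit log cleared by user=alice
2024-03-01T12:31:00 4624 logon user=alice
"""

LOG_CLEARED_IDS = {"1102", "104"}

# Constructed file records, as an MFT parser export might provide them (assumed
# field names): si_* from $STANDARD_INFORMATION, fn_* from $FILE_NAME.
SAMPLE_FILES = [
    {"path": "C:\\Windows\\Temp\\helper.dll",
     "si_modified": "2019-06-10T08:00:00",
     "fn_created": "2024-03-01T11:50:00.123456"},
    {"path": "C:\\Users\\alice\\report.docx",
     "si_modified": "2024-02-21T15:30:00.445566",
     "fn_created": "2024-02-20T10:00:00.222333"},
]


def parse_log(text):
    """Parse the constructed log format into sorted (timestamp, event_id, message) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, message = line.split(" ", 2)
        events.append((datetime.fromisoformat(ts), event_id, message))
    return sorted(events, key=lambda e: e[0])


def find_log_gaps(events, max_gap=timedelta(hours=1)):
    """Return (start, end, seconds) for every silent stretch longer than max_gap.

    A host that normally logs every few minutes and then goes quiet for hours
    is a classic sign of disabled auditing or a stopped log forwarder.
    """
    gaps = []
    for (t_prev, _, _), (t_next, _, _) in zip(events, events[1:]):
        delta = t_next - t_prev
        if delta > max_gap:
            gaps.append((t_prev, t_next, int(delta.total_seconds())))
    return gaps


def find_log_clears(events):
    """Return the events that record an audit log being cleared."""
    return [e for e in events if e[1] in LOG_CLEARED_IDS]


def timestomp_suspects(files):
    """Flag files whose $STANDARD_INFORMATION times disagree with $FILE_NAME.

    Two weak signals are combined: the SI modified time predating the FN
    creation time (the content claims to be older than the name entry), and an
    SI timestamp with a zeroed sub-second part while the FN timestamp has one,
    which is what tools that set whole-second times tend to leave behind.
    """
    suspects = []
    for f in files:
        si_modified = datetime.fromisoformat(f["si_modified"])
        fn_created = datetime.fromisoformat(f["fn_created"])
        reasons = []
        if si_modified < fn_created:
            reasons.append("si_modified_before_fn_created")
        if si_modified.microsecond == 0 and fn_created.microsecond != 0:
            reasons.append("zero_subsecond_si")
        if reasons:
            suspects.append((f["path"], reasons))
    return suspects


def audit(log_text, files, max_gap=timedelta(hours=1)):
    """Run all three checks and return the findings in one dict."""
    events = parse_log(log_text)
    return {
        "gaps": find_log_gaps(events, max_gap),
        "log_clears": find_log_clears(events),
        "timestomp": timestomp_suspects(files),
    }


if __name__ == "__main__":
    for kind, findings in audit(SAMPLE_LOG, SAMPLE_FILES).items():
        print(kind)
        for finding in findings:
            print("  ", finding)
```

On the sample data the script reports a gap of 12240 seconds ending at the 1102 event, the 1102 event itself, and `helper.dll` for both timestamp reasons. None of these is proof on its own (copied files and planned maintenance windows produce similar patterns), which is why the checks are combined and why centralized, append-only log collection matters: a cleared local log cannot erase what was already forwarded.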