
Insider Threat Matrix™
  • ID: AF022.004
  • Created: 20th May 2025
  • Updated: 01st November 2025
  • Platforms: Windows, Linux, MacOS
  • MITRE ATT&CK®: T1564.006, T1564
  • Contributor: The ITM Team

Snapshots and Rollbacks to Remove Evidence

The subject uses virtual machine snapshots, checkpoints, or revert-to-save-state features to erase forensic evidence of activity within a virtualized environment. By taking a snapshot before conducting malicious or high-risk operations, the subject ensures they can later roll the system back—removing all traces of files, commands, logs, and process history created during the session.


This technique allows the subject to:


  • Create disposable execution environments for malware, exfiltration staging, or credential harvesting.
  • Test or refine malicious payloads without contaminating the final operating state.
  • Erase system logs, shell history, temp files, or volatile indicators without needing individual cleanup.
  • Avoid triggering file integrity monitoring or host-based change detection on the base image.
  • Delay detection by performing actions in a timeline that no longer exists once the rollback is complete.


Example Scenarios:


  • A subject launches a virtual machine, takes a snapshot, and performs a simulated ransomware attack using internal files. After testing, they roll back to the original snapshot, deleting all evidence of tool execution, encryption activity, and lateral movement.
  • During a data staging operation, the subject collects documents within a VM and compresses them. After extraction, they revert the VM to a pre-staging snapshot, eliminating any trace of the aggregation.
  • An insider uses nested virtualization to test payload delivery across OS versions. Each test is followed by a rollback, leaving no visible trace of the toolsets used or the compromised states created.
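Host-side snapshot events survive a rollback even when everything inside the guest is gone, so pairing a snapshot creation with a later revert to that snapshot marks the window of guest activity that was erased. As an added illustration (not part of the ITM entry), this Python script runs that correlation over constructed, hypervisor-neutral audit records and flags short-lived snapshots; the CSV layout and the 12-hour threshold are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed host-side audit records (not a real hypervisor log format).
# Fields: timestamp, VM name, action, snapshot name.
SAMPLE_EVENTS = """\
2025-05-20T09:02:11Z,analyst-vm01,snapshot_create,pre-test
2025-05-20T09:05:40Z,build-vm07,snapshot_create,nightly
2025-05-20T11:47:03Z,analyst-vm01,snapshot_revert,pre-test
2025-05-21T09:06:00Z,build-vm07,snapshot_revert,nightly
"""

@dataclass
class ErasedWindow:
    vm: str
    snapshot: str
    start: datetime   # snapshot taken: guest state frozen here
    end: datetime     # revert: everything after start is discarded

    @property
    def duration(self) -> timedelta:
        return self.end - self.start

def parse_events(text):
    """Parse the constructed CSV records into (timestamp, vm, action, snapshot) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, vm, action, snap = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), vm, action, snap))
    return sorted(events)

def find_erased_windows(text):
    """Pair each revert with the most recent creation of the same snapshot on the same VM.
    The interval between them is the guest timeline that no longer exists after rollback,
    so guest-side logs for that interval must come from an external collector."""
    pending = {}
    windows = []
    for ts, vm, action, snap in parse_events(text):
        key = (vm, snap)
        if action == "snapshot_create":
            pending[key] = ts
        elif action == "snapshot_revert" and key in pending:
            windows.append(ErasedWindow(vm, snap, pending[key], ts))
    return windows

def suspicious_windows(text, max_age=timedelta(hours=12)):
    """Snapshots created and reverted within max_age fit the disposable-session
    pattern; long-lived ones (routine checkpoints) are left out of the alert."""
    return [w for w in find_erased_windows(text) if w.duration <= max_age]
```

Each flagged window gives the exact interval to pull from forwarded guest logs, network telemetry, or file-access records held outside the VM.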