- ID: AF028
- Created: 6th October 2025
- Updated: 8th October 2025
- Contributor: The ITM Team
Stalling
The subject engages in behaviors intended to delay or obstruct the progress of an insider threat investigation. Stalling tactics may include non-responsiveness to communication, abrupt leave (authorized or unauthorized), or technical interference with containment procedures. These actions exploit process gaps, procedural deference, or infrastructure limitations to hinder interviews, evidence preservation, or forensic collection. When patterned or strategically timed, stalling should be treated as an intentional anti-forensic behavior.
Subsections
| ID | Name | Description |
|---|---|---|
| AF028.001 | Authorized Leave | The subject deliberately leverages formally approved leave, such as annual vacation, sick leave, or medically certified absence, to delay or frustrate investigative procedures. This tactic may be employed after becoming aware of organizational suspicion, active inquiry, or impending enforcement action. By taking sanctioned time off, the subject restricts opportunities for time-sensitive interviews, effectively obstructing the pace of investigation without violating leave policy. |
| AF028.005 | Connectivity Obstruction | The subject deliberately removes a corporate device from network connectivity to obstruct remote monitoring, containment, or forensic acquisition with the intent to frustrate and delay an investigation, or avoid detection while conducting local activity. This may involve disabling Wi-Fi or Ethernet, enabling airplane mode, disabling a network interface, removing SIM cards, or disconnecting from the organization's virtual private network (VPN).<br>In some cases, the subject may physically relocate the device outside managed infrastructure, such as taking it off-premises or into unmonitored environments, further complicating retrieval and response. By operating offline or outside trusted channels, the subject effectively severs telemetry pipelines (EDR, SIEM, UAM), limiting visibility into device activity, user behavior, or policy violations.<br>Unlike powering off, this tactic allows the subject to continue accessing, modifying, or destroying data while bypassing containment triggers or remote access restrictions. |
| AF028.003 | Lack of Communication | The subject avoids or delays engagement with the investigation by failing to respond to formal communication attempts. This anti-forensic behavior manifests as ignored meeting requests, prolonged email silence, delayed replies to HR or Legal correspondence, or refusal to engage in scheduled discussions. In more sophisticated cases, the subject may cite external justifications, such as stress, workload, or active legal consultation, to defer interaction without outright refusal.<br>These behaviors often emerge once the subject becomes aware of investigative scrutiny or anticipates disciplinary action. While not overtly obstructive in isolation, the cumulative impact of sustained communication avoidance can materially hinder the investigation's pace and prevent timely evidence preservation, containment, or escalation.<br>This tactic is particularly effective in organizations where procedural deference, wellness accommodations, or interdepartmental dependencies limit the ability to enforce timely cooperation. Investigators should treat communication silence, especially when it follows a triggering event, as a potential indicator of an anti-forensic strategy and escalate accordingly. |
| AF028.004 | Powering Off Devices | The subject deliberately powers off corporate devices to obstruct remote forensic acquisition, containment, or monitoring. This tactic prevents endpoint detection and response (EDR) tools, disk imaging systems, and memory capture utilities from executing, delaying evidence collection and hindering response actions.<br>Often triggered by awareness of investigative scrutiny, powering down devices can result in the loss of volatile data and disruption of containment workflows. The tactic is especially effective in environments reliant on real-time telemetry or remote tooling.<br>This activity could be considered an anti-forensics technique, especially when the device is powered off during periods where the subject is expected to be working. |
| AF028.002 | Unauthorized Leave | The subject avoids investigative scrutiny by failing to report to work without formal authorization, also known as Absence Without Leave (AWOL). This may occur immediately after detection avoidance behaviors or in anticipation of policy enforcement. By going dark, the subject hinders interview scheduling and limits organizational recourse under standard HR workflows. This tactic may also serve to buy time for evidence destruction, off-site data transfer, or the coordination of third-party narratives. |
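Both Connectivity Obstruction (AF028.005) and Powering Off Devices (AF028.004) have the same first-order effect on the monitoring side: the endpoint stops checking in. The script below is an added example, not code from the ITM project, showing how an investigator can turn an endpoint check-in feed into a "device went silent during expected working hours" alert and escalate it when the user is a named subject of an active inquiry. The heartbeat line format, the working-hours window (09:00 to 17:30), the 30-minute gap threshold, and all device and user names are constructed assumptions; a real deployment would read its EDR or UAM heartbeat source and its HR-defined working hours instead.

```python
from datetime import datetime, time, timedelta

# Constructed sample heartbeat feed (not real telemetry).
# One line per check-in: "<ISO timestamp> <device> <user>"
SAMPLE_HEARTBEATS = """\
2025-10-08T08:00:00 LAPTOP-01 jdoe
2025-10-08T08:05:00 LAPTOP-01 jdoe
2025-10-08T09:55:00 LAPTOP-01 jdoe
2025-10-08T08:00:00 LAPTOP-02 asmith
2025-10-08T08:05:00 LAPTOP-02 asmith
2025-10-08T10:25:00 LAPTOP-02 asmith
2025-10-08T07:30:00 LAPTOP-03 bkumar
2025-10-08T07:35:00 LAPTOP-03 bkumar
"""

# Assumed working-hours window; in practice this comes from HR / shift data.
WORK_START = time(9, 0)
WORK_END = time(17, 30)


def parse_heartbeats(text):
    """Return {device: (user, last_seen)} holding the most recent check-in per device."""
    last = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, device, user = line.split()
        seen = datetime.fromisoformat(ts)
        if device not in last or seen > last[device][1]:
            last[device] = (user, seen)
    return last


def find_silent_devices(text, now, max_gap=timedelta(minutes=30), subjects=frozenset()):
    """Flag devices whose last heartbeat is older than max_gap while `now` falls
    inside working hours.

    Silence outside working hours is expected (laptops get shut at night) and is
    not alerted on. Whether the silence is a power-off or a network disconnect
    cannot be told from the heartbeat alone; both stop the feed, so both are
    reported here and left for follow-up against local endpoint events.

    Returns a list of findings sorted by gap (largest first). A finding is marked
    for escalation when the user is in `subjects`, the set of people who are the
    subject of an active inquiry.
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    if not (WORK_START <= now.time() <= WORK_END):
        return []
    findings = []
    for device, (user, last_seen) in parse_heartbeats(text).items():
        gap = now - last_seen
        if gap <= max_gap:
            continue
        findings.append({
            "device": device,
            "user": user,
            "last_seen": last_seen.isoformat(),
            "gap_minutes": int(gap.total_seconds() // 60),
            "escalate": user in subjects,
        })
    findings.sort(key=lambda f: f["gap_minutes"], reverse=True)
    return findings


if __name__ == "__main__":
    # Evaluate the constructed feed at 10:30 on the same day, with bkumar as an
    # assumed subject of an active inquiry.
    for f in find_silent_devices(SAMPLE_HEARTBEATS, "2025-10-08T10:30:00",
                                 subjects=frozenset({"bkumar"})):
        flag = "ESCALATE" if f["escalate"] else "review"
        print(f"{flag:8} {f['device']} ({f['user']}) silent {f['gap_minutes']} min, "
              f"last seen {f['last_seen']}")
```

On the constructed feed, LAPTOP-03 (silent since 07:35, user under inquiry) is escalated and LAPTOP-01 (silent 35 minutes) is listed for review, while LAPTOP-02, which checked in five minutes earlier, is not reported. Running the same check at 20:00 returns nothing, which is the point of tying the detection to expected working hours as the AF028.004 description does: the signal is silence when the subject should be active, not silence in itself.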