Covering Tracks

Once attackers finish their work, they want to erase every track that would let investigators trace the activity back to them. This is done by:

  1. Disabling auditing.
  2. Clearing logs.
  3. Modifying logs and registry files.
  4. Removing all files and folders they created.

Disabling Auditing: Auditpol

  • Intruders disable auditing immediately after gaining administrator privileges.
  • At the end of their stay, the intruders simply turn auditing back on using auditpol.exe.

Clearing Logs

  • Attackers use the clearlogs.exe utility to clear the Security, System, and Application logs.
  • If the system was exploited with Metasploit, the attacker uses the Meterpreter shell to wipe all the logs from a Windows system.
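
A defender's counterpart to the two sections above, added here as an example and not part of the original notes: on Windows, an audit-policy change is itself recorded as Security event 4719, and a cleared Security log as event 1102 (104 for the System and Application logs), so the disable-at-start, re-enable-at-end pattern and the log wipe leave their own trail. The function below scans constructed sample records (normalized dicts, an assumed format) for exactly that pattern.

```python
from datetime import datetime, timedelta

# Real Windows event IDs that signal log tampering (Security log unless noted).
LOG_CLEARED = {1102: "Security log cleared", 104: "System/Application log cleared"}
AUDIT_POLICY_CHANGED = 4719  # "System audit policy was changed", e.g. via auditpol.exe

# Constructed sample records in an assumed normalized form, not from a real host.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:00", "id": 4624, "user": "svc_backup"},  # logon
    {"time": "2024-05-01T09:05:00", "id": 4719, "user": "svc_backup"},  # auditing changed
    {"time": "2024-05-01T09:06:00", "id": 4688, "user": "svc_backup"},  # process created
    {"time": "2024-05-01T11:40:00", "id": 1102, "user": "svc_backup"},  # Security log cleared
    {"time": "2024-05-01T11:41:00", "id": 4719, "user": "svc_backup"},  # auditing changed again
    {"time": "2024-05-02T08:00:00", "id": 4719, "user": "admin"},       # lone change: policy rollout
]


def find_tampering(events, window=timedelta(hours=6)):
    """Return a list of (kind, user, detail) alerts.

    kind is 'log_cleared' for every 1102/104 event, and 'audit_bracket' when
    the same account changes audit policy twice within `window`: the
    disable-at-start, re-enable-at-end pattern described above.
    """
    alerts = []
    last_change = {}  # user -> datetime of that user's most recent 4719
    for ev in sorted(events, key=lambda e: e["time"]):  # ISO timestamps sort as strings
        when = datetime.fromisoformat(ev["time"])
        if ev["id"] in LOG_CLEARED:
            alerts.append(("log_cleared", ev["user"], f"{ev['time']} {LOG_CLEARED[ev['id']]}"))
        elif ev["id"] == AUDIT_POLICY_CHANGED:
            prev = last_change.get(ev["user"])
            if prev is not None and when - prev <= window:
                gap = when - prev
                alerts.append(("audit_bracket", ev["user"],
                               f"{prev.isoformat()} -> {ev['time']} ({gap})"))
            last_change[ev["user"]] = when
    return alerts


if __name__ == "__main__":
    for alert in find_tampering(SAMPLE_EVENTS):
        print(alert)
```

A single 4719 from a different account raises nothing, which is why the bracket check keys on the same user within a bounded window rather than on every policy change.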

Manually Clearing Event Logs

  • Windows:
    • Navigate to Start > Control Panel > System and Security > Administrative Tools, then double-click Event Viewer.
    • Delete all the log entries recorded while the system was being compromised.
  • Linux:
    • Navigate to the /var/log directory on the Linux system.
    • Open the plain-text file containing the log messages (for example /var/log/messages) in a text editor.
    • Delete all the log entries recorded while the system was being compromised.

Ways to Clear Online Tracks

  • Remove Most Recently Used (MRU) lists, delete cookies, clear the cache, turn off AutoComplete, and clear toolbar data from the browsers.
  • Privacy settings in Windows 8.1:
    • Click the Start button, then choose Control Panel > Appearance and Personalization > Taskbar and Start Menu.
    • Click the Start Menu tab and, under Privacy, clear the "Store and display recently opened items in the Start menu and the taskbar" check box.

Covering Tracks Tools

  • CCleaner:
    • CCleaner is a system optimization and cleaning tool.
    • It cleans traces such as temporary files, log files, registry files, and memory dumps, as well as online activity such as your Internet history.
  • MRU-Blaster:
    • MRU-Blaster is an application for Windows that allows you to clean the most recently used lists stored on your computer.
    • It allows you to clean out your temporary Internet files and cookies.
