Covering Tracks
What is Covering Tracks?
Covering tracks means removing or obscuring the evidence an attacker's activity leaves behind, so that the intrusion goes undetected and access can be kept for as long as possible. Typical actions are clearing or editing logs, deleting dropped tools and temporary files, and hiding or disguising the changes made to the system during the attack. It is usually described as the final phase of an attack, after access has been gained and maintained; in MITRE ATT&CK these actions fall under Defense Evasion, mostly as Indicator Removal (T1070) and Impair Defenses (T1562).
Common Methods
Log Manipulation
Clearing, editing, or disabling the logs that record activity: Windows event logs, syslog and auditd on Linux, web-server access logs, and shell histories. Editing individual entries is stealthier than wiping a log, because an empty or truncated log is itself an indicator that something happened.
File Deletion
Removing dropped tools, temporary files, download artifacts, and other evidence, often with a tool that overwrites the data rather than just unlinking the name, since a plain delete leaves the contents recoverable.
Timestamp Modification
Backdating file timestamps so that planted files blend in with their neighbours and fall outside the time window an investigator is examining.
Anti-Forensics
Techniques aimed at the investigation itself, such as encrypting or wiping artifacts, exploiting gaps in what a filesystem or tool records, or flooding logs with noise so that reconstructing the timeline is slow and unreliable.
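The Timestamp Modification and Anti-Forensics methods above are two sides of one coin, so here is the POSIX version of a timestomp together with the check an examiner uses against it. This is an added example, not code from the original page or from any of the tools it names. On Linux, utime() lets a file's owner set the access and modification times to anything, but the inode change time (ctime) is stamped by the kernel with the real current time on every metadata change and cannot be set from user space; a file whose mtime is far older than its ctime was therefore touched after the time it claims. The temporary file, its contents, and the 2015 target date are constructed for the demonstration.

```python
"""Timestomping on Linux and the tell it leaves behind (added example)."""
import os
import tempfile
from datetime import datetime, timezone


def timestomp(path, when):
    """Backdate atime and mtime of `path` to POSIX timestamp `when` (seconds).

    This is the POSIX analogue of what Timestomp does to NTFS: os.utime()
    calls utimensat(2), which any file owner may use without privilege.
    """
    os.utime(path, (when, when))


def timestomp_indicators(path, tolerance=1.0):
    """Report whether `path` looks backdated.

    User space can set atime/mtime freely, but ctime always records the real
    time of the last inode change, so an mtime well before the ctime is the
    signature of a timestomped file. `tolerance` (seconds) absorbs harmless
    skew from a chmod or rename shortly after a write, which also bump ctime.
    """
    st = os.stat(path)
    skew = st.st_ctime - st.st_mtime
    return {
        "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
        "ctime": datetime.fromtimestamp(st.st_ctime, timezone.utc).isoformat(),
        "ctime_minus_mtime_seconds": skew,
        "suspicious": skew > tolerance,
    }


def demo(backdate_to=None):
    """Create a file, backdate it, and return (report_before, report_after)."""
    if backdate_to is None:
        # Constructed target date: 1 March 2015 12:00 UTC.
        backdate_to = datetime(2015, 3, 1, 12, 0, tzinfo=timezone.utc).timestamp()
    fd, path = tempfile.mkstemp()
    try:
        # The write sets mtime and ctime to the same instant, so the "before"
        # report shows no skew.
        os.write(fd, b"constructed sample payload\n")
        os.close(fd)
        before = timestomp_indicators(path)
        timestomp(path, backdate_to)
        # utime() rewrote mtime to 2015 but the kernel moved ctime to now.
        after = timestomp_indicators(path)
    finally:
        os.unlink(path)
    return before, after


if __name__ == "__main__":
    report_before, report_after = demo()
    print("before:", report_before)
    print("after: ", report_after)
```

The same comparison exists on NTFS, where the $STANDARD_INFORMATION timestamps that tools rewrite are checked against the $FILE_NAME timestamps that only the kernel updates. Treat a large ctime/mtime gap as a triage signal rather than proof: package managers, tar, and cp -p produce exactly this pattern legitimately when they preserve source mtimes, so corroborate with the ctimes of neighbouring files and with the filesystem journal before calling a file planted.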
Common Techniques
- Clearing bash history (Linux) or PowerShell history (Windows): bash writes ~/.bash_history on shell exit, so attackers clear the in-memory list (history -c) or stop it being saved at all (unset HISTFILE); on Windows, PSReadLine keeps its own history file (ConsoleHost_history.txt) that survives after the console window is closed
- Deleting temporary files and download artifacts
- Modifying or clearing event logs, for example with wevtutil cl or Clear-EventLog on Windows, or by editing or truncating files under /var/log on Linux
- Disabling auditing and logging features, for example with auditpol on Windows or by stopping auditd on Linux
- Using rootkits to hide processes, files, and network connections from the tools an administrator would use to look for them
- Timestomping (modifying file timestamps so that planted files appear to be old)
Popular Tools
Metasploit's clearev
Meterpreter command (not a module) that clears the Application, System, and Security event logs on a compromised Windows host. Clearing the Security log itself produces event 1102 ("The audit log was cleared"), which SIEM rules commonly alert on, so the action is not as silent as it looks.
Timestomp
Originally a tool from the Metasploit Anti-Forensics Project and now also a Meterpreter command, used to set the Modified, Accessed, Created, and Entry-modified (MACE) timestamps of files on NTFS. It rewrites the timestamps held in the $STANDARD_INFORMATION attribute; the copies in the $FILE_NAME attribute are not changed through the normal file API, so examiners compare the two to spot tampering.
BleachBit
Open source, cross-platform disk cleaner that removes caches, logs, and temporary files and can overwrite file contents and free space rather than merely deleting them.
shred
GNU coreutils command that overwrites a file's contents in place several times before optionally removing it (shred -u). Its own manual warns that this is unreliable on journaled, copy-on-write, and RAID filesystems and on SSDs, where the old contents may survive in the journal, a snapshot, or remapped flash blocks.
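Most of the techniques and tools listed above leave their own trace, and a defender's job is to look for that trace rather than for the evidence that was removed. The following detection logic is an added example, not code from the original page or from Metasploit: it runs a few rules over constructed sample events (Windows event-log records and Linux auditd/shell records, both modelled as plain dicts) and flags log clearing, command-history clearing, and audit disablement. The field names (source, channel, event_id, command_line, raw) are an assumed normalised log schema; the sample events are made up, and the MITRE ATT&CK technique IDs are attached so findings can be tagged consistently.

```python
"""Detecting track-covering actions from log telemetry (added example)."""
import re

# Command-line patterns (process-creation events) that indicate history or
# log clearing, or audit disablement. Each tuple: (rule name, ATT&CK ID, regex).
COMMAND_RULES = [
    ("Windows event log cleared via command line", "T1070.001",
     re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b|\bClear-EventLog\b", re.I)),
    ("Shell or PowerShell history cleared", "T1070.003",
     re.compile(r"\bhistory\s+-c\b|\bunset\s+HISTFILE\b|\bHISTFILESIZE=0\b"
                r"|ConsoleHost_history\.txt|\.bash_history\b", re.I)),
    ("Windows auditing disabled", "T1562.002",
     re.compile(r"\bauditpol(?:\.exe)?\s+/clear\b|\bauditpol(?:\.exe)?\s+/set\b.*\bdisable\b", re.I)),
    # Mapping the auditd case to T1562.001 (Disable or Modify Tools) is this example's choice.
    ("Linux auditd stopped or disabled", "T1562.001",
     re.compile(r"\bauditctl\s+-e\s*0\b|\bsystemctl\s+stop\s+auditd\b|\bservice\s+auditd\s+stop\b", re.I)),
]

# Events the Windows Event Log service writes about itself when a log is cleared.
CLEAR_EVENTS = {
    ("Security", 1102): "Security log cleared (Microsoft-Windows-Eventlog event 1102)",
    ("System", 104): "System log cleared (Microsoft-Windows-Eventlog event 104)",
}

# auditd emits a CONFIG_CHANGE record with audit_enabled=0 when auditing is switched off.
AUDIT_DISABLED = re.compile(r"type=CONFIG_CHANGE\b.*\baudit_enabled=0\b")


def analyse_event(event):
    """Return a list of (rule_name, technique_id) findings for one event."""
    findings = []
    key = (event.get("channel"), event.get("event_id"))
    if key in CLEAR_EVENTS:
        findings.append((CLEAR_EVENTS[key], "T1070.001"))
    cmd = event.get("command_line", "")
    for name, technique, pattern in COMMAND_RULES:
        if pattern.search(cmd):
            findings.append((name, technique))
    if AUDIT_DISABLED.search(event.get("raw", "")):
        findings.append(("Linux auditd disabled (CONFIG_CHANGE audit_enabled=0)", "T1562.001"))
    return findings


def analyse(events):
    """Run every event through the rules; return [(event_index, rule, technique), ...]."""
    return [(i, rule, technique)
            for i, event in enumerate(events)
            for rule, technique in analyse_event(event)]


# Constructed sample events (not real telemetry); indexes 0 and 7 are benign.
SAMPLE_EVENTS = [
    {"source": "windows", "channel": "Security", "event_id": 4624,
     "command_line": "", "raw": "An account was successfully logged on."},
    {"source": "windows", "channel": "Security", "event_id": 4688,
     "command_line": "C:\\Windows\\System32\\wevtutil.exe cl Security", "raw": ""},
    {"source": "windows", "channel": "Security", "event_id": 1102,
     "command_line": "", "raw": "The audit log was cleared."},
    {"source": "windows", "channel": "System", "event_id": 104,
     "command_line": "", "raw": "The System log file was cleared."},
    {"source": "windows", "channel": "Security", "event_id": 4688,
     "command_line": "powershell.exe -Command Remove-Item "
                     "$env:APPDATA\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt",
     "raw": ""},
    {"source": "linux", "channel": "auditd", "event_id": None, "command_line": "",
     "raw": "type=CONFIG_CHANGE msg=audit(1700000000.123:456): audit_enabled=0 old=1 auid=1000 ses=3 res=1"},
    {"source": "linux", "channel": "auditd", "event_id": None,
     "command_line": "bash -c 'history -c; unset HISTFILE; shred -u ~/.bash_history'", "raw": ""},
    {"source": "linux", "channel": "auditd", "event_id": None,
     "command_line": "ls -la /var/log", "raw": ""},
]


if __name__ == "__main__":
    for index, rule, technique in analyse(SAMPLE_EVENTS):
        print(f"event {index}: {rule} [{technique}]")
```

The point of the 1102 and 104 rules is that clearev and wevtutil cannot remove the record of the clearing itself, and the CONFIG_CHANGE rule catches auditd being turned off from the last record it writes before it stops. Forward logs to a collector the compromised host cannot write to, otherwise every rule here is defeated by clearing the log after the fact.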
Ethical Considerations
In ethical hacking, covering tracks has to be agreed in the rules of engagement before it is attempted. A tester may demonstrate how an attacker would clear logs or backdate files, but must keep a detailed record of every action, with timestamps and affected hosts, for the report and so the client can verify what was done. Many organizations require logs to remain intact for compliance reasons, and defenders usually want the traces left in place so they can confirm that their detection and response processes actually caught the activity; in those cases the tester describes the technique rather than executing it.