Importance of Covering your tracks


Intro
When we compromise a system, whether with tools like Metasploit or by entering it some other way, the system always keeps records of our activity.
Where are the records being stored?
Logs
Probably the first place a skilled forensic investigator would look for our tracks is the logs. You can read more about logging in my previous article. Systems log the activity.
Terminal history
Another important place is the terminal history. We must delete the history. Not only delete it, but shred it multiple times, because deleted files can easily be recovered by a skilled forensic investigator.
Timestamps
MAC (Modified, Accessed, Created) timestamps also play an important role. An investigator can see when files were modified, accessed or created. It is important to set the timestamp back to its original value, which is why we should note the original time of a file before working with it. Usually we have access to this functionality via meterpreter.
Deleting terminal history in Linux
If you want to see the terminal history, simply write:
root@kali:/home$ history
1 history
2 history
3 history -d 2
4 history
5 shred -f .bash_history
6 cat .bash_history
7 history
8 cat .bash_history
9 ls
10 cd
11 pwd
12 ls ..
13 ls
14 cd ..
15 cd Desktop
16 echo "Hello from the terminal"
17 history
This is the place where every command that you enter will be stored.
We can change the size of the history, but if we do, we won't be able to retrieve the last command by pressing the UP arrow.
Personally, the option I find really good is to write:
history -c
This clears the entire history.
Shredding the file
Deletion is not the safest way. The safest way is to shred the file multiple times so that it becomes very difficult, nearly impossible, to recover it.
To see the options, let's look at shred's help screen:
root@kali:/home$ shred --help
Usage: shred [OPTION]... FILE...
Overwrite the specified FILE(s) repeatedly, in order to make it harder
for even very expensive hardware probing to recover the data.
If FILE is -, shred standard output.
Mandatory arguments to long options are mandatory for short options too.
-f, --force change permissions to allow writing if necessary
-n, --iterations=N overwrite N times instead of the default (3)
--random-source=FILE get random bytes from FILE
-s, --size=N shred this many bytes (suffixes like K, M, G accepted)
-u deallocate and remove file after overwriting
--remove[=HOW] like -u but give control on HOW to delete; See below
-v, --verbose show progress
-x, --exact do not round file sizes up to the next full block;
this is the default for non-regular files
-z, --zero add a final overwrite with zeros to hide shredding
--help display this help and exit
--version output version information and exit
Delete FILE(s) if --remove (-u) is specified. The default is not to remove
the files because it is common to operate on device files like /dev/hda,
and those files usually should not be removed.
The optional HOW parameter indicates how to remove a directory entry:
'unlink' => use a standard unlink call.
'wipe' => also first obfuscate bytes in the name.
'wipesync' => also sync each obfuscated byte to the device.
The default mode is 'wipesync', but note it can be expensive.
CAUTION: shred assumes the file system and hardware overwrite data in place.
Although this is common, many platforms operate otherwise. Also, backups
and mirrors may contain unremovable copies that will let a shredded file
be recovered later. See the GNU coreutils manual for details.
GNU coreutils online help: <https://www.gnu.org/software/coreutils/>
Full documentation <https://www.gnu.org/software/coreutils/shred>
or available locally via: info '(coreutils) shred invocation'
As we can see, there are many options available. We can even add a final pass of zeros (-z) to hide the fact that the file was shredded.
Shred in action:
The command history is stored at /home/kali/.bash_history. Let's see what's inside:
root@kali:~$ cat .bash_history
ls ..
ls
cd ..
cd Desktop
echo "Hello from the terminal"
history
shred
shred --help
cat .bash_history
ls
ls
cat .bash_history
rm .bash_history
ls
cd
ls
pwd
cat .bash_history
cd Desktop/
ls
cat .bash_history
locate history
cat /home/kali/.bash_history
exit
We see some history. These are placeholder commands, of course, but imagine a history of powerful scripts being run.
Let's see what happens if we shred this file.
root@kali:~$ shred .bash_history
root@kali:~$ cat .bash_history
(unreadable binary output)
As you can see, it is impossible to read the history now. It was shredded 3 times (by default). To add an additional security layer, you can shred it 20 times. Note the CAUTION in the help text above: shred only works where the file system and hardware overwrite data in place, and backups or mirrors may still hold a copy of the file.
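From the defender's side, the two traces this article covers (a history file and file timestamps) can be triaged for exactly the artifacts shown above. The following is an added example, not code from the article or its author; the thresholds and the `slack` tolerance are assumptions, and the sample inputs at the bottom are constructed rather than captured from a host.

```python
"""Triage helpers for shell history files and file timestamps. Added example,
not the article author's code; thresholds are assumed, samples are constructed."""
import string

PRINTABLE = set(string.printable.encode())

def history_indicators(data: bytes) -> dict:
    """Classify the raw bytes of a ~/.bash_history file.

    bash writes one command per line, so a genuine history is printable text
    with newlines. An empty file is what `history -c` plus logout leaves;
    uniformly random bytes are what `shred` leaves (the garbage in the article).
    """
    size = len(data)
    if size == 0:
        return {"size": 0, "nonprintable_ratio": 0.0, "lines": 0, "verdict": "empty"}
    ratio = sum(1 for b in data if b not in PRINTABLE) / size
    lines = data.count(b"\n")
    if ratio > 0.30:          # assumed threshold; real shell text sits near 0
        verdict = "shredded"
    elif lines == 0:
        verdict = "truncated"
    else:
        verdict = "plausible"
    return {"size": size, "nonprintable_ratio": round(ratio, 3),
            "lines": lines, "verdict": verdict}

def timestamp_indicators(mtime: float, ctime: float, now: float,
                         slack: float = 60.0) -> list:
    """Flag what resetting mtime via utimes() leaves behind: Linux lets a
    process set atime/mtime but not ctime, so a ctime well after mtime, or an
    mtime in the future, deserves a look. `slack` is an assumed tolerance (s).
    """
    flags = []
    if mtime > now + slack:
        flags.append("mtime_in_future")
    if ctime - mtime > slack:
        flags.append("ctime_after_mtime")
    return flags

# Constructed samples, not captured from a real host
NORMAL_HISTORY = b'ls ..\nls\ncd Desktop\necho "Hello from the terminal"\nhistory\n'
SHREDDED_HISTORY = bytes((i * 7919 + 13) % 256 for i in range(4096))
CLEARED_HISTORY = b""

if __name__ == "__main__":
    for name, blob in (("normal", NORMAL_HISTORY), ("shredded", SHREDDED_HISTORY),
                       ("cleared", CLEARED_HISTORY)):
        print(name, history_indicators(blob))
```

On a live host, pass `Path("~/.bash_history").expanduser().read_bytes()` to `history_indicators` and the `st_mtime`/`st_ctime` fields of `os.stat` to `timestamp_indicators`.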
Outro
In conclusion, covering your tracks is a crucial step in maintaining operational security after accessing a system. By effectively managing logs, terminal history, and timestamps, you can minimize the risk of detection by forensic investigators. Remember, thoroughness in these actions is key to ensuring your activities remain undetected.
I showed you only one way to clear tracks, but you now have an idea of the topics you need to check.
Written by Jonas Satkauskas
