Covering Tracks and Clearing Logs

Cyber Security Mastery: From Zero to Hero

The Final Offensive Step (If in Scope)

In a real-world malicious attack, the attacker attempts to erase all evidence of their presence in order to delay detection, complicate forensic reconstruction, and protect any persistence they have established.

Note: In ethical hacking, this phase is often strictly prohibited unless the Rules of Engagement explicitly permit log manipulation testing.

Log Tampering Techniques

  1. Editing Logs: Manually opening plain-text logs (e.g., /var/log/auth.log on Linux) and removing the entries that correspond to the attacker's login times or executed commands.
  2. Using Utilities: Tools that clear the binary login history files, such as utmp and wtmp, rather than editing them by hand.
  3. Metasploit Modules: Meterpreter includes modules designed to clear specific Windows Event Log types (Security, System, Application) on a compromised machine.

Time Stamp Manipulation

Attackers often use tools like touch or specialized utilities to change the creation, modification, and access timestamps of malicious files so that they match benign, existing files, making forensic timeline analysis harder. This is known as the Timestomp technique.
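From the defender's side, timestomping on Linux leaves a footprint: utilities such as touch can rewrite atime and mtime, but the inode change time (ctime) is set by the kernel and cannot be chosen from user space, and backdated stamps are usually written with a zero sub-second part. The following added example (not part of the course material) encodes those three heuristics as a scanner; the file names and timestamps in SAMPLE are constructed for illustration, and the lag threshold is an assumption you should tune.

```python
import os
from dataclasses import dataclass

# Assumed threshold: metadata changed more than a day after the last content
# write is worth a look (chmod/chown also do this, so it is a lead, not proof).
CTIME_LAG_SECONDS = 24 * 3600

@dataclass
class FileTimes:
    path: str
    mtime_ns: int   # last content modification (settable via utime()/touch)
    ctime_ns: int   # last inode change (kernel-set; not settable without clock tampering)

def timestomp_indicators(ft: FileTimes) -> list[str]:
    """Return the reasons a file's timestamps look manipulated (empty = none)."""
    reasons = []
    # 1. ctime far newer than mtime: metadata was touched long after the last write.
    if ft.ctime_ns - ft.mtime_ns > CTIME_LAG_SECONDS * 1_000_000_000:
        reasons.append("ctime lags mtime by more than a day")
    # 2. Whole-second mtime: backdating with 'touch -d DATE' writes no nanoseconds,
    #    while genuine writes on modern filesystems almost always carry them.
    if ft.mtime_ns % 1_000_000_000 == 0:
        reasons.append("mtime has zero sub-second component")
    # 3. mtime later than ctime cannot arise from normal file activity.
    if ft.mtime_ns > ft.ctime_ns:
        reasons.append("mtime newer than ctime")
    return reasons

def scan_directory(root: str) -> dict[str, list[str]]:
    """Walk a real directory tree and report every file with at least one indicator."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                st = os.stat(p, follow_symlinks=False)
            except OSError:
                continue  # vanished or unreadable; skip rather than abort the scan
            hits = timestomp_indicators(FileTimes(p, st.st_mtime_ns, st.st_ctime_ns))
            if hits:
                findings[p] = hits
    return findings

# Constructed sample records (paths and times are made up, not from a real system).
SAMPLE = [
    FileTimes("/usr/bin/ls", 1_690_000_000_123_456_789, 1_690_000_000_123_456_789),
    FileTimes("/tmp/.x/helper", 1_600_000_000_000_000_000, 1_700_000_000_555_000_000),
    FileTimes("/etc/cron.d/job", 1_700_000_100_000_000_000, 1_700_000_000_000_000_000),
]
```

Run scan_directory against a directory of interest and triage the returned paths; a hit is a prompt to compare against package manifests or a known-good image, not a verdict on its own.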