• Removing Evidence
  • L in u X ba sics for h acke rs g e t t I n g s t a r t e d w I t h




    Download 7,3 Mb.
    Pdf ko'rish
    bet111/115
    Sana27.11.2023
    Hajmi7,3 Mb.
    #106243
    1   ...   107   108   109   110   111   112   113   114   115
    Bog'liq
    linuxbasicsforhackers

    Remaining Stealthy
    Once you’ve compromised a Linux system, it’s useful to disable logging and 
    remove any evidence of your intrusion in the log files to reduce the chances 
    of detection. There are many ways to do this, and each carries its own risks 
    and level of reliability.
    Removing Evidence
    First, you’ll want to remove any logs of your activity. You could simply open 
    the log files and precisely remove any logs detailing your activity, line by 
    line, using the file deletion techniques you learned in Chapter 2. However, 
    this could be time­consuming and leave time gaps in the log files, which 
    would look suspicious. Also, deleted files can generally be recovered by a 
    skilled forensic investigator.
    A better and more secure solution is to shred the log files. With other 
    file deletion systems, a skilled investigator is still able to recover the deleted 
    files (deleted files are simply made available to be overwritten by the file­
    system; they still exist until they are overwritten), but suppose there was a 
    way to delete the file and overwrite it several times, making it much harder 
    to recover. Lucky for us, Linux has a built­in command, appropriately 
    named 
    shred
    , for just this purpose.
    To understand how the 
    shred
    command works, take a quick look at the 
    help screen by entering the following command:
    kali >shred --help
    Usage: shred [OPTION]...FILE...
    Overwrite the specified FILE(s) repeatedly in order to make it harder
    for even very expensive hardware probing to recover data
    --snip--
    As you can see from the full output on your screen, the 
    shred
    command 
    has many options. In its most basic form, the syntax is simple:
    shred


    118
    Chapter 11
    On its own, 
    shred
    will delete the file and overwrite it several times— 
    by default, 
    shred
    overwrites four times. Generally, the more times the file is 
    overwritten, the harder it is to recover, but keep in mind that each overwrite 
    takes time, so for very large files, shredding may become time­consuming.
    Two useful options to include are the 
    -f
    option, which changes the per­
    missions on the files to allow overwriting if a permission change is neces­
    sary, and the 
    –n
    option, which lets you choose how many times to overwrite 
    the files. As an example, we’ll shred the log files in /var/log/auth.log 10 times 
    using the following command:
    kali >shred -f -n 10 /var/log/auth.log.*
    We need the 
    –f
    option to give us permission to shred 
    auth
    files, and we 
    follow the 
    –n
    option with the desired number of times to overwrite. After 
    the path of the file we want to shred, we include the wildcard asterisk so 
    we’re shredding not just the auth.log file, but also any logs that have been 
    created with 
    logrotate
    , such as auth.log.1auth.log.2, and so on.
    Now try to open a log file:
    kali >leafpad /var/log/auth.log.1
    Once you’ve shredded a file, you’ll see that the contents are indecipher­
    able gibberish, as shown in Figure 11­1.
    Figure 11-1: A shredded log file
    Now if the security engineer or forensic investigator examines the log 
    files, they will find nothing of use because none of it is recoverable!

    Download 7,3 Mb.
    1   ...   107   108   109   110   111   112   113   114   115




    Download 7,3 Mb.
    Pdf ko'rish

    Bosh sahifa
    Aloqalar

        Bosh sahifa



    L in u X ba sics for h acke rs g e t t I n g s t a r t e d w I t h

    Download 7,3 Mb.
    Pdf ko'rish