8.4 - Cover Your Tracks

 8.4 - Cover your tracks 

 

Key Terms: 

    • Rootkit – A program that hackers use to establish root-level privileges to a system. 
    • Steganography – A method of embedding data into legitimate files like graphics, music, video, and plain text messages to hide it from everyone except the intended reader. 
    • NTFS data streams – One data stream stores the attributes; another stores the data. 
    • Slack space – The unused portion of an existing file that has been defined. 
    • System file logs – Files that are continuously recording when files are created, accessed, or modified. 

 

System log files 

System log files are the first place system administrators check when suspicious activity is detected. Erasing or modifying files to look as they were before the attack is a typical practice that can be done without admin privileges. In Windows, some specific files should be deleted or modified: 

    • Secevent.evt 
    • Sysevent.evt 
    • Appevent.evt 

 

Hide Evidence 

By choosing the hidden attribute from the attribute's menu will hide a file from browsing windows and directory listing. Alternate data streams are hidden in Windows explorer which means it is a good place to hide executable files. Hiding a file in the slack space of an existing file means that it shows no data was added to the file as it was defined previously. 

 

Modify Timestamps 

Altering timestamps on files can be done using the tool Timestomp. An attacker will change a timestamp to blend in with existing timestamps. The touch command in Unix can also alter the timestamp. ctime can also be modified to a given date/time. 

 

Disable Auditing 

As soon as a hacker gains access to a system, they will disable the auditing software. This allows them to install malware and access sensitive files. Hackers can use the command line tool AuditPol.exe to disable auditing on a machine. They can also reenable auditing to avoid suspicion after the attack is complete. 

 

Tools 

    • CcleanerThis program will remove files and clear internet browsing history. 
    • Clear My History – This software clears cookies and stored data along with other traces of data left on a system. 
    • Dump Event Log – This tool dumps an event log into a separated text file. 

 

Clear Online Tracks 

Hackers usually browse in incognito mode to cover up tracks in browsing history. They also clear cookies and caches and delete downloads, saved sessions, and user JavaScript. 

Comments

Post a Comment

Popular posts from this blog

OSA Assignment 1 - Task 3 GUIDE

Image
  OSA Assignment 1 – Task 3 Guide     Exam parameters   Time length – 5 hours (2x 2 ½ sessions)   Marks available – 28     Task 3: Design – Communication Equipment   In this task you are required to submit :   A technical proposal covering the switches, wireless infrastructure and specifications   Justification of planned network architecture and considerations for security, resilience, performance and redundancy   Evidence print screens   Annotated floor plan/network diagram     Technical Proposal   The technical proposal in task 3 follows a similar format as task 2. It's another large document detailing the requirements and recommendations for the company. In task 3, however , it should discuss communication and other digital equipment such as switches, CCTV and APs.   You should recommend multiple hardware solutions and justify between them.   Here are some examples of tables and information ...
Read more

OSA Assignment 1 - Task 1 GUIDE

  OSA Assignment 1 – Task 1 Guide     Exam parameters   Time length – 3 hours   Marks available – 20     Task 1: Planning   In this task you are required to submit :   A project plan   Gantt chart showing th e critical path   Explanation of legal requirements   Physical and digital threat countermeasures   Annotated floor plan     Gantt Chart   The Gantt Chart is the first document you should create. This details each phase of the project alongside the timescale to complete it.   Ensure you make a note of the deadline for the project along with any pre-requisites such as cabling. This should all be implemented into your Gantt Chart.   You can follow a layout like this:   Project:   Pre considerations (Gathering project timescale, risk assessments, ...)   Planning (Devising project plan, identifying budget, ...)   Design (Research hardware, identify topology, ...)   Pre ...
Read more

OSA Summer 2023 Mock - Task 1, Assignment 1

Image
  OSA Summer 2023 Mock – Task 1           Legal requirements   The company must ensure they are compliant with the correct legislation whilst the project is undertaken.   If any person is working at height, the correct safety measures to prevent injury or death must be imposed under The Work at Height Regulations 2005. They must have an appropriate safety harness on and hazardous areas at height should be i dentified in the risk assessment.   By storing data internally on a local file server, the business is responsible for maintaining the confidentiality, availability and integrity of that data. They must comply with The Data Protection Act 2018 and General Data Protection Regulations.   Display screen equipment regulations (DSE) should be considered when installing workstations. Ergonomic and posture-friendly chairs should be installed and employees given appropriate breaks from working around screens.     Data p...
Read more