Linux Basics for Hackers: Getting Started with

(linuxbasicsforhackers, PDF, 7.3 MB, page 111 of 115, dated 27.10.2023)

Remaining Stealthy
Once you’ve compromised a Linux system, it’s useful to disable logging and 
remove any evidence of your intrusion in the log files to reduce the chances 
of detection. There are many ways to do this, and each carries its own risks 
and level of reliability.
Removing Evidence
First, you'll want to remove any logs of your activity. You could simply open the log files and remove the entries that record your activity, line by line, using the techniques you learned in Chapter 2. However, this is time-consuming and leaves gaps in the log timeline, which looks suspicious. Also, deleted files can generally be recovered by a skilled forensic investigator.
A better and more secure solution is to shred the log files. With ordinary file deletion, a skilled investigator is still able to recover the deleted data (a deleted file's blocks are simply marked free for the filesystem to reuse; the data stays on disk until something overwrites it). What we want instead is a tool that overwrites the file's contents several times, making recovery much harder. Linux has a built-in command, appropriately named shred, for just this purpose.
To understand how the shred command works, take a quick look at the help screen by entering the following command:
kali >shred --help
Usage: shred [OPTION]...FILE...
Overwrite the specified FILE(s) repeatedly in order to make it harder
for even very expensive hardware probing to recover data
--snip--
As you can see from the full output on your screen, the shred command has many options. In its most basic form, the syntax is simple:
shred FILE

(Chapter 11, page 118)
On its own, shred overwrites the file's contents in place several times; by default it makes three passes of random data. Note what it does not do: shred does not remove the file. After the passes the file still exists, the same size as before, full of random bytes. To overwrite and then delete it, add the -u option. Generally, the more passes, the harder recovery becomes, but each pass rewrites the whole file, so shredding very large files takes time.
Two useful options to include are the -f option, which changes the permissions on the files to allow overwriting if a permission change is necessary, and the -n option, which lets you choose how many times to overwrite the files. Two more worth knowing are -u, which removes the file after overwriting it, and -z, which adds a final pass of zeros so the file does not obviously look shredded. As an example, we'll shred the authentication log and its rotated copies in /var/log 10 times using the following command:
kali >shred -f -n 10 /var/log/auth.log*
The -f option makes shred change the file mode if the file is not writable; it does not get you around ownership, so you still need root to touch /var/log/auth.log, which is owned by root. We follow the -n option with the desired number of overwrite passes. After the path of the file we want to shred, we add the wildcard asterisk so we're shredding not just auth.log but also the copies created by logrotate, such as auth.log.1, auth.log.2, and so on. Watch the position of the asterisk: auth.log* matches all of them, whereas auth.log.* matches only the rotated copies and leaves the live auth.log untouched.
Now try to open a log file:
kali >leafpad /var/log/auth.log.1
Once you've shredded a file, you'll see that its contents are indecipherable gibberish, as shown in Figure 11-1. The file is still there because we did not pass -u; had we added -z, it would show as a run of zeros instead.
Figure 11-1: A shredded log file
Now if the security engineer or forensic investigator examines the log files, they will find nothing of use in them, because the original contents have been overwritten. Keep in mind what shred does not do, which its own man page spells out: it relies on overwriting data in place, so it gives no guarantee on filesystems or storage that do not write in place, such as copy-on-write filesystems (btrfs, ZFS), filesystems with data journaling, snapshots, RAID, backups, or SSDs that remap blocks. It also does nothing about copies of the same events held elsewhere: systemd's journal, a remote syslog or SIEM receiver, and the syslog daemon itself, which keeps the log file open and goes on writing to it (or, after -u, to the now-unlinked inode until the next rotation). And a log file full of random bytes, or one that is suddenly empty, is itself a strong indicator of tampering to anyone who looks.
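The following shell script is added here as an illustration and is not taken from the book. It exercises two of the points above on a constructed fake auth.log in a scratch directory: the glob auth.log.* skips the live log while auth.log* catches it, and shred without -u leaves a (zero-filled, thanks to -z) file in place whereas shred -u removes it. It assumes a shred binary (GNU coreutils or BusyBox) is on PATH; the log lines and the function names (make_fake_logs, count_matches, log_mentions_root, shred_keep, shred_remove, demo, cleanup) are invented for this demo.

```shell
#!/bin/sh
# Added example (not from the book): what shred does, and what a glob does,
# demonstrated on a constructed fake auth.log in a scratch directory.
# Assumes a shred binary (GNU coreutils or BusyBox) is on PATH.

demo_dir=$(mktemp -d)
log="$demo_dir/auth.log"

# Create a fake live log plus two "rotated" copies named the way logrotate
# would name them. The entries are made up for this demo.
make_fake_logs() {
  cat > "$log" <<'EOF'
Oct 27 10:01:12 kali sshd[1234]: Accepted password for root from 10.0.0.5 port 51234 ssh2
Oct 27 10:01:13 kali sudo:     root : TTY=pts/0 ; PWD=/root ; COMMAND=/bin/bash
EOF
  cp "$log" "$log.1"
  cp "$log" "$log.2.gz"   # plain copy; only the file name matters here
}

# Count the files a glob expands to inside demo_dir. $1 is left unquoted
# on purpose so the shell performs pathname expansion on it.
count_matches() {
  n=0
  for f in "$demo_dir"/$1; do
    [ -e "$f" ] && n=$((n + 1))
  done
  echo "$n"
}

# Exit 0 if the live log still contains the string "root".
log_mentions_root() {
  grep -q 'root' "$log"
}

# Overwrite in place: 3 passes of random data, then a final pass of zeros
# (-z), but keep the file (no -u). -f makes the mode writable if needed.
shred_keep() {
  shred -f -n 3 -z "$log"
}

# Same passes, then remove the file (-u): shred renames it to obscure the
# name and unlinks it.
shred_remove() {
  shred -f -n 3 -z -u "$log"
}

cleanup() {
  rm -rf "$demo_dir"
}

# Stand-alone run: report what each step leaves behind.
demo() {
  make_fake_logs
  echo "auth.log.* matches $(count_matches 'auth.log.*') file(s); auth.log* matches $(count_matches 'auth.log*') file(s)"
  shred_keep
  echo "after shred (no -u): file exists? $([ -f "$log" ] && echo yes || echo no); mentions root? $(log_mentions_root && echo yes || echo no)"
  shred_remove
  echo "after shred -u: file exists? $([ -e "$log" ] && echo yes || echo no)"
}

demo
```

Run it as a script; it prints that auth.log.* matched two files and auth.log* three, that after shred_keep the file still exists but no longer mentions root, and that after shred_remove it is gone. The scratch directory is left in place so you can inspect the rotated copies; call cleanup to delete it.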
