Clear Your Tracks on Linux

In this article and video, I show you how to clear your tracks in Linux. This is very important if you are a penetration tester, an ethical hacker, or a cybersecurity expert.


Clear Your Tracks: The Final Step

Leaving tracks behind is one of the biggest mistakes an attacker can make.

If you look at the biggest attacks of the past years, detection was often made easy by the malware and artefacts the black-hat hacker(s) left behind and never cleaned up. Many of the “best hackers” got caught this way.

An attacker first has to clear the logs and modify or remove the registry entries they created, and finally remove any files or commands they have been using. “Clearing Your Tracks” is really underestimated, in my opinion.


cd /var/log

As you can see below, after changing into /var/log with cd /var/log there are a lot of logs. Their purpose is pretty self-explanatory from the names: there is a user log, a macchanger log, an authentication log, and a kernel log, which is always interesting.


cd /var/log

auth.log

The authentication log, auth.log, stores all authentication events. It is very important to a forensic team: from it they can analyze what happened and which activities were carried out. You can of course open it with any text editor you like, such as vim, nano, or pluma.

sudo nano /var/log/auth.log

kern.log

Another log for kernel information is /var/log/kern.log, which records kernel messages and events on your system; the same messages are shown by dmesg.

sudo dmesg

You can see what is going on. I will not explain it right now, as it is a topic for another time, but I think you get the idea.

Now let’s clear those tracks! 😀


Clear Your Tracks with Shred

Shred is an amazing tool and for sure one of my favorites! What shred does is remove files, such as logs, permanently.

But why don’t we simply delete all those files? Because normally deleted files can be recovered, whereas deleting them with shred actually wipes their contents first.

Shred overwrites the file’s contents several times (three passes by default, plus a final pass of zeros with -z), then with -u renames the file and removes it completely.

Now let’s explore the help output of shred. It is all self-explanatory; you may also like to have a look at the man page of shred.

shred -h
man shred

Now let’s remove a file and clear your tracks

shred -zxuvf (Name of your file)

Explanation of the options I used:

-z, --zero     add a final overwrite with zeros to hide shredding
-x, --exact    do not round file sizes up to the next full block; this is the default for non-regular files
-u             deallocate and remove file after overwriting
-v, --verbose  show progress
-f, --force    change permissions to allow writing if necessary
-n, --iterations=N  overwrite N times instead of the default (3)

As you can see, it has overwritten and renamed the file several times and finally removed it.
This cannot be recovered.

Apart from that, your bash history is also very important. Even a normal Linux user can guess what someone has done by looking at that file, so make sure you delete it as well. You can also delete it with shred, but I am not going to use shred this time.


Once again, be aware that files removed in the normal way can be recovered!


Delete The History And Clear Your Tracks

cat ~/.bash_history

Using the redirect for now:

> ~/.bash_history

Here we go, the history is cleared.


Command history

All your commands are stored in the file named by $HISTFILE, up to $HISTSIZE entries:

echo $HISTFILE
echo $HISTSIZE

You can set the history size to zero like this, to avoid storing commands at all:

export HISTSIZE=0

If you set it as soon as you get a shell, you won’t have to worry about cleaning up the history afterwards.


Automate the Clearing of (any) File

We can automate the process so that the command history is deleted each day. This way, if we forget to remove our history (I’m sure I often will) 😀, the system will do it at 11:00 p.m. every day, automatically.

First, open the crontab table in edit mode by typing:

sudo crontab -e

In the crontab, navigate to the end of the file and add the following line:

00 23 * * * cat /dev/null > ~/.bash_history

In the article below I describe cron jobs in more detail:
* https://hackingpassion.com/determine-if-your-linux-computer-or-server-is-hacked/#Crontab_scheduled_jobs
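A defender’s counterpart to the history, HISTSIZE and cron steps above (and the log clearing before them), added here as example code and not taken from the article: a small audit that reports empty or missing auth.log/kern.log, empty .bash_history files, HISTSIZE=0 in shell start-up files, and cron lines that redirect into a history file. The sample tree, the user names and the cron entry it checks are constructed.

```python
# Added example (not from the article): audit a root directory for the track-clearing
# indicators the article describes. root is '/' on a real host, a constructed tree here.
import re
import tempfile
from pathlib import Path
# HISTSIZE=0 / HISTFILESIZE=0 / unset HISTFILE in a shell start-up file ...
HIST_DISABLED = re.compile(r"^\s*(export\s+)?HIST(FILE)?SIZE=0\s*$|^\s*unset\s+HISTFILE\s*$", re.M)
# ... and a five-field cron line whose command redirects into a *bash_history file.
CRON_CLEARS_HISTORY = re.compile(r"^\s*\S+(\s+\S+){4}\s+.*>\s*\S*bash_history", re.M)

def audit_tracks(root):
    """Return sorted 'KIND: path' findings under root (str or Path)."""
    root, findings = Path(root), []
    for log in ("var/log/auth.log", "var/log/kern.log"):   # logs that '>' or shred -z leave empty
        p = root / log
        if not p.exists():
            findings.append(f"LOG-MISSING: {p}")
        elif p.stat().st_size == 0:
            findings.append(f"LOG-EMPTY: {p}")
    for home in list((root / "home").glob("*")) + [root / "root"]:
        if not home.is_dir():
            continue
        hist = home / ".bash_history"
        if not hist.exists() or hist.stat().st_size == 0:
            findings.append(f"HISTORY-EMPTY: {home}")
        for rc in (".bashrc", ".profile", ".bash_profile"):
            if (home / rc).is_file() and HIST_DISABLED.search((home / rc).read_text(errors="replace")):
                findings.append(f"HISTORY-DISABLED: {home / rc}")
    cron_files = [root / "etc/crontab"]
    for d in (root / "var/spool/cron/crontabs", root / "etc/cron.d"):
        cron_files += [f for f in d.iterdir() if f.is_file()] if d.is_dir() else []
    for f in cron_files:
        if f.is_file() and CRON_CLEARS_HISTORY.search(f.read_text(errors="replace")):
            findings.append(f"CRON-CLEARS-HISTORY: {f}")
    return sorted(findings)

def make_sample_tree():
    """Constructed sample host (not real data): 'bob' is clean, 'eve' has cleared her tracks."""
    root = Path(tempfile.mkdtemp(prefix="audit-"))
    (root / "var/log").mkdir(parents=True)
    (root / "var/log/auth.log").write_text("")              # truncated with '>' or shred -z
    (root / "var/log/kern.log").write_text("kernel: boot ok\n")
    for user, history, rc in (("bob", "ls\ncd /var/log\n", "alias ll='ls -l'\n"),
                              ("eve", "", "export HISTSIZE=0\n")):
        (root / "home" / user).mkdir(parents=True)
        (root / "home" / user / ".bash_history").write_text(history)
        (root / "home" / user / ".bashrc").write_text(rc)
    (root / "var/spool/cron/crontabs").mkdir(parents=True)
    (root / "var/spool/cron/crontabs/eve").write_text("00 23 * * * cat /dev/null > ~/.bash_history\n")
    return root
```

Running `audit_tracks(make_sample_tree())` reports four findings, all pointing at eve’s home, her crontab and the truncated auth.log; on a real host pass "/" (as root) instead of the sample tree.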


Secure-Delete

Secure-Delete is a set of tools for Linux that provide advanced techniques for the permanent removal of files. Once Secure-Delete has been installed on a Linux system, it provides the following four commands:

  • srm
  • smem
  • sfill
  • sswap

sudo apt install secure-delete

man srm

Install Wipe

“Wipe was originally developed to securely erase files from magnetic media. Wipe repeatedly overwrites special patterns to the files to be destroyed, using the fsync() call and/or the O_SYNC bit to force disk access. In normal mode, 34 patterns are used (of which 8 are random).”

You can remove the contents of a single file, a folder, or an entire hard disk with this command, but wiping a whole hard disk with wipe takes a good amount of time.

sudo apt install wipe


man wipe
wipe -h


Remove any file as:

sudo wipe filename

Remove any directory as:

sudo wipe -r directory_name

Some other tricks

Check for hidden files

Are there recent hidden files?

ls -altr

Check which files are currently open on the system, in particular open and active log files:

sudo lsof | grep '\.log'

Check which files on the system changed very recently:

sudo find / -cmin 0 -print
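Added example code, not from the article, showing why the lsof check above matters to a forensic team: a log that a daemon still holds open is not gone after shred -u or rm, because the unlinked inode lives on until the daemon closes it. The log lines and the “daemon” handle are constructed, os.unlink stands in for shred -u, and the /proc/<pid>/fd scan works on Linux only.

```python
# Added example (not from the article): why 'lsof | grep .log' matters to a defender. A log
# a daemon still holds open survives shred -u / rm as an unlinked inode until the daemon
# closes it, and on Linux /proc/<pid>/fd exposes it. Everything here is constructed;
# os.unlink stands in for the article's shred -u.
import os
import tempfile

def deleted_but_open_fds(pid="self"):
    """Linux only: 'fd -> target' for open files that are already unlinked; None elsewhere."""
    fd_dir = f"/proc/{pid}/fd"
    if not os.path.isdir(fd_dir):
        return None
    hits = []
    for fd in os.listdir(fd_dir):
        try:
            target = os.readlink(os.path.join(fd_dir, fd))
        except OSError:                      # fd closed between listdir and readlink
            continue
        if target.endswith(" (deleted)"):
            hits.append(f"{fd} -> {target}")
    return hits

def demo_log_survives_unlink():
    """Open a log the way a daemon does, delete it, keep logging, then recover it via the fd."""
    workdir = tempfile.mkdtemp(prefix="tracks-")
    path = os.path.join(workdir, "auth.log")
    with open(path, "w") as f:
        f.write("sshd: Accepted password for bob\n")     # constructed log line
    daemon = open(path, "a+")                 # the daemon's long-lived handle
    os.unlink(path)                           # stands in for: shred -zu auth.log
    daemon.write("sshd: session opened for bob\n")   # logging continues into the orphaned inode
    daemon.flush()
    nlink = os.fstat(daemon.fileno()).st_nlink    # 0: no directory entry left
    proc_view = deleted_but_open_fds()            # what 'lsof +L1' would show a responder
    daemon.seek(0)
    recovered = daemon.read()                 # a responder can copy /proc/<pid>/fd/N the same way
    daemon.close()                            # only now is the inode really released
    os.rmdir(workdir)
    return {"nlink": nlink, "recovered": recovered, "proc_view": proc_view}

if __name__ == "__main__":
    print(demo_log_survives_unlink())
```

The shred man page itself cautions that on journaling, copy-on-write and wear-levelling (SSD) storage the overwritten data can survive elsewhere, which is a second reason responders image the disk rather than trust the directory listing.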

Don’t forget to remove your Browser History

Obviously, you should also think about your browser history, your cookies and so many other things. (more about that in another article)


Linux distribution Tails

A good option is to use Tails, for example, which you install on a USB stick. After shutting down or restarting the system, all downloaded files, browser history, etc. are gone.


Clear Your Tracks linux Video

In this video, I show you how to give the terminal an attitude. Is this important? No, certainly not, but it is fun.
Then I show you where to find all your log files, and how to delete them in an easy and good way. I hope you enjoy the video! Talking is still a thing 🙂

Become a member on LBRY
Plus earning LBRY for watching videos ♥️
Here an invitation link, so that we both benefit.
In this way, you also support my work.

https://lbry.tv/$/invite/@hackingpassion:9

Obviously you can also follow me on YouTube (But not all videos will be placed there).


Clear Your Tracks Conclusion

I hope that from now on you think a little further than the usual “how to hack”. Before you start doing anything, you must already have thought in advance:

How am I going to make sure I don’t leave any tracks behind?


IMPORTANT THINGS TO REMEMBER

  • This article was written for educational purposes and pentest only.
  • The author can not be held responsible for damages caused by the use of these resources.
  • You will not misuse the information to gain unauthorized access.
  • The information shall only be used to expand knowledge and not for causing malicious or damaging attacks.
  • Just remember: performing any hacks without written permission is illegal!

Read also the Disclaimer

All the techniques provided in the tutorials on the hackingpassion.com, YouTube channel, and on the website hackingpassion.com are meant for educational purposes only.

If you are using any of those techniques for illegal purposes, hackingpassion.com can’t be held responsible for possible lawful consequences.

My goal is to educate people and increase awareness by exposing methods used by real black-hat hackers and show how to secure systems from these hackers.


Finally

If you have any questions about this article, any feedback, suggestions if you want to share your thoughts, please feel free to do it using the below comment form.


Bulls Eye
My name is Jolanda de Koff and on the internet, I'm also known as Bulls Eye. Ethical Hacker, Penetration tester, Researcher, Programmer, Self Learner, and forever n00b. Not necessarily in that order. Like to make my own hacking tools and I sometimes share them with you. "You can create art & beauty with a computer and Hacking is not a hobby but a way of life ..." I ♥ open-source and Linux"