DEV Community

Nitin Kumar


Erasing evidence after attacking a host

After attacking any host, the most important part is removing any evidence. If an ethical hacker obtains evidence about the attacker (i.e. you), you might be in legal trouble. So today we'll look at some common methods for removing evidence from the host machine so that ALMOST every trace is gone; almost, because every criminal leaves some trace or other that can be followed back. Small things might lead to the attacker.

For example: let's say you're using the Tor Browser to search for something on the dark web. If you've maximized the browser window, you might be traced through the window size and other details.


For our convenience, we'll be using Kali Linux and work on it only. In real life, you might be compromising some other machine, but the method and process of clearing your tracks are exactly the same.

How to wipe out all the logs and bash history so that we can remain undetected after completing our attack.


Topics covered:

  1. Delete the history of commands executed in the terminal
  2. Delete the history file (optional alternative to step 1)
  3. Delete system logs
  4. Delete the auth logs written during logins and sudo runs
  5. Empty a file's contents so that its absence does not look suspicious
  6. Delete the logs of services used
  7. Delete all files under the temporary directory
  8. BONUS KNOWLEDGE

Open the terminal and run the following command to see what has been executed so far:

history

In order not to get caught, we need to delete all the history of commands run during the attack. To do that, simply type:

history -c

-c stands for clear; after executing it, no history will be present.

We can also delete the history file. To find out where the history file is, type the command below:

echo $HISTFILE

To remove the history file, just type:

rm .bash_history

(If your history file is named .bash_history)

P.S.: You don't need to do this if the history has already been cleared.

After clearing the history, we need to delete the system logs. For that, we need to change into the /var/log directory. So, run the command:

cd /var/log

This directory contains the logs of the tools and services used on the machine. We now need to delete the logs of the tools and services used during our attack.

One of the important files we need to delete is auth.log. This is the authentication log, which stores any login attempts made during our attack. If we used the SSH service, that is logged here too. So we need to delete it:

sudo rm auth.log

Another important file we need to delete is sys.log. It records system information. For that, run the command:

sudo rm sys.log

Now suppose we don't want to remove/delete a file, because a deleted file might look suspicious and might be recovered with recovery tools. In that case, what we do is make the file empty.

Let's say we have a log file called kern.log, which stores the kernel logs, and we need to empty it. First check the contents of the file:

cat kern.log

Then, to empty the file contents, type the command:

sudo truncate -s 0 kern.log

Now the file is empty.

Next, we need to remove/delete the logs of the services we used during the attack. Let's say we used PostgreSQL; we navigate to its log directory using cd:

cd PostgreSQL

Let's say we need to delete the file postgresql-16-main.log; we run the command:

sudo rm postgresql-16-main.log

Now we need to delete all the files under the temporary directory, so that whatever services or tools we used or installed cannot be detected there. To do that, type the command:

sudo rm -rf /tmp/*
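Seen from the defender's side, every step above leaves its own artefact: a log file that should exist but doesn't, a log file of zero bytes, or a shell history that is empty or gone. The following check is an added example (not code from the original post) that looks for exactly those artefacts; the expected log file names and the sample directory tree are constructed assumptions for the demo.

```python
#!/usr/bin/env python3
"""Added example: detect the traces left by the log-clearing steps above.
It flags expected log files that are missing (rm), log files truncated to
zero bytes (truncate -s 0) and a shell history file that is missing or empty
(history -c / rm .bash_history). The sample tree is constructed for the demo."""
import tempfile
from pathlib import Path

# Log files a Debian-based host normally keeps under /var/log (assumption).
EXPECTED_LOGS = ("auth.log", "syslog", "kern.log")


def audit_host_logs(log_dir, home_dir):
    """Return a list of human-readable findings; an empty list means clean."""
    log_dir, home_dir = Path(log_dir), Path(home_dir)
    findings = []
    for name in EXPECTED_LOGS:
        path = log_dir / name
        if not path.exists():
            findings.append(f"missing log: {path}")      # removed with rm
        elif path.stat().st_size == 0:
            findings.append(f"truncated log: {path}")    # emptied with truncate
    hist = home_dir / ".bash_history"
    if not hist.exists():
        findings.append(f"missing shell history: {hist}")
    elif hist.stat().st_size == 0:
        findings.append(f"empty shell history: {hist}")
    return findings


def build_sample_tree():
    """Constructed sample: a host after steps 1, 4 and 5 of the post were run."""
    root = Path(tempfile.mkdtemp(prefix="auditdemo-"))
    log_dir, home_dir = root / "var" / "log", root / "home" / "user"
    log_dir.mkdir(parents=True)
    home_dir.mkdir(parents=True)
    (log_dir / "syslog").write_text("Jan  1 00:00:01 host systemd[1]: Started Daily apt.\n")
    (log_dir / "kern.log").write_text("")          # truncated to zero bytes
    # auth.log is deliberately absent: it was deleted
    (home_dir / ".bash_history").write_text("")   # cleared history
    return log_dir, home_dir


if __name__ == "__main__":
    for finding in audit_host_logs(*build_sample_tree()):
        print("ALERT:", finding)
```

On a real host, run it as root against /var/log and each user's home; because these checks only see what is left on disk, shipping logs to a remote collector as they are written is the mitigation that makes local deletion ineffective.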

BONUS KNOWLEDGE

Let's learn how to securely delete any file so that data recovery tools can't recover it. For that, we need to install another tool, secure-delete:

sudo apt install secure-delete
y

Now, to permanently delete a file, let's say the file name is file.py, type the command:

sudo shred -vfzu file.py

We also need to permanently remove the tools we used during the attack, right? For that, run the command below:

sudo apt remove --purge secure-delete

The last thing we need to do here is restart the machine so that active memory is cleared as well. For that, type the command:

sudo reboot

And your system will be restarted!


This was a small thing, yet a big one that might help you after successfully attacking a host. It's the last, yet important, step in staying safe from unethical hacking.

This knowledge & article is strictly for educational purposes!!

HAPPY HACKING HACKERS !!!

Liked it? Give it a star and save it, so that the next time you try something SUSPICIOUS you don't forget to try these out.

Connect with me on LinkedIn or GitHub
