Whenever someone comes in contact with another person, place, or thing, something of that person is left behind. This means that the attacker must disable logging, clear log files, eliminate evidence, plant additional tools and cover his tracks.
Here are some of the techniques that an attacker can use to cover his tracks:-
(1) Disabling logging – Auditpol was originally included in the NT Resource kit for administrators. It works well for hackers too, as long as they have administrative access.
Just point it at the victim’s system as follows:
C:\>auditpol \\192.168.10 /disable
Auditing Disabled
(2) Clear the log file – The attacker will also attempt to clear the log. Tools, such as Winzapper, evidence Eliminator, or Elsave, can be used. Elsave will remove all entries from the logs, except one entry that shows the logs were cleared.
It is used as follows:
Elsave -s \\192.168.13.10 -1 “Security” -C
(3) Cover their tracks – One way for attackers to cover their tracks is with rootkits. Rootkits are malicious codes designed to allow an attacker to get expanded access and hide his presence. While rootkits were traditionally a Linux tool, they are now starting to make their way into the Windows environment. Tools, such as NTrootkit and AFX Windows rootkits, are available for Windows systems. If you suspect that a computer has been rootkitted, you need to use an MD5 checksum utility or a program, such as Tripwire, to determine the viability of your programs. The only other alternative is to rebuild the computer from known good media.
Here are some of the techniques that an attacker can use to cover his tracks:-
(1) Disabling logging – Auditpol was originally included in the NT Resource kit for administrators. It works well for hackers too, as long as they have administrative access.
Just point it at the victim’s system as follows:
C:\>auditpol \\192.168.10 /disable
Auditing Disabled
(2) Clear the log file – The attacker will also attempt to clear the log. Tools, such as Winzapper, evidence Eliminator, or Elsave, can be used. Elsave will remove all entries from the logs, except one entry that shows the logs were cleared.
It is used as follows:
Elsave -s \\192.168.13.10 -1 “Security” -C
(3) Cover their tracks – One way for attackers to cover their tracks is with rootkits. Rootkits are malicious codes designed to allow an attacker to get expanded access and hide his presence. While rootkits were traditionally a Linux tool, they are now starting to make their way into the Windows environment. Tools, such as NTrootkit and AFX Windows rootkits, are available for Windows systems. If you suspect that a computer has been rootkitted, you need to use an MD5 checksum utility or a program, such as Tripwire, to determine the viability of your programs. The only other alternative is to rebuild the computer from known good media.
Posts
