Introduction
Covering tracks refers to the techniques attackers use to remove, modify, or obscure evidence of their activities on compromised systems. This is the final phase of the penetration testing kill chain, and from a defensive perspective, it is among the most important to understand. If an attacker can successfully eliminate all traces of their intrusion, the victim organization may never know it was compromised, may fail to identify the scope of the breach, and may be unable to remediate the root cause.
The study of covering tracks falls under the broader discipline of anti-forensics -- techniques specifically designed to frustrate forensic investigation. Anti-forensics is an adversarial field: forensic analysts develop new detection methods, and attackers develop new evasion techniques in response. Understanding this dynamic is essential for security professionals on both sides.
In authorized penetration testing, covering tracks is sometimes included in the engagement scope to test the organization's forensic readiness and monitoring capabilities. However, ethical penetration testers always maintain their own detailed logs of all activities, regardless of whether they also test track-covering techniques. The goal is to evaluate whether the organization could detect and investigate an intrusion, not to actually evade detection permanently.
"The absence of evidence is not the evidence of absence. A sophisticated attacker who cleans up after themselves does not mean the intrusion did not happen -- it means your detection capabilities have gaps." -- Harlan Carvey, Windows Forensic Analysis
Log Manipulation
Logs are the primary evidence source in most security investigations. System logs, application logs, authentication logs, and network logs collectively tell the story of what happened on a system. Attackers who gain sufficient privileges often attempt to manipulate these logs to remove evidence of their activities.
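The following is an added example, not code from the original page: a small defender-side integrity monitor that snapshots a log file and later checks whether it only grew by appending. It flags the three tampering patterns discussed here (in-place deletion or editing of earlier lines, truncation, and file replacement or rotation detected through the inode). The sample auth.log lines and the file layout are constructed for the demonstration; the finding codes (`TRUNCATED`, `PRIOR_CONTENT_MODIFIED`, and so on) are names chosen here, not from any tool.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass

# Constructed sample auth.log content (not real log data).
SAMPLE_AUTH_LOG = (
    b"Jan 10 09:12:01 host sshd[1201]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2\n"
    b"Jan 10 09:13:44 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update\n"
    b"Jan 10 09:20:17 host sshd[1340]: Accepted password for bob from 10.0.0.9 port 40188 ssh2\n"
)


@dataclass(frozen=True)
class LogSnapshot:
    inode: int
    size: int
    line_count: int
    prefix_sha256: str  # hash of all bytes present when the snapshot was taken


def snapshot(path: str) -> LogSnapshot:
    """Record inode, size, line count and a hash of the current content."""
    st = os.stat(path)
    h = hashlib.sha256()
    lines = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
            lines += chunk.count(b"\n")
    return LogSnapshot(st.st_ino, st.st_size, lines, h.hexdigest())


def check_integrity(baseline: LogSnapshot, path: str) -> list:
    """Return finding codes for anything other than append-only growth since the baseline."""
    findings = []
    st = os.stat(path)
    if st.st_ino != baseline.inode:
        findings.append("INODE_CHANGED")  # file replaced or rotated
    if st.st_size < baseline.size:
        findings.append("TRUNCATED")
    # Re-hash only the first baseline.size bytes: if that prefix is intact,
    # everything after it was appended and the earlier records are untouched.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        prefix = f.read(baseline.size)
        rest = f.read()
    h.update(prefix)
    if h.hexdigest() != baseline.prefix_sha256:
        findings.append("PRIOR_CONTENT_MODIFIED")  # line deletion or in-place edit
    if prefix.count(b"\n") + rest.count(b"\n") < baseline.line_count:
        findings.append("LINE_COUNT_DROPPED")
    return findings


def run_scenarios() -> dict:
    """Exercise the checker against benign growth, selective deletion and truncation."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "auth.log")
        with open(path, "wb") as f:
            f.write(SAMPLE_AUTH_LOG)
        base = snapshot(path)

        # 1. Normal operation: one new event appended; nothing should be flagged.
        with open(path, "ab") as f:
            f.write(b"Jan 10 09:25:00 host sshd[1340]: Disconnected from user bob 10.0.0.9 port 40188\n")
        results["append"] = check_integrity(base, path)

        # 2. Selective deletion: the sudo record is removed from the middle of the file.
        #    Line count is back to the baseline value, so counting alone misses this;
        #    the prefix hash still catches it.
        with open(path, "rb") as f:
            lines = f.read().splitlines(keepends=True)
        with open(path, "wb") as f:
            f.writelines(line for line in lines if b"sudo" not in line)
        results["delete_line"] = check_integrity(base, path)

        # 3. Truncation to zero bytes.
        with open(path, "wb"):
            pass
        results["truncate"] = check_integrity(base, path)
    return results


if __name__ == "__main__":
    for name, findings in run_scenarios().items():
        print(f"{name:12s} {findings or 'clean'}")
```

The point of the prefix hash is that an honest log only ever appends, so the bytes that existed at snapshot time must still be the first bytes of the file. In practice the snapshot is stored off-host (or the log is forwarded), since a baseline kept on the same machine can be edited along with the log.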
Linux Log Tampering
Linux systems maintain several log files that record authentication events, command execution, and system activity. Understanding where these logs are stored and how they can be manipulated helps defenders protect log integrity:
| Log File | Contents | Tampering Method | Detection Approach |
|---|---|---|---|
| /var/log/auth.log | Authentication events (SSH, sudo, su) | Line deletion, file truncation | Log forwarding, line count monitoring |
| /var/log/syslog | General system messages | Selective editing, rotation manipulation | R |