Covering Tracks | What's Your IQ

Introduction

Covering tracks refers to the techniques attackers use to remove, modify, or obscure evidence of their activities on compromised systems. This is the final phase of the penetration testing kill chain, and from a defensive perspective, it is among the most important to understand. If an attacker can successfully eliminate all traces of their intrusion, the victim organization may never know it was compromised, may fail to identify the scope of the breach, and may be unable to remediate the root cause.

The study of covering tracks falls under the broader discipline of anti-forensics -- techniques specifically designed to frustrate forensic investigation. Anti-forensics is an adversarial field: forensic analysts develop new detection methods, and attackers develop new evasion techniques in response. Understanding this dynamic is essential for security professionals on both sides.

In authorized penetration testing, covering tracks is sometimes included in the engagement scope to test the organization's forensic readiness and monitoring capabilities. However, ethical penetration testers always maintain their own detailed logs of all activities, regardless of whether they also test track-covering techniques. The goal is to evaluate whether the organization could detect and investigate an intrusion, not to actually evade detection permanently.

"The absence of evidence is not the evidence of absence. A sophisticated attacker who cleans up after themselves does not mean the intrusion did not happen -- it means your detection capabilities have gaps." -- Harlan Carvey, Windows Forensic Analysis

Log Manipulation

Logs are the primary evidence source in most security investigations. System logs, application logs, authentication logs, and network logs collectively tell the story of what happened on a system. Attackers who gain sufficient privileges often attempt to manipulate these logs to remove evidence of their activities.

Linux Log Tampering

Linux systems maintain several log files that record authentication events, command execution, and system activity. Understanding where these logs are stored and how they can be manipulated helps defenders protect log integrity:

Log File	Contents	Tampering Method	Detection Approach
`/var/log/auth.log`	Authentication events (SSH, sudo, su)	Line deletion, file truncation	Log forwarding, line count monitoring
`/var/log/syslog`	General system messages	Selective editing, rotation manipulation	Remote syslog, hash verification
`/var/log/wtmp`	Login records (binary)	Binary editing tools, record removal	Cross-reference with auth.log, utmpdump
`/var/log/btmp`	Failed login attempts (binary)	Truncation, record manipulation	Remote logging, baseline comparison
`/var/log/lastlog`	Last login times per user	Binary record overwrite	Comparison with other login records
`~/.bash_history`	User command history	Deletion, HISTSIZE=0, unset HISTFILE	Auditd command logging, process monitoring

# Common log tampering techniques (for defensive understanding):# Clear specific entries from auth.log# Attacker may use sed to remove lines containing their IPsed -i '/192.168.1.50/d' /var/log/auth.log# Disable command history for current sessionunset HISTFILEexport HISTSIZE=0# Or redirect history to /dev/nullln -sf /dev/null ~/.bash_history# Clear login records from wtmp# utmpdump can be used to edit binary login records# DETECTION: These actions themselves leave traces# 1. File modification timestamps change even when content is removed# 2. Gaps in sequential log entries indicate deletion# 3. auditd can monitor log file access and modification# 4. Remote syslog servers retain copies that cannot be locally modified

Windows Event Log Tampering

Windows uses a structured event logging system with three primary log channels: Security, System, and Application. Additional channels exist for services, PowerShell, Sysmon, and other components. Attackers with administrative access can clear or selectively manipulate these logs:

# Windows log clearing (for defensive understanding):# Clear all Security logswevtutil cl Security# Clear all channelsfor /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"# PowerShell log clearingClear-EventLog -LogName Security, System, Application# Disable event logging serviceStop-Service -Name EventLog -Force# CRITICAL DETECTION POINT:# Clearing the Security log generates Event ID 1102 (audit log cleared)# This event is written BEFORE the log is cleared, so it persists# Clearing the System log generates Event ID 104# Selective event deletion is more sophisticated:# Tools like Mimikatz's "event::drop" can patch the event logging# service in memory to prevent new events from being written# This is detectable through event log gap analysis

Timestomping

Timestomping is the deliberate modification of file timestamps to make malicious files appear as if they were created or modified at a different time -- typically matching the timestamps of legitimate system files. This technique is designed to deceive forensic investigators who use timeline analysis to reconstruct attack sequences.

File systems maintain multiple timestamps that attackers may target:

Timestamp	Abbreviation	NTFS Standard Info	NTFS File Name
Modified	M	Modifiable by user	Updated by OS only
Accessed	A	Modifiable by user	Updated by OS only
Changed (MFT)	C	Modifiable by user	Updated by OS only
Born (Created)	B	Modifiable by user	Updated by OS only

A critical insight for defenders: on NTFS file systems, each file has two sets of MACB timestamps -- one in the $STANDARD_INFORMATION attribute and one in the $FILE_NAME attribute. Standard timestomping tools (including Metasploit's timestomp command and PowerShell's Set-ItemProperty) can only modify the $STANDARD_INFORMATION timestamps. The $FILE_NAME timestamps are maintained by the NTFS driver and cannot be modified through normal API calls.

# Timestomping examples (for defensive understanding):# Linux -- using touch to modify timestampstouch -t 202001011200.00 /tmp/malicious_file# Sets modification and access time to Jan 1, 2020 12:00:00# Windows PowerShell$(Get-Item malware.exe).CreationTime = "01/01/2020 12:00:00"$(Get-Item malware.exe).LastWriteTime = "01/01/2020 12:00:00"$(Get-Item malware.exe).LastAccessTime = "01/01/2020 12:00:00"# Metasploit Meterpretermeterpreter > timestomp malware.exe -m "01/01/2020 12:00:00"# DETECTION of timestomping on NTFS:# Compare $STANDARD_INFORMATION vs $FILE_NAME timestamps# If $SI timestamps are OLDER than $FN timestamps, timestomping occurred# Tools: MFTECmd (Eric Zimmerman), Plaso/log2timeline, Autopsy# Example with MFTECmd:MFTECmd.exe -f "$MFT" --csv output_dir# Then analyze: if Created($SI) < Created($FN), timestamps were modified

"Timestomping is one of the most common anti-forensic techniques, but it is also one of the easiest to detect when investigators know where to look. The $FILE_NAME attribute in NTFS does not lie." -- Eric Zimmerman, DFIR tools developer and SANS instructor

File System Anti-Forensics

Attackers use various file system techniques to hide or destroy evidence. Understanding these techniques helps forensic investigators and defenders know what to look for:

Alternate Data Streams (ADS) -- NTFS supports attaching additional data streams to files. Attackers can hide data in these streams, which are not visible in standard directory listings. Detection: use dir /r, streams.exe (Sysinternals), or forensic tools
Slack space -- data can be hidden in the unused space between the end of a file's content and the end of its allocated cluster. Detection: forensic imaging and analysis tools
Deleted file recovery prevention -- overwriting file contents before deletion prevents standard file recovery. Tools like shred (Linux) and SDelete (Windows) perform secure deletion. Detection: unusual use of secure deletion tools, or gaps in expected file sequences
Steganography -- hiding data within image, audio, or video files. Detection: statistical analysis of media files, known steganography tool signatures
Encrypted containers -- storing data in encrypted volumes (VeraCrypt, LUKS) that cannot be analyzed without the key. Detection: presence of encrypted containers, unusual disk usage patterns

# Alternate Data Streams (NTFS) -- for defensive understanding:# Hide data in an ADSecho "hidden content" > normal_file.txt:hidden_stream# Read hidden streammore < normal_file.txt:hidden_stream# DETECTION:dir /r # Shows ADS in directory listingstreams.exe -s C:\path\to\directory # Sysinternals toolGet-Item -Path .\normal_file.txt -Stream * # PowerShell enumeration# Secure deletion -- for defensive understanding:# Linux:shred -vfz -n 5 sensitive_file # Overwrite 5 times then zero# Windows:sdelete.exe -p 3 sensitive_file # Sysinternals SDelete# DETECTION: Monitor for execution of shred, sdelete, cipher /w# Auditd rule: -w /usr/bin/shred -p x -k file_destruction

Network Detection Evasion

Attackers attempt to disguise their network activity to avoid triggering intrusion detection systems, firewall rules, and network monitoring tools. Understanding these evasion techniques helps defenders tune their detection capabilities:

Traffic encryption -- using TLS/SSL for C2 communication prevents deep packet inspection of payload content. Detection: JA3/JA3S fingerprinting, certificate analysis, behavioral patterns
Protocol tunneling -- encapsulating C2 traffic within legitimate protocols like DNS, ICMP, or HTTP. Detection: DNS query volume analysis, payload size anomalies, unusual ICMP patterns
Domain fronting -- routing traffic through CDN providers so the destination appears to be a legitimate service. Detection: SNI/Host header mismatches, CDN traffic analysis
Traffic timing manipulation -- jittering callback intervals to avoid regular beaconing detection. Detection: statistical analysis of connection patterns over longer time windows
Living off the land -- using built-in system tools (PowerShell, certutil, bitsadmin) instead of custom tools to blend with normal administrative activity. Detection: behavioral baselines, script block logging, command-line auditing

Evasion Technique	How It Works	Detection Method	Effectiveness
Encrypted C2	TLS-encrypted command channels	JA3 fingerprinting, certificate transparency	Defeats payload inspection only
DNS Tunneling	Data encoded in DNS queries/responses	Query length analysis, entropy measurement	Moderate -- detectable with DNS analytics
Domain Fronting	CDN-routed traffic masquerading	TLS/HTTP host header comparison	Declining -- CDNs blocking this technique
Slow Beaconing	Infrequent callbacks with jitter	Long-duration traffic analysis	High -- requires extended monitoring
Protocol Mimicry	C2 traffic mimics legitimate protocols	Deep protocol analysis, behavioral baselines	Variable -- depends on mimicry quality

Memory Forensics Evasion

As memory forensics has become a standard part of incident response, attackers have developed techniques to evade memory-based detection:

Process injection -- injecting malicious code into legitimate processes so it does not appear as a separate suspicious process. Detection: scanning process memory for injected code using tools like Volatility's malfind plugin
Reflective DLL loading -- loading DLLs directly into process memory without using the Windows loader, avoiding entries in the PEB's loaded module list. Detection: comparing loaded modules list against VAD entries
Process hollowing -- creating a legitimate process in a suspended state, replacing its memory with malicious code, then resuming execution. Detection: comparing the on-disk executable with the in-memory image
Direct syscalls -- calling kernel functions directly to bypass API hooks placed by EDR solutions. Detection: monitoring for unusual syscall patterns, stack trace analysis
AMSI bypass -- patching the Antimalware Scan Interface in memory to prevent PowerShell and .NET content inspection. Detection: monitoring for AMSI initialization failures, scanning for common bypass patterns

Artifact Removal

Beyond logs and timestamps, attackers must remove numerous other artifacts to avoid detection. Forensic investigators look for these artifacts during incident response:

Prefetch files (Windows) -- Windows Prefetch records information about recently executed applications. Location: C:\Windows\Prefetch\. Even deleted prefetch files can be recovered from unallocated disk space
Recent file lists -- MRU (Most Recently Used) lists in the registry, jump lists, and LNK files record recently accessed files and applications
Browser artifacts -- browsing history, downloads, cookies, and cache from any browsers used during the attack
PowerShell artifacts -- transcript logs, script block logs (Event ID 4104), module logs, and the ConsoleHost_history.txt file
WMI traces -- WMI activity logs and repository artifacts
Temporary files -- files in %TEMP%, /tmp, or /dev/shm used during the attack
Network artifacts -- DNS cache entries, ARP cache, recent network connections in netstat

# Common artifact locations defenders should monitor:# Windows Prefetchdir C:\Windows\Prefetch\*.pf# PowerShell historytype %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt# Recent LNK filesdir %APPDATA%\Microsoft\Windows\Recent\# Windows DNS cacheipconfig /displaydns# Linux temp directoriesls -la /tmp /dev/shm /var/tmp# Linux DNS cache (systemd-resolved)resolvectl statistics

Detection Strategies for Defenders

The most effective defense against track-covering techniques is building a logging and monitoring infrastructure that is resilient to tampering. Key strategies include:

Centralized log collection -- forward all logs to a remote SIEM or log aggregation platform in real-time. Even if an attacker clears local logs, the remote copies remain intact
Immutable logging -- use write-once storage, append-only log streams, or blockchain-based log integrity verification
Log integrity monitoring -- cryptographically hash log files at regular intervals and verify integrity. Any modification triggers an alert
Event ID 1102 monitoring -- always alert on Windows Security log clearing events (this event is generated before the log is cleared)
Sysmon deployment -- Microsoft Sysmon provides detailed process creation, network connection, file creation, and registry modification logging that is difficult to evade
Auditd configuration -- Linux auditd can monitor file access, command execution, and system calls, providing tamper-evident logging
Timeline analysis -- during incident response, build comprehensive timelines from multiple evidence sources; inconsistencies reveal anti-forensic activity
Gap analysis -- look for missing log entries, gaps in sequential event IDs, or periods with unusually low activity

Defense Layer	Technology	What It Detects
Log Forwarding	rsyslog, Windows Event Forwarding, Fluentd	Preserves evidence even if local logs are cleared
SIEM	Splunk, Elastic, Microsoft Sentinel	Log clearing events, gap detection, correlation
EDR	CrowdStrike, SentinelOne, Defender for Endpoint	Process injection, timestomping tools, evasion techniques
Sysmon	Microsoft Sysmon	Process creation, file creation, registry changes, network connections
FIM	OSSEC, Tripwire, AIDE	File modifications, permission changes, new files in monitored directories
NTA	Zeek, Suricata, Darktrace	Encrypted C2, DNS tunneling, beaconing, protocol anomalies

"Your logging infrastructure is only as good as its resilience to tampering. If an attacker with root or SYSTEM privileges can delete your logs with no alert being generated, your monitoring architecture has a critical blind spot." -- SANS Institute, Incident Response course materials

Building Forensic Resilience

Organizations should proactively build infrastructure and procedures that maximize their ability to investigate incidents even when attackers attempt to cover their tracks:

Defense in depth logging -- collect logs from endpoints, network devices, applications, and cloud services so that no single log source is a single point of failure
Separate log infrastructure -- the SIEM and log collection servers should be in a separate security domain from production systems, with independent authentication
Log retention policies -- retain logs for sufficient duration to support investigation of advanced persistent threats that may maintain access for months
Regular forensic readiness testing -- conduct tabletop exercises and purple team assessments that specifically test whether the organization can detect anti-forensic techniques
Memory acquisition capability -- maintain the tools and procedures to capture volatile memory from compromised systems before shutdown, preserving evidence that does not survive reboot
Disk imaging procedures -- have forensic imaging tools and procedures ready for rapid deployment during incident response

For related penetration testing phases, review Maintaining Access and Reconnaissance to understand the complete penetration testing lifecycle. For additional security monitoring concepts, see Intrusion Detection Systems.

References

Carvey, H. (2018). Windows Forensic Analysis Toolkit, 4th Edition. Academic Press.
Casey, E. (2011). Digital Evidence and Computer Crime, 3rd Edition. Academic Press.
Carrier, B. (2005). File System Forensic Analysis. Addison-Wesley.
MITRE ATT&CK. (2024). "Defense Evasion." Tactic TA0005. The MITRE Corporation.
MITRE ATT&CK. (2024). "Indicator Removal." Technique T1070. The MITRE Corporation.
Zimmerman, E. (2024). DFIR Tools Documentation. ericzimmerman.github.io.
SANS Institute. (2023). "FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics." Course Materials.
Russinovich, M., Solomon, D., & Ionescu, A. (2017). Windows Internals, 7th Edition. Microsoft Press.
NIST SP 800-86. (2006). Guide to Integrating Forensic Techniques into Incident Response. National Institute of Standards and Technology.
Mandiant. (2023). M-Trends 2023: Special Report. Google Cloud.