Ethical hacking: Log tampering 101

Introduction

Getting caught is exactly what every hacker does not want. They want to be able to gain entry into a system and then quickly withdraw to the safety of the internet café they are presumably hacking from. Logs are designed to record nearly everything that occurs in a system, including hacking attempts, and can be the determinative factor in catching hackers after their crime has been committed. 

Ethical hackers need to understand how attackers tamper with logs, because it is a routine part of an intrusion. This article covers the basics of log tampering for ethical hackers: disabling auditing, clearing logs, modifying logs and erasing command history. The focus is on Windows and Linux logs, as they are the ones most widely used by organizations. 

Please note that this article is intended as an introduction to log tampering for ethical hacking purposes only.

A little about logs

In terms of analogies, hacking is sort of like stealing cookies from the cookie jar. Every cookie thief, or hacker, wants to be able to get in there and do their dirty deeds before getting caught. 

Now imagine that this cookie jar is surrounded by fresh snow that covers everything around it. It would be impossible to even get to the cookie jar without leaving tracks — just as it would be impossible to gain entry to a system without being detected. Tampering with logs is the equivalent of covering these obvious tracks that administrators use to catch hackers.

The process

There is a four-step process for covering your tracks by tampering with logs that hackers know like the back of their hand. These steps are:

  1. Disable auditing
  2. Clearing logs
  3. Modifying logs
  4. Erasing command history

1. Disable auditing

Disable auditing is a smart first step for hackers because (Read more...)
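The four steps above are also exactly what a defender's log pipeline should be watching for. The following Python script is an added example, not code from the original article or from Infosec Resources: it maps each step to the telemetry that records it (the real Windows Security/System event IDs 4719, 1102 and 104, and Linux auditd records) and runs that mapping over a small set of constructed sample events. The `Event` and `Alert` field names, the audit rule keys `logfile_write` and `history_write`, the allow-list of processes expected to write under `/var/log`, and the single-line auditd records (SYSCALL and PATH fields joined the way `ausearch` correlates them) are all assumptions of the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One event as a SIEM might ingest it. Field names are this example's own.
@dataclass(frozen=True)
class Event:
    source: str            # "windows" (Event Log) or "linux" (auditd)
    event_id: Optional[int]  # Windows event ID; None for auditd records
    message: str           # rendered message, or the raw auditd record


@dataclass(frozen=True)
class Alert:
    step: str              # which of the four tampering steps it indicates
    reason: str
    event: Event


# Real Windows event IDs that surface the first two steps directly.
WINDOWS_EVENT_IDS = {
    4719: ("disable auditing", "System audit policy was changed"),
    1102: ("clearing logs", "The audit log was cleared"),
    104:  ("clearing logs", "The System log file was cleared"),
}

# auditd record patterns. Simplified assumption: SYSCALL and PATH fields of
# one event sit on a single line, as ausearch presents them after correlation.
AUDITD_RULES = [
    ("disable auditing", "auditd reported audit_enabled=0",
     re.compile(r"type=CONFIG_CHANGE\b.*\baudit_enabled=0\b")),
    ("erasing command history", "shell history file was deleted",
     re.compile(r'name="[^"]*/\.(bash|zsh)_history"\s.*\bnametype=DELETE\b')),
]
# Any process writing under /var/log that is not a known log writer.
LOG_WRITE = re.compile(r'\bcomm="(?P<comm>[^"]+)".*\bname="(?P<path>/var/log/[^"]+)"')
LOG_WRITERS = {"rsyslogd", "systemd-journal", "auditd", "logrotate"}  # assumed baseline


def classify(event: Event) -> Optional[Alert]:
    """Map one event to a tampering step, or None if it looks benign."""
    if event.source == "windows":
        hit = WINDOWS_EVENT_IDS.get(event.event_id)
        return Alert(hit[0], hit[1], event) if hit else None
    if event.source == "linux":
        for step, reason, pattern in AUDITD_RULES:
            if pattern.search(event.message):
                return Alert(step, reason, event)
        m = LOG_WRITE.search(event.message)
        if m and m.group("comm") not in LOG_WRITERS:
            return Alert("modifying logs",
                         f'{m.group("comm")} wrote to {m.group("path")}', event)
    return None


def scan(events: List[Event]) -> List[Alert]:
    """Run the classifier over a batch and keep only the hits."""
    return [a for a in map(classify, events) if a is not None]


def summarize(alerts: List[Alert]) -> Dict[str, int]:
    """Count alerts per tampering step."""
    counts: Dict[str, int] = {}
    for a in alerts:
        counts[a.step] = counts.get(a.step, 0) + 1
    return counts


# Constructed sample telemetry (not real host data): six tampering
# indicators mixed with two benign records.
SAMPLE_EVENTS = [
    Event("windows", 4719, "System audit policy was changed. Subcategory: Logon. Changes: Success removed"),
    Event("windows", 1102, "The audit log was cleared. Subject: Account Name: alice"),
    Event("windows", 4624, "An account was successfully logged on."),
    Event("windows", 104, "The System log file was cleared."),
    Event("linux", None, 'type=CONFIG_CHANGE msg=audit(1700000000.101:201): audit_enabled=0 old=1 auid=1000 ses=4 res=1'),
    Event("linux", None, 'type=SYSCALL msg=audit(1700000000.202:202): syscall=263 success=yes auid=1000 comm="rm" exe="/usr/bin/rm" key="history_write" type=PATH item=1 name="/home/alice/.bash_history" nametype=DELETE'),
    Event("linux", None, 'type=SYSCALL msg=audit(1700000000.303:203): syscall=257 success=yes auid=1000 comm="bash" exe="/usr/bin/bash" key="logfile_write" type=PATH item=0 name="/var/log/auth.log" nametype=NORMAL'),
    Event("linux", None, 'type=SYSCALL msg=audit(1700000000.404:204): syscall=257 success=yes auid=4294967295 comm="rsyslogd" exe="/usr/sbin/rsyslogd" key="logfile_write" type=PATH item=0 name="/var/log/auth.log" nametype=NORMAL'),
]

if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for a in hits:
        print(f"[{a.step}] {a.reason}")
    print(summarize(hits))
```

The example keys on the artefacts tampering leaves rather than on attacker command lines, because that is the signal which survives: event 1102 is written into the very log being cleared, and an auditd CONFIG_CHANGE record is emitted before auditing stops. That also points at the main mitigation, forwarding events off the host as they are generated (Windows Event Forwarding, remote syslog or auditd's remote logging) so that a cleared or edited local log no longer changes what the SOC sees. A sudden gap in expected events, or a history file that is simply empty, deserves the same scrutiny as a pattern match, and the `LOG_WRITERS` allow-list has to be tuned to each host's real log-writing daemons.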

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Greg Belding. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/Ubvog7-tLIE/