10.1 From Whom Are You Hiding?


Before planning how to hide your tracks, you must first ask a simple question: from whom are you hiding? Is the target a home user who just bought his first Linux machine at WalMart? His computer will be deployed with all of the default services on and no access control, apart from the password for the mighty "root" user. Or are you up against the paranoid hackers at the local security consultancy, who write secure Unix kernel modules before breakfast and know the location of every bit on their hard drives? Or, the worst-case scenario, is the opponent a powerful government entity armed with special-purpose hardware (such as magnetic force scanning tunneling microscopy, as mentioned in Peter Gutmann's seminal paper; see Section 10.5 for more information) and familiar with the latest nonpublic data recovery techniques? The relevant tips and tricks are completely different in each of these cases.

Sometimes, hiding does not work, no matter how hard you try; in this case, it's better to do your thing, clean up, and leave without looking back. This book cannot help you with that. Instead, this chapter aims to provide a general overview of most known hiding methods.

Unless otherwise noted, most of these tips are applicable to a not-too-skilled cracker (from now on referred to as an "attacker") hiding from a not-too-skilled system administrator (the "defender"), sometimes armed with commercial off-the-shelf or free open source computer forensic tools. In some cases, we will escalate the scenario, for example, in situations where these things happen:

  1. Attacker: logfiles erased and evidence gone

  2. Defender: erased files recovered using standard forensic tools

  3. Attacker: logfiles erased and overwritten with zeros

  4. Defender: parts of logfile survive due to OS peculiarities and are recovered

  5. Attacker: logfiles erased and completely overwritten with zeros

  6. Defender: parts of logfile are found during swap file analysis

  7. Attacker: logfiles erased and completely overwritten with zeros, swap file sanitized, memory dump sanitized, free and slack space sanitized

  8. Defender: data recovered using special hardware

  9. Attacker: logfiles erased using methods aimed to foil the above hardware

  10. Defender: files recovered using the yet-undisclosed novel forensic technique

Obviously, a real situation usually breaks at one of the steps of the above escalation scenario. Thus, we will not go into every possible permutation. The reader might rightfully ask, "What about such-and-such tool? Won't it uncover the evidence?" Maybe. But if its use is unlikely in most situations, we won't discuss it here.

We start with hiding your tracks immediately after an attack. Then, we proceed to finding and cleaning logfiles, followed by a section about antiforensics and secure data deletion. Finally, we touch on IDS evasion and provide an analysis of rootkit technology.



Security Warrior
ISBN: 0596005458
Year: 2004
Pages: 211
