Removing Tracks


It is impossible for a hacker to spend much time on a system without leaving some tracks. These tracks will appear in system logs and on system backups. These two areas are very important because this captured information can be used as evidence in any criminal charges that might be brought.

It is quite common for hackers to attempt to modify, falsify, or eradicate these tracks. Some of these logs are well-known in both location and format.

Changing Logs

All systems do some logging; a good system administrator will turn on more than the default logging. Locating logs has been previously discussed. The question is, now that a hacker knows what logs are being kept and where they are, what can he do about them?

Some of the logs are simple text files. A hacker can edit these with a text editor to remove the evidence of his existence from them. Other logs are encoded binary files that cannot be edited with a text editor. To modify these files, the hacker must know the format of the information in the file. Some of the standard log files have well-known formats and there are programs that will allow them to be edited.

The system manager may be able to tell that the logs have been altered, but he will not be able to tell what information has been altered or removed. Some of these tools leave fingerprints in the log where the entry was altered. The hacker may decide to take the easy path and delete log files. This will remove the information from the file; however, it will also be evident that someone is tampering with the system.

The program " invis," which is available on the included CD-ROM, allows the hacker to change the login name and the associated terminal of his current session in the /etc/utmp file. This will effectively remove his session and replace it with another user login name and terminal. A hacker could use such a tool to misdirect an investigation or to attempt to lay blame elsewhere.

If the system's auditing allows for auditing of events to a specific file, you should audit all activities that pertain to the log files. If you are saving the log files to another machine, the connection to that machine should be audited.
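The utmp manipulation described above is only invisible when utmp is the sole record of who is logged in. The following is an added defender's check, not code from the book or its CD-ROM: it decodes the binary utmp format and compares each live session against an independent login record, such as one kept on a remote log host. It assumes the glibc x86-64 record layout (384 bytes) and works on a constructed in-memory image rather than reading /var/run/utmp.

```python
import struct

# glibc utmp record layout on x86-64 (384 bytes per record). Assumption: this
# layout; a production check would read /var/run/utmp and /var/log/wtmp.
UTMP = struct.Struct("<hxxi32s4s32s256shhiii4i20x")
USER_PROCESS = 7   # ut_type value for a live login session

def make_record(ut_type, pid, line, user, host, tv_sec):
    """Build one utmp record; used here only to construct sample data."""
    return UTMP.pack(ut_type, pid, line.encode(), b"", user.encode(),
                     host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)

def cstr(raw):
    """Decode a NUL-padded fixed-width C string field."""
    return raw.split(b"\0", 1)[0].decode(errors="replace")

def parse_utmp(data):
    """Decode every complete record into a dict of the fields that matter."""
    records = []
    for off in range(0, len(data) - len(data) % UTMP.size, UTMP.size):
        f = UTMP.unpack_from(data, off)
        records.append({"type": f[0], "pid": f[1], "line": cstr(f[2]),
                        "user": cstr(f[4]), "host": cstr(f[5]), "time": f[9]})
    return records

def find_inconsistent_sessions(utmp_data, reference):
    """Flag live sessions whose (terminal -> user) pairing disagrees with an
    independent record of logins (reference: {line: user})."""
    findings = []
    for r in parse_utmp(utmp_data):
        if r["type"] != USER_PROCESS:
            continue
        expected = reference.get(r["line"])
        if not r["user"]:
            findings.append((r["line"], "live session with empty user field"))
        elif expected is None:
            findings.append((r["line"], f"session for {r['user']} not in reference"))
        elif expected != r["user"]:
            findings.append((r["line"], f"utmp says {r['user']}, reference says {expected}"))
    return findings

if __name__ == "__main__":
    # Constructed sample: pts/0 has been rewritten from alice to bob, and
    # pts/2 has had its user name blanked out.
    image = (make_record(USER_PROCESS, 1201, "tty1", "root", "", 1000)
             + make_record(USER_PROCESS, 1345, "pts/0", "bob", "10.0.0.5", 1010)
             + make_record(USER_PROCESS, 1400, "pts/2", "", "", 1020))
    for line, why in find_inconsistent_sessions(image, {"tty1": "root", "pts/0": "alice"}):
        print(f"{line}: {why}")
```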

Destroying Evidence

If the hacker has completely finished using the system, with no expectation of returning, he may opt to delete everything. This will guarantee that the system manager will want to hunt him to the ends of the earth. However, few system administrators have the time to do this; they have systems to repair and users and managers to appease.

You must remember that you can never lose more information than what has changed since your last backup, unless you leave your backups online, or your procedures allow a hacker to request that an operator mount the backup tape. In this case, a hacker can delete your backups. There is one case of an intruder who erased all the tapes in an automated tape silo and then deleted all the files on the system, thereby deleting all the backups for that system.

During the recovery process, you must also remember that your system has been compromised. Until you can identify the time that the hacker first entered your system and recover your system to that point, the system will still be suspect.



Halting the Hacker: A Practical Guide to Computer Security (2nd Edition)
ISBN: 0130464163
Year: 2002
Pages: 210
