401 Reading 28 - marsecguy/reading-notes-cyberops GitHub Wiki

Log Clearing

  1. Explain some specifics of why a hacker might want to clear log files to a family member. Do not use the example from the article.

    • Logs create a record of what happened, much like evidence at a crime scene. Like crime scene evidence, a good cybersecurity "detective" can examine the clues and figure out what happened and who is responsible. As such, clearing log files can be thought of similarly to a perpetrator trying to clean the scene after a crime. They want to get rid of things like fingerprints to obscure what they did and prevent being caught. Logs are like a fingerprint in that they can be used to identify the attacker. So, clearing logs is an attempt to similarly hide what was done and by whom.
  2. What are three methods by which you can clear logs in a Windows system?

    • Clearlogs.exe
    • Use Meterpreter
    • Through the Windows Event Viewer
  3. What are the four steps in the process of covering your tracks?

    • Disabling auditing
    • Clearing logs
    • Modifying logs
    • Deleting commands
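
As an added detection example (not from the reading or this wiki), the Python below scans a constructed JSON-lines export of Windows event records for the documented event IDs that correspond to the log-clearing methods and the "disable auditing, then clear logs" steps above, and flags any account that changed audit policy and then cleared a log. Field names such as LogName, Id and SubjectUserName are assumed to follow a Get-WinEvent style export; adapt them to your SIEM's schema.

```python
from __future__ import annotations
import json

# Documented Windows event IDs that correspond to the "covering your tracks" steps.
# (LogName, EventID) -> what it indicates
TAMPER_SIGNATURES = {
    ("Security", 1102): "Security event log cleared",
    ("System", 104): "System/Application event log cleared",
    ("Security", 4719): "System audit policy changed (auditing possibly disabled)",
}

# Constructed sample records shaped like a JSON-lines export of Windows events.
# Field names are an assumption about the export format, not a Windows standard.
SAMPLE_EVENTS = """\
{"TimeCreated": "2024-01-15T09:02:11Z", "LogName": "Security", "Id": 4624, "SubjectUserName": "alice"}
{"TimeCreated": "2024-01-15T09:10:43Z", "LogName": "Security", "Id": 4719, "SubjectUserName": "svc-backup"}
{"TimeCreated": "2024-01-15T09:11:02Z", "LogName": "System", "Id": 104, "SubjectUserName": "svc-backup"}
{"TimeCreated": "2024-01-15T09:11:05Z", "LogName": "Security", "Id": 1102, "SubjectUserName": "svc-backup"}
{"TimeCreated": "2024-01-15T09:15:00Z", "LogName": "Application", "Id": 1000}
"""


def find_log_tampering(jsonl: str) -> list[dict]:
    """Return one alert per record whose (LogName, Id) matches a tamper signature."""
    alerts = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue  # skip blank lines in the export
        rec = json.loads(line)
        key = (rec.get("LogName"), rec.get("Id"))
        if key in TAMPER_SIGNATURES:
            alerts.append({
                "time": rec.get("TimeCreated"),
                "log": key[0],
                "event_id": key[1],
                "user": rec.get("SubjectUserName", "<unknown>"),
                "reason": TAMPER_SIGNATURES[key],
            })
    return alerts


def policy_change_then_clear(alerts: list[dict]) -> set[str]:
    """Accounts that changed audit policy (4719) and later cleared a log (1102/104)."""
    changed_policy: set[str] = set()
    flagged: set[str] = set()
    for a in sorted(alerts, key=lambda a: a["time"]):  # ISO-8601 UTC sorts lexically
        if a["event_id"] == 4719:
            changed_policy.add(a["user"])
        elif a["user"] in changed_policy:
            flagged.add(a["user"])
    return flagged


if __name__ == "__main__":
    found = find_log_tampering(SAMPLE_EVENTS)
    for a in found:
        print(f'{a["time"]} {a["log"]}/{a["event_id"]} by {a["user"]}: {a["reason"]}')
    print("policy change followed by log clear:", policy_change_then_clear(found))
```

Because a cleared log leaves no record of what it contained, the clear event itself (and the account that triggered it) is usually the only trace left on the host, so forward these events to a collector the attacker cannot reach.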

Source: INFOSEC