Covering Tracks

An attack that can be detected is an attack that can be stopped, which is not a good result for an attacker. To stop an attack from being detected, attackers need to cover their tracks as completely and effectively as possible. Covering tracks needs to be a systematic process in which any evidence of the attack is erased. This includes logons, log files, error messages, files, and any other evidence that may tip off the owner of the system that something has occurred.

Disabling Auditing

One of the best ways to cover your tracks is not to leave any in the first place. In this case, disabling auditing is a way to do just that. Auditing is designed to allow the detection and tracking of events that are occurring on a system. If auditing is disabled, an attacker can deprive the system owner of the ability to detect the activities that have been carried out. When auditing is enabled on a Windows computer, all events that the system owner chooses to track will be placed in the Windows security log and can be viewed as needed. An attacker can disable it with the auditpol command included with Windows.

Using the NULL session technique seen earlier, you can attach to a system remotely and run the command as follows:

It is also possible for an attacker to perform what amounts to the surgical removal of entries in the Windows security log using tools such as the following:

  • Dumpel

  • ELsave

  • WinZapper

Of course, clearing audit logs isn't the only way to cover tracks; attackers can also use rootkits. Using techniques that will be discussed later, you can thwart rootkits to a certain degree, but once rootkits make their way onto a system, sometimes the only reliable way to ensure that a system is free of them is to rebuild that system.
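From the defender's side, the actions described above leave traces of their own: Windows records event 4719 ("System audit policy was changed") when auditpol alters a category and event 1102 ("The audit log was cleared") as the first entry of a freshly cleared Security log. The following PowerShell is an added example, not from the book; it assumes an elevated prompt and a look-back window of $Hours.

```powershell
# Added example: check whether auditing was disabled or the Security log cleared.
# Event 4719 = audit policy changed; event 1102 = Security log cleared.
# $Hours is an assumed look-back window; run from an elevated PowerShell prompt.
param([int]$Hours = 24)

$since = (Get-Date).AddHours(-$Hours)

# 1. Current effective policy: any subcategory reporting "No Auditing" is a gap,
#    whether created by policy or by an attacker running 'auditpol /set'.
Write-Output "Subcategories with auditing turned off:"
auditpol /get /category:* | Select-String -Pattern 'No Auditing'

# 2. Tampering events in the window. -ErrorAction SilentlyContinue suppresses
#    Get-WinEvent's error when no matching events exist.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4719, 1102
    StartTime = $since
} -ErrorAction SilentlyContinue

Write-Output "Audit-tampering events in the last $Hours hour(s):"
foreach ($e in $events) {
    $kind = if ($e.Id -eq 1102) { 'LOG CLEARED' } else { 'AUDIT POLICY CHANGED' }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Kind    = $kind
        User    = $e.UserId
        # First line of the message is enough to identify the change.
        Message = ($e.Message -split "`n")[0]
    }
}
```

Because a 1102 written into a cleared log survives the clearing, forwarding the Security log to a collector the attacker cannot reach is what makes this check trustworthy.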

Data Hiding

There are other ways to hide evidence of an attack, such as hiding the files placed on the system. Operating systems provide many methods that can be used to hide files, including file attributes and alternate data streams (ADS).

File attributes are a feature of OSs that allow files to be marked as having certain properties, including read only and hidden. Files can be flagged as hidden, making for a convenient way of hiding data and preventing detection through simple means, such as directory listings or browsing in Windows Explorer. Hiding files in this way does not provide complete protection, however, because more advanced detective techniques can uncover files hidden in this manner.

Another lesser-known way of hiding files in Windows is an ADS, which is a feature of NTFS. Originally, this feature was designed to ensure interoperability with the Macintosh Hierarchical File System (HFS), but it has since been used by hackers. ADS provides the ability to fork or hide file data within existing files without altering the appearance or behavior of a file in any way. In fact, when ADS is used, a file can be hidden from all traditional detection techniques, including dir and Windows Explorer.

In practice, the use of ADS is a major security issue because it is nearly a perfect mechanism for hiding data. Once a piece of data is embedded using ADS and is hidden, it can lie in wait until the attacker decides to run it later on.

The process of creating an ADS is simple:

Executing this command will take the file ninja.exe and hide it behind the file smoke.doc. At this point, the file is streamed. The next step would be to delete the original file that you just hid, specifically ninja.exe.

As an attacker, to retrieve the file, the process is as simple as the following:

This command has the effect of opening the hidden file and executing it.

As a defender, this sounds like bad news because files hidden in this way are impossible to detect using most means, but with the use of some advanced methods, they can be detected. Some of the tools that can be used to do this include:

  • Sfind—A forensic tool for finding streamed files

  • LNS—Used for finding ADS streamed files

  • Tripwire—Because it detects changes to files, this tool can by its nature also detect ADSs
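Windows itself can also enumerate streams: every NTFS file carries the unnamed ':$DATA' stream, so any other stream name is an ADS. The following PowerShell is an added example, not from the book or the tools listed above; it assumes PowerShell 3.0 or later (for Get-Item -Stream) and a starting directory in $Root.

```powershell
# Added example: list files under $Root that carry alternate data streams.
# $Root is an assumed starting directory; adjust to the share or profile under review.
param([string]$Root = 'C:\Users\Public')

Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
  ForEach-Object {
    $file = $_
    # -Stream * returns every stream of the file, including the default ':$DATA'.
    # Single quotes keep PowerShell from treating $DATA as a variable.
    Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
      Where-Object { $_.Stream -ne ':$DATA' } |
      ForEach-Object {
        [pscustomobject]@{
          File   = $file.FullName
          Stream = $_.Stream
          Bytes  = $_.Length
          # Zone.Identifier is the benign "mark of the web" added to downloads;
          # any other named stream deserves a look, especially if it is large.
          Suspicious = ($_.Stream -ne 'Zone.Identifier')
        }
      }
  } |
  Sort-Object Suspicious, Bytes -Descending |
  Format-Table -AutoSize
```

On Windows Vista and later, dir /r in a command prompt prints stream names alongside each file and can serve as a quick manual check of a single directory.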

Depending on the version of Windows and the system settings in place, an attacker can clear events completely from an event log or remove individual events.

CHAPTER 7 ASSESSMENT

  1. Enumeration discovers which ports are open.

     A. True

     B. False

  2. What can enumeration discover?

     A. Services

     B. User accounts

     C. Ports

     D. Shares

  3. ________ involves increasing access on a system.

     A. System hacking

     B. Privilege escalation

     C. Enumeration

     D. Backdoor

  4. ________ is the process of exploiting services on a system.

     A. System hacking

     B. Privilege escalation

     C. Enumeration

     D. Backdoor

  5. How are brute-force attacks performed?

     A. By trying all possible combinations of characters

     B. By trying dictionary words

     C. By capturing hashes

     D. By comparing hashes

  6. A ________ is an offline attack.

     A. Cracking attack

     B. Rainbow attack

     C. Birthday attack

     D. Hashing attack

  7. An attacker can use a(n) ________ to return to a system.

  8. A ________ replaces and alters system files, changing the way a system behaves at a fundamental level.

     A. Rootkit

     B. Virus

     C. Worm

     D. Trojan

  9. A NULL session is used to attach to Windows remotely.

     A. True

     B. False

  10. A(n) ________ is used to reveal passwords.

  11. A ________ is used to store a password.

     A. NULL session

     B. Hash

     C. Rainbow table

     D. Rootkit

  12. A ________ is a file used to store passwords.

     A. Network

     B. SAM

     C. Database

     D. NetBIOS
