Author Topic: How do you fully truncate logs?  (Read 608 times)

0 Members and 1 Guest are viewing this topic.

Offline th3l4st

  • Serf
  • *
  • Posts: 21
  • Cookies: -2
    • View Profile
How do you fully truncate logs?
« on: February 17, 2016, 03:36:51 pm »
Hello Evilzone, long time no see!

I've a question! I was documenting about anti forensic techniques and I came to the always hot topic of logs. To my utter shame I did not manage to find any sort of guide on how to truncate (yes, never delete files in this sort of places, to truncate is always better...) ALL, and by all I mean really everything, the logs in Linux systems, especially on Debian based distros. I know there are logs in the /var/log and in the temp folders, but who knows if there are other places where some sort of logs are stored and how to truncate them?

Thanks!!
"Privacy is like bacon, it makes everything better." Zoz, DEFCON 22

"Timeo danaos et dona ferentes" Laocoön, Aeneid

Offline Sherlock3d

  • /dev/null
  • *
  • Posts: 6
  • Cookies: 0
  • Nada resulta más engañoso que un hecho evidente.
    • View Profile
Re: How do you fully truncate logs?
« Reply #1 on: February 17, 2016, 04:39:27 pm »
Hi th3l4st, when you're in the post explotation one of the most important things it's evidences cleaning and there are diferent ways to accomplish them. Of course I assume that u're root due to the fact that those log files are privileged, some people delete them other people modify the files (I think that you're refering to modify with truncate).
For deleting the log files you can do diferent things from deleting them manually to writing a script (zapper) who searches and deletes the log files but I won't give you a source code because it won't help you, I recommend you to write your own scripts even more if you're interested in the process (everybody knows how to launch a script...) you can easily fill the log file with /dev/null.
You was asking about how many log files do you have to truncate, it depends on how did you accessed the system if you got in from a web issue you'll probably have to truncate server log files (apache or whatever it runs), if you had exploited a buffer overflow and it has broke the program probably you'll want to truncate the core dumps or the logs created at /var/log/messages in conclusion you have to pay attention on everything you do (bash history could betray you) access logs etc...
Here you have a list of log files and their location: http://www.thegeekstuff.com/2011/08/linux-var-log-files/
Most of the forensics use automated tools to analyze the log files (here you can start searching how they work and what log files they analyze for knowing what you have to modify or delete) mostly using string matching or regex you can confuse them by using strange ascii characters, commas, quotes, pipes or eLfL (it's 4 bytes header for Windows Event Logs) or replacing your IP address in the files or whatever you can think of.
Here you have a good presentation about anti-forensics techniques: https://www.defcon.org/images/defcon-20/dc-20-presentations/Perklin/DEFCON-20-Perklin-AntiForensics.pdf
If you have any doubts i'll be pleased to help you  :P
Sherlock3d
Lo que sabemos es una gota de agua; lo que ignoramos es el océano.

Offline TheWormKill

  • EZ's Scripting Whore
  • Global Moderator
  • Knight
  • *
  • Posts: 257
  • Cookies: 66
  • The Grim Reaper of Worms
    • View Profile
Re: How do you fully truncate logs?
« Reply #2 on: February 17, 2016, 05:42:21 pm »
An important thing to add is that systemd uses a custom binary log format for some reason, so you should look into that, as Debian uses systemd as it's init system (not so Devuan).
Stuff I did: How to think like a superuser, Iridium

He should make that "Haskell"
Quote
<m0rph-is-gay> fuck you thewormkill you python coding mother fucker

Offline th3l4st

  • Serf
  • *
  • Posts: 21
  • Cookies: -2
    • View Profile
Re: How do you fully truncate logs?
« Reply #3 on: February 17, 2016, 07:17:21 pm »
Thanks guys.  The website Sherlock posted is interesting 'cause it explains the various kinds of logs you can find on a Linux-based OS. BTW yes, I was assuming I had full root-access on the machine, after all it's mine.  ;D
"Privacy is like bacon, it makes everything better." Zoz, DEFCON 22

"Timeo danaos et dona ferentes" Laocoön, Aeneid