3.6 Covering Tracks, Anti-Forensics & Blue-Team Detection

Key Takeaways

  • Covering tracks aims to delay detection and frustrate forensic reconstruction by deleting, altering, or disabling evidence
  • Anti-forensic categories include log tampering/clearing, timestamp manipulation (timestomping), artifact wiping, and data hiding such as steganography, NTFS alternate data streams, and slack space
  • Steganography conceals the existence of data inside a carrier file (image/audio/document) and differs from encryption, which hides meaning; tools include OpenStego, Steghide, and SNOW
  • Centralized off-host logging, tamper-evident/append-only integrity, SIEM correlation, reliable time sync, and File Integrity Monitoring counter track-covering
  • The single strongest defense is shipping logs off the host in real time so a compromised system cannot rewrite its own history
Last updated: June 2026

The Last Phase: Staying Invisible

After persisting, an attacker tries to cover tracks so defenders and investigators cannot easily see what happened. The goal is rarely perfect erasure, which is almost never achievable, but rather delaying detection and degrading the forensic timeline. The CEH tests the categories of anti-forensics and, more importantly, the blue-team controls that defeat them.

Anti-Forensic Concept Categories

  • Log tampering / clearing — deleting, truncating, or selectively editing system, security, and application logs to remove traces of access and actions. On Windows this might be clearing the Security event log; on Linux, wiping auth.log or shell history.
  • Disabling logging or auditing — turning off or starving the logging subsystem so new activity is never recorded (stopping the logging agent, disabling audit policy).
  • Timestamp manipulation (timestomping) — altering file created/modified/accessed (MAC) times to break the investigator's timeline and hide planted files.
  • Artifact and history wiping — clearing command history, caches, temporary files, prefetch, and other residual evidence; secure-deletion tooling overwrites freed space.
  • Data hiding — concealing tools or stolen data so they are not noticed. Beyond steganography (below), attackers use NTFS Alternate Data Streams (ADS) to attach hidden content to a file and slack space to tuck data into unused parts of disk clusters.

Steganography: Hiding the Existence of Data

Steganography hides the existence of data by embedding it inside an innocuous carrier — an image, audio file, video, or document — so an observer does not even suspect hidden content is present. This is the CEH's most-tested data-hiding concept, and the key distinction is:

  • Encryption hides the meaning of data; an observer can see encrypted data exists but cannot read it.
  • Steganography hides the existence of data; the carrier looks completely ordinary.

Attackers sometimes combine both (encrypt, then hide), but on the exam the defining contrast is existence vs. meaning. CEH names several steganography tools you should recognize:

  Tool                         Carrier Type                       Note
  ---------------------------  ---------------------------------  --------------------------------------
  OpenStego                    Images                             Open-source data hiding + watermarking
  Steghide                     Images / audio (JPEG, WAV, BMP)    Embeds with a passphrase
  SNOW                         Text / whitespace                  Hides data in trailing whitespace
  QuickStego / Stegano tools   Images                             Simple image steganography

The counter-discipline is steganalysis — detecting the presence of hidden data, often via statistical/entropy analysis of a carrier (a clean JPEG and a stego JPEG have subtly different statistical fingerprints). For defenders, egress monitoring on outbound files plus entropy/anomaly analysis is how steganographic exfiltration is caught.

Blue-Team Detection and Defenses

The exam consistently rewards the centralized, tamper-evident answer. If logs live only on the host the attacker controls, they can be rewritten; the defense is to remove that control.

  Attacker Technique                    Primary Blue-Team Countermeasure
  ------------------------------------  -----------------------------------------------------------------------------------
  Clearing/editing local logs           Centralized off-host logging: ship events to a remote log server/SIEM in real time
  Disabling auditing                    Alert on logging service stop/agent gaps; monitor for log-source silence
  Timestomping                          File Integrity Monitoring; correlate with reliable server-side and network timestamps
  Artifact/history wiping               Endpoint Detection and Response telemetry retained off-host
  Steganography / data hiding           Egress monitoring, entropy/anomaly analysis, steganalysis on outbound data
  Alternate data streams / slack space  Endpoint and forensic tooling that inspects ADS and unallocated space
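The "monitor for log-source silence" countermeasure in the table, as an added example that is not part of the original guide: a Python check over constructed SIEM-style records that flags hosts which are still heartbeating but have stopped sending log-agent events. The host names, record format, and the two-hour and thirty-minute thresholds are assumptions chosen to mirror the scenario in the last quiz question.

```python
from datetime import datetime, timedelta

# Constructed SIEM-style records (sample data, not from any real environment):
# "<ISO time> <host> <source> <message>". "heartbeat" rows come from an
# availability monitor; every other source is the host's own log agent.
SAMPLE_EVENTS = """\
2026-06-01T08:00:00 web01 heartbeat up
2026-06-01T08:00:05 web01 winlog 4624 logon success
2026-06-01T08:30:00 web01 heartbeat up
2026-06-01T09:00:00 web01 heartbeat up
2026-06-01T09:30:00 web01 heartbeat up
2026-06-01T10:00:00 web01 heartbeat up
2026-06-01T08:00:10 db01 winlog 4624 logon success
2026-06-01T09:00:00 db01 heartbeat up
2026-06-01T09:55:00 db01 winlog 4672 special privileges assigned
2026-06-01T10:00:00 db01 heartbeat up
2026-06-01T07:00:00 old01 heartbeat up
2026-06-01T07:00:01 old01 syslog sshd session opened
"""

NOW = datetime.fromisoformat("2026-06-01T10:05:00")  # assumed evaluation time

def parse_events(text):
    """Return (timestamp, host, source) tuples from the sample format."""
    events = []
    for line in text.splitlines():
        ts, host, source, *_ = line.split()
        events.append((datetime.fromisoformat(ts), host, source))
    return events

def silent_hosts(events, now, max_log_gap=timedelta(hours=2),
                 heartbeat_window=timedelta(minutes=30)):
    """Return {host: gap} for hosts that are alive but have gone quiet."""
    last_log, last_beat = {}, {}
    for ts, host, source in events:
        bucket = last_beat if source == "heartbeat" else last_log
        bucket[host] = max(bucket.get(host, ts), ts)
    findings = {}
    for host, beat in last_beat.items():
        if now - beat > heartbeat_window:
            continue  # host itself is down: an availability alert, not a tampering signal
        gap = now - last_log.get(host, datetime.min)
        if gap > max_log_gap:
            findings[host] = gap
    return findings

if __name__ == "__main__":
    for host, gap in silent_hosts(parse_events(SAMPLE_EVENTS), NOW).items():
        print(f"{host}: online but no log events for {gap}")
```

Only web01 is reported: db01 logged ten minutes ago, and old01 has not heartbeated for three hours, so its silence is a different alert.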

Core controls to remember:

  • Centralized log management and a SIEM — a Security Information and Event Management system aggregates logs from many sources off the host, correlates events, and alerts. Because the evidence has already left the compromised machine, clearing local logs no longer erases history. A conspicuous gap in expected log flow itself becomes an indicator of compromise.
  • Tamper-evident / append-only log integrity — write-once or cryptographically chained logging so unauthorized edits are detectable.
  • File Integrity Monitoring (FIM) — detects timestamp manipulation and unexpected changes to protected files and logs.
  • Reliable time synchronization (NTP) — consistent, trusted clocks make timestomping and timeline gaps stand out during correlation.
  • Least privilege on logs — restricting who can modify or clear audit logs raises the bar for tampering and makes clearing attempts themselves auditable.
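The "cryptographically chained logging" control above, as an added example that is not the guide's own code: a minimal SHA-256 hash-chained append-only log in Python, with a verifier. It also shows the caveat a practitioner needs: a chain alone is only tamper-evident if its latest head hash is anchored off-host, because an attacker who controls the host can rewrite a record and recompute every later hash. Record contents and the anchoring scheme are constructed assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value for the first entry

def entry_hash(prev_hash, record):
    """Hash of this entry: binds the record to everything before it."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()

def append_entry(chain, record):
    """Append-only write: each entry carries the hash of its predecessor."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"record": record, "prev": prev, "hash": entry_hash(prev, record)})
    return chain[-1]["hash"]  # the new head; this is what gets shipped off-host

def first_broken_index(chain):
    """Index of the first entry that fails the local chain check, or -1 if intact."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or entry["hash"] != entry_hash(prev, entry["record"]):
            return i
        prev = entry["hash"]
    return -1

def verify_against_anchor(chain, anchor_head):
    """Full check: internally consistent AND head equals the off-host anchor."""
    head = chain[-1]["hash"] if chain else GENESIS
    return first_broken_index(chain) == -1 and head == anchor_head

def demo():
    """Constructed scenario: three audit records, then two kinds of tampering."""
    chain = []
    for rec in ({"evt": 4624, "user": "svc"}, {"evt": 4672, "user": "svc"},
                {"evt": 1102, "msg": "audit log cleared"}):
        anchor = append_entry(chain, rec)  # remote collector keeps the latest head
    # 1) In-place edit of the last record: the local chain check catches it.
    chain[2]["record"]["msg"] = "routine maintenance"
    naive_edit_caught = first_broken_index(chain) == 2
    # 2) Edit AND recompute the hash (and any later ones): the chain is now
    #    self-consistent, so only the off-host anchor reveals the rewrite.
    chain[2]["hash"] = entry_hash(chain[2]["prev"], chain[2]["record"])
    rebuilt_looks_clean = first_broken_index(chain) == -1
    anchor_catches_it = not verify_against_anchor(chain, anchor)
    return naive_edit_caught, rebuilt_looks_clean, anchor_catches_it
```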

The One Idea to Remember

If you remember a single thing from this section for the exam: ship logs off the host in real time. An attacker can rewrite history only on systems they control, so centralized, tamper-evident logging plus SIEM correlation is the decisive countermeasure to covering tracks. The same theme closes the whole chapter: at every system-hacking phase, the most durable defenses live off the compromised host, because a machine the attacker controls cannot be trusted to report honestly on itself.

Why Covering Tracks Rarely Fully Succeeds

The exam wants you to understand why defenders still win even when an attacker tries to erase evidence:

  • Evidence has usually already left the host. Forwarded logs, SIEM events, and network flow records exist where the attacker cannot reach them.
  • Deletion creates its own signal. A cleared event log, a stopped audit service, or a sudden log-source gap is itself an alertable indicator of compromise.
  • Time and integrity controls expose tampering. Reliable NTP and File Integrity Monitoring make timestomping and altered binaries stand out during correlation.
  • Forensics recovers more than attackers expect. Slack space, alternate data streams, journaling, and unallocated space frequently retain artifacts that simple wiping misses.
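The "time and integrity controls expose tampering" point, as an added example rather than anything from the guide: a small File Integrity Monitoring check in Python that compares a file against a stored baseline and treats "content changed but mtime did not advance" as the timestomping indicator described earlier. The file name, baseline format, and the 60-second ctime skew threshold are assumptions; the demo exercises the check in a temporary directory.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass

@dataclass(frozen=True)
class FileRecord:
    sha256: str
    mtime_ns: int  # content-modified time; user space can set this freely
    ctime_ns: int  # inode-change time; on Linux only the kernel updates it

def snapshot(path):
    """Record content hash and timestamps for the FIM baseline."""
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    st = os.stat(path)
    return FileRecord(digest, st.st_mtime_ns, st.st_ctime_ns)

def fim_findings(path, baseline, ctime_skew_ns=60 * 10**9):
    """Compare a file with its baseline; return a list of findings (empty = clean)."""
    cur = snapshot(path)
    findings = []
    if cur.sha256 != baseline.sha256:
        findings.append("content changed")
        if cur.mtime_ns <= baseline.mtime_ns:
            findings.append("mtime did not advance although content changed (timestomping indicator)")
    if cur.ctime_ns - cur.mtime_ns > ctime_skew_ns:
        # Plain writes keep ctime close to mtime; a much newer ctime means the inode
        # was touched after the content time was set back. chmod/chown/rename do
        # this too, so correlate it rather than treating it as proof.
        findings.append("ctime far ahead of mtime")
    return findings

def demo():
    """Constructed scenario in a temp dir: a clean check, then a backdated edit."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "config.cfg")
        with open(path, "w") as f:
            f.write("setting = original\n")
        baseline = snapshot(path)
        clean = fim_findings(path, baseline)
        with open(path, "w") as f:
            f.write("setting = modified\n")
        # Simulate the timestomp the text describes: reset mtime to the baseline value.
        os.utime(path, ns=(baseline.mtime_ns, baseline.mtime_ns))
        tampered = fim_findings(path, baseline)
    return clean, tampered
```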

The practical exam heuristic: when a question describes an attacker hiding or destroying evidence, the best answer is almost always the control that moves the source of truth beyond the attacker's reach or makes tampering detectable — centralized off-host logging, tamper-evident integrity, FIM, and SIEM correlation — rather than any host-local hardening. That single principle ties the covering-tracks phase back to the chapter's through-line and is the highest-yield idea to carry into the exam.

Test Your Knowledge

An attacker clears the local security event log on a compromised server after the intrusion. Which control most directly preserves the evidence despite this?

How does steganography differ from encryption as an anti-forensic technique?

Which tool would an attacker use to embed hidden data inside an image or audio file using a passphrase?

A blue team notices that a normally chatty server has sent zero log events to the SIEM for two hours, though the host appears online. Why is this significant?
