# 4. Clear Logs to hide the Evidence of Compromise

## 1. Clear Windows Machine Logs using Various Utilities <a href="#task-1-clear-windows-machine-logs-using-various-utilities" id="task-1-clear-windows-machine-logs-using-various-utilities"></a>

The system log file contains events that are logged by the OS components. These events are often predetermined by the OS itself. System log files may contain information about device changes, device drivers, system changes, events, operations, and other changes.

There are various Windows utilities that can be used to clear system logs such as Clear\_Event\_Viewer\_Logs.bat, wevtutil, and Cipher. Here, we will use these utilities to clear the Windows machine logs.

Right-click **Clear\_Event\_Viewer\_Logs.bat** and click **Run as administrator**.

<figure><img src="https://2218819509-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrUBnODuUX4EQ8P27uc5D%2Fuploads%2FV5sO2J3cMbkP9eCI3PYC%2Fimage.png?alt=media&#x26;token=2e145dcb-5463-428a-9625-1d0025a4b7ae" alt=""><figcaption></figcaption></figure>

A **Command Prompt** window appears, and the utility starts clearing the event logs, as shown in the screenshot. The command prompt will automatically close when finished.

Clear\_Event\_Viewer\_Logs.bat is a utility that can be used to wipe out the logs of the target system. This utility can be run through command prompt or PowerShell, and it uses a BAT file to delete security, system, and application logs on the target system. You can use this utility to wipe out logs as one method of covering your tracks on the target system.

### **wevtutil**

**wevtutil el** (long form **enum-logs**) lists the names of all event logs on the machine. Run **wevtutil cl \[log\_name]** (long form **clear-log**) to clear one specific log; here we clear the **System** log. **log\_name** is the name of the log to clear, for example **System**, **Application** or **Security**. Note that the wipe itself is recorded: clearing the Security log writes Event ID 1102 into the freshly emptied Security log, and clearing any other log writes Event ID 104 into the System log, both stamped with the account that did it.

<figure><img src="https://2218819509-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrUBnODuUX4EQ8P27uc5D%2Fuploads%2FgLqS471yuaMoRvblFJBW%2Fimage.png?alt=media&#x26;token=2901ad42-b101-4929-8853-15abdd6dc140" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2218819509-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrUBnODuUX4EQ8P27uc5D%2Fuploads%2FIuLJNiLHFpIkC2WowPK3%2Fimage.png?alt=media&#x26;token=8bb1bd7b-4b5e-4804-a6c4-94a2e1cc2305" alt=""><figcaption></figcaption></figure>

Similarly, you can also clear application and security logs by issuing the same command with different log names (**application, security**).

### Cipher.exe

In **Command Prompt**, run **cipher /w:\[Drive or Folder Location]** to overwrite the unallocated space of the NTFS volume that holds the given drive or folder. The Cipher.exe utility fills the free space three times, first with all zeroes (0x00), second with all 255s (0xFF), and finally with random data, as shown in the screenshot. The switch only touches space that is not allocated to any file, so it does not delete or overwrite existing files, it temporarily fills the volume to capacity (using a temporary folder it creates on that volume) and it can take a long time on a large disk.

Cipher.exe is an in-built Windows command-line tool that can be used to securely delete a chunk of data by overwriting it to prevent its possible recovery. This command also assists in encrypting and decrypting data in NTFS partitions.

When an attacker creates a malicious text file and encrypts it with EFS, Windows writes a plaintext backup copy of the file while the encryption is in progress, so that the data can be recovered if the operation is interrupted. After the encryption completes, the backup file is deleted, but a deleted file's clusters stay on disk until they are reused, so data-recovery software can carve the plaintext back out and security personnel can use it for investigation. To defeat that recovery and cover their tracks, attackers run Cipher.exe with **/w** afterwards to overwrite the freed space.

<figure><img src="https://2218819509-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrUBnODuUX4EQ8P27uc5D%2Fuploads%2FNQhKCkjNKabjoCRMGKNy%2Fimage.png?alt=media&#x26;token=1e2f7504-5956-49ac-8071-a79a29a35fa1" alt=""><figcaption></figcaption></figure>

## 2. Clear Linux Machine Logs using the BASH Shell <a href="#task-2-clear-linux-machine-logs-using-the-bash-shell" id="task-2-clear-linux-machine-logs-using-the-bash-shell"></a>

The BASH or Bourne Again Shell is a sh-compatible shell that stores command history in a file called bash history. You can view the saved command history using the more \~/.bash\_history command. This feature of BASH is a problem for hackers, as investigators could use the bash\_history file to track the origin of an attack and learn the exact commands used by the intruder to compromise the system.

Open a Terminal window and run **export HISTSIZE=0** to stop the current BASH shell from keeping a history list. This affects only the session in which it is run and only from that point on; commands already recorded are not removed.\
In the **Terminal** window, run **history -c** to clear the history list that the shell holds in memory.

**history -c** is the usual complement to disabling history: it empties the list of the running shell, so nothing from this session is written out when the shell exits. It does not touch what earlier sessions have already written to **\~/.bash\_history**, so a file-level step is still needed for that.

<figure><img src="https://2218819509-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrUBnODuUX4EQ8P27uc5D%2Fuploads%2FEc93L7724DBQt9gu1FGL%2Fimage.png?alt=media&#x26;token=c3b304ea-fb3d-4d6f-9338-f3f450db58d8" alt=""><figcaption></figcaption></figure>

The **history -w** command writes the current shell's history list over **\~/.bash\_history**; run right after **history -c** it leaves the file empty, while other shells that are still open are unaffected until they write their own lists on exit. Run **shred \~/.bash\_history** to overwrite the contents of the history file in place with random data, so that they cannot be recovered by reading the file (**shred -u** removes the file as well). Shred gives no guarantee on filesystems that do not overwrite blocks in place, such as ext3/ext4 in data=journal mode, btrfs, ZFS or any volume with snapshots, where the old blocks may survive.

```
shred ~/.bash_history && cat /dev/null > ~/.bash_history && history -c && exit
```

This chain first overwrites the history file in place, then truncates it to zero length, then clears the in-memory history list so that the chain itself is not written back, and finally exits the shell.

<figure><img src="https://2218819509-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrUBnODuUX4EQ8P27uc5D%2Fuploads%2F4pUUvvvYv39EOYLAQidG%2Fimage.png?alt=media&#x26;token=f6677b46-6417-430f-9594-49165e4bc5cd" alt=""><figcaption></figcaption></figure>

## <mark style="color:red;">3. View, Edit and clear Audit Policies using Auditpol</mark>

Auditpol.exe is the command-line utility used to change the audit security settings at the category and sub-category levels. You can use Auditpol to enable or disable security auditing on local or remote systems and to adjust the audit criteria for different categories of security events. In practice, as soon as intruders gain administrative privileges, they disable auditing with auditpol.exe; once they have completed their mission, they turn auditing back on with the same tool. Every change made this way is itself recorded as Security Event ID 4719 ("System audit policy was changed") for as long as the Audit Policy Change subcategory is enabled, so the act of switching auditing off leaves a trace.

To view all audit policies

```
auditpol /get /category:*
```

<figure><img src="https://2218819509-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrUBnODuUX4EQ8P27uc5D%2Fuploads%2FyLVvGIrGOxQB2o9s9apf%2Fimage.png?alt=media&#x26;token=29ca55c2-4663-4706-bdd0-49e1b4e361d8" alt=""><figcaption></figcaption></figure>

To set an auditing policy

```
auditpol /set /category:"system","account logon" /success:enable /failure:enable
```

<figure><img src="https://2218819509-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrUBnODuUX4EQ8P27uc5D%2Fuploads%2FjGJ59XMjHBz1IQsIWD21%2Fimage.png?alt=media&#x26;token=799457b8-25f6-4184-85c1-d66457835f8a" alt=""><figcaption></figcaption></figure>

To clear all audit policies

```
auditpol /clear /y
```
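The following is an added example, not part of the original lab, showing how the auditpol state above looks from PowerShell and what a responder checks afterwards. Function names are my own; it assumes an elevated PowerShell session on Windows.

```powershell
# Added example (not from the original lab). Assumes an elevated PowerShell
# session on Windows; the function names are my own.

function Get-AuditPolicy {
    # /r makes auditpol emit CSV, which is easier to check than the screen layout.
    # Columns: Machine Name, Policy Target, Subcategory, Subcategory GUID,
    # Inclusion Setting, Exclusion Setting.
    auditpol.exe /get /category:* /r |
        Where-Object { $_ -match '\S' } |
        ConvertFrom-Csv |
        Select-Object Subcategory, 'Inclusion Setting'
}

function Get-UnauditedSubcategories {
    # After "auditpol /clear /y" every row reads "No Auditing"; a host where
    # Logon, Audit Policy Change or Security State Change show this is suspect.
    Get-AuditPolicy | Where-Object { $_.'Inclusion Setting' -eq 'No Auditing' }
}

function Get-AuditPolicyChangeEvents {
    param([int]$MaxEvents = 20)
    # Each auditpol /set or /clear is recorded as Security Event ID 4719
    # ("System audit policy was changed") while Audit Policy Change is enabled.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4719 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Usage:
#   auditpol.exe /backup "/file:$env:TEMP\audit.csv"   # keep a copy of the current policy
#   auditpol.exe /clear /y                              # (attacker) switch everything off
#   Get-UnauditedSubcategories                          # (defender) every subcategory now reads "No Auditing"
#   Get-AuditPolicyChangeEvents                         # the 4719 records the change left behind
#   auditpol.exe /restore "/file:$env:TEMP\audit.csv"   # put the policy back
```

The backup/restore pair is how the "turn auditing back on" step in the text is done without retyping every subcategory; the 4719 events remain in the Security log in either case unless that log is cleared too, which in turn leaves a 1102.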

## <mark style="color:red;">4. Clear windows logs using different utilities</mark>

**Bat Script**

{% embed url="<https://www.tenforums.com/tutorials/16588-clear-all-event-logs-event-viewer-windows.html>" %}

Download the script and run as administrator.

**wevtutil el**

list event logs

```
wevtutil el
```

<figure><img src="https://2218819509-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrUBnODuUX4EQ8P27uc5D%2Fuploads%2FSZYU1M78o4GpWtUs4sjH%2Fimage.png?alt=media&#x26;token=9f947a3b-232c-43e0-ab44-51c8feb80952" alt=""><figcaption></figcaption></figure>

To clear a single log

```
wevtutil cl System
```

Here **System** is the log name; replace it with **Application** or **Security** for the other classic logs.

To clear all logs (typed at an interactive Command Prompt; inside a .bat file write **%%1** instead of **%1**). Some ETW and debug channels listed by **wevtutil el** cannot be cleared and will print an error, which is harmless.

```
for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"
```
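The same loop from a PowerShell session, together with the check that shows what the wipe leaves behind (sections 1 and 4 both rely on wevtutil, so one example serves both). This is an added example, not code from the original lab; the function names are my own and it assumes an elevated PowerShell session on Windows.

```powershell
# Added example (not from the original lab). Assumes an elevated PowerShell
# session on Windows; the function names are my own.

function Clear-AllEventLogs {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param()

    # wevtutil el lists every channel, including ETW/debug channels that cannot
    # be cleared; those failures are reported instead of silently skipped.
    foreach ($log in (wevtutil.exe el)) {
        if ($PSCmdlet.ShouldProcess($log, 'Clear event log')) {
            wevtutil.exe cl "$log" 2>$null
            if ($LASTEXITCODE -ne 0) {
                Write-Warning "Could not clear '$log' (exit code $LASTEXITCODE)"
            }
        }
    }
}

function Get-LogClearEvents {
    param([int]$MaxEvents = 20)
    # Clearing the Security log writes Event ID 1102 into the fresh Security log;
    # clearing any other log writes Event ID 104 into the System log. Both record
    # who cleared the log and when, which is the first thing a responder pulls.
    $filters = @(
        @{ LogName = 'Security'; Id = 1102; ProviderName = 'Microsoft-Windows-Eventlog' },
        @{ LogName = 'System';   Id = 104;  ProviderName = 'Microsoft-Windows-Eventlog' }
    )
    foreach ($f in $filters) {
        Get-WinEvent -FilterHashtable $f -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, Id, LogName, UserId, Message
    }
}

# Usage:
#   Clear-AllEventLogs -WhatIf    # dry run: lists every channel it would wipe
#   Clear-AllEventLogs            # prompts before each log (ConfirmImpact is High)
#   Get-LogClearEvents            # the 1102/104 records the wipe left behind
```

Because 1102 and 104 are written after the clear, wiping the logs on a host that forwards events to a collector does not remove what was already shipped, and the clear-log records themselves are a high-signal detection.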

**Cipher (overwrite the free space where deleted files live)**

```
cipher /w:c:
```

<figure><img src="https://2218819509-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrUBnODuUX4EQ8P27uc5D%2Fuploads%2FMfTUu6hm9xEdtgJ6Uty9%2Fimage.png?alt=media&#x26;token=c1c12df1-d1f6-4689-8908-d40119f8b218" alt=""><figcaption></figcaption></figure>

## <mark style="color:red;">5. Clear Linux logs using bash shell</mark>

Disable history keeping

```
export HISTSIZE=0
```

To clear bash history

```
history -c
```

write the current shell's history list over the history file (after **history -c** this leaves the file empty; other open shells are unaffected)

```
history -w
```

overwrite the history file in place with random data, without clearing the in-memory list (**shred -u** also removes the file)

```
shred ~/.bash_history
```

to view history file

```
more ~/.bash_history
```

First shred the history file, then truncate it, clear the in-memory list so the chain itself is not written back, and exit.

```
shred ~/.bash_history && cat /dev/null > ~/.bash_history && history -c && exit
```

<figure><img src="https://2218819509-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrUBnODuUX4EQ8P27uc5D%2Fuploads%2FimcS9fzknXI9j1k4rPUb%2Fimage.png?alt=media&#x26;token=811bf97c-80e2-43e3-9528-74a5ef12da28" alt=""><figcaption></figcaption></figure>

## <mark style="color:red;">6. Hiding Artifacts in Windows and Linux</mark>

### Windows

create a dir

```
mkdir test
```

Hide a folder in windows

```
attrib +h +r +s test
```

<figure><img src="https://2218819509-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrUBnODuUX4EQ8P27uc5D%2Fuploads%2FCNnoNH4pBWcHhO11bAhq%2Fimage.png?alt=media&#x26;token=7e81597c-3b61-48f0-bce0-de4e65d550ff" alt=""><figcaption></figcaption></figure>

To unhide a folder in windows

```
attrib -s -h -r test
```

<figure><img src="https://2218819509-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrUBnODuUX4EQ8P27uc5D%2Fuploads%2FWwkE5boOdyc6ZTuFXt8V%2Fimage.png?alt=media&#x26;token=a53d79a8-d91a-42dd-b19c-a1c1115a675e" alt=""><figcaption></figcaption></figure>

Hide user accounts in Windows

```
net user test /add
net user test /active:yes
net user test /active:no
```

**/active:no** disables the account: it can no longer sign in and it disappears from the sign-in screen, but it is still listed by **net user** and in Local Users and Groups, so it is hidden from a casual look rather than from an investigator.
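An added example, not from the original lab, showing how a defender finds the two Windows artifacts hidden above (directories with the +h +s attributes and disabled local accounts). Function names are my own; it assumes a PowerShell session on Windows and, for the account check, the Microsoft.PowerShell.LocalAccounts module that ships with Windows.

```powershell
# Added example (not from the original lab). Assumes a PowerShell session on
# Windows; the function names are my own.

function Find-HiddenSystemDirectories {
    param([string]$Root = 'C:\Users', [int]$Depth = 3)
    # +h +s on a directory hides it from Explorer and from a plain "dir";
    # -Force and -Attributes bring those entries back. Directories and
    # junctions Windows itself marks this way are excluded so that ones
    # created with "attrib +h +r +s" stand out.
    $windowsOwned = '$RECYCLE.BIN', 'System Volume Information', 'Application Data',
                    'Local Settings', 'Cookies', 'Start Menu', 'Templates', 'SendTo',
                    'Recent', 'NetHood', 'PrintHood', 'My Documents'
    Get-ChildItem -Path $Root -Recurse -Depth $Depth -Force -Directory `
                  -Attributes Hidden+System -ErrorAction SilentlyContinue |
        Where-Object { $windowsOwned -notcontains $_.Name -and $_.LinkType -ne 'Junction' } |
        Select-Object FullName, LastWriteTime
}

function Get-DisabledLocalUsers {
    # "net user X /active:no" disables the account and drops it from the
    # sign-in screen, but it is still enumerated here and by "net user".
    Get-LocalUser | Where-Object { -not $_.Enabled } |
        Select-Object Name, Enabled, LastLogon, PasswordLastSet
}

# Usage:
#   Find-HiddenSystemDirectories               # hidden+system dirs under C:\Users
#   Find-HiddenSystemDirectories -Root 'C:\'   # whole volume, slower
#   Get-DisabledLocalUsers                     # accounts parked with /active:no
```

Narrowing on LastWriteTime and PasswordLastSet against the suspected intrusion window is usually enough to separate an attacker's drop folder or parked account from the ones Windows created.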

### Linux

Name a file or directory with a leading **.** to hide it from a plain **ls**. To view the hidden entries as well

```
ls -la
```

<figure><img src="https://2218819509-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrUBnODuUX4EQ8P27uc5D%2Fuploads%2F8VeCRKlQ6UHbH4YlxUmH%2Fimage.png?alt=media&#x26;token=d663c76e-be78-49af-91c3-97d5e8f4bbbf" alt=""><figcaption></figcaption></figure>

## <mark style="color:red;">7. Clear Windows logs using CCleaner</mark>

{% embed url="<https://www.ccleaner.com/ccleaner/download>" %}

### CEHv13 Practical Course

{% embed url="<https://www.udemy.com/course/ethical-hacker-practical/?referralCode=289CF01CF51246BCAD6C>" %}
