Enter a short description of the course.

Once intruders successfully gain administrator access on a system, they try to cover their tracks to prevent detection of their presence (either current or past). To prevent detection, the hacker usually erases any error messages or security events that have been logged.

Disabling auditing and clearing the event log are two methods used by a hacker to cover their tracks and avoid detection.

It is therefore important to study this topic to learn about defense strategies to be adopted to counter the system log attacks.

In this course, you will learn more about system logs and security measures that have to be activated in order to keep intruders at bay. You will become aware of inbuilt system log mechanisms that enable detection of any intrusions, and you will be able to safeguard your systems from any intrusions.


SELF-PACED, PRE-RECORDED

DURATION: 18 HOURS (18 CPE POINTS) 


Course benefits:

What will you learn about?

  • How clearing event logs and disabling auditing are used to cover tracks
  • How hiding files can be used to sneak out sensitive information
  • Steganography, NTFS streaming, and the attrib command. These are methods hackers use to  hide and steal files.

What skills will you gain?

You will be able to recognize compromised systems as well as launch the necessary defense in such circumstances. You will develop the necessary technical know-how with regard to:

  • EventLog working in Windows
  • Linux and Unix System Logging
  • How to defend against log and accounting file attacks
  • How to create hidden files and directories in Windows and Unix
  • File integrity checking tool usage.

What tools will you use?

  • Windows Event Viewer
  • Backdoor: Netcat
  • Kali with VirtualBox

Course Pre-requisites

What will you need?

Windows OS, LINUX/UNIX platforms.

What should you know before you join?

Basics of Cyber Forensics, for example the five-phase cycle of attack.


Sign up to receive notifications about this course >>


COURSE SYLLABUS


MODULE 1: COVERING TRACKS AND HIDING

Poorly maintained home computers connected to the Internet with broadband connections are the largest proportion of compromises, and business networks are attractive targets.

  • Hiding on a system is done by utilizing a rootkit or backdoor program.
  • Hackers cover their tracks by modifying logs, creating hidden files, and establishing covert channels.

What are the ways the attacker adopts to keep their presence hidden? The previously mentioned ways are mostly adopted by attackers in Windows and Linux/Unix systems. It is important to know about the ways the attacker adopts to interpret the moves. If you follow a career in system or network security administration, these are the basics you have to be aware of. It gives awareness to even any IT personnel in a corporate environment with regard to system management.

Techniques used by rootkits are incredibly powerful and allow an attacker to mask practically all of their activities on the compromised machine. There will often be traces of the installation of the rootkit in the system's logs. Events of failed login records, error conditions, stopped and restarted services, and file access and update times must be purged from the logs or altered to avoid having these activities spotted by an alert administrator.

An attacker hides his/her presence in the system and is capable of monitoring a machine without the knowledge of the user. Several of these hiding techniques are dealt with in this course.

If you choose a career in system or network security administration, these are the basics that you have to be aware of.

  1. HIDING EVIDENCE BY ALTERING EVENT LOGS.
  2. ATTACKING EVENT LOGS IN WINDOWS
  3. ATTACKING SYSTEM LOGS AND ACCOUNTING FILES IN UNIX AND LINUX
  4. ALTERING LINUX AND UNIX SHELL HISTORY FILES

Labs in this module will cover:

  • Windows Event Viewer
  • Backdoor: Netcat
  • Kali with VirtualBox
    • It would enable the student to understand the event logs in systems.
    • Also how a two-way Netcat communication happen.

MODULE 2: DEFENSES AGAINST LOG AND ACCOUNTING FILE ATTACKS

Logs that have been tampered with are useless for investigative purposes, and conducting a forensic investigation without adequate logging is like trying to drive a car while wearing a blindfold. Critical systems containing information about human resources, legal issues, and mergers and acquisitions, logs could make or break one’s ability to detect an attack and build a case for prosecution. To mount an effective defense, it is required to prevent attackers from having the ability to alter logs. It is important to know the possible security measures the users have to take to keep off the intruders.

An IT security professional who knows the defense mechanisms can prevent an intruder’s entry to computing machines.

  1. ACTIVATE LOGGING
  2. SETTING PROPER PERMISSIONS
  3. USING A SEPARATE LOGGING SERVER
  4. ENCRYPTING LOG FILES
  5. MAKING LOG FILES APPEND ONLY
  6. PROTECTING LOG FILES USING WRITE-ONCE MEDIA

These topics teach techniques used to defend logs on Windows and Linux/UNIX, as well as other platforms.

Labs in this module will cover:


MODULE 3: CREATING DIFFICULT-TO-FIND FILES AND DIRECTORIES

Attackers cover their tracks on a system creating files and directories with special names or other attributes that are easily overlooked by users and system administrators. We cover how attackers create hidden directories and files in UNIX and Windows systems, for their own purposes, which is not clear to a user. Knowing this will enable you to understand and identify “hidden” directories and files, which will enable you to defend directories and files with the Integrity checking tool.

Explore the many ways to hide files and directories under UNIX and Windows using only the basic operating system features, without requiring the installation of a rootkit.                                         

  1. CREATING HIDDEN FILES AND DIRECTORIES IN UNIX
  2. DEFENSES FROM HIDDEN FILES

Labs in this module will cover:

  • Scanning, as well as antivirus to999ol usage, check the contents of directories.
  • Lessons about working the Ads Spy tool used to search and remove Alternate Data Streams (ADS) from NTFS file systems available at https://www.bleepingcomputer.com/download/ads-spy/

MODULE 4: HIDING EVIDENCE ON THE NETWORK: COVERT CHANNELS

Attackers utilize stealth mechanisms to communicate with the backdoor system across the network. We cover how attackers communicate with the nefarious programs on a victim’s machine after cleaning tracks in the logs. It is important to prevent attackers from gaining access to the network. You will learn that the OS has to be hardened with secure configurations and also cover the necessity for regular security patch applications.

Once attackers have installed backdoor listeners on a system and cleaned up their tracks in the logs, they still need to communicate with their nefarious programs on the victim machine to control them. Disguised communication mechanisms are referred to as covert channels. Covert channels are essentially an exercise in hiding data while it moves.

  1. TUNNELING
  2. LOKI: COVERT CHANNELS USING ICMP
  3. REVERSE WWW SHELL: COVERT CHANNELS USING HTTP
  4. DEFENSES AGAINST COVERT CHANNELS

Labs in this module will cover:

  • Lessons about steganography tools.

Final exam

A multiple-choice test, covering topics discussed in the course; for example, Installation of backdoors, Log Clearing, Creating hidden files, Steganography (45 questions).


Your instructor: Ranjitha R

I am a post graduate in Cyber Forensics and Information Security and I have been in the field for the past five years.

I have a keen interest to acquire knowledge in my selected field. I have published two articles in the eForensics Magazine and I am in the beta testing group, too.

I love teaching and I am interested in research possibilities in Data Security.

Altogether I'm enjoying my life in learning and interacting with new events happening around me.  Looking forward ftoan interesting course session!


Course format: 

  • The course is self-paced – you can visit the training whenever you want and your content will be there.
  • Once you’re in, you keep access forever, even when you finish the course.
  • There are no deadlines, except for the ones you set for yourself.
  • We designed the course so that a diligent student will need about 18 hours of work to complete the training.
  • The course contains video and text materials, accompanied by practical labs and exercises.

Questions? Contact our course coordinator Marta at [email protected]

Course Reviews

N.A

ratings
  • 5 stars0
  • 4 stars0
  • 3 stars0
  • 2 stars0
  • 1 stars0

No Reviews found for this course.

TAKE THIS COURSE
  • $219.00 $169.00
  • UNLIMITED ACCESS
  • Course Certificate
308 STUDENTS ENROLLED

Certificate Validation

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013