Covering your BASH Shell Tracks- Anti-Forensics

Welcome Back Hackers!

BASH users love the convenience of retrieving command history with the up and down arrows, saving valuable time. BASH, the Bourne Again Shell, stores this history in a hidden file named ".bash_history" in the user's home directory. However, in system activity investigations, this convenience can turn against us. As most hacking activities take place through the Linux command line, the commands stored in .bash_history can easily expose our actions.

Saved Command History

Before delving into methods to conceal BASH tracks, it's crucial to understand a bit about the command history. BASH saves your command history in the hidden file ~/.bash_history. You can view its contents by typing:
# more ~/.bash_history

This would be the same way a skilled forensic investigator would find our history. This may not be a good thing.

Disabling History

To prevent the BASH shell from saving our command history, we can set the environment variable HISTSIZE to zero. HISTSIZE determines the number of commands being stored, with a default setting of 500 or 1000.

We can keep the BASH shell from saving our commands by typing:
# export HISTSIZE=0

With the shell no longer saving our command history, we sacrifice the convenience of quickly retrieving commands while working on our Linux system. This may extend the time needed for hacking as we have to rewrite each command, which I find inconvenient.

Clearing the History

Rather than disabling command history, we can clear the history on the current BASH shell by simply using the history command with the -c (clear) switch.
# history -c

Then, to make certain the change is written to disk, we tell the history command to do so with the -w switch, as follows:
# history -w

Clearing the history with the history -c command only affects the current shell, leaving commands in other shells untouched. To completely remove our command history, we have to execute this command in every shell, which is not the most convenient method. It necessitates remembering and going back to clear each shell individually. There must be a more efficient way to accomplish this.

Clearing the User's Complete History

A more effective and convenient approach to erase our command history involves redirecting /dev/null into the .bash_history file (which truncates it to zero length) and then clearing the current shell with history -c. We can construct a command to achieve this and exit the shell at the same time. Simply type:
# cat /dev/null > ~/.bash_history && history -c && exit

Now, when inspecting the shell history or the bash_history, you'll find that they are empty.

Shredding the History

While deleting these files is beneficial, it's essential to note that a skilled forensic investigator can potentially recover deleted files. BASH provides a command, shred, that aligns with its name by securely shredding the target file. In this scenario, even if a forensic investigator locates the history file, its contents will be rendered unreadable.
# shred ~/.bash_history

Upon inspection, we can observe that the contents of this file consist of binary data that appears nonsensical.

The act of shredding the file itself may be construed as evidence of malicious activity. To eliminate even this trace, we can combine the shred command with redirecting /dev/null into .bash_history. This sequence first shreds the history file, then empties it, and finally clears the evidence of the command itself with history -c before exiting.

# shred ~/.bash_history && cat /dev/null > ~/.bash_history && history -c && exit

Now, if someone attempts to view our command history, it will be empty. Even if they go to the effort of trying to recover the deleted file, all they will find is the shredded file. Success! We've left no evidence behind and effectively covered our tracks!

Automating the Clearing of Command History

Ultimately, we may want to automate this process to ensure our command history is deleted daily. This way, even if we forget to remove our history manually (a likely occurrence), the system will automatically handle it for us at the end of each day.

First, open the crontab table in edit mode by typing:
# crontab -e

In the editor, navigate to the end of the file and add the following line:

0 1 * * * shred ~/.bash_history && cat /dev/null > ~/.bash_history

A crontab entry takes five time fields (minute, hour, day of month, month, day of week) followed by the command, so this line runs every morning at 1 am, initiating the shredding of .bash_history followed by its erasure. It's worth noting that I omitted the history -c command, as it is an internal BASH shell command and cannot be used in crontab.
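Each of the tricks above leaves its own artifact for an investigator to notice: a missing, empty or garbage-filled ~/.bash_history, a start-up file that sets HISTSIZE to zero, or a crontab entry that shreds the history file. The script below is an added example, not part of the original post, that audits a home directory and a saved copy of the user's crontab for exactly these artifacts. The function names, the location of the crontab copy and the two constructed sample homes are assumptions made for the example; the non-printable-byte check is a heuristic and will also flag legitimate non-ASCII commands.

```shell
#!/bin/sh
# Added example (not from the original post): an auditor's checks for the
# history-hiding artifacts described above. All data it touches is created
# in temporary directories, so nothing on the live system is modified.

# Print one finding per line for the given home directory and crontab copy.
# Always returns 0; empty output means nothing suspicious was seen.
audit_home() {
  home="$1"
  cron="$2"            # assumed: path to a saved copy of the user's crontab
  hist="$home/.bash_history"

  # 1. State of the history file itself.
  if [ ! -e "$hist" ]; then
    echo "history_missing"
  elif [ -L "$hist" ]; then
    echo "history_symlink:$(readlink "$hist")"
  elif [ ! -s "$hist" ]; then
    echo "history_empty"           # what 'cat /dev/null > ~/.bash_history' leaves
  elif LC_ALL=C grep -q '[^[:print:][:space:]]' "$hist"; then
    echo "history_unreadable"      # random bytes, as 'shred' leaves behind (heuristic)
  fi

  # 2. Start-up files that switch history off.
  for rc in .bashrc .bash_profile .profile; do
    f="$home/$rc"
    [ -f "$f" ] || continue
    if grep -Eq '^[[:space:]]*(export[[:space:]]+)?(HISTSIZE|HISTFILESIZE)=0([[:space:]]|$)' "$f"; then
      echo "history_disabled_in:$rc"
    fi
    if grep -Eq '^[[:space:]]*(unset[[:space:]]+HISTFILE|(export[[:space:]]+)?HISTFILE=/dev/null)([[:space:]]|$)' "$f"; then
      echo "histfile_unset_in:$rc"
    fi
  done

  # 3. Scheduled wiping of the history file (comment lines ignored).
  if [ -f "$cron" ] && grep -Ev '^[[:space:]]*#' "$cron" | \
       grep -Eq 'shred.*bash_history|/dev/null[[:space:]]*>.*bash_history'; then
    echo "history_wiped_by_cron"
  fi
  return 0
}

# Constructed sample: a home showing several of the tricks at once.
make_suspicious_home() {
  d=$(mktemp -d)
  printf '\001\002\200\377' > "$d/.bash_history"     # stands in for shred output
  printf 'export HISTSIZE=0\n' > "$d/.bashrc"
  printf '0 1 * * * shred ~/.bash_history && cat /dev/null > ~/.bash_history\n' > "$d/crontab"
  echo "$d"
}

# Constructed sample: an ordinary home for comparison.
make_clean_home() {
  d=$(mktemp -d)
  printf 'ls -la\ncd /var/log\n' > "$d/.bash_history"
  printf 'export HISTSIZE=1000\n' > "$d/.bashrc"
  echo "$d"
}

# Stand-alone run: audit both constructed homes, then clean up.
s=$(make_suspicious_home); echo "suspicious home:"; audit_home "$s" "$s/crontab"
c=$(make_clean_home);      echo "clean home:";      audit_home "$c" "$c/crontab"
rm -rf "$s" "$c"
```

On a real system the same function would be pointed at /home/<user> and at a copy of that user's crontab (crontab -l -u <user>, or the file under /var/spool/cron), and the findings correlated with login records and other logs that a history wipe does not touch.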

Stay Safe Hackers!