Type : Tips and Trick
Level : All Levels
After you successfully compromised a system usually you will do a lot of work there. But did you know that every activities you do inside compromised computer it’s actually recorded by the system?
Sometimes it’s best to not have your activities been logged. Whatever the reason, you may find a circumstance where you need to clear away the windows event logs. Because there’s also a lot of forensic tools to help finding out what happen in compromised computer and also tracking anything if you have log in your victim computer.
Here in this tips and trick, I will explain simple tutorial about how to clear Windows event log to minimize you’ve been tracked by forensic investigators.
When victim run eventvwr, there’s should be window like this below with some alert and information.
The error information maybe we can’t understand but with help of computer forensic tools it should be more easier.
In this case we need to clear the event log by using ruby interpreter in Meterpreter to clear the logs on the fly.
Now, let’s exploit the system and manually clear away the logs.
Then the next step “clear the log” by using log.clear.
Success…we cleared the windows system event logs. But there’s another main things here that the event logs is not only “System” itself, but still have security, Application, DNS, etc, and we need to clear all of that logs to minimize being tracked by forensic investigators.
To do that, let’s adopted winenum.rb scripts located in /pentest/exploits/framework3/scripts/meterpreter/winenum.rb and find clrevtlgs() function. That function used to clear all windows event logs.
I’ve created new scripts adopted from winenum.rb (just copy and modify the clrevtlgs function)and renamed to clearthelog.rb containing this :
After re-writing the script, we put it in /pentest/exploits/framework3/scripts/meterpreter. Then, let’s re-exploit the system and see if it works.
And here’s screenshot of windows event viewer on victim computer.
Hope you enjoyed 🙂