After gaining access to a system, an attacker modifies log files to remove evidence of their activities. This action is part of which phase of the system hacking methodology?
Correct. Erasing tracks includes clearing logs, removing evidence, and covering traces.
Why this answer
The correct answer is D, 'Erasing tracks,' because after gaining access, the attacker's goal is to cover their footprints by modifying or deleting log files, clearing event logs, or using tools like `wevtutil` or `clearev` to remove evidence of their activities. This phase ensures the system administrator cannot detect the intrusion or trace the attacker's actions.
Exam trap
The trap here is that candidates confuse 'Hiding files' (option C) with 'Erasing tracks,' but hiding files focuses on concealing payloads, while erasing tracks specifically targets log files and audit trails to cover the attacker's digital footprint.
How to eliminate wrong answers
Option A is wrong because 'Spying' is not a recognized phase in the CEH system hacking methodology; it is a vague term that does not correspond to any specific phase like reconnaissance or maintaining access.
Option B is wrong because 'Executing applications' refers to running tools or payloads during the 'Gaining Access' or 'Maintaining Access' phases, not the post-exploitation cleanup of logs.
Option C is wrong because 'Hiding files' involves concealing malicious files using techniques like NTFS alternate data streams or rootkits, which is part of the 'Maintaining Access' phase, not the specific act of erasing log evidence.