

Remove Backtrack Traces

TL;DR

Backtrack (BackTrack) is a discontinued Ubuntu-based Linux distribution for penetration testing; Kali Linux is its successor. If you have used it, for example on a loaner laptop or a shared test box you are handing back, and want to remove evidence of that use, this guide covers the key areas: shell and tool history, system logs, temporary files, configuration remnants and core dumps. Keep one thing in mind throughout: deleting a file only unlinks it, so its contents stay on disk and remain recoverable with forensic tools until they are overwritten (see step 8).

Steps to Remove Backtrack Footprints

  1. Clear Command History
    • Bash keeps the session's history in memory and writes it to ~/.bash_history when the shell exits, so deleting the file and then logging out leaves a fresh copy behind. Empty the in-memory list first, then write that empty list over the file:
      history -c
      history -w
    • Alternatively, truncate the history file. echo "" would leave a one-byte newline in it; this leaves it empty:
      : > ~/.bash_history
    • Stop the current shell from saving anything further (this affects only the running shell, not later logins):
      unset HISTFILE
    • Other programs keep their own history files, for example ~/.msf4/history (Metasploit), ~/.mysql_history, ~/.viminfo and ~/.lesshst. Check the home of the account that was actually used: Backtrack runs as root by default, so that is /root rather than /home/user.
  2. Wipe Logs
    • System logs record logins, sudo use, kernel messages and service activity. Common text log files (Backtrack is Ubuntu-based and writes these through rsyslog):
      • /var/log/syslog
      • /var/log/auth.log (or /var/log/secure on Red Hat-style systems)
      • /var/log/kern.log
      • /var/log/messages
    • Logrotate keeps older copies next to them (syslog.1, auth.log.2.gz and so on), and the binary login records /var/log/wtmp, /var/log/btmp and /var/log/lastlog are what last, lastb and lastlog read. Clean those too, or the rotated copies and login records will still tell the story.
    • Empty a log file rather than deleting it: the syslog daemon holds the file open and keeps writing to the same inode, whereas a deleted file is not recreated until the daemon restarts, which leaves an obvious gap:
      sudo truncate -s 0 /var/log/syslog

      Replace /var/log/syslog with the actual log file path.

    • Backtrack itself predates systemd, but if the host you are cleaning runs it, the journal under /var/log/journal holds the same data; journalctl --vacuum-time=1s discards it.

  3. Delete Temporary Files
    • Backtrack (and Linux in general) creates temporary files. Common locations:
      • /tmp
      • /var/tmp
      • The user's cache and scratch directories (e.g., /root/.cache for Backtrack's default root account, or /home/user/.cache)
    • Remove files from a temporary directory:
      sudo rm -rf /tmp/*

      Be extremely careful with rm -rf. Double-check the path before executing. Note that /tmp/* does not match dot-files (add /tmp/.[!.]* for those), and that on a running desktop session /tmp/.X11-unix and /tmp/.ICE-unix hold live sockets, so remove the contents selectively rather than everything at once.

  4. Remove Configuration Files
    • Backtrack tools leave configuration and state in the user's home directory and in system-wide locations.
      • Check /home/user/.config (or /root/.config for the default root account) for application settings.
      • Look for tool-specific directories or files, for example ~/.msf4 (Metasploit's database config, loot, logs and history) or the capture files and output directories that Aircrack-ng tools were pointed at.
      • System-wide configuration is often in /etc. Be cautious when deleting from /etc as it can affect system stability.
    • Example of removing a specific directory (backtrack-tools is an illustrative name, not a real directory):
      rm -rf /home/user/.config/backtrack-tools
  5. Check for Core Dumps
    • If applications crashed, core dumps might contain sensitive information: a core file is the crashed process's memory, including whatever credentials, targets or captured data it held. Where they land depends on /proc/sys/kernel/core_pattern. The default is a file named core (or core.PID) in the crashing process's working directory, so search the home and working directories used; on systemd-based systems they are collected under /var/lib/systemd/coredump instead:
      sudo rm -rf /var/lib/systemd/coredump/*
  6. Review Network Connections
    • Check what is listening and what is connected. The -l flag lists listening sockets only, which shows servers the tools left running (a Metasploit handler, a web or SSH server, a rogue access point's DHCP service); -p needs root to show the owning process:
      netstat -tulnp

      or

      ss -tulnp
    • To see established connections rather than listeners, drop -l:
      netstat -tanp

      or

      ss -tanp
    • If suspicious connections or listeners are found, investigate and terminate the owning process.

  7. Disk Space Analysis
    • Use a disk space analyzer (du, or a graphical tool like Baobab) to identify large files or directories that might be remnants of Backtrack activity, such as packet captures, wordlists, downloaded ISOs or tool output:
      du -xh --max-depth=1 / 2>/dev/null | sort -hr
    • -x keeps du on the root filesystem (skipping /proc, /sys and mounted media) and 2>/dev/null hides permission errors; run it as root for a complete picture.
  8. Consider a Full Disk Wipe (Extreme Option)
    • Everything above removes references, not data: rm and truncate only release blocks, and the old contents stay on disk until they are overwritten, so a forensic examiner can usually recover them. For maximum security, overwrite or reformat the disk with a secure wipe tool (shred or dd over the whole block device, or the drive's built-in secure-erase command). On SSDs, wear levelling means a software overwrite can miss blocks; the firmware secure-erase is the reliable option there. This will erase all data on the disk.

      Warning: This is irreversible and will delete *all* data.
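The steps above as one rehearsable script, added here as an example; it is not code from the original page. It carries out steps 1, 2, 3 and 5 against directories passed as arguments, with /var/log, /tmp and the shell history file only as defaults, and runs nothing destructive unless DO_IT=1 is set, so it can be dry-run against a scratch tree first. The function names, the DO_IT switch, the --run flag and the constructed sample tree in the no-argument demo are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): the cleanup steps with dry-run
# support. Paths are parameters so the functions can be rehearsed on a scratch
# tree; the real system paths are only the defaults used by --run.
# DO_IT is this example's own switch: destructive commands run only when DO_IT=1.

DO_IT="${DO_IT:-0}"

# Print the command in dry-run mode, execute it when DO_IT=1.
run_or_echo() {
    if [ "$DO_IT" = 1 ]; then "$@"; else printf 'DRY-RUN: %s\n' "$*"; fi
}

# Step 1: empty a history file in place. Truncating keeps inode, owner and
# mode. Bash only writes its in-memory list at exit, so the interactive shell
# that was used must also run `history -c`; a child script cannot do that
# for its parent.
scrub_history() {
    f="$1"
    [ -f "$f" ] || return 0
    run_or_echo truncate -s 0 "$f"
}

# Step 2: the text logs named on the page plus their rotated copies
# (syslog.1, auth.log.2.gz ...) and the binary login records, under DIR.
list_logs() {
    d="$1"
    for base in syslog auth.log secure kern.log messages wtmp btmp lastlog; do
        for f in "$d/$base" "$d/$base".[0-9]*; do
            [ -f "$f" ] && printf '%s\n' "$f"
        done
    done
    return 0
}

# Step 2: truncate rather than rm, so the syslog daemon keeps writing to the
# same open file and no missing-log gap appears.
scrub_logs() {
    list_logs "$1" | while IFS= read -r f; do
        run_or_echo truncate -s 0 "$f"
    done
}

# Step 3: remove the contents of a temp directory, dot-files included, but keep
# the directory itself and the X11/ICE socket directories a live session needs.
clean_tmp() {
    d="$1"
    [ -d "$d" ] || return 0
    find "$d" -mindepth 1 -maxdepth 1 ! -name '.X11-unix' ! -name '.ICE-unix' -print |
    while IFS= read -r p; do
        run_or_echo rm -rf "$p"
    done
}

# Step 5: core files as written by the default core_pattern ("core" or
# "core.PID") under DIR, staying on one filesystem. Source files such as
# core.c are not matched.
scrub_cores() {
    find "$1" -xdev -type f \( -name core -o -name 'core.[0-9]*' \) -print 2>/dev/null |
    while IFS= read -r p; do
        run_or_echo rm -f "$p"
    done
}

# Stand-alone use: `sh cleanup.sh` rehearses against a constructed scratch tree
# in dry-run mode; `DO_IT=1 sh cleanup.sh --run` applies to the real paths.
case "${1:-}" in
    --run)
        scrub_history "${HISTFILE:-$HOME/.bash_history}"
        scrub_logs /var/log
        clean_tmp /tmp
        clean_tmp /var/tmp
        scrub_cores "$HOME" ;;
    *)
        T=$(mktemp -d)   # constructed sample tree, not real system data
        mkdir -p "$T/log" "$T/tmp/.X11-unix"
        printf 'sample auth line\n' > "$T/log/auth.log"
        printf 'old\n' > "$T/log/auth.log.1"
        : > "$T/tmp/scratch"
        ( DO_IT=0; scrub_logs "$T/log"; clean_tmp "$T/tmp" )
        rm -rf "$T" ;;
esac
```

Run it once without DO_IT to read the DRY-RUN lines, then with DO_IT=1 and --run. Truncating instead of deleting is deliberate: rsyslog and the login tools expect the files to exist, and a log that vanishes and reappears is a louder signal than one that is simply short.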
