Finally! “Mr. Robot” is back!
The first episode of season 3 did not disappoint. Elliot is back and hacking again!
The 5/9 hack of Evil Corporation has left the world in chaos and the economy crippled. There is no electricity, no banking system and little Internet access. Elliot is feeling responsible and bit guilty. The Dark Army is readying “Stage 2” that will hack the UPS (uninterruptible power supply) within Evil Corporation and start a fire to burn all their financial records and likely kill many people. Elliot is having regrets for ever having gotten involved in such scheme.
Elliot decides he MUST stop Stage 2 before more people die and even more chaos reigns. Cisco and many others have died and Darlene is stressed that she may be next. Without Internet access, Elliot is stymied in his efforts to stop Stage 2.
Darlene knows of a way to get Elliot Internet access. There is a CTF (capture the flag. Its a hacking competition) competition taking place where Internet access is available. Elliot calmly sits done to a computer and wins the competition and then proceeds to stop Stage 2. When he is done, he must cover his tracks so that no one (most importantly the Dark Army) can attribute his actions to him.
How Elliot Clear his Tracks
You may have noticed that after Elliot had completed his task of stopping Stage 2, the camera went to his computer screen and displayed the command below. This is shred, a command designed to cover your tracks.
As you know, even deleted files can be recovered (see my article, Digital Forensics, Part 3: Recovering Deleted Files). Of course, Elliot knows this as well and wants to make certain that he does not leave evidence behind. Shred enables Elliot to overwrite his files, so that can not be recovered even by a skilled forensic investigator.
Let’s take a look a shred’s help screen in Kali.
kali > shred –help
As you can see above, shred is designed to “Overwrite the specified FILE(s) repeatedly, in order to make it harder for even a very expensive hardware probing to recover the data.”
Elliot uses the following command;
#shred -f -n 3 *
If we reference the help screen, we can see that Elliot is using the -f switch which “forces the change of permissions to allow writing if necessary”, then the -n 3 switch which overwrites three times (this is the default, so its optional) and finally Elliot uses the wildcard (*) to indicate that all files are to be shredded.
Let’s try using this command to better understand what it does. For demonstration purposes, I simply created a text file named Stage_2_Plan in leafpad. You can use any text editor and it can ANY file.
Now, let’s shred that file just like Elliot did except instead of shredding all the files, we will shred just the Stage_2_Plan file.
kali > shred -f -n 3 Stage_2_Plan
Now, let’s open that file in Leafpad after being “shredded”.
kali > leafpad Stage_2_Plan
As you can see, the shred command has overwritten the file 3 times and now the only thing that remains of that file is indecipherable text. This is exactly what the Dark Army or a forensic investigator would find! Shred is a key command to cover your tracks, making your commands and actions unrecoverable!
For more on covering your tracks, check out Anti-Forensics series, including my article and “How to Cover Your BASH Shell Tracks” and How to Use BleachBit to Remove Evidence.
As the season 3 progresses, keep coming back to Hackers-Arise as we demonstrate how Elliot does his hacking magic!