Once a target system has been penetrated and backdoors have been put in place, the next step is cleaning up after yourself, or covering your tracks. The purpose of this phase is to prevent the attack from being easily discovered, using various techniques to hide the red flags and other signs of intrusion. During this phase, you seek to eliminate error messages, log files, and other items that may have been altered during the attack process.
Covering Tracks is the phase when you attempt to remove evidence of your presence in a system. You purge log files and destroy other evidence that might give away the valuable clues needed for the system owner to determine an attack occurred.
Covering your tracks includes:
- Disable or re-enable auditing
- Clear or manipulate logs
- Remove or hide tools
- Verify and manipulate timestamps
- Remove created users and groups
- Clear command history
- Re-enable antivirus software
- Stop unneeded listeners
In general, an attacker should keep track of everything that is created, modified or removed and make sure that these items no longer leave telltale signs of an attack. Users rarely notice that something is wrong unless they are looking for it or it is very obvious. Superusers or administrators may notice that something has been changed and become alert. Also, security software such as HIDS programs may see that a particular file no longer hashes to its baseline value and may set off an alarm.
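To show what the HIDS alarm above actually catches, here is an added example of a minimal file-integrity check (it is not code from the original page or from any product): it baselines SHA-256 and mtime for every file under a directory, then reports files that were added, removed or modified, and separately flags files whose content hash changed while the mtime stayed put, which is the signature of a timestamp that was reset after an edit. The directory layout, file names and contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
import time
from pathlib import Path

def fingerprint(path: Path) -> dict:
    """SHA-256 of the content plus modification time: the two values a HIDS baselines."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "mtime": os.stat(path).st_mtime}

def baseline(root: Path) -> dict:
    """Map every file under root (by relative path) to its fingerprint."""
    return {str(p.relative_to(root)).replace(os.sep, "/"): fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(before: dict, after: dict) -> dict:
    """Diff two baselines. A content change whose mtime did not move is reported
    separately: a legitimate write always advances mtime, so an unchanged one
    means the timestamp was reset after the edit."""
    findings = {"added": sorted(after.keys() - before.keys()),
                "removed": sorted(before.keys() - after.keys()),
                "modified": [], "timestomped": []}
    for name in sorted(before.keys() & after.keys()):
        old, new = before[name], after[name]
        if old["sha256"] == new["sha256"]:
            continue  # mtime-only drift (e.g. a touch) is not a content change
        key = "timestomped" if old["mtime"] == new["mtime"] else "modified"
        findings[key].append(name)
    return findings

def demo() -> dict:
    """Constructed scenario in a temp dir: one file edited, one removed, one added."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (root / "etc" / "motd").write_text("welcome\n")
        before = baseline(root)
        time.sleep(1.1)  # some filesystems store whole-second mtimes; let the clock move
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\nsvc:x:1001:1001::/:/bin/sh\n")
        (root / "etc" / "motd").unlink()
        (root / "var").mkdir()
        (root / "var" / "tool.bin").write_bytes(b"\x7fELF constructed sample, not a real binary")
        return compare(before, baseline(root))
```

Calling `demo()` returns the findings dict; in practice the baseline would be stored off-host (or signed) so that the same cleanup pass cannot rewrite it.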
For browsers the following may be done:
- Clear Most Recently Used (MRU) lists
- Delete cookies
- Clear cache
- Turn off AutoComplete
- Clear Toolbar Data
The same should be done for items such as the list of recently opened documents, WiFi Preferred Network List (PNL) and anything else that may make an administrator suspicious.