Covering your tracks
All engagements should be authorized by the client, no matter what. Nor is the work finished once the scanning and exploiting are over; one does not simply pack up and go home, because someone still has to present the findings to the client in a manner they can understand. But before this can happen, we must clean up the exploits or tools we left in the environment. Sometimes this may or may not mean removing binaries or editing logs. I say editing because any sysadmin who sees no logs at all should get concerned very fast. As both Windows and Linux have their respective log mechanisms, and these are very well documented, there is no need to cover them here. I suggest you keep track of what you have changed on the system and be creative when you need to hide something: use system service names or usernames that would fit in with the existing accounts. For example, don't name the account EliteHAK3R.