Solved

windows 8 has been hacked by a hacker

Posted on 2014-11-21
130 Views
Last Modified: 2015-03-29
We have a machine that has been hacked. The machine is a Windows 8 laptop.

Is there any software on the market that will trace the hacker?

Can you find the hacker's IP address from the event logs?

How can we determine the hacker's IP address?
Question by: SCOT-TECH

14 Comments
LVL 34

Expert Comment

by: Michael-Best

"Is there any software on the market that will trace the hacker?"
No, you cannot trace the hacker without another hacker's or the FBI's assistance.

"Can you find the hacker's IP address from the event logs?"
No.

"How can we determine the hacker's IP address?"
You cannot, without another hacker's or the FBI's assistance.
 

Author Comment

by: SCOT-TECH

OK Michael, the FBI are not interested in a single laptop; there must be another solution.
 

Author Comment

by: SCOT-TECH

Does Windows Firewall keep logs? Is there software to find an IP address?
 
LVL 61

Accepted Solution

by: btan
btan earned 334 total points

Do change the login account password first, before the investigation, to be on the safe side. An IP address can be spoofed, hence it is not real evidence for trace-back.

As for the Windows FW log, there are src and dest IP fields as stated in the field listing, and logging can also be set on a specific interface. Logging for dropped or successful attempts needs to be checked, though, to have the information in the .log file (see "Using Logging"):

Using Logging: You can enable logging to help identify the source of inbound traffic and to provide details on what traffic is being blocked. %Windir%\pfirewall.log is the default log file.

You can catch my EE posting on
a) intrusion indicators on other logs to explore as well

b) useful commands to gather trails left behind and anomalous activities pertaining to accounts, applications and network

Also do look out in the event log in the areas of
- Logon and Logoff success and failure (based on the various logon types, especially the Network and Interactive types)
(such as many denied access attempts from one accessor, many denied access attempts to a service within a small timeframe, any access attempts to any high-risk service, allowed access attempts for services that should not be allowed)
- Use of User Rights success, Use of Group Management success, Security Policy Changes success and failure
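A small triage script for the firewall log described in the accepted answer, added here as an example and not code from the thread: it reads the `#Fields:` header of %Windir%\pfirewall.log so the src-ip, dst-ip, action and path columns are picked up by name, then reports sources whose dropped inbound connections reach a threshold inside a short window (the "many denied attempts from one accessor within a small timeframe" pattern above). The log lines embedded in it are constructed sample data, and the threshold and window are assumed values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the W3C format Windows Firewall writes to pfirewall.log.
# The '#Fields:' header names the columns; records follow one per line.
SAMPLE_LOG = """#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2014-11-20 22:15:01 DROP TCP 203.0.113.45 192.168.1.10 51234 3389 52 S 1 0 8192 - - - RECEIVE
2014-11-20 22:15:02 DROP TCP 203.0.113.45 192.168.1.10 51235 445 52 S 1 0 8192 - - - RECEIVE
2014-11-20 22:15:03 DROP TCP 203.0.113.45 192.168.1.10 51236 22 52 S 1 0 8192 - - - RECEIVE
2014-11-20 22:15:04 DROP TCP 203.0.113.45 192.168.1.10 51237 135 52 S 1 0 8192 - - - RECEIVE
2014-11-20 22:15:05 DROP TCP 203.0.113.45 192.168.1.10 51238 5900 52 S 1 0 8192 - - - RECEIVE
2014-11-20 22:40:00 DROP UDP 198.51.100.7 192.168.1.10 5353 5353 80 - - - - - - - RECEIVE
2014-11-20 22:41:12 ALLOW TCP 192.168.1.10 93.184.216.34 49200 443 0 - 0 0 0 - - - SEND
2014-11-21 09:00:00 DROP TCP 198.51.100.7 192.168.1.10 40000 3389 52 S 1 0 8192 - - - RECEIVE
"""

def parse_pfirewall(text):
    """Yield one dict per record, keyed by the names from the '#Fields:' header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def dropped_inbound_bursts(text, threshold=5, window=timedelta(minutes=5)):
    """Return {src-ip: (count, ports)} for sources whose DROP/RECEIVE records
    reach `threshold` within any sliding `window` (assumed tuning values)."""
    by_src = defaultdict(list)
    for rec in parse_pfirewall(text):
        if rec["action"] == "DROP" and rec["path"] == "RECEIVE":
            ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
            by_src[rec["src-ip"]].append((ts, rec["dst-port"]))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            burst = [port for t, port in events[i:] if t - start <= window]
            if len(burst) >= threshold:
                hits[src] = (len(burst), sorted(set(burst), key=int))
                break
    return hits

if __name__ == "__main__":
    for src, (n, ports) in dropped_inbound_bursts(SAMPLE_LOG).items():
        # A src-ip can be spoofed or a proxy: a lead for the review, not attribution.
        print(f"{src}: {n} dropped inbound attempts in window, ports {', '.join(ports)}")
```

Point it at a real copy of pfirewall.log by reading the file into `text`; the 198.51.100.7 records in the sample are spread out and so fall below the burst threshold on purpose.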
 
LVL 10

Expert Comment

by: Schuyler Dorsey

I'm not readily understanding why you would want to be able to trace the attacker if you are not wanting to get law enforcement involved. Generally the only benefit in gathering this type of data is in an effort to press charges. The Secret Service is who has main jurisdiction over data breaches / cyber attacks now, and they could help track down person X to press charges. But as you said, I'm not readily certain how anxious they would be for a single personal laptop.
 
LVL 61

Expert Comment

by: btan

Better check the impact of the hack and know the legal breach notification requirements, if applicable. An organisation will have a set of incident handling SOPs per se, but if it is a personal machine it is up to you. Overall, attribution is beyond just tracing IP addresses, as that is not 100% accurate or verifiable on the true adversary.

LVL 16

Assisted Solution

by: Learnctx
Learnctx earned 166 total points

"We have a machine that has been hacked. The machine is a Windows 8 laptop."
Are you sure? So many people say they've been hacked when really they've just been compromised in a drive-by malware download.

"Is there any software on the market that will trace the hacker?"
Yes, your logs. Local system logs and firewall logs.

"Can you find the hacker's IP address from the event logs?"
View your firewall logs.

"How can we determine the hacker's IP address?"
View your firewall logs. Once you have the source IP you can contact the authorities and ask them to investigate. An IP will do you no good. You will never know on your own if this is the source or a jump box/proxy. The authorities can request warrants to gather further information. In short, you need to contact the law :)

If you are unsure how to gather this information yourself, you can contact a security forensics company who can come out to you and, at great cost, analyse the system and determine what has happened and potentially (they can't guarantee a result) give you a basic trail of where it appeared to originate from and what they believe was done. But I must stress, a source IP means nothing. It does not mean this was the true source or that the person who was using that IP at any given time was in any way, shape or form involved other than being an innocent victim themselves.
 
LVL 61

Assisted Solution

by: btan
btan earned 334 total points

Symptoms of the hack are important before an incident or breach is confirmed. The easy kill is the AV alert and quarantine log, or host intrusion log alerts, far beyond just the FW log. The anomalies in my previous posting further ascertain the level of compromise. I would check for strange processes and browser add-ins for a quick start.

Tracing the IP can even be done actively by planting a crafted document (a honeytoken, or for some, created honeypots/nets) for the hacker to grab and beacon back to you, but that is too hardcore and no end user goes to that extent. Furthermore, you cannot totally trust the IP in the event log even if you see it; it would most likely be the proxied type. However, there are online proxy-trace tools too, but for websites per se, not really computers. In other words, if the log has a callback to a web (URL) domain, that can be another means to sieve more clues on the source based on those traces.
 
LVL 68

Expert Comment

by: Qlemo

I've requested that this question be closed as follows:

Accepted answer: 168 points for btan's comment #a40458776
Assisted answer: 166 points for Learnctx's comment #a40576442
Assisted answer: 166 points for btan's comment #a40576541

for the following reason:

This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
 
LVL 34

Expert Comment

by: Michael-Best

http:#ID: 40457601 should also be included in the split as a useful answer.
 
LVL 34

Expert Comment

by: Michael-Best
2015-03-30 at 02:17:35, ID: 40694830

http:#a40457601 should also be included in the split as a useful answer.
 
LVL 68

Expert Comment

by: Qlemo

Michael, the statements you made are superficial. The marked comments can help in getting a hint, and hence are worth an accept.