Solved

Windows 8 has been hacked by a hacker

Posted on 2014-11-21
174 Views
Last Modified: 2015-03-29
We have a machine that has been hacked. The machine is a Windows 8 laptop.

Is there any software on the market that will trace the hacker?

Can you find the hacker's IP address from the event logs?

How can we determine the hacker's IP address?
Question by:SCOT-TECH
14 Comments
 
LVL 34

Expert Comment

by:Michael-Best
ID: 40457601
"Is there any software on the market that will trace the hacker?"
No, you cannot trace the hacker without another hacker's or FBI assistance.

"Can you find the hackers ip address from the event logs?"
No

"How can we determine hackers ip address?"
You cannot, without another hacker's or FBI assistance.
 

Author Comment

by:SCOT-TECH
ID: 40457843
OK Michael, the FBI are not interested in a single laptop; there must be another solution.
 

Author Comment

by:SCOT-TECH
ID: 40457861
Does Windows Firewall keep logs? Is there software to find an IP address?
 
LVL 64

Accepted Solution

by:
btan earned 334 total points
ID: 40458776
Do change the login account password first, before the investigation, to be on the safe side. An IP address can be spoofed, hence it is not real evidence for trace-back.

As for the Windows FW log, there are src and dest IPs as stated in the field listing, and you are also able to set logging on a specific interface. Logging for dropped or successful attempts needs to be checked, though, to have the information in the .log file (see "Using Logging"):
"Using Logging: You can enable logging to help identify the source of inbound traffic and to provide details on what traffic is being blocked. %Windir%\pfirewall.log is the default log file."
You can catch my EE posting on
a) intrusion indicators in other logs to explore as well

b) useful commands to gather trails left behind and anomalous activities pertaining to accounts, applications and the network

Also do look out in the event log in the areas of
- Logon and Logoff success and failure (based on the various logon types, esp. the Network and Interactive types)
(such as many denied access attempts from one accessor, many denied access attempts to a service within a small timeframe, any access attempts to any high-risk service, allowed access attempts for services that should not be allowed)
- Use of User Rights success, Use of Group Management success, Security Policy Changes success and failure
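The "many denied access attempts from one accessor within a small timeframe" check from the comment above, written out as a script. This is an added example, not code from btan or anyone else in this thread. The events are constructed; the field names (EventID, TimeCreated, TargetUserName, LogonType, IpAddress) mirror the event data of the Security log's 4624 (logon success) and 4625 (logon failure) records, and the threshold and window are assumptions. It also assumes logon failure auditing was switched on when the attack happened; without it there are no 4625 events to read.

```python
"""Flag bursts of failed logons (Event ID 4625) per source IP in Windows Security log data,
then look for a successful logon (4624) from the same source afterwards."""
from collections import defaultdict
from datetime import datetime, timedelta

# LogonType values as recorded in 4624/4625 events.
LOGON_TYPES = {2: "Interactive", 3: "Network", 5: "Service", 7: "Unlock",
               10: "RemoteInteractive", 11: "CachedInteractive"}


def _ev(event_id, ts, user, logon_type, ip):
    return {"EventID": event_id,
            "TimeCreated": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "TargetUserName": user, "LogonType": logon_type, "IpAddress": ip}


# Constructed sample: six RDP-style (type 10) failures from one remote address inside a
# minute, then a successful type-10 logon from it, plus unrelated local activity.
# IpAddress is "-" for console logons, which is how the real events record them.
SAMPLE_EVENTS = [
    _ev(4624, "2014-11-20 03:10:01", "scott", 2, "-"),
    _ev(4625, "2014-11-20 03:12:40", "administrator", 10, "203.0.113.7"),
    _ev(4625, "2014-11-20 03:12:50", "administrator", 10, "203.0.113.7"),
    _ev(4625, "2014-11-20 03:13:00", "administrator", 10, "203.0.113.7"),
    _ev(4625, "2014-11-20 03:13:10", "administrator", 10, "203.0.113.7"),
    _ev(4625, "2014-11-20 03:13:20", "administrator", 10, "203.0.113.7"),
    _ev(4625, "2014-11-20 03:13:30", "administrator", 10, "203.0.113.7"),
    _ev(4625, "2014-11-20 03:13:45", "scott", 3, "192.168.1.55"),   # one LAN failure, no alert
    _ev(4624, "2014-11-20 03:14:10", "scott", 10, "203.0.113.7"),   # success after the burst
]


def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=2)):
    """One alert per source IP that produced at least `threshold` 4625 events inside `window`."""
    by_src = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625 and e["IpAddress"] not in ("-", "", None):
            by_src[e["IpAddress"]].append(e)
    alerts = []
    for ip, evs in by_src.items():
        evs.sort(key=lambda e: e["TimeCreated"])
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until the span from start to end fits
            while evs[end]["TimeCreated"] - evs[start]["TimeCreated"] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({
                    "src": ip,
                    "failures": len(evs),
                    "first_failure": evs[0]["TimeCreated"],
                    "burst_start": evs[start]["TimeCreated"],
                    "burst_end": evs[end]["TimeCreated"],
                    "accounts": sorted({e["TargetUserName"] for e in evs}),
                    "logon_types": sorted({LOGON_TYPES.get(e["LogonType"], str(e["LogonType"]))
                                           for e in evs}),
                })
                break
    return alerts


def successes_after_burst(events, alerts):
    """4624 events from an alerting source after its first failure: the case that matters most,
    because it means the guessing (or a stolen password) worked."""
    hits = []
    for a in alerts:
        for e in events:
            if (e["EventID"] == 4624 and e["IpAddress"] == a["src"]
                    and e["TimeCreated"] >= a["first_failure"]):
                hits.append({"src": a["src"], "user": e["TargetUserName"],
                             "when": e["TimeCreated"],
                             "logon_type": LOGON_TYPES.get(e["LogonType"], str(e["LogonType"]))})
    return hits


if __name__ == "__main__":
    found = failed_logon_bursts(SAMPLE_EVENTS)
    for a in found:
        print(f"{a['src']}: {a['failures']} failed logons ({', '.join(a['logon_types'])}) "
              f"against {a['accounts']}, burst {a['burst_start']} to {a['burst_end']}")
    for h in successes_after_burst(SAMPLE_EVENTS, found):
        print(f"  then SUCCESS as {h['user']} via {h['logon_type']} at {h['when']}")
```

On the actual laptop the same fields come out of PowerShell with `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4625}` (the values sit in each event's XML EventData), and the Windows Firewall log gives a second, independent view of the same remote address. The address is still only a lead for whoever investigates, not an attribution: a source behind a proxy or VPN looks identical in these events.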
 
LVL 10

Expert Comment

by:Schuyler Dorsey
ID: 40476139
I'm not readily understanding why you would want to be able to trace the attacker if you are not wanting to get law enforcement involved. Generally the only benefit in gathering this type of data is in an effort to press charges. The Secret Service is who has main jurisdiction over data breaches / cyber attacks now, and they could help track down person X to press charges. But as you said, I'm not readily certain how anxious they would be for a single personal laptop.
 
LVL 64

Expert Comment

by:btan
ID: 40476164
Better check the impact of the hack and know the legal breach notification, if applicable. The organisation will have a set of incident handling SOPs per se, but if it is a personal one it is up to you. Overall, attribution is beyond just tracing IP addresses, as that is not 100% accurate or verifiable on the true adversary.
 
LVL 17

Assisted Solution

by:Learnctx
Learnctx earned 166 total points
ID: 40576442
We have a machine that has been hacked. The machine is a windows 8 laptop.
Are you sure? So many people say they've been hacked when really they've just been compromised in a drive-by malware download.

Is there any software on the market that will trace the hacker?
Yes, your logs. Local system logs and firewall logs.

Can you find the hackers ip address from the event logs?
View your firewall logs.

How can we determine hackers ip address?
View your firewall logs. Once you have the source IP you can contact the authorities and ask them to investigate. An IP will do you no good. You will never know on your own if this is the source or a jump box/proxy. The authorities can request warrants to gather further information. In short, you need to contact the law :)

If you are unsure how to gather this information yourself, you can contact a security forensics company who can come out to you and, at great cost, analyse the system and determine what has happened and potentially (they can't guarantee a result) give you a basic trail of where it appeared to originate from and what they believe was done. But I must stress, a source IP means nothing. It does not mean this was the true source or that the person who was using that IP at any given time was in any way, shape or form involved other than being an innocent victim themselves.
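Putting together btan's note on the firewall log fields (src-ip, dst-ip, dropped versus allowed) and Learnctx's "view your firewall logs" above: an added example, not code from either poster, that parses a %Windir%\pfirewall.log in the W3C text format Windows Firewall writes and lists each remote address by what it did. The log lines are constructed (203.0.113.0/24 is a documentation range standing in for the attacker), the function names are mine, and it assumes logging of dropped and successful connections was switched on before the incident, since the file is otherwise empty.

```python
"""Summarise a Windows Firewall log (pfirewall.log) per remote address."""
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample in the W3C format Windows Firewall writes (logging is off by default and
# must have been enabled before the incident). 'path' is RECEIVE for inbound, SEND for outbound.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2014-11-20 03:12:44 DROP TCP 203.0.113.7 192.168.1.20 51234 3389 52 S 1234567 0 8192 - - - RECEIVE
2014-11-20 03:12:45 DROP TCP 203.0.113.7 192.168.1.20 51235 3389 52 S 1234568 0 8192 - - - RECEIVE
2014-11-20 03:12:46 ALLOW TCP 203.0.113.7 192.168.1.20 51236 3389 0 - 0 0 0 - - - RECEIVE
2014-11-20 03:13:02 ALLOW TCP 192.168.1.20 203.0.113.7 49200 443 0 - 0 0 0 - - - SEND
2014-11-20 03:13:10 DROP UDP 192.168.1.55 192.168.1.20 137 137 78 - - - - - - - RECEIVE
"""

# RFC 1918, loopback and link-local: traffic from here is the local network, not the Internet.
LAN_NETS = [ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_lan(ip):
    # Deliberately not ip_address(ip).is_private: that also returns True for documentation
    # ranges such as 203.0.113.0/24, which would hide the sample attacker above.
    addr = ip_address(ip)
    return any(addr in net for net in LAN_NETS)


def parse_firewall_log(text):
    """Parse the W3C text into dicts keyed by the names in the #Fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        if fields is None:
            raise ValueError("data line before #Fields header")
        parts = line.split()
        if len(parts) != len(fields):
            continue  # truncated or corrupt line: skip rather than misalign the columns
        rec = dict(zip(fields, parts))
        rec["timestamp"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records


def summarize_remotes(records):
    """Per remote IP: inbound drops/allows and the ports hit, outbound allows, first/last seen."""
    out = {}
    for r in records:
        if r["action"] not in ("DROP", "ALLOW"):
            continue  # e.g. INFO-EVENTS-LOST marker lines
        inbound = r["path"] == "RECEIVE"
        remote = r["src-ip"] if inbound else r["dst-ip"]
        s = out.setdefault(remote, {"lan": is_lan(remote), "in_drop": 0, "in_allow": 0,
                                    "in_ports": set(), "out_allow": 0,
                                    "first": r["timestamp"], "last": r["timestamp"]})
        if inbound:
            s["in_drop" if r["action"] == "DROP" else "in_allow"] += 1
            s["in_ports"].add(r["dst-port"])
        elif r["action"] == "ALLOW":
            s["out_allow"] += 1
        s["first"] = min(s["first"], r["timestamp"])
        s["last"] = max(s["last"], r["timestamp"])
    return out


def candidates(summary):
    """Non-LAN addresses that got an allowed inbound connection or were connected to outbound.
    DROP-only sources are background scanning; these are the ones worth handing to the
    authorities, remembering that a proxy or a spoofed source is still possible."""
    return sorted(ip for ip, s in summary.items()
                  if not s["lan"] and (s["in_allow"] or s["out_allow"]))


if __name__ == "__main__":
    summary = summarize_remotes(parse_firewall_log(SAMPLE_LOG))
    for ip, s in summary.items():
        print(ip, "LAN" if s["lan"] else "remote", "|", s["in_drop"], "dropped,", s["in_allow"],
              "allowed in on ports", sorted(s["in_ports"]), "|", s["out_allow"], "allowed out |",
              s["first"], "to", s["last"])
    print("candidates:", candidates(summary))
```

In the sample the remote address is dropped twice on 3389, then allowed in, and the laptop then connects back out to it on 443; that pattern (probe, connection, call-back) is what to look for, and the timestamps line up with the logon events in the Security log. Pulling the file from the machine is a copy of %Windir%\pfirewall.log; parsing it offline keeps the original untouched for whoever investigates.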
 
LVL 64

Assisted Solution

by:btan
btan earned 334 total points
ID: 40576541
The symptoms of the hack are important before an incident or breach is confirmed. The easy kill is the AV alert and quarantine log, or host intrusion log alerts, far beyond just the FW log. The anomalies in my previous posting further ascertain the level of compromise. I would check for strange processes and browser add-ins for a quick start.

Tracing an IP can even be done actively, by planting a crafted document (a honeytoken, or for some, created honeypots/nets) for the hacker to grab and beacon back to you, but that is too hardcore and no end user goes to that extent. Furthermore, you cannot totally trust the IP in the event log even if you see it; it would most likely be a proxied one. However, there are online proxy traces too, but for websites per se, not really computers. In other words, if the log has a callback to a web (URL) domain, that can be another means to sieve more clues on the source based on those traces.
 
LVL 70

Expert Comment

by:Qlemo
ID: 40694831
I've requested that this question be closed as follows:

Accepted answer: 168 points for btan's comment #a40458776
Assisted answer: 166 points for Learnctx's comment #a40576442
Assisted answer: 166 points for btan's comment #a40576541

for the following reason:

This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
 
LVL 34

Expert Comment

by:Michael-Best
ID: 40694830
http:#a40457601 should also be included in the split as a useful answer.
 
LVL 34

Expert Comment

by:Michael-Best
ID: 40694832
http:#a40457601 should also be included in the split as a useful answer.
 
LVL 70

Expert Comment

by:Qlemo
ID: 40694868
Michael, your statements made are superficial. The marked comments can help getting a hint, and hence are worth an accept.
