Solved

Windows 8 has been hacked by a hacker

Posted on 2014-11-21
14
139 Views
Last Modified: 2015-03-29
We have a machine that has been hacked. The machine is a windows 8 laptop.

Is there any software on the market that will trace the hacker?

Can you find the hackers ip address from the event logs?

How can we determine hackers ip address?
Question by:SCOT-TECH
14 Comments
 
LVL 34

Expert Comment

by:Michael-Best
ID: 40457601
"Is there any software on the market that will trace the hacker?"
No, you cannot trace the hacker without another hacker's or the FBI's assistance.

"Can you find the hackers ip address from the event logs?"
No

"How can we determine hackers ip address?"
You cannot, without another hacker's or the FBI's assistance.
0
 

Author Comment

by:SCOT-TECH
ID: 40457843
Ok Michael, the FBI are not interested in a single laptop. There must be another solution.
0
 

Author Comment

by:SCOT-TECH
ID: 40457861
Does Windows Firewall keep logs? Is there software to find an IP address?
0

 
LVL 62

Accepted Solution

by:
btan earned 334 total points
ID: 40458776
Do change the login account password first, before the investigation, to be on the safe side. An IP address can be spoofed, hence it is not real evidence for trace back.

As for the Windows FW log, there is src and dest IP as stated in the field listing, and you are also able to set logging on a specific interface. Logging for dropped or successful attempts needs to be enabled though to have the information in the .log file (see "Using Logging").
Using Logging: You can enable logging to help identify the source of inbound traffic and to provide details on what traffic is being blocked. %Windir%\pfirewall.log is the default log file.
You can catch my EE posting on
a) intrusion indicators in other logs to explore as well

b) useful commands to gather trails left behind and anomalous activities pertaining to accounts, applications and network

Also do look out in the event log in the areas of:
- Logon and Logoff success and failure (based on the various logon types, esp. the Network and Interactive types)
(Such as many denied access attempts from one accessor, many denied access attempts to a service within a small timeframe, any access attempts to any high-risk service, allowed access attempts for services that should not be allowed)
- Use of User Rights success, Use of Group Management success, Security Policy Changes success and failure
0
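The firewall log btan points to is a W3C-style text file whose `#Fields:` header names the columns (including `src-ip`, `dst-ip`, `action` and `path`). The following is an added example, not code from the thread: it parses that format and applies the "many denied attempts from one accessor" check from the comment above. The log lines are constructed sample data using documentation-only addresses, and the `threshold` value is an assumption.

```python
# Summarise a Windows Firewall log (default: %Windir%\pfirewall.log) by source IP.
# Added example; the SAMPLE_LOG below is CONSTRUCTED test data in the W3C
# format Windows Firewall writes once logging of dropped/allowed connections
# is enabled. 203.0.113.x / 198.51.100.x are RFC 5737 documentation addresses.
from collections import Counter, defaultdict

SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2014-11-21 10:15:02 DROP TCP 203.0.113.5 192.168.1.10 51234 3389 52 S 123456 0 8192 - - - RECEIVE
2014-11-21 10:15:03 DROP TCP 203.0.113.5 192.168.1.10 51235 3389 52 S 123457 0 8192 - - - RECEIVE
2014-11-21 10:15:04 ALLOW TCP 203.0.113.5 192.168.1.10 51236 3389 0 - 0 0 0 - - - RECEIVE
2014-11-21 10:20:00 ALLOW TCP 192.168.1.10 198.51.100.7 49152 443 0 - 0 0 0 - - - SEND
2014-11-21 10:21:00 DROP UDP 192.168.1.55 192.168.1.10 137 137 78 - - - - - - - RECEIVE
"""


def parse_firewall_log(text):
    """Yield one dict per log entry, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names follow the tag
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def inbound_by_source(text):
    """Count inbound (path == RECEIVE) entries per source IP, split by action."""
    counts = defaultdict(Counter)
    for e in parse_firewall_log(text):
        if e["path"] == "RECEIVE":
            counts[e["src-ip"]][e["action"]] += 1
    return counts


def noisy_sources(text, threshold=2):
    """(src-ip, dst-port) pairs dropped inbound at least `threshold` times.

    This is the 'many denied access attempts from one accessor' pattern; an
    ALLOW from the same source on that port afterwards is worth a closer look.
    """
    drops = Counter()
    for e in parse_firewall_log(text):
        if e["path"] == "RECEIVE" and e["action"] == "DROP":
            drops[(e["src-ip"], e["dst-port"])] += 1
    return {pair: n for pair, n in drops.items() if n >= threshold}


if __name__ == "__main__":
    for src, actions in inbound_by_source(SAMPLE_LOG).items():
        print(src, dict(actions))
    print("repeated drops:", noisy_sources(SAMPLE_LOG))
```

Point the functions at the real file contents (`open(path).read()`) rather than `SAMPLE_LOG` to run this on a machine's own log; as the thread notes, a source IP found this way is a lead, not proof of who the attacker is.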
 
LVL 10

Expert Comment

by:Schuyler Dorsey
ID: 40476139
I'm not readily understanding why you would want to be able to trace the attacker if you are not wanting to get law enforcement involved. Generally the only benefit in gathering this type of data is in an effort to press charges. The Secret Service is who has main jurisdiction over data breaches / cyber attacks now, and they could help track down person X to press charges. But as you said, I'm not readily certain how anxious they would be for a single personal laptop.
0
 
LVL 62

Expert Comment

by:btan
ID: 40476164
Better check the impact of the hack and know the legal breach notification if applicable. The organisation will have a set of incident handling SOPs per se, but if it is a personal one it is up to you. Overall, attribution is beyond just tracing IP addresses, as that is not 100% accurate or verifiable on the true adversary.
0
 
LVL 17

Assisted Solution

by:Learnctx
Learnctx earned 166 total points
ID: 40576442
We have a machine that has been hacked. The machine is a windows 8 laptop.
Are you sure? So many people say they've been hacked when really they've just been compromised in a drive by malware download.

Is there any software on the market that will trace the hacker?
Yes, your logs. Local system logs and firewall logs.

Can you find the hackers ip address from the event logs?
View your firewall logs.

How can we determine hackers ip address?
View your firewall logs. Once you have the source IP you can contact the authorities and ask them to investigate. An IP will do you no good. You will never know on your own if this is the source or a jump box/proxy. The authorities can request warrants to gather further information. In short you need to contact the law :)

If you are unsure how to gather this information yourself, you can contact a security forensics company who can come out to you and, at great cost, analyse the system and determine what has happened and potentially (they can't guarantee a result) give you a basic trail of where it appeared to originate from and what they believe was done. But I must stress, a source IP means nothing. It does not mean this was the true source or that the person who was using that IP at any given time was in any way, shape or form involved other than being an innocent victim themselves.
0
 
LVL 62

Assisted Solution

by:btan
btan earned 334 total points
ID: 40576541
Symptoms of a hack are important before an incident or breach is confirmed. The easy kill is an AV alert and quarantine log, or host intrusion log alerts, far beyond just the FW log. Anomalies as in my previous posting further ascertain the level of compromise. I would check for strange processes and browser add-ins for a quick start.

Tracing an IP can even be done actively by planting a crafted document (a honeytoken, or for some, created honeypots/nets) for the hacker to grab and beacon back to you, but that is too hardcore and no end user goes to that extent. Furthermore, you cannot totally trust the IP in the event log even if you see it; it would most likely be a proxied type. However, there are online proxy trace services too, but for websites per se, not really computers. In other words, if the log has a callback to a web (URL) domain, that can be another means to sieve more clues on the source based on those traces.
0
 
LVL 69

Expert Comment

by:Qlemo
ID: 40694831
I've requested that this question be closed as follows:

Accepted answer: 168 points for btan's comment #a40458776
Assisted answer: 166 points for Learnctx's comment #a40576442
Assisted answer: 166 points for btan's comment #a40576541

for the following reason:

This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0
 
LVL 34

Expert Comment

by:Michael-Best
ID: 40694830
http:#ID: 40457601 should also be included in the split as a useful answer.
0
 
LVL 34

Expert Comment

by:Michael-Best
ID: 40694832
http:#a40457601 should also be included in the split as a useful answer.
0
 
LVL 69

Expert Comment

by:Qlemo
ID: 40694868
Michael, your statements are superficial. The marked comments can help in getting a hint, and hence are worth an accept.
0
