Lawrence Abrams: In the discovery (diagnosis) phase, the first thing to do is freeze the laptop so the infection will not spread and data or evidence corruption and loss does not occur. In the event that the laptop needs to be admitted as evidence in court, you must perform the proper steps before analyzing any of the data on the hard drive.
Immediately unplug the Ethernet cable and then power off the computer (do not shut it down). Then, using a byte-for-byte copy tool such as EnCase, FTK Imager, WinHex or the dd GUI found on the Helix Linux CD, image your hard drive from the infected laptop to a spare laptop. Now that you have a forensically sound copy of the laptop, lock the original laptop away and do not turn it on again in case you need to use it as evidence in court.
Once the data has been moved to a spare laptop, the next step is to identify the infection. In the scenario described, I would first download Fport
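An added example, not code from any of the experts quoted on this page, of the byte-for-byte imaging step Abrams describes done with plain dd, followed by the hash comparison that lets you show later that the working copy matches the original. It assumes a Linux host with dd and sha256sum, that the original drive is attached through a hardware write blocker, and that the source and destination paths are placeholders you supply.

```shell
#!/bin/sh
# Added example: forensic image with dd plus SHA-256 verification of source
# and image, with both hashes written to a log kept next to the image.
set -eu

# image_and_verify SOURCE DEST
# Copies SOURCE byte-for-byte to DEST, hashes both, records the hashes in
# DEST.sha256 and returns 0 only if the two hashes match.
image_and_verify() {
  src="$1"
  dst="$2"
  # conv=noerror,sync keeps going past unreadable blocks and zero-fills them
  # so offsets in the image still line up with the original. Note that sync
  # also zero-pads a final partial block: on a whole disk (sector-aligned)
  # this changes nothing, but a plain file whose size is not a multiple of
  # bs will hash differently from its image.
  dd if="$src" of="$dst" bs=4096 conv=noerror,sync
  src_hash=$(sha256sum "$src" | cut -d' ' -f1)
  dst_hash=$(sha256sum "$dst" | cut -d' ' -f1)
  # Chain-of-custody record: what was hashed, when, and the two values.
  {
    printf 'imaged_at=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    printf 'source=%s sha256=%s\n' "$src" "$src_hash"
    printf 'image=%s  sha256=%s\n' "$dst" "$dst_hash"
  } >> "$dst.sha256"
  [ "$src_hash" = "$dst_hash" ]
}

# Stand-alone use: image_dd.sh /dev/sdX /mnt/evidence/laptop01.dd
if [ "$#" -eq 2 ]; then
  image_and_verify "$1" "$2" && echo "hashes match: image verified" \
    || { echo "HASH MISMATCH: do not rely on this image" >&2; exit 1; }
fi
```

The function returns non-zero on a mismatch, so a wrapper can refuse to hand the image to analysts until it has been re-acquired.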
Kevin Beaver: The odds are good that this user's computer has been hacked or infected with some type of malware.
Tony Bradley: The scenario does describe suspicious activity, but given only the information in the scenario, it is difficult to determine with any certainty if the activity is malicious or just a glitch of some sort.
Stage two: Immediate actions
About the experts: Expert bios are available on the scenario page.