Administrators know when they get hacked, but they often don't know whodunit. And if you're one of the zillions of people running a personal firewall to protect a Windows desktop from Internet-based attackers (in a home office or a small branch office, say), you've probably noticed that you get scanned and probed on a fairly regular basis, particularly if there is no network firewall between you and the Internet. Most Windows users' first reaction to a scan or attack is surprise and fear, but once they see that the personal firewall blocked the attempt, the fear quickly turns into curiosity. Who attacked you? Why did they attack you? Where are they from?
These are difficult questions to answer, but there are some great sites designed to help you trace someone through the Internet. An example of just such a site can be found at users.rcn.com/rms2000/sleuth/index.htm. This site contains everything from simple tools like tracert and WHOIS to links for searching for user accounts on Amazon and eBay. Another popular site for detective work is www.samspade.org.
However, if you decide to go investigating, keep these tips in mind:
Attackers frequently try to cover their tracks by breaking into someone else's computer and launching their attacks from there, so that there is no clear trail back to their own machine. This is similar to someone stealing a car to rob a bank because a stolen car is harder to trace. The important thing to understand is that the owner of that computer probably has no idea it is being used as a launchpad for an attack, so the address in your log often belongs to another victim rather than to the attacker.
There is now quite a bit of case law regarding the gathering of computer evidence. You might be surprised how many hoops you have to jump through to get your log files admitted as evidence. A quick search on "computer forensics" will turn up more than you ever wanted to know about this topic. So even if you find your target, the information won't do you any good unless you gathered and preserved it by the rules.
Understand the tools you're using. Many of the tools you'll find are effective and harmless in themselves, but pointing them at someone else's machine (scanning the address that scanned you, for example) may violate laws or the terms of service of your ISP.
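As an added example (not from the original article or its author), here is a small Python script that does the first two things a careful investigator would do with a personal-firewall log: summarize which addresses probed you and which of them are even worth a WHOIS or tracert, and hash the untouched log so you can show later that it was not altered. The log format, the sample lines, the addresses and the command strings it builds are all constructed assumptions; the script runs offline and executes nothing.

```python
"""Triage a personal-firewall log and record it as evidence.

Added example for this page, not the author's code or any vendor's tool.
Assumptions (not from the page): the log format and lines below are
constructed; whois/tracert commands are built as strings for the reader
to run by hand and are never executed here.
"""
import hashlib
import ipaddress
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample log (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = """\
2002-05-03 02:14:07 BLOCK TCP 203.0.113.45:4112 -> 192.168.1.10:139
2002-05-03 02:14:09 BLOCK TCP 203.0.113.45:4113 -> 192.168.1.10:445
2002-05-03 02:14:11 BLOCK TCP 203.0.113.45:4114 -> 192.168.1.10:135
2002-05-03 03:01:55 BLOCK UDP 198.51.100.7:1025 -> 192.168.1.10:137
2002-05-03 03:40:02 BLOCK TCP 10.0.0.23:2000 -> 192.168.1.10:80
2002-05-03 04:12:30 BLOCK TCP 203.0.113.45:4120 -> 192.168.1.10:21
"""

# One line: "<date> <time> <action> <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Ranges that cannot belong to an Internet attacker: RFC 1918 private space,
# loopback, link-local, multicast and the unspecified network. (Checked by
# hand rather than with ipaddress.is_global, which would also reject the
# documentation ranges used in the constructed sample.)
UNTRACEABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "224.0.0.0/4", "0.0.0.0/8",
)]


def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["sport"] = int(d["sport"])
            d["dport"] = int(d["dport"])
            events.append(d)
    return events


def summarize_sources(events):
    """Count blocked events per source IP and list the ports each one probed."""
    counts = Counter(e["src"] for e in events)
    ports = {}
    for e in events:
        ports.setdefault(e["src"], set()).add(e["dport"])
    return {ip: {"hits": counts[ip], "ports": sorted(ports[ip])} for ip in counts}


def is_traceable(ip_str):
    """False for addresses that no WHOIS or traceroute can attribute to an
    Internet attacker; such a source on an Internet-facing link is usually
    spoofed or a machine on your own network."""
    ip = ipaddress.ip_address(ip_str)
    return not any(ip in net for net in UNTRACEABLE)


def lookup_plan(ip_str):
    """Commands the reader would run by hand (strings only; nothing executed).
    tracert is the Windows name; use traceroute elsewhere."""
    if not is_traceable(ip_str):
        return []
    return [f"whois {ip_str}", f"tracert {ip_str}"]


def evidence_manifest(log_text, filename="firewall.log"):
    """Hash the untouched log before investigating and record when you did.
    A hash is the usual first step in preserving a file as evidence; it does
    not by itself satisfy the legal requirements the article alludes to."""
    raw = log_text.encode("utf-8")
    return {
        "file": filename,
        "sha256": hashlib.sha256(raw).hexdigest(),
        "bytes": len(raw),
        "recorded_utc": datetime.now(timezone.utc).isoformat(),
    }


if __name__ == "__main__":
    print(evidence_manifest(SAMPLE_LOG))
    for ip, info in summarize_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, info, lookup_plan(ip) or "(not traceable: local or spoofed)")
```

Run the manifest step first and keep its output with a copy of the original file; everything after that (WHOIS, tracert, abuse contacts) is done against the copy, and the 10.0.0.23 entry in the sample shows why the traceability check matters: a private address cannot be chased across the Internet at all.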
Thomas Alexander Lancaster IV is a consultant and author with over ten years experience in the networking industry, focused on Internet infrastructure.
This was first published in May 2002