I play online games competitively. Sometimes people try to use hacking programs in the matches to win, but we can use a program called teamview to see their computer screen and have control of their mouse, send them files, and such.
Now what I am trying to do is find any hacking programs they are using if they do indeed hack. I have tried the simple "search C drive for hacking file names" and looking in the game's screenshot folder. After those I found a more advanced method, using the event viewer to find window logs of the hack crashing, because even hacks that don't leave traces in the UserAssist part of the registry do leave traces here. If that doesn't work I send them a program called UserAssistView to view their UserAssist registry entries and look for hack names.
The problem is that UserAssistView sometimes finds hacks, even from years ago, but sometimes misses them or doesn't even work on someone's computer. I cannot be sure that the event viewer alone finds all the hack files either, or any other method. So I am trying to find another, better way to find if someone had hacking programs on their computer within the last month or so. Usually these people use the program on a USB drive, it does not leave anything in the prefetch or registry/program data, and they delete the file and use CCleaner before I teamview them.
Any programs or methods I should use? Note another problem is that the cheat has been randomly renaming itself for the last few months, making it hard to search for. If possible I wish to be able to search for the hacking file without knowing the name. Maybe by size or hashes or code.
Here is the download link to the hacking program in question http//
Who are the "we"?
I am not sure I have understood, are you saying that people allow you to access their computers remotely?
jaclaz
Yes that is what I said. We as in the tournament admins (if I'm not one I usually know them) and just in general when someone is accused of hacking they let you remotely connect to their PC, even if they do hack. Because the benefit of seeming legit seems to be better than the risk of you finding their hacks, because they "deleted them" and also usually they have been teamviewed before by people with no clue about finding hacks.
Ghoster
Please accept my apology first... but isn't this just a GAME!!!!
If people are hacking and cheating then don't play the GAME!!!!
And like I have always said, a PC is a Personal Computer, not a game console.
Purchase a PS3
Mitch
I don't see a difference between finding hacking programs in real hacking situations as computer forensics does, and finding hacks that people use in tournaments.
You do understand there are prizes and money involved in these as well correct?
Anyway as I have said, it requires less skill to do what I'm doing but at the same time the same techniques can be applied. Criminals and hackers are one and the same.
How about comparing the hash values of the game files (EXE, DLL, etc) to a known control list?
If steam.exe (as an example) on player 1, 2 and 3 is a match - but NOT player 4 - then you must ask why? Evidence of foul play perhaps?
But from the original post, it does sound like some kid asked Google questions on detecting hacking, and found this forum…
There are several ways I can think of approaching this.
The biggest problem I can think of is how would you get the tools to execute on the target (player) machine.
But, here is something you can do with two tools.
You need to develop your own database of hacking tool signatures, that is, what artifacts they have installed, and leave after "deleted" or uninstalled.
Example
RegShot (download it from SourceForge) and batch files.
Some sort of a virtual machine (a full-blown machine works too) that matches a working player's machine configuration.
Take RegShot "baseline"
Install Hack A.
Take RegShot "installed Hack A"
Uninstall Hack A.
Take RegShot "uninstalled Hack A"
Revert back to original machine state.
Now compare the differences between the three RegShots.
Repeat for every hacking tool.
When actually investigating, search for things (possibly with a batch file, or similar) that appear different in the 2nd and 3rd Regshot.
Theoretically, you can write a batch program that searches for these artifacts for the top three or five or however many hacking tools you test.
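The three-snapshot procedure above, worked through as an added example (not code from the thread or from RegShot): the script derives the artifacts that survive uninstall and then searches a suspect's snapshot for them. A snapshot is modelled as a dict of registry key or file path to value or file hash; every path and value below is constructed for illustration.

```python
# Added example, not code from the thread or from RegShot: derive a
# persistent-artifact signature from the three snapshots described above
# (baseline, installed, uninstalled) and scan a suspect's snapshot for it.
# A snapshot is modelled as a dict of registry key or file path -> value or
# file hash; every path and value below is constructed for illustration.

def diff(before, after):
    """Keys added, removed or changed between two snapshots."""
    added = {k: after[k] for k in after if k not in before}
    removed = {k: before[k] for k in before if k not in after}
    changed = {k: after[k] for k in before if k in after and before[k] != after[k]}
    return added, removed, changed

def build_signature(baseline, installed, uninstalled):
    """Split install-time artifacts into the full set and the subset that
    survives uninstall; the latter is what is worth searching for."""
    added, _, changed = diff(baseline, installed)
    created = {**added, **changed}
    persistent = {k: v for k, v in created.items() if uninstalled.get(k) == v}
    return {"installed": created, "persistent": persistent}

def scan(snapshot, signature, min_hits=1):
    """Signature entries present in a suspect snapshot with the same value."""
    hits = sorted(k for k, v in signature["persistent"].items()
                  if snapshot.get(k) == v)
    return hits if len(hits) >= min_hits else []

# Constructed lab snapshots for a hypothetical "Hack A".
RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\HackA"
MUI = (r"HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows"
       r"\Shell\MuiCache\E:\hacka.exe")
CFG = r"C:\Users\player\AppData\Roaming\HackA\config.ini"
TMP = r"C:\Users\player\AppData\Local\Temp\hacka_overlay.dll"
BASELINE = {r"C:\Windows\System32\kernel32.dll": "sha256:aaaa"}
INSTALLED = {**BASELINE, RUN: r"E:\hacka.exe", MUI: "HackA Loader",
             CFG: "sha256:cccc", TMP: "sha256:bbbb"}
UNINSTALLED = {**BASELINE, MUI: "HackA Loader", CFG: "sha256:cccc"}
SIGNATURE = build_signature(BASELINE, INSTALLED, UNINSTALLED)

# A suspect after the tool was removed and Temp cleaned: the Run key and
# overlay DLL are gone, but the MUICache entry and config file remain.
SUSPECT = {**BASELINE, MUI: "HackA Loader", CFG: "sha256:cccc",
           r"C:\Users\player\Desktop\notes.txt": "sha256:dddd"}

if __name__ == "__main__":
    print("persistent artifacts:", sorted(SIGNATURE["persistent"]))
    print("suspect hits:", scan(SUSPECT, SIGNATURE))
```

Raising `min_hits` trades missed detections for fewer false positives when a single leftover key could also come from a legitimate program.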
Thanks for the suggestions.
It is true that I found this site by Google and that I do know little about computer forensics, but I have had experience in doing what I'm asking for and it does pertain to computer forensics as I said earlier. I also have the EnCase software, however I am having an issue with it so I'm not including it right now.
I want to learn more about computer forensics because of what I am doing. I mean if I like finding hacks on someone's computer, it would be the same as finding evidence of a crime on a criminal's computer if I choose to go into that field. At least that's my thinking, feel free to post your own.
You have the EnCase software, but you are having a problem with it?
Did you pay for it? If so, what version are you using? What kind of dongle, etc.? We can help with that.
I doubt that the TeamView method is valid "generally".
I mean in forensics (real digital forensics) the procedure is almost invariably the same (with some possible exceptions of course):
"freeze" everything exactly "as is" and at the earliest possible moment in time, make an exact copy of the disk, then review its contents.
With TeamView (or similar) you are working "online" on a PC running an "unknown" OS with the user (let's call it "suspect") physically in front of the actual PC, possibly largely bothered by the procedure and not willing to cooperate, and able to run commands on it, enable/disable/connect/disconnect devices, etc.
The possibilities of "counter-forensics" actions seem to me almost infinite.
If the thingy is "serious" (money involved, as you mentioned, etc.) a possible solution (cannot say how viable this could be) could be that of having players use a "dedicated" machine for the game, and you (or the "tournament referees" or whomever) establish a way to take an image of the machine (or of the relevant parts/registry, filesystem tables, etc.) at the time of enrollment and another one at the end (this latter only in case the player ranks high enough and there is a claim he/she "cheated").
The image(s) could be made (and stay) "locally" and transferred to the "cheat detectives" only if needed.
Basically a tool that when run "snapshots" (besides the Registry) also some other key parts of the OS/filesystem and stores them in a (compressed/encrypted) container, MD5 or SHA hashed, ready to be - if needed - transmitted to the "cheat detectives".
jaclaz
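An added example, not code from the thread or from any existing tool, combining two ideas raised above: the hashed "snapshot into a container" jaclaz describes, and the earlier suggestion of comparing hashes of game files (steam.exe and friends) across players to find the one that does not match. The player directories and their contents are constructed in a temporary directory so the script runs on its own.

```python
# Added example, not code from the thread or from any existing tool: take a
# hashed snapshot of a game directory (jaclaz's sealed container) and compare
# snapshots across players to find the odd one out (the steam.exe idea above).
import hashlib, json, os, tempfile
from collections import Counter

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def snapshot(root):
    """Map every file under root (relative, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest

def seal(manifest):
    """Canonical JSON plus its SHA-256; the digest lets referees detect a
    container that was altered before it reached them."""
    blob = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return blob, hashlib.sha256(blob).hexdigest()

def verify(blob, digest):
    return hashlib.sha256(blob).hexdigest() == digest

def outliers(manifests):
    """Per file, the majority hash across players is the reference; report
    each player whose copy differs from it or is missing."""
    flagged = {}
    for path in sorted(set().union(*manifests.values())):
        votes = Counter(m.get(path) for m in manifests.values())
        majority = votes.most_common(1)[0][0]
        for player, m in manifests.items():
            if m.get(path) != majority:
                flagged.setdefault(player, []).append(path)
    return flagged

def demo():
    """Four constructed players' bin/ folders; player4 has a patched DLL."""
    base, manifests = tempfile.mkdtemp(), {}
    for p in ("player1", "player2", "player3", "player4"):
        root = os.path.join(base, p, "bin")
        os.makedirs(root)
        with open(os.path.join(root, "steam.exe"), "wb") as f:
            f.write(b"clean steam binary")
        with open(os.path.join(root, "render.dll"), "wb") as f:
            f.write(b"patched render" if p == "player4" else b"clean render")
        manifests[p] = snapshot(root)
    return outliers(manifests)
```

A mismatch only shows that a file differs from the majority; a different game build or patch level produces the same result, so the flagged files still need to be examined before anyone is accused.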