My friend's home network has been hacked by an intruder and all of his office documents, personal e-mails, financial details and other details were stolen (this happened just 48 hours before this post).
As he told me about this, I tried to monitor the network traffic using Wireshark and I tried to see the suspicious processes running using Process Explorer, but I wasn't able to get anything useful regarding identifying the intruder. As a precautionary
measure we have already shut down the internet connection going to and from the network to prevent damage. As this is just a home network we don't have an IDS or IPS system or any monitoring software; we have Microsoft Windows XP on the hacked client. We didn't delete or modify any data
after the intrusion. If we get enough evidence my friend will lodge a legal complaint against the intruder (as we decided).
When I asked some of my admin friends, they said that the malware is designed to evade Wireshark analysis and process analysis, and one also said it may be a FUD malware with options to kill our firewalls such as ZoneAlarm etc.
So I am a bit confused. I didn't delete anything on the PC; what should I do to gather evidence of the intrusion?
Hope I can get some help here.
Manoj, you're probably approaching this the wrong way; if you intend to prosecute, then STOP what you're doing and report the matter to your local law enforcement immediately. Let them take it over from here onwards.
Yes, I also thought like you said, but there are reasons behind it. First of all, we want to know whether the intrusion came from our country or from another country. If it was attempted by my friend's fellow office workers it may get critical, because the news about the company will spread quickly and it may put my friend's job at risk. If it was not from my friend's office mates, then we are ready to hand this over to local law enforcement, but first we need to gather evidence against the intruder, and we know about the fellow office mates. Depending upon the evidence we get, my friend can proceed further. This is very complicated, but first we are trying to gather evidence of the intrusion; depending upon the evidence that we get, we decided to proceed further. My friend is also busy recovering the compromised passwords etc.
We have got some time, so please help me to gather some evidence of the attack.
I am wondering, is it wrong to gather evidence of an intrusion into our own network?
Hope I can get some help here.
There's a lot to look at; take a look at the recent discussion around something similar on this forum that may guide and assist you, but be sure to make forensically sound copies of the hard drives, and verify them before you do any further exploration.
http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&p=6540559#6540559
The malware you refer to: if you can find the executable and obtain a sample, you can get it analyzed using a free sandbox, to determine exactly what it does during the initial infection/activation stages.
Evading Wireshark? Some malware can use SSL, etc. to evade detection – I’m assuming that is what your admin friend meant here, but then if they know the name of the malware strain – you should be able to find enough info on the web about what it does, and if it is a Remote Admin Tool, or part of a known bot network, etc.
Personally; if you're new to this I would suggest to get someone more experienced to guide and assist you or you could very well ruin your chances of having a successful case against the attacker, and could very well destroy a lot of the evidence that may have been left behind on the affected machine.
Good luck.
My friend's home network has been hacked by an intruder and all of his office documents, personal e-mails, financial details and other details were stolen (this happened just 48 hours before this post).
What alerted you to the "hack"? What made you think the files were "stolen"? Are the files gone from the computer or were they just inappropriately accessed or e-mailed or otherwise sent off-site?
As MindSmith posted previously, in many locales what you have already done will likely disincline any formal authority from examining the computer. For example was Process Monitor already on the computer? If not how did you get it on the computer? And did you use WireShark on the subject computer or did you install a trap in the wire between the subject computer and the switch/router?
I know this seems like a lot of questions, but it is really just a very short list of likely questions that would have to be asked if this went to the authorities.
I suspected the attack as my friend's password got changed the next day. I installed Process Monitor and Wireshark on the attacked PC after the intrusion. I tried to search for suspicious traffic in HTTP, FTP, HTTPS and SMTP in Wireshark and found nothing, and some of the files had been placed in different places and some were gone! So I think they may have been stolen.
What can I do in this short time?
Can I call any non-law enforcement authorities, like private agencies, in this case?
I'm hoping your friend didn't have any data belonging to other third parties such as employer, customers, etc.
Otherwise, he/she has a more significant issue.
I don't know what options you have in India but I hope that you have a forensic image of the drive and are not working on the source. If you don't have such an image, get one ASAP if you want to try to recover what has been lost.
Next question: are you simply interested in recovering what was lost or do you want to find out what happened? If the latter, then, as others have suggested, either approach law enforcement, if the laws in your jurisdiction will support it, or ask for the assistance of someone who has done this type of investigation before.
Determining the who, how and why can be extremely labor intensive and expensive. How important is this knowledge to your friend?
Finally (you have provided few details), what is the presumed motive? Are you suspecting simple, indiscriminate malware, or a deliberate intrusion for the purpose of disrupting your friend's operations? If the latter, there are a lot more questions to be asked and answered.
The next time you've been hacked, don't disconnect the computer, because you're going to lose a lot of valuable information.
Simply use these commands:
netstat -ano > estado.txt
arp -a > algo.txt
Look for the Prefetch folder in Windows, if you are using it.
Get a memory dump; it's going to give you valuable information.
So if you disconnected the computer, get an image for analyzing it.
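The netstat -ano capture suggested above still has to be read once it is saved. As an added example (not from the thread, and run in Python off the box rather than on the XP client), this parses the Windows netstat -ano column layout from a constructed sample and pulls out the established connections to non-local peers and the PIDs that own them, the ones to match against Process Explorer or the memory dump. The sample addresses are constructed documentation-range values, and LOCAL_NETS is my own list of ranges treated as on-LAN.

```python
import ipaddress
# Constructed sample of Windows `netstat -ano` output (not captured from the thread's machine).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    192.168.1.5:1054       192.168.1.1:80         ESTABLISHED     2280
  TCP    192.168.1.5:1061       203.0.113.10:443       ESTABLISHED     1520
  TCP    192.168.1.5:1062       198.51.100.7:6667      ESTABLISHED     1520
  UDP    0.0.0.0:445            *:*                                    4
"""
# Ranges that never point at an off-site peer: unspecified, RFC 1918, loopback, link-local.
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
              "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fe80::/10")]

def split_host_port(endpoint):
    # '192.168.1.5:1054' -> ('192.168.1.5', 1054); '[::]:135' -> ('::', 135); '*:*' -> ('*', 0)
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else 0)

def parse_netstat(text):
    # TCP rows carry 5 columns, UDP rows 4 (no State); any other line is skipped, not fatal.
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            proto, local, foreign, state, pid = parts
        elif len(parts) == 4 and parts[0] == "UDP":
            (proto, local, foreign, pid), state = parts, ""
        else:
            continue
        (lhost, lport), (fhost, fport) = split_host_port(local), split_host_port(foreign)
        rows.append({"proto": proto, "local_host": lhost, "local_port": lport, "foreign_host": fhost,
                     "foreign_port": fport, "state": state, "pid": int(pid)})
    return rows

def is_external(host):
    # '*' or junk is never external; a real address is external unless it sits in LOCAL_NETS.
    try:
        return not any(ipaddress.ip_address(host) in net for net in LOCAL_NETS)
    except ValueError:
        return False

def external_connections(rows):
    # Established TCP sessions whose peer is off the home network: the first thing to chase.
    return [r for r in rows if r["proto"] == "TCP" and r["state"] == "ESTABLISHED"
            and is_external(r["foreign_host"])]

def pids_to_review(rows):
    # Owning PIDs of those sessions, to look up in Process Explorer or in the memory dump.
    return sorted({r["pid"] for r in external_connections(rows)})
```

Feed it the saved estado.txt instead of SAMPLE_NETSTAT and cross-check each returned PID against the process list taken at the same time, since PIDs are reused after a reboot.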
…
Evading Wireshark? Some malware can use SSL, etc. to evade detection – I’m assuming that is what your admin friend meant here, but then if they know the name of the malware strain – you should be able to find enough info on the web about what it does, and if it is a Remote Admin Tool, or part of a known bot network, etc.
…
Wee bit off topic, but -
I thought about this quite some time, even before this post.
There is no reason malware could not install its own TCP/IP protocol stack and bind to the NIC.
Once that is achieved, few tools would detect it on that infiltrated machine.
Obviously once the packets are on the wire, they are back in the flow, and fair game.
I just think malware writers are getting lazy.