help needed in gathering evidence against network intruder?

manoj9372 · 2010-05-23T00:02:01Z

my friend's home network has been hacked by a intruder and all of his office documents,personal e-mails,financial details and other details were stolen(this happens just before 48 hours from this post), As he said me regarding this I tried to monitor the network traffic using wire-shark and I tried to see the suspicious process running using process explorer but I can'table to get any thing useful regarding identifying the intruder ,As a pre-cautionary measure we have already shut-down the internet connection going to and from the network to prevent damages,As this is just a home network we don't have an IDS Or IPS system or any monitoring softwares,we have microsoft windows xp on the hacked client,we didn't deleted or modified any data after the intrusion ,If we get enough evidence my friend will lodge a legal complaint against the intruder(as we decided) when I asked to some of my admin friend's they have been saying that the malware is designed to escape from wireshark analysis and process,and he also said it may be a FUD malware with options to kill our fire-walls such as zone-alarm etc.. so I am bit confused,I didn't deleted any thing on the pc what should I do to gather evidence against the intrusion? hope I can get some help here..

Page 2 / 2 Prev

General (Technical, Procedural, Software, Hardware etc.)

Last Post by jim.borwick 15 years ago

11 Posts

8 Users

0 Reactions

1,241 Views

RSS

jim.borwick

(@jim-borwick)

Active Member

Joined: 16 years ago

Posts: 9

23/11/2010 8:21 pm

I agree with the comments regarding preservation of evidence and consideration to reporting the incident to law enforcement. I also agree with jjbreton regarding the memory dump.

You can get valuable information from analysis of RAM - you can identify processes running and recover any suspicious processes. It may also be worth recovering the hiberfil.sys, if there is one as this can be examined in a similar fashion to a memory dump.

ReplyQuote

Page 2 / 2 Prev

8 Forums
15.7 K Topics
92.3 K Posts
288 Online
41.1 K Members

Forum Icons: Forum contains no unread posts Forum contains unread posts

Topic Icons: Not Replied Replied Active Hot Sticky Unapproved Solved Private Closed