
It's well known what measures one should take to prevent hackers from hacking their PC. But are there any steps that allow a user to evaluate the damage done by a hacker?

Say that I know for sure that someone hacked me yesterday. But I have no idea what they did when they were in my PC. Is there a way to know what files they took (if any) or what exploit the attacker used to gain access?

RoraΖ
HSN

2 Answers


So there are really two sides to this question.

1. What can I do NOW. I am hacked.

a. You can view your system logs. Instead of trying to parse through the different logs on your system, it might be easier to use a timeline tool such as log2timeline. This will gather all timeline evidence artifacts and put them in an easy to read .csv file. Timeline information is really all of the available log sources in one place. This can really help you determine various indicators of compromise and help you find where you need to spend some time digging on your system.

b. You really need to capture a snapshot of your memory as soon as you can. It is very possible that there are still remnants of malware on your system or cached network information about the attacker. There are several free memory acquisition tools available, such as MoonSols DumpIt. Once you have a copy of your memory, you will need to analyze it, and can use a tool like Mandiant Redline (also free).

c. If you are really serious about finding what was taken on your system, you really should take a forensic image of your hard drive and work off of the image, for accountability's sake. There are some free HDD imaging tools, like FTK Imager. Once you have a snapshot of your HDD, you can run it through a forensic acquisition toolkit like the Autopsy forensic suite. You can then run the files against a bad file hash list, which will alert on malicious files on your PC based on hashes taken of the malware in the past. You can load the hash lists in your forensic acquisition tool and run it against your file system. You can find free and up to date hash lists at the NSRL (National Software Reference Library).

2. How to prevent getting hacked in the future.

a. It is a good idea to use a log collection and analysis tool on your PCs, a HIDS agent. OSSEC is an open source HIDS agent that works very well. It gathers logs from your PCs as well as monitoring system critical files and registry entries.

b. It is a good idea to employ a NIDS system. This will watch for signs of compromise over the wire. Tools such as Suricata provide excellent monitoring capabilities. Check out SecurityOnion. It is a Linux distro packed with tools such as Suricata. It makes setting up a NIDS system super easy.

c. You really need to keep on top of patching. Employ a vulnerability assessment tool such as OpenVAS (open source). This will help you keep on top of vulnerabilities on your network.

d. Have a solid Incident Response plan!!! This is so important.

e. Follow the SANS top 20 Critical Security Controls.

Maumee River
  • Note that unless you've got a separate logging server, your logs are untrustworthy. Most script-kiddie-class tools attempt to delete your system logs (with varying degrees of success); a more sophisticated attacker will tamper with the logs to hide his tracks while not interfering with honest log entries. – Mark Oct 24 '14 at 19:35
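Items 1a and 1c of the answer above (a file-system timeline written to CSV, plus a check of each file's hash against a known-bad list) in one small script. This is an added example, not code from the answer or from log2timeline/Autopsy; it assumes a SHA-1 hash set and derives one constructed "known bad" hash from sample bytes so it runs offline.

```python
import csv
import hashlib
import os
import stat
import sys
from datetime import datetime, timezone

# Constructed known-bad set. A real list (an NSRL export or an IR team's own
# indicators) would be loaded from disk; this one SHA-1 is derived from a
# harmless sample byte string so the example is self-contained.
SAMPLE_MALWARE_BYTES = b"constructed sample: not real malware\n"
KNOWN_BAD_SHA1 = {hashlib.sha1(SAMPLE_MALWARE_BYTES).hexdigest()}

def sha1_file(path, chunk=1 << 20):
    """Hash a file in chunks so large files are not read into memory at once."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def _iso(ts):
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()

def build_timeline(root, known_bad=KNOWN_BAD_SHA1):
    """Walk `root` and return one row per entry with its MAC times, size,
    SHA-1 and a known_bad flag, sorted by mtime so it reads as a timeline."""
    rows = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path, follow_symlinks=False)
                digest = sha1_file(path) if stat.S_ISREG(st.st_mode) else ""
            except OSError:
                continue  # unreadable entry: skip it rather than abort the walk
            rows.append({
                "mtime": _iso(st.st_mtime), "atime": _iso(st.st_atime),
                "ctime": _iso(st.st_ctime), "size": st.st_size,
                "sha1": digest, "known_bad": digest in known_bad, "path": path,
            })
    rows.sort(key=lambda r: r["mtime"])
    return rows

def write_csv(rows, out):
    fields = ["mtime", "atime", "ctime", "size", "sha1", "known_bad", "path"]
    w = csv.DictWriter(out, fieldnames=fields)
    w.writeheader()
    w.writerows(rows)

if __name__ == "__main__":
    write_csv(build_timeline(sys.argv[1] if len(sys.argv) > 1 else "."), sys.stdout)
```

Run it against a mounted forensic image rather than the live disk, so the mtime/atime values it records are the ones the attacker left behind.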

The answer largely depends on what you are running (e.g. a personal PC vs. large company server, operating system(s) in use). My first step would be to reach out to the professionals in this area. If you have access to a computer security team / IT department (e.g. within a company), I would consult them immediately. If you are US-based, you can probably make use of resources available at the Computer Emergency Readiness Team (https://www.us-cert.gov/). Globally, you may find a team that can help you here: http://www.first.org/

If this is your personal PC and you are unable to reach out to another computer security professional, I would disconnect the computer from the internet to prevent further damage (if feasible), then look at the log files to look for what the hacker did. How you do this varies depending on what operating system you are running. There are tools that make log file review easier (including Splunk). If you are running a Linux server, this question may be useful for forensics as well: How do you know your server has been compromised? Another good, similar question is: Forensics after web server compromise

You may be able to find some further good log file review tools under this question I just asked: https://security.stackexchange.com/questions/71526/good-log-file-review-tools

Jonathan