Can I tell what hackers took?


19 replies to this topic

#1 Jacqui123
  • Members
  • 10 posts

Posted 23 January 2015 - 09:01 PM

Hello and thanks in advance,

I've reason to believe I've had hackers pick up documents from my laptop. Is there a way I can find out what they took, i.e. did they just take those documents or have they copied the contents of my drive?

The reason I think I've been hacked is that people who should not have had those documents had them in paper format. My laptop was a possible source.

On 18th Jan our network practically ground to a halt. The Windows Event Log for that day reads three times in a row:

The system time was changed.

Subject:
    Security ID:        LOCAL SERVICE
    Account Name:        LOCAL SERVICE
    Account Domain:        NT AUTHORITY
    Logon ID:        0x3e5

On 19th Jan the network was back up to speed. The Event Log reads:

An attempt was made to register a security event source.

These log items do not appear on any of the other days. Am I wrong in deducing that I was hacked? If not, can I tell what they took?

Thank you for your time,

Jacqui

#2 Didier Stevens
  • BC Advisor
  • 2,705 posts

Posted 24 January 2015 - 04:42 AM

There can be other explanations for those Windows events than a hack.

But I need more information about your environment.

You speak about "our network". Is this a corporate network?

What Windows version do you have?

How is your laptop protected? With logon credentials? With full disk encryption?


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#3 Didier Stevens
  • BC Advisor
  • 2,705 posts

Posted 24 January 2015 - 04:49 AM

I'm working under the assumption that you want to know just out of curiosity. Correct?

Because if you want to escalate this (for example report theft to the police), then we shouldn't give you advice.




#4 Jacqui123
  • Topic Starter
  • Members
  • 10 posts

Posted 24 January 2015 - 05:35 AM

Thanks, Didier. You're right - it's just curiosity - relationship stuff (but nothing heavy).

I'm on Windows 7. Password protect only - all I have is Zone Alarm and Windows Firewall.

It's a private network.

I was watching one of their videos on Google Drive that they had uploaded (they = suspected hackers). I went to watch the next and the video would not download. No probs - I forgot all about it. But the next day I saw the video appear in my Windows Downloads list as a failed download when I hadn't been downloading it. I thought nothing of it and removed the link from the Windows Download list. But that was the day the network was slow. Is it possible that my downloading from Google Drive might have given them some kind of a "window" (sorry - I'm not technical) to pick things up through?

Thanks for your time.



#5 Didier Stevens
  • BC Advisor
  • 2,705 posts

Posted 24 January 2015 - 05:52 AM

Can those people that you suspect have physical access to your laptop?

Because then it is easy: boot your laptop with a Live CD, and copy the files to a USB stick. No password is required.




#6 Jacqui123
  • Topic Starter
  • Members
  • 10 posts

Posted 24 January 2015 - 09:16 AM

Thanks again, Didier - no they don't.



#7 Didier Stevens
  • BC Advisor
  • 2,705 posts

Posted 24 January 2015 - 11:23 AM

Windows keeps no direct trace of files that were copied. A forensic investigator could find indirect evidence, but there is no direct evidence.

If you suspect that someone might have accessed your laptop without your consent, and that they installed malware on your machine during that process, I suggest you open a post in forum "Am I infected? What do I do?" and wait for further instructions.




#8 Jacqui123
  • Topic Starter
  • Members
  • 10 posts

Posted 24 January 2015 - 12:03 PM

Thanks for the reply. I'm not worried about malware - I don't think I'm infected. If it was a hack it was probably a silent, trace-free pick-up of my docs. But never mind, if Windows can't tell me whether they took anything else I will just have to wait and see.

Thanks for your time.

J



#9 Didier Stevens
  • BC Advisor
  • 2,705 posts

Posted 24 January 2015 - 12:29 PM

You're welcome.

If you suspect that this might happen again, we can configure your laptop now so that it will collect more evidence.




#10 Jacqui123
  • Topic Starter
  • Members
  • 10 posts

Posted 24 January 2015 - 05:29 PM

That would be wonderful. Yes please. But excuse me if I don't reply immediately - it's the time difference.



#11 Didier Stevens
  • BC Advisor
  • 2,705 posts

Posted 25 January 2015 - 03:52 PM

You run Windows 7? What edition?




#12 Jacqui123
  • Topic Starter
  • Members
  • 10 posts

Posted 26 January 2015 - 06:40 AM

Windows 7 Home Premium

SP1, 2009



#13 Didier Stevens
  • BC Advisor
  • 2,705 posts

Posted 26 January 2015 - 01:32 PM

If you had the professional or enterprise edition, we could use a Microsoft utility to activate object auditing so that we can see what files are accessed.

But we can install another Microsoft tool that will log all programs that are started, and all network connections.

The tool is called Sysmon: https://technet.microsoft.com/en-us/sysinternals/dn798348

To install it, start an elevated command-line prompt (cmd.exe) and run this command:

Sysmon.exe -i -h md5 -l -n




#14 Jacqui123
  • Topic Starter
  • Members
  • 10 posts

Posted 27 January 2015 - 07:01 AM

It says it's not recognised as an internal or external command, operable program or batch file.

When I bought my laptop I didn't realise there was Windows 8 on it. So I took it back and the guy at the shop put Windows 7 on it (I think he used a compartment, if that makes sense - as I said, I'm not technical). Might that be why this doesn't work?

If it's a problem or is going to take up hours of your time then don't worry. It would be a nice thing to have if it's easy but I know you guys have got lots of other people to help! :-)



#15 Didier Stevens
  • BC Advisor
  • 2,705 posts

Posted 27 January 2015 - 05:36 PM

You have to download the Sysmon tool for which I posted a link, unzip it, start an elevated cmd.exe and CD to the directory with sysmon, and then execute the command I gave you.

Edited by Didier Stevens, 27 January 2015 - 05:37 PM.

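Once Sysmon is installed as described in the posts above, the evidence it collects lands in the Microsoft-Windows-Sysmon/Operational event log. The PowerShell script below is an added example, not something posted in this thread, showing how to review one day's process starts and network connections from that log; it assumes PowerShell 3 or later and an elevated prompt, and the Get-SysmonField helper is my own, not part of Sysmon.

```powershell
# Added example (not posted in this thread): summarise what Sysmon recorded on one day.
# Assumes Sysmon was installed as in the post above (process creation and network
# connections logged), PowerShell 3 or later, and an elevated prompt.
param(
    [datetime]$Day = (Get-Date).Date   # e.g. -Day '2015-01-18' to review a specific date
)

# Pull one field ("Image: C:\...") out of a Sysmon event's message text.
# Reading the text is more robust across Sysmon versions than fixed property indexes.
function Get-SysmonField {
    param([string]$Message, [string]$Name)
    if ($Message -match "(?m)^${Name}:\s*(.+?)\s*$") { return $Matches[1] }
    return ''
}

$filter = @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 1, 3                 # 1 = process created, 3 = network connection
    StartTime = $Day
    EndTime   = $Day.AddDays(1)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No Sysmon process or network events recorded on $($Day.ToShortDateString())."
    return
}

# Which programs started, and how often. Unfamiliar images are what to look at first.
Write-Host "`nProcesses started:"
$events | Where-Object { $_.Id -eq 1 } |
    ForEach-Object { Get-SysmonField $_.Message 'Image' } |
    Group-Object | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Which programs talked to which remote addresses. A known program connecting to an
# address you do not recognise, especially during a "slow network" period, stands out here.
Write-Host "`nNetwork connections (program -> destination):"
$events | Where-Object { $_.Id -eq 3 } | ForEach-Object {
    [pscustomobject]@{
        Image       = Get-SysmonField $_.Message 'Image'
        Destination = (Get-SysmonField $_.Message 'DestinationIp') + ':' +
                      (Get-SysmonField $_.Message 'DestinationPort')
    }
} | Group-Object Image, Destination | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

Run it as `.\Review-Sysmon.ps1 -Day '2015-01-18'` (any file name works) to look at a specific date; Sysmon only records events from the moment it is installed, so it cannot say anything about days before that.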
