February 6th, 2004 03:58 AM
Finding people that don't want to be found
Recently the company I work for was subjected to an intrusion. A machine was backdoored, and accesses were made to critical systems.
Well, I was able to track the person down. I was able to identify him. Although he denied it, we were able to find prior complaints. When he was confronted, he explained that he knew nothing about computers and was being framed by people connecting through "botted computers". Hah!
Anyway, the police didn't care because there was no proof, just a little circumstantial evidence and a good hunch.
I don't want to find him, I know who he is and where he lives. I want to find him online, or traces of him.
He is here! He may even be reading and posting on this site...
How could it be so easy to go from anonymity to a physical person, but so unimaginably harder to go the other way around?
Anyone had any luck doing this?
Seems like it'd be good to have an MO directory of sorts, where as much information as possible regarding the identity of the person doing the attack, and maybe some specific and obvious details about each person, could be collected (source IPs, style, files found, obvious identifiers in files like URLs and such). It may then be possible to find that someone else was compromised by the same 'john doe'.
Seems like organized crime fighting should possess such a database, but based on my experiences the ability for local police departments to collect and process this kind of information is limited.
February 6th, 2004 04:42 AM
OK, first, how do you know it was the guy that you think? Trust me, it is very easy to frame someone for something.
Now, as for your question: it is probably as easy, if not easier, to track someone in reverse order (i.e. real person --> online life). How do you do it? Well, there are several ways.
First, a real person has an IP address that they are assigned. Find it and you can get all that you need. (You will be surprised how much an ISP will tell you about a person if they think the person is doing wrong. You can social engineer **** loads of info out of them.)
Next way: a lot of people, when they set up email accounts, use their real name for the subscriber. Well, that is also a way. Another good thing, believe it or not: try Google. You would be surprised what info might be there about you.
I will tell you this much: if you have the time and don't mind doing the work, you can find the fake life of an amateur, or of someone who doesn't care, quite easily.
If you need any more help with this, let me know in PM and I will see what I can do.
February 6th, 2004 04:46 AM
That sounds about right... since you know who it is and he works in your company, try monitoring his computer. Either remote logging, IP monitoring, or key logging would be good options.
February 6th, 2004 05:50 AM
You may consider looking at what JP left on AntiOnline... http://www.antionline.com/hacker-profiling/?s= I haven't checked it out in over 2-3 years myself...
It works in the opposite direction of what you seem to be doing, but I guess that any reading is better than none at all. Good luck and hopefully it helps.
And Googling does find a lot. What do these other people you said you met with to determine that you had your man think about his online identity? They may have done some work already.
But for true evidence, there are some very important steps to follow. 1) You will need to NOT do ANYTHING to the PC. Turn it off, remove the HDD, get a HDD cloner and clone the HDD. Then bag the original one and it *should* be permissible as evidence. Search the cloned HDD for the info you are looking for. Not following at least that can ruin evidence-worthiness... For more, search AO and you might find something; I think a tutorial was written a while back.
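The preservation steps in the post above (power off, remove the drive, clone it, bag the original, search only the copy) are the part a defender can script. The script below is an added example written for this thread, not code posted by anyone in it: it images a source with dd, hashes the original and the copy with SHA-256, appends both hashes to a custody log, and lets you re-check the copy later. The file paths and the sample "drive" it builds are constructed; on a real case the source would be the removed drive's block device, run as root, and the original would never be written to.

```shell
#!/bin/sh
# Added example, not from the thread: preserve a drive as evidence by imaging
# it and recording hashes, so the original can be bagged untouched and all
# searching happens on a verified copy.
# Paths and sample data are hypothetical/constructed. On a real case you would
# run image_and_verify as root against the block device of the removed drive
# (e.g. /dev/sdb), never against a mounted, running system.

# Build a constructed "drive" file to stand in for the removed disk.
make_sample_disk() {
    out=$1
    i=0
    : > "$out"
    while [ "$i" -lt 1000 ]; do
        echo "constructed sector $i: sample data standing in for a drive" >> "$out"
        i=$((i + 1))
    done
}

# image_and_verify SRC IMG LOG
# Copies SRC to IMG, hashes both, appends the hashes to the custody LOG,
# and returns 0 only if the image hash equals the source hash.
image_and_verify() {
    src=$1; img=$2; log=$3
    # Hash the original before copying, so the record predates any copy.
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    # Plain dd: conv=sync would pad the final block and change the hash
    # whenever the source size is not a multiple of bs. A read error makes
    # dd fail, and that failure is surfaced rather than hidden.
    dd if="$src" of="$img" bs=1M || return 1
    img_hash=$(sha256sum "$img" | cut -d' ' -f1)
    {
        echo "time=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "source=$src sha256=$src_hash"
        echo "image=$img sha256=$img_hash"
    } >> "$log"
    [ "$src_hash" = "$img_hash" ]
}

# reverify_image IMG LOG
# Re-hashes IMG and compares it with the hash recorded in LOG at acquisition
# time; returns 1 if the image changed since then (or was never recorded).
reverify_image() {
    img=$1; log=$2
    recorded=$(grep -F -- "image=$img sha256=" "$log" | tail -n 1 | sed 's/.*sha256=//')
    current=$(sha256sum "$img" | cut -d' ' -f1)
    [ -n "$recorded" ] && [ "$recorded" = "$current" ]
}

# Demo on a constructed file: run as `sh evidence.sh demo`.
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    make_sample_disk "$work/drive.bin"
    if image_and_verify "$work/drive.bin" "$work/evidence.img" "$work/custody.log"; then
        echo "image verified; custody log:"
        cat "$work/custody.log"
    else
        echo "hash mismatch: do not analyse this image" >&2
    fi
fi
```

The point of the two hashes is that the copy, not the original, is what gets searched, and anyone can later show the copy still matches what was taken from the bagged drive. Any write to the image, even one byte, makes reverify_image fail, which is exactly the signal you want before relying on it.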
February 6th, 2004 02:02 PM
"How could it be so easy to go from anonymity to a physical person, but so unimaginably harder to go the other way around?"
Well it is logical if you think about it. You trace the "anonymous" to the "physical" because they have made contact with you.
You have no idea how many proxy accounts, fake e-mails, ISPs, or even computers that they have.
Let's face it, it could be me, because you have had no contact from this ISP?
It is difficult enough tracing an attacker, if they know what they are doing, if they don't attack you, then you really have little chance, as they could be anyone on the internet and that is a very large number?
If you cannot do someone any good: don't do them any harm....
As long as you did this to one of these, the least of my little ones............you did it unto Me.
What profiteth a man if he gains the entire World at the expense of his immortal soul?
February 6th, 2004 02:24 PM
since you know who it is and he works in your company
Where did cmbaron say this? I see "I was able to track the person down. I was able to identify him" and "I know who he is and where he lives"... but I don't see anything like you assumed. I have reread the post about 15 times, and I still don't see it.
If "he" worked for the company in question, then "he" probably would no longer have a job?
remote logging, IP monitoring, or key logging would be good options
You should never give advice based on assumptions.
February 15th, 2004 07:20 PM
Actually, it is possible that he was being used by the actual culprit as a zombie, which means his comp was being used by the culprit to hack the comp because of a backdoor in his comp.
you want commitment put on your best suit, get your arms around me now we're goin' down down down