http://www.reuters.com/article/2013/06/1...PN20130614

I'd like to know how they know the computer was hacked. Specifically, getting into the machine could have been easy, but how do they know what happened after they got into it? I'm pretty good with computers and I can't figure that one out unless there is already something in the computer that logs all activity.

(06-14-2013 12:04 PM)smn1256 Wrote:  I'd like to know how they know the computer was hacked. Specifically, getting into the machine could have been easy, but how do they know what happened after they got into it? I'm pretty good with computers and I can't figure that one out unless there is already something in the computer that logs all activity.

A log shows time and date each file was accessed.

(06-14-2013 12:06 PM)WMD Owl Wrote:  

(06-14-2013 12:04 PM)smn1256 Wrote:  I'd like to know how they know the computer was hacked. Specifically, getting into the machine could have been easy, but how do they know what happened after they got into it? I'm pretty good with computers and I can't figure that one out unless there is already something in the computer that logs all activity.

A log shows time and date each file was accessed.

That can be fixed. Not only that, a file could be altered and the date changed to make it appear it was done a long time ago. I know network servers have logs that pretty much detail all activity, but I'm unaware of individual computers having that ability.

(06-14-2013 12:04 PM)smn1256 Wrote:  I'd like to know how they know the computer was hacked. Specifically, getting into the machine could have been easy, but how do they know what happened after they got into it? I'm pretty good with computers and I can't figure that one out unless there is already something in the computer that logs all activity.

Probably tripwire or an analysis of the filesystem at a deep level. It's actually quite impressive what a forensic hacker can do given free reign on a system.

I'm not an expert on the files systems that Windows uses but on the UNIX side it's pretty dang hard to access data without leaving a fingerprint behind and if you try to clean that (inode alteration) then you're going to muck something else up.

And then at the end of the day you get into the physical aspect of the world where the magnetic properties of the file locations on the platters of the disks themselves will have been altered.

There is no such ting as a perfect crime. It's as true of murder as it is of computer hacking. The only question is how much do you want to spend trying to run it down.

(06-14-2013 12:11 PM)smn1256 Wrote:  

(06-14-2013 12:06 PM)WMD Owl Wrote:  

(06-14-2013 12:04 PM)smn1256 Wrote:  I'd like to know how they know the computer was hacked. Specifically, getting into the machine could have been easy, but how do they know what happened after they got into it? I'm pretty good with computers and I can't figure that one out unless there is already something in the computer that logs all activity.

A log shows time and date each file was accessed.

That can be fixed. Not only that, a file could be altered and the date changed to make it appear it was done a long time ago. I know network servers have logs that pretty much detail all activity, but I'm unaware of individual computers having that ability.

I think the article was inaccurate. It was probably a server with files associated with the Reporters WorkStation being accessed.

(06-14-2013 12:20 PM)WMD Owl Wrote:  

(06-14-2013 12:11 PM)smn1256 Wrote:  

(06-14-2013 12:06 PM)WMD Owl Wrote:  

(06-14-2013 12:04 PM)smn1256 Wrote:  I'd like to know how they know the computer was hacked. Specifically, getting into the machine could have been easy, but how do they know what happened after they got into it? I'm pretty good with computers and I can't figure that one out unless there is already something in the computer that logs all activity.

A log shows time and date each file was accessed.

That can be fixed. Not only that, a file could be altered and the date changed to make it appear it was done a long time ago. I know network servers have logs that pretty much detail all activity, but I'm unaware of individual computers having that ability.

I think the article was inaccurate. It was probably a server with files associated with the Reporters WorkStation being accessed.

That makes a lot of sense. The last place I worked had all email folders and all the folders in the My Documents folder stored on a server. If I created a directory on C: it was not stored on the server. I had a few computers crap out on me and when I got a new one everything was there except the stuff I stored in the self created directories on C.

(06-14-2013 12:11 PM)smn1256 Wrote:  

(06-14-2013 12:06 PM)WMD Owl Wrote:  

(06-14-2013 12:04 PM)smn1256 Wrote:  I'd like to know how they know the computer was hacked. Specifically, getting into the machine could have been easy, but how do they know what happened after they got into it? I'm pretty good with computers and I can't figure that one out unless there is already something in the computer that logs all activity.

A log shows time and date each file was accessed.

That can be fixed. Not only that, a file could be altered and the date changed to make it appear it was done a long time ago. I know network servers have logs that pretty much detail all activity, but I'm unaware of individual computers having that ability.

It's very difficult to modify the ctime property of an inode. Yea changing a file so it looks like the access or modify time is pretty simple but you have to hack the inode table to alter ctimes and that would mess up hash values in other places. If something like Tripwire is employed then there is even more of an issue.

It would be like kicking in a door so you can go lower the toilet seat so that nobody knew you used their bathroom. Better to leave things be and hope the person does not notice the seat up, after all you cleaned up the sink and put the towels back.