See how quickly this goes? Just by not properly preparing to detect and respond to incidents you have already cut the list down from 6 phases to 3. When you get to phase 6 (take lessons from the incident and apply them to secure for the future), though, I think one of the primary lessons will be that you should have been better prepared, so hopefully that will change for your next incident.
We're not on phase 6 yet, though; we're still on phase 3: gather clues and evidence. One of the first things you should do is try running netstat. Netstat is a utility that will show you all open ports on your computer and your current connections. If your hacker is sloppy you may even be able to find his source IP address using netstat.
To use netstat you need to open a command prompt window and type netstat followed by the parameters you want to use. The available parameters are:
Using netstat can yield a ton of valuable information. You may be able to find open ports, connections to IP addresses, or connections opened by processes that you are not aware of. For your evidence gathering purposes you will want to export the results to a text file that you can save and refer back to later. Typing netstat -an >c:\log.txt will run netstat using both the -a and the -n parameters and will save the results to a file called log.txt on your C drive. You can change the drive and file name to anything you choose.
Another action you can perform is to validate your users and their privileges. Check the list of users on the machine to make sure there haven't been any new users created that you aren't familiar with. Additionally, you should verify that the existing users have the appropriate permissions assigned. The hacker may have taken one or many accounts and granted them administrative permissions.
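The two evidence-gathering steps above (exporting netstat output to a file, then reviewing users and their privileges) can be done in one pass from an elevated PowerShell prompt. The script below is an added example, not code from the original article; it assumes Windows 10 / Server 2016 or later (for Get-NetTCPConnection and the LocalAccounts cmdlets), and the evidence folder path C:\IR-Evidence is an assumption you can change. It adds the -o parameter so each connection carries its owning process ID, and hashes the saved files so you can later show they were not altered.

```powershell
# Added example (not from the original article): capture netstat evidence and
# review local accounts on the affected Windows host. Run from an elevated prompt.
$EvidenceDir = "C:\IR-Evidence"          # assumed location; change as needed
$Stamp = Get-Date -Format "yyyyMMdd-HHmmss"
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null

# 1. netstat: -a all connections and listening ports, -n numeric addresses
#    (no DNS lookups), -o the process ID that owns each connection.
$NetstatFile = Join-Path $EvidenceDir "netstat-$Stamp.txt"
netstat -ano | Out-File -FilePath $NetstatFile -Encoding utf8

# Tie every PID in the netstat output to a process name and image path, so a
# connection can be matched to a program rather than just a number.
$Pids = Get-Content $NetstatFile |
    Select-String -Pattern '\s(\d+)\s*$' |
    ForEach-Object { [int]$_.Matches[0].Groups[1].Value } |
    Sort-Object -Unique
Get-Process -Id $Pids -ErrorAction SilentlyContinue |
    Select-Object Id, ProcessName, Path |
    Out-File -FilePath (Join-Path $EvidenceDir "pid-map-$Stamp.txt") -Encoding utf8

# Established connections to addresses outside the private/loopback ranges are
# the first thing to review when looking for an attacker's source address.
Get-NetTCPConnection -State Established |
    Where-Object { $_.RemoteAddress -notmatch '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.|::1$|0\.0\.0\.0$)' } |
    Select-Object LocalPort, RemoteAddress, RemotePort, OwningProcess |
    Out-File -FilePath (Join-Path $EvidenceDir "external-established-$Stamp.txt") -Encoding utf8

# 2. Accounts: list every local user, then everyone who sits in Administrators.
#    Compare both against what you know should be there.
Get-LocalUser |
    Select-Object Name, Enabled, LastLogon, PasswordLastSet, Description |
    Out-File -FilePath (Join-Path $EvidenceDir "local-users-$Stamp.txt") -Encoding utf8
Get-LocalGroupMember -Group "Administrators" |
    Select-Object Name, ObjectClass, PrincipalSource |
    Out-File -FilePath (Join-Path $EvidenceDir "administrators-$Stamp.txt") -Encoding utf8

# 3. Hash the evidence files (excluding the hash list itself) for integrity.
Get-ChildItem -Path $EvidenceDir -File -Exclude 'hashes-*' |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Out-File -FilePath (Join-Path $EvidenceDir "hashes-$Stamp.txt") -Encoding utf8
```

Save the evidence folder to removable media or a network share as soon as the script finishes; if the machine is later wiped or the attacker returns, the timestamped files and their hashes are what you will refer back to.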