Help! I Think I've Been Hacked!!

~ Continued ~

By Tony Bradley, CISSP-ISSAP, About.com

On Windows systems you can also view the Task Manager or the Event Viewer for more clues. The Task Manager will show you all running applications. You can check this to see if there are programs running that you don’t know about. Many hacker tools and utilities will not show up as an application, but may show up on the Processes tab. Click the Processes tab to see all running processes along with the username that initiated each process. Often the applications and processes are intentionally named to look like normal system files, so you need to look closely.
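As an added example (not part of the original article), the PowerShell below automates the "look closely" step: it lists processes that carry a well-known Windows system file name but run from an unexpected folder, and processes whose name is within two character edits of one. The name list, the expected folders and the threshold of two are assumptions for a default installation; run it from an elevated prompt so paths and owners are readable.

```powershell
# Added example. Assumed baseline: well-known system process names and the
# folder each normally runs from on a default Windows installation.
$expected = @{
    'svchost.exe'  = "$env:windir\System32"
    'lsass.exe'    = "$env:windir\System32"
    'services.exe' = "$env:windir\System32"
    'winlogon.exe' = "$env:windir\System32"
    'csrss.exe'    = "$env:windir\System32"
    'explorer.exe' = "$env:windir"
}

# Levenshtein edit distance between two strings (two-row dynamic programming).
function Get-EditDistance([string]$a, [string]$b) {
    $prev = @(0..$b.Length)
    for ($i = 1; $i -le $a.Length; $i++) {
        $cur = New-Object 'int[]' ($b.Length + 1)
        $cur[0] = $i
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = if ($a[$i - 1] -ceq $b[$j - 1]) { 0 } else { 1 }
            $best = [Math]::Min($prev[$j] + 1, $cur[$j - 1] + 1)
            $cur[$j] = [Math]::Min($best, $prev[$j - 1] + $cost)
        }
        $prev = $cur
    }
    $prev[$b.Length]
}

Get-CimInstance Win32_Process | ForEach-Object {
    $name   = $_.Name.ToLower()
    $path   = $_.ExecutablePath   # empty for protected processes or without elevation
    $reason = $null
    if ($expected.ContainsKey($name)) {
        # Exact system name: check that it runs from the folder it should.
        if ($path -and (Split-Path $path -Parent) -ne $expected[$name]) {
            $reason = 'system name, unexpected folder'
        }
    } else {
        # Different name: flag near-misses such as a swapped or substituted letter.
        foreach ($known in $expected.Keys) {
            if ((Get-EditDistance $name $known) -le 2) { $reason = "resembles $known" }
        }
    }
    if ($reason) {
        $owner = (Invoke-CimMethod -InputObject $_ -MethodName GetOwner -ErrorAction SilentlyContinue).User
        [pscustomobject]@{ Name = $_.Name; ProcessId = $_.ProcessId
                           User = $owner; Path = $path; Reason = $reason }
    }
} | Format-Table -AutoSize
```

A hit is a reason to examine that process more closely, not proof of compromise, since legitimate programs can have similar names.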

The Event Viewer most likely won’t offer much in the way of valuable evidence, because logging the sort of information you really want would have required preparation (see Plan Ahead to Catch an Intruder). But it can’t hurt to look. By default there are three logs maintained on a Windows system: Application, Security and System. If you have certain services enabled, like DNS or IIS, or use some third-party applications, you may have Event Viewer logs for those as well. You can look through the logs to see if any entries were made at odd times when you know you weren’t using your computer, or if there were errors caused by programs you know you haven’t used.

OK. So you’ve scanned through the computer looking for the clues and evidence you need to try and figure out who hacked your system, when and how. Now it’s time to move on to phase 4 (clean system and patch vulnerabilities) and get your system back into non-hacked operational status.

There are steps you can take and tools you can use to be relatively sure the system is cleaned and secure. However, the tools rely on knowledge of existing hacker tools and techniques. There is always the possibility that your hacker did something different that won’t be picked up, and you may miss a backdoor, Trojan or other trick that may allow him to infiltrate your system again. If you have backups of your critical data, your best bet is to completely format your hard drive, reinstall your entire system from scratch, and then patch and secure it.

If you don’t have backups of your data, or that sounds too extreme for your taste, you need to do what you can to make sure the system is clean. If you have not previously unplugged the Internet connection, now would be the time to do that. But if the hacked computer is your only computer, you may need to download some of the tools and updates you will need before disconnecting. If your system is too damaged, or you feel better disconnecting it from the Internet, you will need to find a second computer to download the software you will need.


©2008 About.com, a part of The New York Times Company.

All rights reserved.