How to trace a hacker

5

3

So, I'm a big fan of the cheesy 90's movies about hacking (read Hackers). I've been using computers all my life, which has brought me to university studying in Computer Engineering. The other day I was watching a familiar cheesy hacking movie and the super-smart-teenager-guy-who-works-for-the-FBI-and-was-hired-to-catch-the-hacker had caught the hacker on his system. He continued to enter some commands and was able to trace ALL the computer hops the bad guy had made before making a connection to the hacked computer.

My question is simple: is this possible? I know you can traceroute packets and see where they have been, but can the same be done for active connections to a computer? How do security firms and big-shot organizations like the FBI "trace" a hacker back to his destination. Assuming of course he's using several proxies around the world and maybe even the tor network.

Moreover, how would one go about removing the possibility of traceback or making it very difficult for others. The obvious answer would be hopping through as many computers as possible before getting to your destination.

To the moderators: I don't believe this question is off-topic. I'm asking about actual procedures and uses of current technologies.

n0pe

Posted 2011-07-08T14:30:04.323

Reputation: 14 506

Movies have absolutely nothing in common with the real world of tracking down hackers. Sophisticated brilliant hackers are never caught. They only get caught if they are sloppy and leave tracks behind. – Moab – 2011-07-08T14:47:18.477

@Moab, I know movies are completely out there when it comes to seriousness. However, I'm more asking about the "methods" used in real life compared to the movies. – n0pe – 2011-07-08T14:54:11.617

I am not a hacker, so they might know more, but if they go through someone else's server or infected computer along the way, I always thought that unless it was a real honeypot, with tracking software on it, there would be no way to trace it further. – KCotreau – 2011-07-08T15:24:05.637

Almost every system has logging of some sort. Good hackers will know how to wipe or modify the logs. – music2myear – 2011-07-08T20:43:29.877

Voting to close as not constructive. This isn't a question that can be answered in its current form. The subject is way too broad and would probably require a degree in computer security and more space than is suitable here on SU to answer. – Nifle – 2011-07-08T21:07:49.453

@Nifle: You're suggesting to close this on account of the SU community not being able to answer? Come on. I am asking a pretty pointed question here: "How can someone be traced back to the original computer?" – n0pe – 2011-07-08T21:15:22.287

@Max - No, I'm voting to close because no one can answer it in a way that fits the SE formula. You would need a research-level paper to discuss all the different ways to achieve this. – Nifle – 2011-07-08T21:21:30.830

@Nifle - better off migrating to Security Stack Exchange, where this is very on-topic – Rory Alsop – 2011-07-11T08:48:11.870

@Nifle, try answering first, then migrating, and only then closing. Otherwise you quickly make yourself PNG. – music2myear – 2011-07-11T14:43:35.683

Answers

5

Please have a look at this question over on Security Stack Exchange for some discussion on why this sort of tracing is often impossible. It can be done if the attackers are sloppy or boastful, but generally the way most attackers are traced is by following the money - the same way it has always been done.

Rory Alsop

Posted 2011-07-08T14:30:04.323

Reputation: 3 168

4

The best hackers have steps, habits, processes they follow each and every hack that usually involve various combinations of proxies, compromised computers, timing differentials, and countries with laissez faire legal policies regarding technology security.

By employing all of these steps in different orders and with planned specific deviations they can mislead investigators, obfuscate their path, create multiple dead ends, and generally make it very difficult to trace them successfully.

Most successful hackers have incredible patience and take a long view of their attack. While some attacks appear to be quick, the setup behind a successful attack never is.

<rabbit trail>

Have you seen the Lockheed cyber security TV ad? I have no idea why they created such a Hollywood-esque scenario for this 30-second spot that I assume is supposed to make them look like competent technology security people.

The only people it would impress are those who think Hollywood offers accurate portrayals of technology and security.

</rabbit trail>

music2myear

Posted 2011-07-08T14:30:04.323

Reputation: 34 957

1

Here is the cyber Lockheed ad mentioned in the post: http://www.youtube.com/watch?v=gT7r1D1iYiU. Here is the full ad: http://www.youtube.com/watch?v=fhjFsWGcUm4&feature=mfu_in_order&list=UL

– Scott Chamberlain – 2011-07-08T16:41:08.373

Anybody see Eagle Eye? Frankly I thought the supercomputer depicted in there was one of the most embarrassing, offensive computer systems ever devised by a Hollywood studio. If you want an overly brilliant computer that is at least plausible, go with the one portrayed in I, Robot. It wasn't pretty, but at least it wasn't ugly like the Eagle Eye one was. Infrared transmission in the computer? Come on! – music2myear – 2011-07-08T20:42:21.530

There are basically 4 ways to follow such a trail: social engineering to either exploit the hacker's ego or infiltrate their group, examining the compromised hosts used to bounce through, examining the network traffic on the compromised hosts, or large-scale electronic eavesdropping. The last of these is only going to be an option for governments and only when national security is on the line. Ego, trust, sloppiness, curiosity, and underestimating what resources can/will be used against them are the mistakes that have to be exploited for a successful trace. – Stephanie – 2011-07-10T17:28:29.043

0

You can easily see all active connections to your computer, assuming it isn't infected. On Linux, use "netstat -ta". On Windows, use Process Hacker or some other task manager. If the hacker is using a proxy, then you would need access to the proxy to view its active connections. This is generally not possible, unless you happen to have access to a proxy the hacker is using.

If you're interested, read this: http://www.cert.org/archive/pdf/02sr009.pdf sections 8-12. The first half of the report basically says it's really difficult to trace because of how the internet works.

goweon

Posted 2011-07-08T14:30:04.323

Reputation: 1 390
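As an added example of what the "netstat -ta" check in the answer above actually gives you (this is not code from the answer or from the netstat project), the script below parses a constructed sample of netstat output and counts the ESTABLISHED peers per remote host on a chosen local service, which is the first thing an admin looks at when deciding which remote end to investigate. It assumes Linux-style netstat columns, and the IP addresses in the sample are documentation ranges, not real hosts.

```python
from collections import Counter

# Constructed sample of `netstat -ta` output (not a real capture).
# 203.0.113.0/24 and 198.51.100.0/24 are RFC 5737 documentation ranges.
# Without -n, netstat prints service names (ssh, https) instead of port numbers.
SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:ssh        203.0.113.5:51234       ESTABLISHED
tcp        0      0 192.168.1.10:ssh        203.0.113.5:51240       ESTABLISHED
tcp        0      0 192.168.1.10:45678      198.51.100.20:https     ESTABLISHED
tcp6       0      0 :::http                 :::*                    LISTEN
"""


def split_endpoint(endpoint):
    """Split 'host:port' on the LAST colon so IPv6 addresses like ':::http' survive."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def parse_netstat(text):
    """Return one dict per TCP line: proto, (local host, port), (remote host, port), state."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue  # skip the banner, the column header and anything that is not TCP
        local = split_endpoint(fields[3])
        remote = split_endpoint(fields[4])
        rows.append({"proto": fields[0], "local": local,
                     "remote": remote, "state": fields[5]})
    return rows


def inbound_peers(rows, service_ports=("ssh",)):
    """Count ESTABLISHED sessions per remote host that terminate on one of our services.

    LISTEN sockets and outbound connections (local port is ephemeral) are ignored,
    so the result is only the remote ends that are currently connected INTO this box.
    """
    peers = Counter()
    for row in rows:
        if row["state"] == "ESTABLISHED" and row["local"][1] in service_ports:
            peers[row["remote"][0]] += 1
    return peers


if __name__ == "__main__":
    for host, count in inbound_peers(parse_netstat(SAMPLE)).most_common():
        print(f"{host}: {count} established ssh session(s)")
```

As the answer notes, the remote host this shows is only the last hop; if it is a proxy or a compromised box, the trail continues only if you can read that host's own connection table.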