For the masses who are fond of technology that is hard to reach.

Tuesday, August 08, 2006

Tracing the Hack


Totoy is a computer programming student and enthusiast who has just learned the art of hacking. Armed with his introductory knowledge about hacking, he successfully gained access to one of his school's web servers. Incidentally, he was holding a big grudge against the school's chairman, Atty. Amang. Seizing this chance, he defaced the front page of the school's website and, in a clear and distinct manner, placed a compromising image (graphically manipulated and spliced, of course) of the head of the school. Immediately after this dastardly act of defacement, he promptly closed his home DSL Internet connection and slept for the night.

The next day, the head of the school, and most of the studentry and faculty, were surprised at the new look of their school's website. Chagrined, Atty. Amang promptly had the server disconnected and isolated, then called the NBI Anti-Fraud and Computer Crimes Division. As Atty. Amang is a good friend of Division Chief Elfren Meneses, the good Division Chief assigned the case to Agent Bagito, his newest recruit, who had just listened to one of his lectures on cybercrime. The green rookie now faces the task of "tracing the hack".

Dissecting the Server

(It is assumed that this case is an investigator's dream: the hacker is an eager novice who does not cover his tracks, and the administrator of the server, while perhaps not that well versed in securing his machine, is diligent with the server log files.)

Among Bagito's initial tasks is to look at the offended server's log files and find the log entries relevant to the incident. Agent Bagito should at least look at the configuration file of the web server, find the directory where the web files are located, and search for the start or index page of the website; in many cases this would be named "index.html". Then he should look at the time stamp when the file was last modified. Next he would look at the events log of the server for the entry in which that file was accessed and modified, corresponding to the time the file was last modified. The events log should also show the username of the person who last modified the file. From here, Agent Bagito can search the server's access log and cross-check the username against the time stamp. Agent Bagito would then find a match and from there determine the source IP address of the device that was used for the hack.
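The procedure above, carried out over logs, as an added example (this is not code from the original post): the events log and the access log are constructed samples in an audit-style format and the Apache "common" log format, the file's last-modified time stands in for what a stat of index.html on the seized server would return, and all names, addresses and times are placeholders. The code walks from the mtime to the events-log entry, takes the username from it, and cross-checks that username against the access log within a time window to recover the source IP. It also shows the one detail the walk-through glosses over: both logs must be read in the same time zone before their timestamps can be compared.

```python
import re
from datetime import datetime, timedelta, timezone

# All sample data below is constructed for this example; none of it comes from the page.
SERVER_TZ = timezone(timedelta(hours=8))  # assumption: the server clock is on Manila time (UTC+8)

# Constructed "events log": one record per file operation, written by the server's audit facility.
EVENTS_LOG = """\
2006-08-07 22:43:20 www-data READ /var/www/html/index.html
2006-08-07 22:44:51 totoy MODIFY /var/www/html/index.html
2006-08-08 07:15:02 www-data READ /var/www/html/index.html
"""

# Constructed web server access log in Apache "common" format; the third field is the
# authenticated username ("-" when the request was anonymous).
ACCESS_LOG = """\
203.0.113.7 - - [07/Aug/2006:22:41:03 +0800] "GET /index.html HTTP/1.1" 200 5120
203.0.113.7 - totoy [07/Aug/2006:22:44:50 +0800] "POST /admin/upload.php HTTP/1.1" 200 211
198.51.100.20 - - [08/Aug/2006:07:15:02 +0800] "GET /index.html HTTP/1.1" 200 6377
"""

# The index page's last-modified time, as os.stat() on the seized server would report it.
INDEX_PATH = "/var/www/html/index.html"
INDEX_MTIME = datetime(2006, 8, 7, 22, 44, 51, tzinfo=SERVER_TZ)

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+$'
)


def parse_events(text):
    """Yield (timestamp, user, action, path) tuples from the events log, in server time."""
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, user, action, path = line.split(maxsplit=4)
        ts = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S").replace(tzinfo=SERVER_TZ)
        yield ts, user, action, path


def parse_access(text):
    """Yield a dict per access-log record; the timestamp carries its own UTC offset."""
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue  # malformed or truncated line: skip rather than guess
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield rec


def find_modifier(events_text, path, mtime, tolerance=timedelta(seconds=5)):
    """Return the username whose MODIFY of `path` coincides with the file's mtime, else None."""
    for ts, user, action, logged_path in parse_events(events_text):
        if logged_path == path and action == "MODIFY" and abs(ts - mtime) <= tolerance:
            return user
    return None


def find_source_ips(access_text, user, around, window=timedelta(minutes=5)):
    """Cross-check: IPs from which `user` made authenticated requests within `window` of `around`."""
    hits = [r for r in parse_access(access_text)
            if r["user"] == user and abs(r["ts"] - around) <= window]
    return sorted({r["ip"] for r in hits}), hits


def trace_defacement(events_text=EVENTS_LOG, access_text=ACCESS_LOG,
                     path=INDEX_PATH, mtime=INDEX_MTIME):
    """Walk the procedure end to end: mtime -> events log -> username -> access log -> source IP."""
    user = find_modifier(events_text, path, mtime)
    if user is None:
        return {"user": None, "ips": [], "requests": []}
    ips, hits = find_source_ips(access_text, user, mtime)
    return {"user": user, "ips": ips,
            "requests": [f'{r["ts"].isoformat()} {r["ip"]} "{r["request"]}"' for r in hits]}


if __name__ == "__main__":
    result = trace_defacement()
    print(f"index page last modified by: {result['user']}")
    for line in result["requests"]:
        print("  ", line)
    print("candidate source IP(s):", ", ".join(result["ips"]))
```

On the constructed data the trace resolves to the user "totoy" and the single address 203.0.113.7. The time window is deliberately wider than the tolerance on the mtime match: a web request is logged when it completes, which need not be the same second the file was written, so the cross-check should tolerate a little drift and the investigator should then read every hit rather than the first one.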

Tracing the IP

Loosely speaking, an Internet Protocol (IP) address is the computer's address on the web. When one connects a computer to an ISP using a dial-up or DSL account that requires a username and password, the IP address used is most likely assigned dynamically by the ISP and normally varies per log-in. (To test this, Microsoft Windows users can open the command prompt and type "ipconfig /all", without the quotes.) It is most likely that Totoy's ISP is using IP version 4 (IPv4). That in itself is not very relevant, but to better appreciate the trace, suffice it to say that with IPv4 there is only a limited number of IP addresses available for the use of the whole world (4,294,967,296, assuming many things ; ) ). Because of this inherent limitation, IP address allocation is strictly regulated by IANA (http://www.iana.org). IANA divided the world into Internet Registries (Regional Registries, National Registries, and Local Registries), which are tasked with allocating IP addresses to each ISP. How would this help Agent Bagito?

With the IP address obtained from the logs, Agent Bagito would determine the ISP to which this particular IP address is assigned. He could do this by going to IANA itself or to the Registries, or just use his favorite web browser. He chose the last. Using his favorite web browser he went to the IANA website and from there found out that the Internet Registries' websites have a tool for determining to whom an IP address is assigned. He first looked at the Asia-Pacific Registry (http://www.apnic.net and http://www.apnic.net/apnic-bin/whois.pl) and tried the IP address he had obtained. Luckily, the information may be viewed by the public, and the search revealed the ISP to which the IP address is assigned. Luckily, the ISP is located in Metro Manila.
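What the registry lookup returns, and how to read it, as an added example that is not part of the original post: the reply below is a constructed whois record in the attribute: value (RPSL) style that APNIC and the other regional registries publish, with placeholder names and the documentation range 203.0.113.0/24 in place of any real allocation. The parser collects the attributes, checks that the queried address actually falls inside the record's inetnum range, and reports the holder; a small RFC 3912 client is included for a live query against a registry's whois port, but nothing here contacts the network unless that function is called.

```python
import ipaddress
import socket

# Constructed whois reply in the attribute: value style used by APNIC and the other RIRs.
# Every value is a placeholder; 203.0.113.0/24 is a documentation range, not a real allocation.
SAMPLE_WHOIS = """\
% [whois.apnic.net]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

inetnum:        203.0.113.0 - 203.0.113.255
netname:        EXAMPLE-ISP-PH
descr:          Example ISP Inc. (placeholder)
descr:          Makati City, Metro Manila
country:        PH
admin-c:        EI1-AP
tech-c:         EI1-AP
status:         ALLOCATED PORTABLE
mnt-by:         MAINT-EXAMPLE-PH
changed:        hostmaster@example.net 20060301
source:         APNIC
"""


def parse_whois(text):
    """Collect attribute: value pairs; attributes that repeat (e.g. descr) become lists."""
    record = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("%"):
            continue  # blank lines and registry comments carry no data
        key, sep, value = line.partition(":")
        if not sep:
            continue  # continuation or junk line without an attribute name
        record.setdefault(key.strip(), []).append(value.strip())
    return record


def inetnum_range(record):
    """Return the (first, last) addresses of the record's inetnum block."""
    lo, hi = (ipaddress.ip_address(p.strip()) for p in record["inetnum"][0].split("-"))
    return lo, hi


def address_holder(ip, record):
    """Return holder details if `ip` lies inside the record's inetnum block, else None."""
    addr = ipaddress.ip_address(ip)
    lo, hi = inetnum_range(record)
    if not (lo <= addr <= hi):
        return None  # the record does not cover this address; do not trust a stale reply
    return {
        "netname": record["netname"][0],
        "descr": record.get("descr", []),
        "country": record.get("country", ["?"])[0],
        "block": f"{lo} - {hi}",
    }


def whois_query(ip, server="whois.apnic.net", port=43, timeout=10):
    """Live lookup over the whois protocol (RFC 3912): send the query line, read until EOF."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(f"{ip}\r\n".encode("ascii"))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


if __name__ == "__main__":
    record = parse_whois(SAMPLE_WHOIS)
    holder = address_holder("203.0.113.7", record)
    print("holder:", holder)
    # For a real investigation: holder = address_holder(ip, parse_whois(whois_query(ip)))
```

On the sample reply, 203.0.113.7 resolves to netname EXAMPLE-ISP-PH in country PH, while an address outside the block, such as 198.51.100.20, yields None. Two caveats the story's next step depends on: the registry identifies the ISP that holds the block, not the subscriber, and because the address was dynamically assigned, the ISP can only match it to an account if the investigator supplies the exact timestamp together with its time zone offset from the access log.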

(To be continued)

1 Comments:

Blogger Askinstoo said...

Hi, I was looking over your blog and didn't
quite find what I was looking for. I'm looking for
different ways to earn money... I did find this though...
a place where you can make some nice extra cash secret shopping.
I made over $900 last month having fun!
make extra money

4:48 PM
