Identifying the Hacker


One of the primary goals of any investigation is to identify the person or persons who committed the criminal acts. The Internet adds levels of complexity to the process of establishing their identity. Because of the makeup of the Internet, it is sometimes difficult for law enforcement officers to discover the identity of a hacker. There are a variety of anonymizing applications which, by their nature, obscure the identity of the user, and there are many tools which a hacker can use to intentionally hide or alter his or her identity. Tracking a hacker may call for a combination of Internet research skills, subpoenas, court orders, search warrants, electronic surveillance, and traditional investigative techniques.

A hacker might hide or "spoof" his Internet Protocol (IP) address or might intentionally bounce his communications through many intermediate computers scattered throughout the world before arriving at a target computer. The investigator must then identify all of the bounce points to find the location of the hacker, but usually can trace the hacker back only one bounce point at a time. Subpoenas and court orders to each bounce point may be necessary to identify the hacker.

U.S. government contractor Exigent Software Technology has admitted that unidentified hackers broke into a restricted military computer system and stole the source code controlling satellite and missile guidance systems. Hackers got away with two-thirds of the code when the target computer at the Naval Research Lab in Washington was attacked on Christmas Eve. The military detected the break-in three days later.

The theft was made public when Swedish police searched the servers of Internet service provider Carbonide on suspicion that hackers had used the company's Freebox Web e-mail service to distribute the code to others. The hacker used a stolen account on the system under the name "Leeif." Carbonide was able to trace the attack on its network to a server at the University of Kaiserslautern in Germany. The German federal office for criminal affairs said that an investigation is underway. [77]

[77] White, Aoife, "Hackers Steal Military Source Code," vnunet.com, 15 March 2001.

Network Tracking

A computer on a network has a number of addresses. Originally, these addresses were assigned to specific machines and identified the machine. Today, that is no longer so. The unprecedented growth of the Internet has made the Internet numbering scheme inadequate to handle the number of users served by the number of access providers. To stretch the numbering scheme further, and to support mobile computers, reusable numbering methods have been deployed.

IP addresses are issued by various organizations under the direction of the Internet Assigned Numbers Authority, IANA. DHCP (Dynamic Host Configuration Protocol) became the normal method for setting addresses as Internet Service Providers were requesting and trying to manage addresses for an explosively growing market. An ISP could have one IP address for each modem and ten times as many customers. IP addresses are no longer an identifier of a system; rather, they identify the location where a system gains Internet access. A machine may hold a specific address for only one session, and not necessarily even that, because a machine can release an address and renegotiate for another.

Network Address Translation, NAT, is a process which allows multiple computers to share a single IP address, or a group of them. It allows a company or a home network to connect multiple computers to the Internet through a service which provides only a single network address. This can provide some security, since the internal systems do not expose their own addresses to external networks. NAT is built into most router and firewall devices and is used extensively throughout the Internet.

Every network connection is supposed to have a unique machine address. This machine address is usually part of the network interface card, and is supposed to be unique, but it is required to be unique only on a physical network. These original machine addresses were issued to the manufacturers of network interfaces. However, with the explosive growth of networks, machine addresses have become assignable and configurable, so that a machine can easily change its machine address.

Address spoofing is a common hacking technique whereby the source address in a packet is changed so that the actual address is not available to the system which is being attacked. This can be a nonexistent address, or an address which will lead the investigation down the wrong path.

Inadequate Logs

Computer systems of interest to hackers usually keep track of all authorized and unauthorized access attempts. These computer logs provide records which are useful and often critical clues, and they are the starting point for tracing the route taken from computer to computer through the Internet to discover the source of the attack. However, some victims don't keep logs, or don't keep them long enough, so that when a hacker's activities are discovered the logs are no longer available. Some ISPs don't keep records, or don't keep them long enough to be of help to law enforcement officers. A victim who has no record of the IP address of the computer from which unauthorized access was gained limits the ability to track the attack and may be unable to identify the hacker.
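The Network Tracking section above describes why a public IP address only locates the point of Internet access (DHCP leases and NAT hide the actual machine), and this section describes why the trace stops when a hop's logs are missing. The following example, added here and not from the book, walks one hop back from a victim's log entry through a NAT translation log and a DHCP lease log, and shows what happens when the same public port was reused at a different time, or when the logs were rotated away; all addresses, MACs, timestamps and log formats are constructed for illustration.

```python
from datetime import datetime, timedelta


def ts(s):
    """Parse an ISO-8601 timestamp string (constructed log format)."""
    return datetime.fromisoformat(s)


# Constructed NAT translation log, one tuple per connection:
# (start, end, public_ip, public_port, private_ip, private_port).
# Note that public port 40112 is reused by two different internal hosts.
NAT_LOG = [
    ("2001-03-15T02:10:00", "2001-03-15T02:45:00", "203.0.113.7", 40112, "192.168.1.23", 51000),
    ("2001-03-15T03:00:00", "2001-03-15T03:20:00", "203.0.113.7", 40112, "192.168.1.40", 52222),
]

# Constructed DHCP lease log: (start, end, private_ip, mac).
# 192.168.1.23 was leased to two different cards on the same day.
DHCP_LOG = [
    ("2001-03-15T00:00:00", "2001-03-15T04:00:00", "192.168.1.23", "00:11:22:33:44:55"),
    ("2001-03-15T04:00:00", "2001-03-15T08:00:00", "192.168.1.23", "66:77:88:99:aa:bb"),
    ("2001-03-15T00:00:00", "2001-03-15T08:00:00", "192.168.1.40", "aa:bb:cc:dd:ee:ff"),
]


def active_at(rec, when):
    """True if the record's [start, end) window covers the moment `when`."""
    return ts(rec[0]) <= when < ts(rec[1])


def trace_hop(public_ip, public_port, when, nat_log=NAT_LOG, dhcp_log=DHCP_LOG):
    """Walk one hop back: victim's (public_ip, port, time) -> private IP -> MAC.
    The timestamp is essential: without it the NAT and DHCP lookups are ambiguous."""
    nat = [r for r in nat_log if r[2] == public_ip and r[3] == public_port and active_at(r, when)]
    if not nat:
        # Either the source address was spoofed or this hop no longer has the record.
        return {"status": "no NAT record"}
    private_ip = nat[0][4]
    leases = [r for r in dhcp_log if r[2] == private_ip and active_at(r, when)]
    if not leases:
        return {"status": "no DHCP lease", "private_ip": private_ip}
    return {"status": "ok", "private_ip": private_ip, "mac": leases[0][3]}


def prune(log, now, retention):
    """Simulate log rotation: keep only records whose window ended within `retention` of `now`."""
    return [r for r in log if ts(r[1]) >= now - retention]
```

Even the MAC address recovered at the end only names a network card, which, as the next section explains, still does not prove which person was at the keyboard.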

Identifying an Individual

Determining the specific individual or individuals who are responsible can be a very difficult task. Often it will be possible to determine what was done, how it was done, when it was done, and from where it was done, but not who did it. The address, which is the usual identity found in an investigation, belongs to a machine, not an individual. The search will lead to the point where the attacker accesses the Internet, possibly the machine. You will probably be able to tell what account was used, even those accounts on other systems that were used during the attack. However, the information from the computer itself will rarely be able to prove who the person was who compromised the system. Without stronger authentication methods, there is no proof that this person was the user on the system. It generally takes physical evidence to prove that a specific person was the hacker. It could be his possession of the information that was taken or his bragging of his conquest that is the conclusive evidence.

In cases when the guilty party is found, it is important to prosecute the hacker as a deterrent to this hacker, as well as to others.



Halting the Hacker: A Practical Guide to Computer Security (2nd Edition)
ISBN: 0130464163
Year: 2002
Pages: 210
