Problem solve Get help with specific problems with your technologies, process and projects.

Checklist: 11 things to do after a hack

Your network's been cracked, what do you do next? Contributor Jonathan Hassell recommends following these eleven steps to limit damage and preserve evidence.

We preach quite a bit on this site about how to prevent security breaches, and hopefully you take it to heart and...

play an active role in hardening your systems. But sometimes even that ounce of prevention and pound of cure isn't enough to defend against a predator and the resulting penetration of your protections can be a mind-boggling experience.

Where do you begin? Here's a brief list of some steps to take "post-hack" to ensure you have the best chance of determining who did what and how it was done:

 11 things to do after a hack
1. Get a picture of your network and systems before the event.
You might not be able to do this before a breach, but a significant part of effective computer forensics is practicing symmetrical security, in that you need to be able to determine the normal function and level of activity on your network and computers before the event to detect the anomalies post-hack.
2. Preserve the scene of the crime.
Often clues that will lead you to either the cracker's activities or the cracker himself are subtle and indirect, found mainly in the state of things as you discovered the hack. Further, data in a computer is very volatile, and the evidence you seek may be erased by continued usage of the system. For the same reason investigators wear plastic gloves while handling evidence -- to both preserve and not pollute -- tread carefully on your systems and rope them off while the investigation is underway.
3. Take some initial steps to notify stakeholders and other important people.
You'll want to get in touch with senior management, your firm's attorney, security experts, and local or federal law enforcement. Alert them that you suspect your network's (or servers') integrity has been compromised and you would appreciate their assistance. Note that law enforcement may not be able to immediately help you, but in my experience it's a good idea to alert them of your suspicions.
4. Understand where your threats may be coming from.
You might think you've been cracked from the outside, but it's a fact that a large number of events requiring forensic assistance are perpetrated by an insider. Don't assume you're dealing with someone outside your firewall.
5. Isolate the suspected system.
Either disconnect it from your network or route packets around it -- put it in a protected VLAN or somehow guard your other networked systems from being similarly infected. Make sure to observe chain of evidence -- who touched the system when, and what did that person do? Document everything.
6. Shut down the system.
This preserves the state of the machine for further investigation. However, before shutting down, if possible observe background processes that are running. An inexperienced or less sophisticated cracker may leave evidence that you can later use to determine what was penetrated and how.
7. Make an exact, bit-for-bit copy of the hard drive in the suspected system.
This can be used to compare with the baseline image mentioned in the first item above.
8. Take a look at audit logs.
Figure out exactly when certain events occurred. Document them.
9. Look for passwords/password prompts around and throughout the operating system and hard drive.
These can be ticking timebombs, in that if you enter an incorrect phrase a destructive process could be launched erasing the drive. The presence of unauthorized passwords, and their location, is significant to your investigation. Note what action you're trying to perform when you stumble upon the password prompt.
10. Look for strange files.
Are there a lot of graphics or text files that aren't ordinarily present? Run a time/date scan to find recently created or modified files and determine if there are any anomalies.
11. Know when to quit.
Sometimes law enforcement won't get involved, you've wasted three weeks without finding any sort of conclusive evidence, and your users are beginning to notice the down time. In this case, blow the operating system away, reinstall from scratch, and focus on preemptive security. Sometimes the fish aren't big enough to fry.

About the Author:
Jonathan Hassell is author of Hardening Windows (Apress LP) and a systems administrator and IT consultant residing in Raleigh, N.C., who has extensive experience in networking technologies and Internet connectivity. He runs his own Web-hosting business, Enable Hosting. His previous book, RADIUS (O'Reilly & Associates), is a guide to implementing the RADIUS authentication protocol and overall network security.

This checklist originally appeared on

This was last published in January 2006

Dig Deeper on Network intrusion detection and prevention (IDS-IPS)