Problem
Digital Forensics Case: Tracing Hackers and Target Customers Identity Theft
Target was hacked in November of 2013. Target told reporters the initial intrusion into its systems was traced back to network credentials that were stolen from a third party vendor. 70 million customers had information such as their name, address, phone number and e-mail address hacked in the breach. Sources now suggest that the vendor in question was a refrigeration, heating and air conditioning subcontractor that worked at a number of locations at Target and other top retailers.
Investigators used several techniques to track the hacker to a Ukraine residence, although Russia did not allow the US to take the resident into custody. The techniques included:
Reverse DNS (Domain Name Server) Query - The 'Domain Name Server' are machines connected to the Internet that keep track of the IP Addresses and Domain Names of other PCs. Doing a reverse DNS allowed investigators to determine what domains sent network packets to the Target server prior to the hack. Although learning the domain helps to locate the country where the hacker resides, the exact geographical location cannot be determined without cooperation from the Internet Service Provider of that area.
Tracerouting - This technique shows all the computers within the range of a user and the target machine. A traceroute enables investigators to find out the location of the IP addresses involved in data communication with the targeted computer/server and the geographic areas where the hacker operates.
What question would most likely be on a Search Lead List for the digital forensic examiner (technician) when extracting data from the computer used by the hacker?
1. What code was used to hack into the Target server?
2. What was the domain name used by this computer?
3. What is the IP address of this computer?
4. What is the network packet for this computer?