Here are 6 investigative steps that will let you know for sure whether you have been hacked. I will run an example simulation alongside them. You can check our tech blogs.
1. Observe Network Activity Of Programs
Usually malware will seek to communicate with the outside world, either to receive orders or send stolen information remotely.
The problem is that plenty of legitimate applications also communicate with the outside world. We therefore need a quick way to read network activity and extract only the part that interests us.
For this, you can install TcpView (from the Sysinternals suite) and launch it to see which programs on your computer are communicating with the outside:
But what is Microsoft doing here?
In fact, in the “Remote Port” column we can see “smtp”, which means the program in question has just sent an email, probably using a Microsoft account.
There are various reasons (malicious or not) to send an email; for example, a keylogger could send your personal information to a hacker.
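The same view TcpView gives, done from the shell, as an added example that is not part of the original article: every established TCP connection mapped to the process that owns it, with the remote port compared against the mail ports (25, 465 and 587 are the standard SMTP ports; treating them as the ones worth flagging is this example's assumption). It assumes Windows 8 / Server 2012 or later for `Get-NetTCPConnection` and an elevated shell so that every process path is readable.

```powershell
# Added example: list established TCP connections with their owning process,
# the way TcpView shows them, and flag the ones that talk to a mail server.

# Ports a workstation rarely has a reason to contact directly (assumed list).
$mailPorts = 25, 465, 587

# Index running processes by PID once, so each connection can be resolved cheaply.
$procs = @{}
Get-Process | ForEach-Object { $procs[$_.Id] = $_ }

$report = Get-NetTCPConnection -State Established |
    Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$|0\.0\.0\.0$)' } |   # skip loopback
    ForEach-Object {
        $p = $procs[[int]$_.OwningProcess]
        [pscustomobject]@{
            Process    = if ($p) { $p.ProcessName } else { "pid $($_.OwningProcess)" }
            Path       = if ($p) { $p.Path } else { $null }
            Remote     = "$($_.RemoteAddress):$($_.RemotePort)"
            RemotePort = $_.RemotePort
            Suspicious = $mailPorts -contains $_.RemotePort
        }
    }

# Everything, with the flagged rows first.
$report |
    Sort-Object -Property @{ Expression = 'Suspicious'; Descending = $true }, Process |
    Format-Table Process, Remote, Suspicious, Path -AutoSize

# Only the rows worth a second look: which binary is sending mail, and from where?
$report | Where-Object Suspicious | ForEach-Object {
    "{0} -> {1}  (binary: {2})" -f $_.Process, $_.Remote, $_.Path
}
```

The `Path` column is the important one: a mail client sending on port 587 is expected, an executable under a temporary or profile folder doing the same is not. Run it twice a few minutes apart; short-lived connections that only show up intermittently are easy to miss in a single snapshot.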
2. Observe The History Of Downloaded Files
This is the first thing to do if you suspect a program of being the source of a hack. The history of downloaded files is usually accessible through the web browser, which typically retains the download date and the location where the program was saved on the computer.
If you spot a suspicious program, don’t remove it immediately, but scan it through VirusTotal and Malwr:
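An added example, not from the original article, that gathers what you need before touching a suspicious download: when each file in the Downloads folder arrived, where it came from (browsers on Windows write a `Zone.Identifier` alternate data stream, the “mark of the web”, which often records the source URL), and its SHA-256 so the file can be looked up on VirusTotal by hash instead of being uploaded. It assumes the default Downloads location, an NTFS volume, and a 30-day window, all of which are constructed choices.

```powershell
# Added example: inventory recent downloads with origin URL and SHA-256.
$downloads = Join-Path $env:USERPROFILE 'Downloads'
$days = 30   # constructed window; widen it to when the trouble started

Get-ChildItem -Path $downloads -File -Recurse |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-$days) } |
    ForEach-Object {
        $file   = $_
        $zone   = $null
        $origin = $null
        try {
            # The stream is a small INI-like text. ZoneId=3 means "Internet";
            # HostUrl (and sometimes ReferrerUrl) give the download source.
            $ads    = Get-Content -Path $file.FullName -Stream Zone.Identifier -ErrorAction Stop
            $zone   = ($ads | Where-Object { $_ -like 'ZoneId=*' })  -replace '^ZoneId=', ''
            $origin = ($ads | Where-Object { $_ -like 'HostUrl=*' }) -replace '^HostUrl=', ''
        } catch {
            # No Zone.Identifier: not downloaded by a browser, or the mark was stripped.
        }
        [pscustomobject]@{
            Downloaded = $file.LastWriteTime
            Name       = $file.Name
            SizeKB     = [math]::Round($file.Length / 1KB, 1)
            Zone       = $zone
            Origin     = $origin
            SHA256     = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
        }
    } |
    Sort-Object Downloaded -Descending |
    Format-Table -AutoSize -Wrap
```

A file with no `Zone.Identifier` stream is not automatically suspicious (archives and some download managers do not propagate it), but an executable whose `Origin` is a host you do not recognise is exactly the kind of entry to check on VirusTotal before running it again. Searching by hash also avoids uploading a possibly personal document to a public service.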
3. Track A Hacker
Hackers, or rather so-called “hackers”, are not always as smart as people think. Some use other people’s tools without even knowing how they work. This suits us well, as we can potentially track down the author of a malicious program, provided we have already identified the program in question.
4. Observe The Logs
Logs are computerized records of the state of a specific piece of software or of the system. For example, if a program crashes, a message will probably be written to the logs indicating the time of the crash and maybe even its cause.
The logs do not only record error messages; they also contain other important information, such as when the computer was started, which programs were installed, which programs were launched, and so on.
We can therefore, to a certain extent, go back through the computer’s history. I have already spoken several times about the program that does this exceptionally well.
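An added example, not from the original article, that pulls the three kinds of history just mentioned out of the Windows event logs with `Get-WinEvent`: boots and shutdowns (System log, `EventLog` provider, IDs 6005/6006), software installed through Windows Installer (Application log, `MsiInstaller` provider, ID 11707), and program starts (Security log, ID 4688). It assumes an elevated shell, since the Security log requires it, and a 14-day window; 4688 events only exist if “Audit Process Creation” is enabled, which it is not by default, so the third section may legitimately return nothing.

```powershell
# Added example: boot, install and process-start history from the event logs.
$since = (Get-Date).AddDays(-14)   # constructed window

# 1. Boot history. The Event Log service starting (6005) and stopping (6006)
#    brackets every boot and shutdown.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'EventLog'; Id = 6005, 6006; StartTime = $since } |
    Select-Object TimeCreated, Id, @{ n = 'Event'; e = { if ($_.Id -eq 6005) { 'boot' } else { 'shutdown' } } } |
    Format-Table -AutoSize

# 2. Software installed through Windows Installer (11707 = installation completed).
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'MsiInstaller'; Id = 11707; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'Product'; e = { $_.Message } } |
    Format-Table -AutoSize -Wrap

# 3. Process creation (only recorded when process auditing is on). Each 4688
#    event carries the new process path and, on Windows 10 / Server 2016 and
#    later, the parent process path.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -MaxEvents 200 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Process = $data['NewProcessName']
            Parent  = $data['ParentProcessName']
        }
    } |
    Format-Table -AutoSize
```

Reading the three together is what makes them useful: a boot at 03:12, an MSI installed at 03:14, and a process started from a profile folder at 03:15 tell a story that none of the lines tells on its own. If you want the 4688 history for next time, turning on process-creation auditing (and command-line logging with it) is a one-time change.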
5. Observe the Processes
This is a straightforward way, though one a novice may find quite complicated, to observe the programs running on the computer at any given moment. Here we have already spotted the name of the malicious program, but we could very well have found it via a task manager. I say “a” task manager because there are several, and while the default one that comes with Windows is sufficient in most cases, there are advanced task managers like Process Explorer. The term “advanced” refers to the additional functionality this tool provides: direct analysis with VirusTotal, signature verification, a more pleasant graphical display, and (very) detailed information on each process.
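An added example, not from the original article and not Process Explorer's own code, that reproduces two of the “advanced” checks just listed from the shell: for every running process it records the image path, whether the image carries a valid Authenticode signature, who signed it, and its SHA-256 for a VirusTotal hash lookup. It assumes an elevated shell so that system processes expose their path; the choice of `LOCALAPPDATA`, `APPDATA` and `TEMP` as the “user-writable” locations to highlight is this example's own.

```powershell
# Added example: running processes with signature status and SHA-256.
$rows = Get-Process | Where-Object Path | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.Path
    [pscustomobject]@{
        Name      = $_.ProcessName
        Id        = $_.Id
        Path      = $_.Path
        Signature = $sig.Status            # Valid, NotSigned, HashMismatch, ...
        Signer    = if ($sig.SignerCertificate) {
                        $sig.SignerCertificate.Subject -replace '^CN=([^,]+).*', '$1'
                    } else { '' }
        SHA256    = (Get-FileHash -Path $_.Path -Algorithm SHA256).Hash
    }
}

# Images that are unsigned or tampered, or that run from a location any user
# can write to, are the ones to look at first (assumed heuristic).
$userWritable = '^(' + ((@($env:LOCALAPPDATA, $env:APPDATA, $env:TEMP) |
    ForEach-Object { [regex]::Escape($_) }) -join '|') + ')'

$rows | Where-Object { $_.Signature -ne 'Valid' -or $_.Path -match $userWritable } |
    Format-Table Name, Id, Signature, Signer, Path -AutoSize

# Full list, ready to paste a hash into VirusTotal's search box.
$rows | Sort-Object Path -Unique | Format-Table Name, Signature, SHA256 -AutoSize
```

A valid signature is not proof of innocence (signed software can still be unwanted), and plenty of legitimate updaters live under `AppData`; the point of the filter is to shrink a list of a hundred processes to the handful worth reading about, in the same way the VirusTotal column in Process Explorer does.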
6. Observe The Programs Launched At Startup
This is one of the most powerful ways to detect malware. We could very well have placed it first, but the order here doesn’t necessarily matter. Malware likes to launch itself every time the computer is started. The reason is obvious: it can thus continue its activity indefinitely, because the operating system launches it automatically when you start your computer, without you having to touch anything.
The fastest way to view the programs launched when your computer starts up is to open the Windows task manager, “Startup” tab:
So, just like that, it starts with the computer without asking permission?
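The Task Manager “Startup” tab shows one kind of autostart. An added example, not from the original article, that enumerates the usual launch points in one pass: the `Run` / `RunOnce` registry keys for the machine and the current user, the per-user and all-users Startup folders, and scheduled tasks whose trigger is logon or boot. It assumes an elevated shell for the machine-wide entries and, for the flagging pattern at the end, an assumed list of locations and script hosts that warrant a closer look.

```powershell
# Added example: collect autostart entries from registry, Startup folders and
# scheduled tasks, then highlight the ones that deserve a second look.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# 1. Registry Run keys: every value name is an entry, every value is a command line.
$entries = @(foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }).Name) {
        [pscustomobject]@{ Source = $key; Name = $name; Command = $props.$name }
    }
})

# 2. Startup folders (shortcuts or executables dropped here run at logon).
$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),        # current user
    [Environment]::GetFolderPath('CommonStartup')   # all users
)
$entries += @(foreach ($folder in $startupFolders) {
    Get-ChildItem -Path $folder -File -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ Source = $folder; Name = $_.Name; Command = $_.FullName }
    }
})

# 3. Scheduled tasks that fire at logon or boot.
$entries += @(Get-ScheduledTask | Where-Object {
    $_.State -ne 'Disabled' -and
    ($_.Triggers | Where-Object { $_.CimClass.CimClassName -in 'MSFT_TaskLogonTrigger', 'MSFT_TaskBootTrigger' })
} | ForEach-Object {
    $action = $_.Actions | Select-Object -First 1
    [pscustomobject]@{
        Source  = "Task $($_.TaskPath)"
        Name    = $_.TaskName
        Command = "$($action.Execute) $($action.Arguments)".Trim()
    }
})

# Assumed heuristic: commands living in user-writable folders or launched
# through a script host get a '!' so they sort to the top. Everything is listed.
$flag = 'AppData|\\Temp\\|ProgramData|wscript|cscript|powershell|mshta|rundll32'
$entries |
    Select-Object @{ n = 'Flag'; e = { if ($_.Command -match $flag) { '!' } else { '' } } }, Source, Name, Command |
    Sort-Object Flag -Descending |
    Format-Table -AutoSize -Wrap
```

Compare the output with the “Startup” tab: an entry that appears here but not there (a scheduled task, or a `RunOnce` value that disappears after its first run) is precisely what a casual look would miss. When you find something, note the `Source` before removing it, because that is what tells you how the program gave itself permission to start with the computer.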