10-05-2016, 11:51 AM
Phaser was a legend in their world. Some believed he was AI, others a man, others something in between. Carl wasn't sure, but he knew Phaser's signature. Every digital forensic engineer did, but unlike the other law enforcement investigators, Carl respected Phaser. He even tried to emulate him once, to no success. Phaser was too good.
Carl was busy working through a dozen windows on Prodrome, studying the way that Phaser gained access to the hospital network. If it really was Phaser. The attack was not his usual M.O., yet the sheer difficulty of the task certainly was. If it was really Phaser, and not an impostor setting him up, then Carl had some serious questions for him. Like, what in the world was his game? Why sign the hack? Why not hide his trail? That's what Carl was trying to find out.
His coffee had gone cold by then, but he sipped it anyway. The sun was up outside, the office getting busier. He heard the shuffling of his cubicle-mate, the man that worked on the other side of the partition, suggesting his arrival. A face peered over the top of Carl's work station, but Carl didn't look up.
"Hey Kincaid. Hell of a night, wouldn't you say?"
Carl mumbled and nodded.
"You working on something?"
He frowned. "Yah. I'm onto something here. Now shut up and leave me alone." That final bit was defused by a crooked smile. Chuckling followed and the man fell back down below sight. The sounds of fingers tapping on keys soon followed.
Carl was looking through the hospital's filesystems by then. When a hacker gained access to a network, they always left bits of themselves behind, like a kid trailing breadcrumbs. The better hackers knew to delete their own breadcrumbs, hiding the traces of their presence. But a good forensic strategist could recover those files. Carl was doing the trace. Phaser, the real Phaser, should have deleted his own files. But then again, he also signed the images. Maybe he wanted to be found? Why?
Carl browsed the Master File Tables for areas available to be overwritten, a sign that a file had recently been deleted. When they were overwritten, and the new file was not as long as the previous file, the difference in space, or slack space, showed up. That was his in to find the breadcrumbs. It was like replacing a baguette with a biscuit; the biscuit wasn't big enough to fill in the space that the baguette once occupied.
Yes, he confirmed the hacker's presence. Now to determine if Phaser and the Borg's location was real or set up as an impostor.
Next, he opened regedit in the network, the registry that logged everything about everyone that accessed the server and what they did while inside. Users, the time they used the system, the software used, devices connected, wireless access points, what and when the files were accessed, searches performed and more. Manipulating this data could reroute a hacker's location to anywhere he chose. For instance, an Anonymous member, John Borell III, hacked into the computer systems of the Salt Lake City police department and the Utah Chiefs of Police. The FBI was called in to investigate and they traced the hacker back to the IP address of Blessed Sacrament Church's Wi-Fi AP in Toledo, Ohio. The hacker had apparently cracked the password of the church's wireless AP and was using it to hack "anonymously" on the Internet. In the end, Borell was caught because he bragged about the hack on social media, the idiot. Surely Phaser wasn't doing something similar? Surely the signature wasn't bragging? Or was it?