MANILA, Philippines - Just as criminals are identified through clues left on the scene, computer forensic experts may trace infiltration into computer networks and sites through "digital fingerprints" hackers leave in a target's hard drive.
Computer forensic experts from Camp Crame national police headquarters need only to look into the hard drive of a "compromised" computer of the Department of Foreign Affairs (DFA) to see whether hackers have indeed penetrated the system.
Chief Insp. Efren Fernandez II, computer forensics chief of the Philippine National Police, said Monday that hackers may be traced through digital imprints they leave on target computers.
Registered as logs, these records of access tell experts of unauthorized entry into a website or a computer network.
Experts could also detect and trace the location of a suspected hacker through an IP (Internet protocol) address, a numerical ID of a computer terminal engaged in online communication.
"If it's a hacking case, the suspect [computer] used tools that register as logs into a target computer ... In computer forensics, those are mathematical, digital fingerprints," said Fernandez, head of the PNP Criminal Investigation and Detection Group's Cyber Crime and Computer Forensics Unit.
"You capture tools in a victim's machine and those in a suspect computer, and when they actually match ... Just like in a regular crime ... a crowbar that was used to open the door [in a crime scene] matched the crowbar a suspect is in possession of," he told the Philippine Daily Inquirer (parent company of INQUIRER.net).
There has yet to be a request from the DFA for Fernandez's unit to check reports that Chinese cyber-spies have infiltrated Philippine government computers and gained access to confidential files.
If asked, PNP computer experts may use EnCase, digital investigation software used to track computer activity through information that an average user would be unable to retrieve from a computer memory.
"You seize the computer (main computer hosting the website or administering the network) and conduct forensics. You'll find traces of hacking or if the machine is compromised," Fernandez said.
The special software could trace "if there was communication between network (or in-house) computer and an outside computer penetrating the machine," he said.
Investigators may also check the identity of the infiltrator with the Internet service provider (the telecommunications companies providing Internet service to households and offices), as they also keep logs of IP addresses tapping into each other.
Hackers usually infiltrate websites and networks to gain confidential information or else deface a particular site. Some even leave digital graffiti and mess with a website's layout, Fernandez said.