Teaching Tip Utilizing Simple Hacking Techniques to Teach System ...

The first step in attempting to determine the identity of the hacker was to search for clues in the directory containing the altered page. Interestingly enough, the process mirrored standard troubleshooting procedure, or the way a police officer works a crime: start at the scene, gather as many direct clues as possible, then work outward and examine the larger picture. Since the directory contained published Web pages, it existed as a subdirectory of the wwwroot directory (\inetpub\wwwroot). The first piece of useful information was the created and modified dates on the altered Hypertext Markup Language (HTML) file. These dates were not an absolute fingerprint (anyone with write access to a file can set its NTFS timestamps), but they provided a frame of reference for the search for other clues.

The next step was the examination of the _vti_cnf subdirectory, which, on servers with FrontPage Extensions enabled, FrontPage uses to store configuration information for the files in the parent directory. Every directory published through FrontPage has a _vti_cnf subdirectory containing one configuration file for each HTML file in the parent directory. Each configuration file has the same filename and extension as its HTML counterpart; the only difference is that viewing the configuration file in a browser displays configuration information rather than the page it mirrors. The configuration files in _vti_cnf contain some important information, including the file's author, last time modified, next-to-last time modified, and time created. (On a configuration note, it is highly recommended that the computer under examination be configured to show hidden files, as some of the files in the _vti_cnf directory may be hidden.)

As they logically should, the dates and times listed in the configuration file for the altered page matched the dates and times shown in the properties of the altered page. The author's name was the most important piece of information gained from the configuration file, and a crucial piece of the puzzle. The name was a valid account in the Active Directory for the server, belonging to someone who would not be hacking servers and altering other people's Web pages. Because that field records only which credentials FrontPage accepted when the file was published, it identifies an account rather than a person. At this point, the evidence suggested that someone had correctly guessed the password of a user with access to the server and directory, connected to the directory, and altered the Web page.
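The cross-check described above (pairing each HTML file with its _vti_cnf twin, reading the author and timestamp fields, and comparing them with the file's own modification time) can be scripted so it covers a whole published directory instead of one page. The script below is an added example, not code from the paper; it assumes the _vti_cnf line layout `key:TYPE|value` with `SR` string and `TR` time fields, the key names `vti_author`, `vti_modifiedby`, `vti_timecreated`, `vti_timelastmodified` and `vti_nexttolasttimemodified`, and a `DD Mon YYYY HH:MM:SS +0000` time format; verify these against a real _vti_cnf file before relying on them. The sample web tree it builds (account name `CORP\jdoe`, file names, dates) is constructed for the demonstration. Pages whose NTFS time disagrees with the FrontPage stamp, or that have no twin at all, are flagged, since either means the file was changed without going through FrontPage, or a timestamp was altered.

```python
"""Triage FrontPage _vti_cnf metadata for every page in a published directory."""
import os
import re
import tempfile
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# One _vti_cnf entry per line, "key:TYPE|value"; SR = string, TR = timestamp.
# Line layout and time format are assumptions for this example (see lead-in).
VTI_LINE = re.compile(r"^(?P<key>[A-Za-z_]+):(?P<type>[A-Z]{2})\|(?P<value>.*)$")
VTI_TIME_FMT = "%d %b %Y %H:%M:%S %z"      # e.g. "14 Feb 2004 03:12:55 +0000"
MTIME_TOLERANCE = timedelta(seconds=2)     # slack for filesystem timestamp rounding


@dataclass
class PageRecord:
    page: str
    author: Optional[str] = None
    modified_by: Optional[str] = None
    created: Optional[datetime] = None
    last_modified: Optional[datetime] = None
    next_to_last_modified: Optional[datetime] = None
    fs_modified: Optional[datetime] = None
    findings: List[str] = field(default_factory=list)


def parse_vti_cnf(text: str) -> Dict[str, Tuple[str, str]]:
    """Return {key: (type, value)} for each well-formed line; other lines are ignored."""
    fields: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        m = VTI_LINE.match(line.strip())
        if m:
            fields[m.group("key")] = (m.group("type"), m.group("value"))
    return fields


def vti_str(fields: Dict[str, Tuple[str, str]], key: str) -> Optional[str]:
    entry = fields.get(key)
    return entry[1] if entry and entry[0] == "SR" else None


def vti_time(fields: Dict[str, Tuple[str, str]], key: str) -> Optional[datetime]:
    entry = fields.get(key)
    if not entry or entry[0] != "TR":
        return None
    try:
        return datetime.strptime(entry[1], VTI_TIME_FMT)
    except ValueError:      # malformed stamp: treat as absent, never as a match
        return None


def examine_directory(webdir: str) -> List[PageRecord]:
    """Pair each .htm/.html page with its _vti_cnf twin and cross-check the two."""
    cnf_dir = os.path.join(webdir, "_vti_cnf")
    records = []
    # os.listdir also returns files carrying the hidden attribute, so none are skipped.
    for name in sorted(os.listdir(webdir)):
        if not name.lower().endswith((".htm", ".html")):
            continue
        rec = PageRecord(page=name)
        st = os.stat(os.path.join(webdir, name))
        rec.fs_modified = datetime.fromtimestamp(st.st_mtime, timezone.utc)
        twin = os.path.join(cnf_dir, name)
        if not os.path.isfile(twin):
            rec.findings.append("no _vti_cnf twin: file was not published through FrontPage")
            records.append(rec)
            continue
        with open(twin, encoding="utf-8", errors="replace") as fh:
            fields = parse_vti_cnf(fh.read())
        rec.author = vti_str(fields, "vti_author")
        rec.modified_by = vti_str(fields, "vti_modifiedby")
        rec.created = vti_time(fields, "vti_timecreated")
        rec.last_modified = vti_time(fields, "vti_timelastmodified")
        rec.next_to_last_modified = vti_time(fields, "vti_nexttolasttimemodified")
        if rec.last_modified is None:
            rec.findings.append("vti_timelastmodified missing or unparseable")
        elif abs(rec.last_modified - rec.fs_modified) > MTIME_TOLERANCE:
            rec.findings.append("NTFS mtime disagrees with vti_timelastmodified: "
                                "edited outside FrontPage or a timestamp was tampered")
        if rec.author and rec.modified_by and rec.author != rec.modified_by:
            rec.findings.append(f"last published by {rec.modified_by}, original author {rec.author}")
        records.append(rec)
    return records


def _write(path: str, text: str, mtime: Optional[datetime] = None) -> None:
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)
    if mtime is not None:
        os.utime(path, (mtime.timestamp(), mtime.timestamp()))


def build_sample_web(root: str) -> str:
    """Lay out a constructed wwwroot subdirectory; nothing here is a real capture."""
    webdir = os.path.join(root, "inetpub", "wwwroot", "class_pages")
    cnf = os.path.join(webdir, "_vti_cnf")
    os.makedirs(cnf)
    created = datetime(2004, 2, 2, 9, 0, 0, tzinfo=timezone.utc)
    published = datetime(2004, 2, 14, 3, 12, 55, tzinfo=timezone.utc)
    cnf_text = ("vti_encoding:SR|utf8-nl\n"
                f"vti_timecreated:TR|{created.strftime(VTI_TIME_FMT)}\n"
                f"vti_nexttolasttimemodified:TR|{created.strftime(VTI_TIME_FMT)}\n"
                f"vti_timelastmodified:TR|{published.strftime(VTI_TIME_FMT)}\n"
                "vti_author:SR|CORP\\jdoe\nvti_modifiedby:SR|CORP\\jdoe\n")
    # index.htm: the case in the text; FrontPage and NTFS stamps agree, so the
    # publishing account CORP\jdoe is the lead to follow.
    _write(os.path.join(webdir, "index.htm"), "<html>hacked</html>", published)
    _write(os.path.join(cnf, "index.htm"), cnf_text)
    # about.htm: same metadata, but rewritten on disk three hours later, bypassing FrontPage.
    _write(os.path.join(webdir, "about.htm"), "<html>about</html>", published + timedelta(hours=3))
    _write(os.path.join(cnf, "about.htm"), cnf_text)
    # contact.htm: dropped straight into the directory; no twin at all.
    _write(os.path.join(webdir, "contact.htm"), "<html>contact</html>", published)
    return webdir


def run_demo() -> List[PageRecord]:
    with tempfile.TemporaryDirectory() as tmp:
        return examine_directory(build_sample_web(tmp))


if __name__ == "__main__":
    for rec in run_demo():
        print(rec.page, rec.author, rec.modified_by, rec.fs_modified.isoformat(), rec.findings)
```

On a live server the call would be `examine_directory(r"C:\inetpub\wwwroot\<affected dir>")` from a read-only copy of the directory, so that the triage itself does not disturb the timestamps being compared. An agreeing pair, as on the altered page in the text, makes the `vti_author` value worth pursuing; a disagreeing pair or a missing twin says only that FrontPage was not the last thing to touch the file, and the account name then proves nothing about the final edit.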
