You've been hacked. What do you do? Who do you call?

It's good to know before time, because you can waste a lot of time, and do a lot of damage to your systems and your organisation if you don't, according to Paul Craig, the lead forensic incident responder at

There are people out there who will hack into your system with criminal intent.

There are people who do it for fun, or so they can skite about it on sites like - which will point other people to your servers, your databases and your credit card numbers if you don't move fast to secure them.

Craig says most hacking now starts with web applications, because the firewalls that aim to stem other types of network intrusion are now almost ubiquitous.

Once a server has been hacked, people need to work out what the hacker has done in the system, whether they have taken anything or made queries on the database, whether they have left any back doors so they can come in later.

Craig says a common response to being hacked is the worst one.

"People say, 'We've reformatted the servers, reinstalled from back-ups, the crisis was averted.'

"What they've actually done is destroyed forensic evidence, and they have no way to find out what the hacker has done."

He says in one New Zealand government agency where was called in, the security manager was unaware the website had been defaced.

The content manager was, but just restored from back-ups whenever it happened.

Craig says once he ran all the available data through his tools and in effect recreated what had happened by automatically sifting through gigabytes of logs to find out what, when and who, he discovered eight separate hackers had exploited a vulnerability in the DotNetNuke web content management system.

Hacker five had listed his exploit on, where hacking government sites earns extra points, and hackers six, seven and eight followed the link in.

He recommends organisations sort out their business processes and technical response before they get hacked.

If they identify a preferred forensic supplier, one with the trained staff, the equipment and the processes to do the job right, they can have emergency response numbers, pre-signed non-disclosure agreements and to-do lists in place if the worst happens.

Digital evidence degrades over time, so it's important to move fast.

Craig says if a server is hacked, leave it on and connected to the internet. That means the forensic examiner can look at logs and routing tables and get an accurate picture.

Action may need to be taken so the machine does not restart. That means disabling any automated shut-downs or patch routines.

If the incident responder can't get there for a few days, get a new one - and rip the power cord out of the wall.

"Don't do a shut down. When Windows shuts down, it clears a lot of volatile information," Craig says.

It's good if organisations know what their incident responder needs and have it ready. They will be paying big money for forensics, maybe $2000-plus a day, so why waste it by having the person wandering the building chasing up network topography maps and server logs.

Craig says he is still waiting for the job that leads to a successful prosecution.

If the hack came from New Zealand or Australia, that would be relatively simple, but most hacks come from places where local law enforcement doesn't seem inclined to chase down the culprits - such as when he identified a United States-based hacker who was even using his smartphone to grab credit card numbers.

And if the hacker comes from China, there may be a prosecution - but the sentence is to be drafted in to the army's cyberwar division.