Well... I do this for a living, and all I can say is - if you need to know *for sure*, it's going to get expensive. It's usually pretty easy to tell if some clueless newbie hacked in, because they'll leave *all* sorts of digital fingerprints all over the system. If you've gotten *possibly* hit by a really talented black hat, proving it didn't happen can be a challenge. Before you get paranoid, please note that there are several tens of thousands of clueless newbies hacking into things (mostly because most computers aren't really secure), and probably only 50 to 100 really top-level "leave no traces at all" black hats currently active in the world...
There's plenty of information on how to handle an incident already online - googling for 'computer incident handling handbook' gets a lot of hits, and everything on the first page is a good source. But pretty much all of them will start off the same place:
Why do you think you may have been hacked? Is it a big "You've been hacked" sign on your webpage, as has happened to many defaced sites, or was it a small 27 cent discrepancy in an accounting form, as Cliff Stoll found (His book "The Cuckoo's Egg" is a great read about the chase after some East German hackers after US military sites)? Or something else?
Word of advice: If you have *serious* reason to think you've been hacked, do as little as possible to change the state of the machine, and get help from somebody who really knows security (and don't settle for "The guy next door knows a bit", unless he's actually doing it for a living. If his first reaction isn't "Take a full forensics-level backup," you don't want him ;))
And yes, the first thing to do *is* get a full forensics-level backup (which means *all* the bits, not just the ones that are in files now - often, a *lot* of data can be recovered from "slack space", the places where files were before they were deleted...)
2006-07-30 09:59:33 · answer #1 · answered by Valdis K 6