11 Network Scanning

He's put his backdoor into place and installed some additional software to make it harder for anyone to find the port that's listening for him to come in. Had he needed to, he could have left a permanent connection to another system he controlled. This would have allowed him to tunnel back into this system, through the firewall. That connection would have been, perhaps, more obvious, but hiding his connections is always necessary. Fortunately, he has tools that can do that for him. Anyone who is also on the system won't see his network connections.

He also worries about someone else coming into the system he now possesses. Fixing some of the broken software packages by patching them would keep others from making use of any vulnerabilities that exist. While he was able to get into this system by way of an e-mail, he has had to use vulnerabilities to get into other systems. There is no need for a turf war here. Just fix the vulnerable software so he has this system all to himself.

The challenge with host-based analysis is that you can't trust the host operating system if the system has been compromised. We've talked about this in earlier chapters of this book, but it's worth repeating. The best place to gather information ...
