Well i guess since this is my first post i will introduce myself.

Hell@ from teh internetz! i am currently an IT technician with a love for security (greyhat). ive been doing lots of reading and some practical applications with backtrack, aircrack-ng, etc. i have learned lots but still have a long way to go and i know this.

I am a long time lurker and now my first post! here it is:

Today a employee came to me describing an issue he is having at home. Apperently someone have taken control of family members facebook and msn, not much i can do for him there; but the second thing he told me was the the hacker (its a skiddie) has actual control over the PC including webcam (which they demostrated for them) and from the sounds of it atleast a keylogger on top that.

This person with access has told them he(they) has been taken pics with the webcam and is threatning to use them in malicous ways. now what you need to understand is that this is all against some young children and its quite sickening to me.

I havent actually had access to the laptop yet so i have to be kinda vague for now. I know i can find the trojan and remove it (no problem there) but i would like to see what i can do about helping the police (there useless) im going to try and log the IP of the skiddie. its a windows XP system more than likely not update properly etc. (i will do this for them aswell) most of what im learning focuses on gaining access and not working from the other way around.

right now my plan is to get the laptop for a few days and see if {they} connect to it again and see what info i can pull, now other than an array of netstat commands when theyre connected and pulling the logs from the router, what else can i do to dig up more info?

Edit:
this still sounds like a skiddie to me, they flaunt there access to there webcam (really? what real hacker cares about a webcam), i wont be surprised to find Subse7en or some other torrent found tool on there. i just need to log some usefull info if i can.

Police have already been involved and they dont seem interested in helping in anyway (im in canada BTW).

Trust me, the last thing i want to do is go around and potentially "muck" with any evidence. After reading my first post i did make it sound like there were "indecent" pics taken but from what im told thats not the case, this person is supposedly going to use pics to " socially ruin" member of the family. i am going to clean and secure there laptop for them but first i would like more info from where its comming from in the first place.

i just need to know if theres something else i should be looking at to find more info on the hijacker.
ideas for logging info of an attacker is what i am after. They dont seem to be all that knowledgable (look whos talking right?) but if the police wont do anything then im going to do what i can for them.

im not trying to be some vigilante, im just trying to do what anyone else would do if they had the knowledge and opportunity. ive been focusing alot of my learning of gaining access to systems and not what to do on a system comprimised by someone else. i think this is going to be a great learning expierence for me, i just need a nudge in the right direction 

It doesnt sound like its going to become a civil matter, the family contacted the police for good measure and i really doubt there will be an legal action taken by the police or family.

Thank you for the help ketchup, my oringinal idea was to just dump all the log files i could router, firewall, log viewer etc and see what i could dig up. Unfortantly i dont have access to EnCase ( would love to have this tool) but then again i dont realy expect to find a valid IP and "hunt" this person down, im really just using this as a practical learning enviorment and to satisfy a curious mind.

is there anything you know of that could help me log an active connection to the PC? if the "hacker" has had active dialog with a user on the computer i must be able to see how or atleast what port there connecting to. Again from what info im getting so far is that this isnt anything more than someone causing mischief with basic tools. 

kk, So i will dump all the logs i can find and run some nmap scans and see what i come up with, i'll let you know what i find.

UPDATE:

Well it seems i was too late. I was supposed to get the laptop today and at the very least get an image from it, but it turns out that someone known by the family would "help out" and has already done a complete format/re-install.

I got my hopes up, i was really looking forward to trying the Mir-ror tool discussed here: http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/topic,4181.0/