Originally Posted by Crazy Chainsaw
Well, not quite. When a computer is hacked via a network, the hacker leaves digital fingerprints on the HDD that a computer forensics expert can find, even if the hacker was very, very careful to clean up after themselves. Often, it is the clean up effort that is actually detected first, and that leads them to the network, and gives the investigators clues as to what to look for when the come to examine copies of the stolen files.
For example, In the DNC hack, Crowdstrike examined stolen files published by Wikileaks. Their metadata showed that they contained text converted from the Russian Cyrillic alphabet to the Latin alphabet. Also, they were able to determine that the hacker, Guccifer 2.0 was lying when he said he was Romanian, because he had difficulty speaking the language fluently - a problem that a native speaker would not have.
However, the clues that led them to this came from evidence found on the server HDDs, so having the hardware is a necessary step. As Crowdstrike themselves have said
"When cyber investigators respond to an incident, they capture that evidence in a process called “imaging.” It involves making an exact byte-for-byte copy of the hard drives. They do the same for the machine’s memory, capturing evidence that would otherwise be lost at the next reboot, and they monitor and store the traffic passing through the victim’s network."
Trump's assertion that "Once they hack, if you don't catch them in the act you're not going to catch them"
is completely false. Yes, its difficult, but its not impossible.
"Obviously there are cases where we cannot come to a clear conclusion in digital forensics. It’s always a question of what evidence did you get," https://www.wired.com/2016/12/hacker...ution-problem/
"But there is still this 'attribution is impossible' knee jerk reaction that occasionally pops up, which really doesn’t make much sense. The idea that attribution is not possible really doesn’t carry any weight in the technically informed community any more."
- Thomas Rid (a cybersecurity-focused professor in the department of War Studies at King’s College London)
In any case, Crowdstrike did actually catch the Russians in the act