>> we actually did catch him in the act. we watched the adversaries for a number of days and weeks. >> security experts say it's possible to catch the cyber criminals after the act as well. >> most of the time when we respond to an engagement we have a number of elements we can find ranging from ip addresses to user names, the actual tools that the individuals used while they're breaking into the systems. >> hackers often leave behind digital bread crumbs, everything from complex crews to circumstantial evidence. something as easy as the hours they worked. >> when we see attackers inside the network, does it happen at certain times of the day that you could line up with shift work in china or russia or the united states. do the people take holidays? >> the calling cards, recognizable evidence left behind by known criminals. >> the code that they use to build their malware samples.