This paper concerns the protection of a software program and/or the content that the program protects. Software piracy and digital media piracy have cost industries billions of dollars each year. The success of the content/software security technologies in a large part depends on the capability of protecting software code against tampering and detecting the attackers who distribute the pirate copies. In this paper, we focus on the attacker detection and forensis analysis. We shall talk about a proactive detection scheme for defeating an on-going attack before the compromise has occurred. We shall also briefly explain another detection scheme for post-compromise attacker identification. In particular, we consider real world scenarios where the application programs connect with their vendors periodically, and where a detection of attacking can bar a hacker user from further business.