Re: a forensic question

From: OneGuy (OneGuy@hotmail.com)
Date: 02/23/03


From: "OneGuy" <OneGuy@hotmail.com>
Date: Sun, 23 Feb 2003 09:35:17 -0500

Doug,

I got in here late, but consider this. I can't tell you how many times over
the last 12 years a user "swore the file was there" or "swore someone was on
their computer". Probably 95 percent of the time the user is in error
(mistaken). It makes no difference what level the user is, either, be it a VP,
engineer or security guard.

The most important thing you can do is to get the exact facts about the
missing files pertaining to the names or naming conventions and the exact
(alleged) location of those files. If the user is wishy-washy about either
of those items, then the end user possibly does not know enough about
computers to "swear" someone else removed those important files.

Typically the user inadvertently moved, deleted or forgot the location of
the file(s), or was not logged into the server where they were stored and
therefore the files "disappeared". Users tend to drag and drop complete
directory structures and files to other locations without knowing it, too.
Your job is to find them.

The file witch hunt starts by automatically assuming the user accidentally
did it themselves, without telling them this. Once you know the file names in
question, scour the local drive for the files using DOS commands or
findstr, then do the same for any network drive access they have.

If you determine the files are truly deleted, pull the hard drive and make
it the slave on a machine with Easy Recovery Pro installed. I always keep
one in the shop ready for data recovery. ERP will find any files deleted, no
matter how, even on NTFS partitions.

Good luck,
OneGuy

"Doug Fox" <dfox168@hotmail.com> wrote in message
news:xUB5a.36937$UXa.28377@news02.bloor.is.net.cable.rogers.com...
> A user swore that she had powered down her NT 4.0 workstation before going
> home. But she discovered that some important files on her workstation were
> deleted this morning.
>
> Checked:
>
> The Event Viewer | Security Log, there was no entry as auditing was not
> enabled.
> The Event Viewer | System Log, the PC was powered down at 5:15 pm yesterday
> and a DHCP request this morning. There was no activity in between these two
> entries.
> The Recycle Bin was empty.
>
> Also checked //winnt/profiles directory. There was no unrecognizable
> username.
>
> Where else can I check for unauthorized access to this workstation? Could
> it be "remote control" by a user with administrative privilege? For
> instance, net use //computername/c$. How can I find it out? From the
> security log of the PDC?
>
> Are there tools which help in-depth investigations?
>
> Any pointers are appreciated.
>
> Thanks,
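The two steps OneGuy describes, scouring every local and mapped drive for the exact file names and then looking at what actually changed during the window in which the machine was supposedly off, can be scripted. The following is an added example, not code from the thread or from either poster; the drive roots, the wildcard patterns and the 5:15 pm to next-morning window are assumptions for illustration, and the sample directory tree is constructed inside the script so it runs offline.

```python
"""Locate 'missing' files by name and build a change timeline for the gap.

Added example (not from the original thread).  Two checks:
  1. find_files():            search whole drive roots for case-insensitive
                              wildcard matches, because drag-and-drop mishaps
                              put files in folders the user never looks in.
  2. files_changed_between(): list files and directories whose modification
                              time falls inside the window the user says the
                              machine was off.  Anything there contradicts the
                              story or shows when a folder lost an entry (on
                              NTFS and most other filesystems a directory's
                              mtime changes when a file is added or removed).
Run it against the slaved drive or a mounted image, not the live workstation,
so the search itself does not disturb the evidence.
"""
import fnmatch
import os
import tempfile
from datetime import datetime

# Assumed window for Doug's case: shutdown at 5:15 pm, DHCP request next morning.
WINDOW_START = datetime(2003, 2, 22, 17, 15)
WINDOW_END = datetime(2003, 2, 23, 8, 0)


def find_files(roots, patterns):
    """Return sorted paths under `roots` whose basename matches any pattern.

    Matching is case-insensitive (NTFS and FAT are case-insensitive), so
    '*budget*.xls' finds 'Q1 Budget.XLS' wherever it was dragged to.
    """
    patterns = [p.lower() for p in patterns]
    hits = []
    for root in roots:
        # onerror=None-style callback: skip unreadable directories instead of aborting.
        for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda err: None):
            for name in filenames:
                if any(fnmatch.fnmatchcase(name.lower(), p) for p in patterns):
                    hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def files_changed_between(roots, start, end):
    """Return [(path, mtime_as_datetime)] for entries modified within [start, end].

    Directories are included so a folder that lost a file during the window
    shows up even though the file itself is gone.
    """
    lo, hi = start.timestamp(), end.timestamp()
    changed = []
    for root in roots:
        for dirpath, dirnames, filenames in os.walk(root, onerror=lambda err: None):
            for name in dirnames + filenames:
                path = os.path.join(dirpath, name)
                try:
                    mtime = os.stat(path).st_mtime
                except OSError:
                    continue  # vanished or unreadable while walking
                if lo <= mtime <= hi:
                    changed.append((path, datetime.fromtimestamp(mtime)))
    return sorted(changed, key=lambda item: item[1])


def build_sample_tree():
    """Constructed sample data: a profile tree where the 'missing' spreadsheet
    was dragged into an 'Old' folder during the window, plus two decoys."""
    root = tempfile.mkdtemp(prefix="profile_")
    old = os.path.join(root, "My Documents", "Old")
    archive = os.path.join(root, "My Documents", "Archive")
    os.makedirs(old)
    os.makedirs(archive)

    moved = os.path.join(old, "Q1 Budget.xls")  # the file the user "lost"
    with open(moved, "wb") as fh:
        fh.write(b"constructed sample spreadsheet")
    touched = datetime(2003, 2, 22, 22, 40).timestamp()  # inside the window
    os.utime(moved, (touched, touched))

    decoy_ext = os.path.join(root, "My Documents", "Budget notes.txt")  # wrong type
    with open(decoy_ext, "wb") as fh:
        fh.write(b"not a spreadsheet")  # mtime is now, outside the window

    decoy_old = os.path.join(archive, "FY2002 Budget.xls")  # right type, untouched
    with open(decoy_old, "wb") as fh:
        fh.write(b"older spreadsheet")
    stale = datetime(2003, 2, 20, 9, 0).timestamp()  # before the window
    os.utime(decoy_old, (stale, stale))
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    print("Name matches:")
    for path in find_files([sample_root], ["*budget*.xls"]):
        print("  ", path)
    print("Changed during the 'machine was off' window:")
    for path, when in files_changed_between([sample_root], WINDOW_START, WINDOW_END):
        print("  ", when.strftime("%Y-%m-%d %H:%M"), path)
```

On the real job the roots would be the slaved drive letter and every network drive the user has access to, and the window comes from the System Log entries Doug already has. A hit under an unexpected folder is the drag-and-drop case; a folder whose mtime sits inside the window with nothing else around it is the point to hand over to the recovery tool.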