Re: a forensic question
From: Doug Fox (dfox168@hotmail.com)
Date: 02/27/03
- Next message: Doug Fox: "Re: a forensic question"
- Previous message: megan: "Re: [urgent] which OSI layer is SSL located?"
- In reply to: OneGuy: "Re: a forensic question"
- Next in thread: OneGuy: "Re: a forensic question"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Doug Fox" <dfox168@hotmail.com> Date: Thu, 27 Feb 2003 03:00:41 GMT
Thanks, OneGuy!
"OneGuy" <OneGuy@hotmail.com> wrote in message
news:b3am44$1k6ein$1@ID-102870.news.dfncis.de...
> Doug,
>
> I got in here late, but consider this. I can't tell you how many times over
> the last 12 years that a user "swore the file was there" or "swore someone
> was on their computer". Probably 95 percent of the time the user is in error
> (mistaken). It makes no difference what level the user is either, be it a VP,
> Engineer or Security Guard.
>
> The most important thing you can do is to get the exact facts about the
> missing files pertaining to the names or naming conventions and the exact
> (alleged) location of those files. If the user is wishy-washy about either
> of those items then the end user possibly does not know enough about
> computers to "swear" someone else had removed those important files.
>
> Typically the user inadvertently moved, deleted or forgot the location of
> the file(s), or was not logged into the server where they were stored and
> therefore the files "disappeared". Users tend to drag and drop complete
> directory structures and files to other locations without knowing it too.
> Your job is to find them.
>
> The file witch hunt starts by automatically assuming the user accidentally
> did it themselves, without telling them this. Once you know the file names
> in question, scour the local drive for the files using DOS commands or
> findstring, then do the same for any network drive access they have.
>
> If you determine the files are truly deleted, pull the hard drive and make
> it the slave on a machine with Easy Recovery Pro installed. I always keep
> one in the shop ready for data recovery. ERP will find any files deleted no
> matter how, even on NTFS partitions.
>
> Good luck,
> OneGuy
>
> "Doug Fox" <dfox168@hotmail.com> wrote in message
> news:xUB5a.36937$UXa.28377@news02.bloor.is.net.cable.rogers.com...
> > A user swore that she had powered down her NT 4.0 workstation before going
> > home. But she discovered that some important files on her workstation were
> > deleted this morning.
> >
> > Checked:
> >
> > The Event Viewer | Security Log: there was no entry, as auditing was not
> > enabled.
> > The Event Viewer | System Log: the PC was powered down at 5:15 pm yesterday
> > and there was a DHCP request this morning. There was no activity in between
> > these two entries.
> > The Recycle Bin was empty.
> >
> > Also checked the //winnt/profiles directory. There was no unrecognizable
> > username.
> >
> > Where else can I check for unauthorized access to this workstation? Could
> > it be "remote control" by a user with administrative privilege? For
> > instance, net use //computername/c$. How can I find it out? From the
> > security log of the PDC?
> >
> > Are there tools which help in-depth investigations?
> >
> > Any pointers are appreciated.
> >
> > Thanks,
> >
>
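Editor's added example, not code from either poster: a PowerShell script that carries out the procedure OneGuy describes (get the exact file names, then scour every local disk and every mapped network drive for them before concluding anything was deleted) and then takes a stab at Doug's follow-up question of how a "net use \\computername\c$" session would show up in the Security log. The second step goes beyond the NT 4.0 case in the thread: it assumes Windows Vista or later, where a network logon is event 4624 with LogonType 3 and an admin-share connection is event 5140, and it assumes logon and file-share auditing is actually enabled, which the original post says it was not. The sample file patterns, the two-day window and the helper name Get-EventField are all this example's own choices.

```powershell
# Added example (not from the original thread). Run from an elevated shell on the
# workstation in question; the Security log is not readable by ordinary users.
# Assumes PowerShell 5.1+ and, for step 2, Vista or later with auditing enabled.
param(
    # Names or wildcard patterns the user reports missing (constructed sample values).
    [string[]]$Names = @('Q4-budget*.xls', 'contract*.doc'),
    # How far back to look in the Security log.
    [int]$Days = 2
)

# --- Step 1: where are the files now? -----------------------------------------
# DriveType 3 = local fixed disk, 4 = mapped network drive. Mapped drives matter
# because "not logged into the server" makes files look deleted when they are not.
$drives = Get-CimInstance Win32_LogicalDisk |
    Where-Object { $_.DriveType -in 3, 4 } |
    Select-Object -ExpandProperty DeviceID

$hits = foreach ($d in $drives) {
    foreach ($n in $Names) {
        # -Force includes hidden/system files; errors on unreadable dirs are skipped.
        Get-ChildItem -Path "$d\" -Filter $n -Recurse -File -Force -ErrorAction SilentlyContinue |
            Select-Object FullName, Length, CreationTime, LastWriteTime,
                          @{ n = 'Pattern'; e = { $n } }
    }
}

if ($hits) {
    "Files matching the reported names (check whether the user moved them):"
    $hits | Sort-Object LastWriteTime -Descending | Format-Table -AutoSize
} else {
    "No file matching $($Names -join ', ') found on $($drives -join ', ')."
}

# --- Step 2: did anyone connect over the network while the PC was 'off'? -------
# Reads a named EventData field from the event XML so we do not depend on
# property positions, which differ between Windows versions.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$since  = (Get-Date).AddDays(-$Days)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 5140; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$remote = foreach ($e in $events) {
    switch ($e.Id) {
        4624 {
            # LogonType 3 is a network logon, which is what mapping \\pc\c$ produces.
            if ((Get-EventField $e 'LogonType') -eq '3') {
                [pscustomobject]@{
                    Time   = $e.TimeCreated
                    Event  = 'Network logon'
                    Who    = "$(Get-EventField $e 'TargetDomainName')\$(Get-EventField $e 'TargetUserName')"
                    From   = Get-EventField $e 'IpAddress'
                    Detail = Get-EventField $e 'WorkstationName'
                }
            }
        }
        5140 {
            # Network share object accessed; ShareName shows e.g. \\*\C$ for the admin share.
            [pscustomobject]@{
                Time   = $e.TimeCreated
                Event  = 'Share accessed'
                Who    = "$(Get-EventField $e 'SubjectDomainName')\$(Get-EventField $e 'SubjectUserName')"
                From   = Get-EventField $e 'IpAddress'
                Detail = Get-EventField $e 'ShareName'
            }
        }
    }
}

if ($remote) {
    "Network logons and share connections since ${since}:"
    $remote | Sort-Object Time | Format-Table -AutoSize
} else {
    "No network logon or share-access events since $since. Either nobody connected, " +
    "or auditing was off (as in the thread), in which case this log cannot answer the question."
}
```

Two caveats a practitioner would add. Step 1 is evidence only of where the files are now, not of who moved them; a hit on a different drive or folder usually settles the matter the way OneGuy predicts. Step 2 only works if the audit policy was in force before the incident; on a machine where it was not, as in Doug's case, the local Security log is empty by construction and the question has to be taken to the domain controller, whose own account-authentication events for the same time window are the next place to look.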