Re: a forensic question

From: Doug Fox (dfox168@hotmail.com)
Date: 02/27/03


From: "Doug Fox" <dfox168@hotmail.com>
Date: Thu, 27 Feb 2003 03:06:33 GMT

It turns out that you are correct.

Another question:

The user also swore that he turned off the PC before leaving the workplace.
When he came back to the office the next day, the PC was on. Checked Event
Viewer | System Log and Security Log. The System Log shows that the PC was
actually turned off and on as he said, but the Security Log does not have
any entry concerning user logging in.

Any suggestions?

Thanks again.

"OneGuy" <OneGuy@hotsnail.com> wrote in message
news:b3dv9d$1lg428$1@ID-102870.news.dfncis.de...
> Doug,
>
> Any word on the final outcome of this situation?
>
> OneGuy
>
> "Doug Fox" <dfox168@hotmail.com> wrote in message
> news:xUB5a.36937$UXa.28377@news02.bloor.is.net.cable.rogers.com...
> > A user swore that she had powered down her NT 4.0 workstation before going
> > home. But she discovered that some important files on her workstation were
> > deleted this morning.
> >
> > Checked:
> >
> > The Event Viewer | Security Log, there was no entry as auditing was not
> > enabled.
> > The Event Viewer | System Log, the PC was powered down at 5:15 pm yesterday
> > and a DHCP request this morning. There was no activity in between these two
> > entries.
> > The Recycle Bin was empty.
> >
> > Also checked //winnt/profiles directory. There was no unrecognizable
> > username.
> >
> > Where else can I check for unauthorized access to this workstation? Could
> > it be "remote control" by a user with administrative privilege? For
> > instance, net use //computername/c$. How can I find it out? From the
> > security log of the PDC?
> >
> > Are there tools which help in-depth investigations?
> >
> > Any pointers are appreciated.
> >
> > Thanks,
> >
> >
> >
>
>
