Re: a forensic question
From: OneGuy (OneGuy@hotmail.com)
Date: 02/27/03
- Previous message: Doug Fox: "Re: Oracle Directconnect (ODC) Security - is it ok?"
- In reply to: Doug Fox: "Re: a forensic question"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "OneGuy" <OneGuy@hotmail.com> Date: Wed, 26 Feb 2003 23:11:00 -0500
Glad to learn the data is found. After all that is what is really important.
As far as the workstation being "on" in the morning....
Wake on LAN? Ring any bells? :-)
Does your environment have helpdesk personnel doing machine maintenance
after normal business hours like mine does?
Just some thoughts.
OneGuy
"Doug Fox" <dfox168@hotmail.com> wrote in message
news:Zgf7a.100208$Zr%.49692@news01.bloor.is.net.cable.rogers.com...
> It turns out that you are correct.
>
> Another question:
>
> The user also swore that he turned off the PC before leaving the
workplace.
> When he came back the office the next day, the PC was on. Checked Event
> Viewer | System Log and Security Log. The System Log shows that the PC
was
> actually turned off and on as he said, but the Security Log does not have
> any entry concerning user logging in.
>
> Any suggestions?
>
> Thanks again.
>
>
>
>
> "OneGuy" <OneGuy@hotsnail.com> wrote in message
> news:b3dv9d$1lg428$1@ID-102870.news.dfncis.de...
> > Doug,
> >
> > Any word on the final outcome of this situation?
> >
> > OneGuy
> >
> > "Doug Fox" <dfox168@hotmail.com> wrote in message
> > news:xUB5a.36937$UXa.28377@news02.bloor.is.net.cable.rogers.com...
> > > A user swore that she had powered down her NT 4.0 workstation before
> going
> > > home. But she discovered that some important files on her workstation
> > were
> > > deleted this morning.
> > >
> > > Checked:
> > >
> > > The Event Viewer | Security Log, there was no entry as auditing was
not
> > > enabled.
> > > The Event Viewer | System Log, the PC was powered down at 5:15 pm
> > yesterday
> > > and a DHCP request this morning. There was no activity in between
these
> > two
> > > entries.
> > > The Recyle Bin was empty.
> > >
> > > Also checked //winnt/profiles directory. There was no unrecognizable
> > > username.
> > >
> > > Where else I can check for un-authorized access to this workstation?
> > Could
> > > it be "remote control" by a user with administrative priviledge? For
> > > instance, net use //computername/c$. How can I find it out? From the
> > > security log of the PDC?
> > >
> > > Are there tools which help in-depth investigations?
> > >
> > > Any pointers are appreciated.
> > >
> > > Thanks,
> > >
> > >
> > >
> >
> >
>
>
- Next message: Lassi Hippeläinen: "Re: security at banks"
- Previous message: Doug Fox: "Re: Oracle Directconnect (ODC) Security - is it ok?"
- In reply to: Doug Fox: "Re: a forensic question"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
