a forensic question
From: Doug Fox (dfox168@hotmail.com)
Date: 02/22/03
- Next message: Kevin Davisł: "Re: Network Hacking"
- Previous message: Mike: "username not logging just machine name"
- Next in thread: Steven L Umbach: "Re: a forensic question"
- Reply: Steven L Umbach: "Re: a forensic question"
- Reply: OneGuy: "Re: a forensic question"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Doug Fox" <dfox168@hotmail.com> Date: Sat, 22 Feb 2003 03:12:29 GMT
A user swore that she had powered down her NT 4.0 workstation before going
home. But she discovered that some important files on her workstation were
deleted this morning.
Checked:
The Event Viewer | Security Log, there was no entry as auditing was not
enabled.
The Event Viewer | System Log, the PC was powered down at 5:15 pm yesterday
and a DHCP request this morning. There was no activity in between these two
entries.
The Recycle Bin was empty.
Also checked //winnt/profiles directory. There was no unrecognizable
username.
Where else can I check for unauthorized access to this workstation? Could
it be "remote control" by a user with administrative privilege? For
instance, net use //computername/c$. How can I find it out? From the
security log of the PDC?
Are there tools which help in-depth investigations?
Any pointers are appreciated.
Thanks,
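One way to work the question asked above is to put the System log (when was the box actually up?) and a Security log (who made a network logon, and from where?) on one timeline. The script below is an added example written for this thread, not code from the poster or from either reply. It assumes the logs were saved from Event Viewer as tab-separated text (date, time, source, type, category, event ID, user, computer, description), that Logon/Logoff auditing was enabled on whichever host the Security log came from (the post says it was not on the workstation itself), and that the NT 4.0 meanings hold: event 528 is a successful logon with "Logon Type: 3" meaning a network logon such as a connection to C$, and events 6006/6005 mark the Event Log service stopping and starting, which bracket a clean shutdown and the next boot. Every log line embedded here is constructed for the example.

```python
"""Timeline check: network (type 3) logons versus the machine's power state.

Added example for the "a forensic question" thread. All log lines below are
CONSTRUCTED to look like an Event Viewer tab-separated text export; they are
not real data. Event IDs assumed: 528 successful logon (Logon Type 3 = network),
6006 Event Log service stopped, 6005 Event Log service started.
"""
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

Record = Dict[str, object]

LOGON_TYPE_RE = re.compile(r"Logon Type:\s*(\d+)")
WKS_RE = re.compile(r"Workstation Name:\s*(\S+)")

# Constructed System log of the workstation WKS01 (hypothetical name).
SYSTEM_LOG = """\
02/21/03\t08:01:44\tEventLog\tInformation\tNone\t6005\tN/A\tWKS01\tThe Event log service was started.
02/21/03\t17:15:02\tEventLog\tInformation\tNone\t6006\tN/A\tWKS01\tThe Event log service was stopped.
02/22/03\t08:02:11\tEventLog\tInformation\tNone\t6005\tN/A\tWKS01\tThe Event log service was started.
02/22/03\t08:02:40\tDhcp\tInformation\tNone\t1000\tN/A\tWKS01\tDHCP lease obtained (constructed text).
"""

# Constructed Security log with Logon/Logoff auditing on; users and hosts are made up.
SECURITY_LOG = """\
02/21/03\t16:50:10\tSecurity\tSuccess Audit\tLogon/Logoff\t528\tDOMAIN\\alice\tWKS01\tSuccessful Logon: User Name: alice Domain: DOMAIN Logon Type: 2 Workstation Name: WKS01
02/21/03\t23:41:05\tSecurity\tSuccess Audit\tLogon/Logoff\t528\tDOMAIN\\bob\tWKS01\tSuccessful Logon: User Name: bob Domain: DOMAIN Logon Type: 3 Workstation Name: ADMINBOX
02/22/03\t08:03:00\tSecurity\tSuccess Audit\tLogon/Logoff\t528\tDOMAIN\\alice\tWKS01\tSuccessful Logon: User Name: alice Domain: DOMAIN Logon Type: 2 Workstation Name: WKS01
"""


def parse_export(text: str) -> List[Record]:
    """Parse a tab-separated Event Viewer text export into records, oldest first."""
    records: List[Record] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) < 9:
            raise ValueError(f"malformed export line: {line!r}")
        date, time, source, kind, category, event_id, user, computer = fields[:8]
        description = "\t".join(fields[8:])  # description may itself contain tabs
        lt = LOGON_TYPE_RE.search(description)
        wk = WKS_RE.search(description)
        records.append({
            "time": datetime.strptime(f"{date} {time}", "%m/%d/%y %H:%M:%S"),
            "source": source, "type": kind, "category": category,
            "event_id": int(event_id), "user": user, "computer": computer,
            "description": description,
            "logon_type": int(lt.group(1)) if lt else None,
            "workstation": wk.group(1) if wk else None,
        })
    records.sort(key=lambda r: r["time"])  # type: ignore[arg-type]
    return records


def power_windows(system_records: List[Record]) -> List[Tuple[datetime, datetime]]:
    """Return (stopped, started) intervals in which the machine appears to have
    been off: each 6006 (service stopped) paired with the next 6005 (started).
    An unclean shutdown leaves no 6006, so such a gap is not reported here."""
    windows: List[Tuple[datetime, datetime]] = []
    down: Optional[datetime] = None
    for r in system_records:
        if r["source"] != "EventLog":
            continue
        if r["event_id"] == 6006:
            down = r["time"]  # type: ignore[assignment]
        elif r["event_id"] == 6005 and down is not None:
            windows.append((down, r["time"]))  # type: ignore[arg-type]
            down = None
    return windows


def network_logons(security_records: List[Record]) -> List[Record]:
    """Successful logons of type 3 (network), i.e. share or remote admin access."""
    return [r for r in security_records
            if r["event_id"] == 528 and r["logon_type"] == 3]


def logons_while_down(security_records: List[Record],
                      windows: List[Tuple[datetime, datetime]]) -> List[Record]:
    """Network logons timestamped inside a 'powered off' window. A hit means the
    shutdown story, the clock, or the log itself needs a second look."""
    return [r for r in network_logons(security_records)
            if any(start <= r["time"] <= end for start, end in windows)]  # type: ignore[operator]


if __name__ == "__main__":
    sys_recs = parse_export(SYSTEM_LOG)
    sec_recs = parse_export(SECURITY_LOG)
    for start, end in power_windows(sys_recs):
        print(f"appears powered off: {start} -> {end}")
    for r in network_logons(sec_recs):
        print(f"network logon {r['time']} user={r['user']} from={r['workstation']}")
    for r in logons_while_down(sec_recs, power_windows(sys_recs)):
        print(f"INCONSISTENT: {r['time']} {r['user']} from {r['workstation']} while host down")
```

Run against real exports, the value is in the last function: a type 3 logon recorded on a host during a gap in which its own System log says it was off cannot both be true, so either the machine was not powered down as believed, a clock is wrong, or the log was altered; with the constructed data it flags the 23:41 logon by `bob` from `ADMINBOX`.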