Re: a forensic question

From: "Steven L Umbach" <n9rou@attbi.com>
Date: Sat, 22 Feb 2003 04:16:24 GMT


Hi Doug. If the computer had file and print sharing enabled on it then
someone who had administrator privileges could have deleted files remotely,
but if auditing was not enabled it will be impossible to find out who it
was. Did the computer have a floppy drive and if so was it bootable from it,
or perhaps the CMOS was not password protected? The files may have been
deleted from a bootable floppy and that would leave no trace.

-- Steve

"Doug Fox" <dfox168@hotmail.com> wrote in message
news:xUB5a.36937$UXa.28377@news02.bloor.is.net.cable.rogers.com...
> A user swore that she had powered down her NT 4.0 workstation before going
> home. But she discovered that some important files on her workstation were
> deleted this morning.
>
> Checked:
>
> The Event Viewer | Security Log: there was no entry, as auditing was not
> enabled.
> The Event Viewer | System Log: the PC was powered down at 5:15 pm yesterday
> and there was a DHCP request this morning. There was no activity in between
> these two entries.
> The Recycle Bin was empty.
>
> Also checked the //winnt/profiles directory. There was no unrecognizable
> username.
>
> Where else can I check for unauthorized access to this workstation? Could
> it be "remote control" by a user with administrative privilege? For
> instance, net use //computername/c$. How can I find it out? From the
> security log of the PDC?
>
> Are there tools which help in-depth investigations?
>
> Any pointers are appreciated.
>
> Thanks,
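A worked illustration of the point Steve makes, that only audit records can attribute a remote delete through an admin share; this is an added example, not part of the original thread. It correlates network logons with file-delete audit events by logon ID, and assumes a modern Windows Security log with event IDs 4624 and 4663 rather than the NT 4.0 event numbering; the records are constructed samples.

```python
"""Correlate network logons (4624, LogonType 3) with file-delete audit
events (4663 with the DELETE bit set) through the shared logon ID.

Assumption: modern Windows Security log event IDs, not NT 4.0's.
All records below are constructed samples, not real log data.
"""

DELETE = 0x10000  # DELETE bit in the 4663 AccessMask
NETWORK = 3       # LogonType 3 = network logon, e.g. a connection to C$

# Constructed sample records (field names follow the Security log XML).
EVENTS = [
    {"Id": 4624, "Time": "2003-02-21T23:40:02", "LogonType": NETWORK,
     "TargetUserName": "admin1", "TargetLogonId": "0x3e7f1",
     "IpAddress": "10.0.0.25"},
    {"Id": 4663, "Time": "2003-02-21T23:41:10", "SubjectLogonId": "0x3e7f1",
     "ObjectName": r"C:\WINNT\Profiles\jane\Personal\report.doc",
     "AccessMask": 0x10080},   # DELETE | READ_ATTRIBUTES
    {"Id": 4663, "Time": "2003-02-21T23:41:11", "SubjectLogonId": "0x3e7f1",
     "ObjectName": r"C:\WINNT\Profiles\jane\Personal\budget.xls",
     "AccessMask": 0x1},       # read only, not a delete
    {"Id": 4624, "Time": "2003-02-22T08:02:00", "LogonType": 2,
     "TargetUserName": "jane", "TargetLogonId": "0x5a210", "IpAddress": "-"},
    {"Id": 4663, "Time": "2003-02-22T08:05:00", "SubjectLogonId": "0x5a210",
     "ObjectName": r"C:\WINNT\Profiles\jane\Personal\notes.txt",
     "AccessMask": DELETE},    # local console delete: interactive session
]


def remote_deletions(events):
    """Return (user, source IP, time, path) for each DELETE access made
    inside a network logon session. The 4624 TargetLogonId and the 4663
    SubjectLogonId are the same value, which is what ties them together."""
    sessions = {e["TargetLogonId"]: e for e in events
                if e["Id"] == 4624 and e["LogonType"] == NETWORK}
    hits = []
    for e in events:
        if e["Id"] != 4663 or not (e["AccessMask"] & DELETE):
            continue
        logon = sessions.get(e["SubjectLogonId"])
        if logon is None:
            continue  # interactive session, or its logon predates the log
        hits.append((logon["TargetUserName"], logon["IpAddress"],
                     e["Time"], e["ObjectName"]))
    return hits


if __name__ == "__main__":
    for user, ip, when, path in remote_deletions(EVENTS):
        print(f"{when} {user}@{ip} DELETE {path}")
```

Without Audit Object Access (and a SACL on the files) and Audit Logon Events enabled, none of these records exist, which is exactly the situation in the thread.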
