Re: a forensic question
From: Karl Levinson [x y] mvp (levinson_k@despammed.com)
Date: 02/22/03
- Next message: Karl Levinson [x y] mvp: "Re: LM HASHES"
- Previous message: Karl Levinson [x y] mvp: "Re: Window2000 Server Kernel Security"
- In reply to: Steven L Umbach: "Re: a forensic question"
- Next in thread: Peter L: "Re: a forensic question"
- Reply: Peter L: "Re: a forensic question"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Karl Levinson [x y] mvp" <levinson_k@despammed.com> Date: Sat, 22 Feb 2003 08:45:58 -0500
Also, you have to ask yourself whether it is likely that someone deleted
those files. Are they important? Would anyone gain anything by deleting
them? Would someone with malicious intent be more likely to copy the files
or do something else to cause more damage? IMHO, usually file deletions
like this turn out to be user error, though without auditing logs all you've
got is guesses [and the information to make changes to prevent this from
happening next time].
"Steven L Umbach" <n9rou@attbi.com> wrote in message
news:sQC5a.196004$tq4.5077@sccrnsc01...
> Hi Doug. If the computer had file and print sharing enabled on it then
> someone who had administrator privileges could have deleted files
remotely,
> but if auditing was not enabled it will be impossible to find out who it
> was. Did the computer have a floppy drive and if so was it bootable from
it
> or perhaps the cmos was not password protected? The files may have been
> deleted from a bootable floppy and that would leave no trace. -- Steve
>
> "Doug Fox" <dfox168@hotmail.com> wrote in message
> news:xUB5a.36937$UXa.28377@news02.bloor.is.net.cable.rogers.com...
> > A user swore that she had powered down her NT 4.0 workstation before
going
> > home. But she discovered that some important files on her workstation
> were
> > deleted this morning.
> >
> > Checked:
> >
> > The Event Viewer | Security Log, there was no entry as auditing was not
> > enabled.
> > The Event Viewer | System Log, the PC was powered down at 5:15 pm
> yesterday
> > and a DHCP request this morning. There was no activity in between these
> two
> > entries.
> > The Recyle Bin was empty.
> >
> > Also checked file://winnt/profiles directory. There was no
unrecognizable
> > username.
> >
> > Where else I can check for un-authorized access to this workstation?
> Could
> > it be "remote control" by a user with administrative priviledge? For
> > instance, net use file://computername/c$. How can I find it out? From
the
> > security log of the PDC?
> >
> > Are there tools which help in-depth investigations?
> >
> > Any pointers are appreciated.
> >
> > Thanks,
> >
> >
> >
>
>
--- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.449 / Virus Database: 251 - Release Date: 1/27/2003
- Next message: Karl Levinson [x y] mvp: "Re: LM HASHES"
- Previous message: Karl Levinson [x y] mvp: "Re: Window2000 Server Kernel Security"
- In reply to: Steven L Umbach: "Re: a forensic question"
- Next in thread: Peter L: "Re: a forensic question"
- Reply: Peter L: "Re: a forensic question"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
