Re: a forensic question
From: OneGuy (OneGuy@hotsnail.com)
Date: 02/24/03
From: "OneGuy" <OneGuy@hotsnail.com> Date: Mon, 24 Feb 2003 15:33:02 -0500
Doug,
Any word on the final outcome of this situation?
OneGuy
"Doug Fox" <dfox168@hotmail.com> wrote in message
news:xUB5a.36937$UXa.28377@news02.bloor.is.net.cable.rogers.com...
> A user swore that she had powered down her NT 4.0 workstation before going
> home. But she discovered that some important files on her workstation were
> deleted this morning.
>
> Checked:
>
> The Event Viewer | Security Log, there was no entry as auditing was not
> enabled.
> The Event Viewer | System Log, the PC was powered down at 5:15 pm yesterday
> and a DHCP request this morning. There was no activity in between these two
> entries.
> The Recycle Bin was empty.
>
> Also checked //winnt/profiles directory. There was no unrecognizable
> username.
>
> Where else can I check for unauthorized access to this workstation? Could
> it be "remote control" by a user with administrative privilege? For
> instance, net use //computername/c$. How can I find it out? From the
> security log of the PDC?
>
> Are there tools which help in-depth investigations?
>
> Any pointers are appreciated.
>
> Thanks,
>
>
>