Re: a forensic question

From: Doug Fox (dfox168@hotmail.com)
Date: 02/27/03 

From: "Doug Fox" <dfox168@hotmail.com>
Date: Thu, 27 Feb 2003 03:06:33 GMT

It turns out that you are correct.

Another question:

The user also swore that he turned off the PC before leaving the workplace.
When he came back the office the next day, the PC was on. Checked Event
Viewer | System Log and Security Log. The System Log shows that the PC was
actually turned off and on as he said, but the Security Log does not have
any entry concerning user logging in.

Any suggestions?

Thanks again.

"OneGuy" <OneGuy@hotsnail.com> wrote in message
news:b3dv9d$1lg428$1@ID-102870.news.dfncis.de...
> Doug,
>
> Any word on the final outcome of this situation?
>
> OneGuy
>
> "Doug Fox" <dfox168@hotmail.com> wrote in message
> news:xUB5a.36937$UXa.28377@news02.bloor.is.net.cable.rogers.com...
> > A user swore that she had powered down her NT 4.0 workstation before
going
> > home. But she discovered that some important files on her workstation
> were
> > deleted this morning.
> >
> > Checked:
> >
> > The Event Viewer | Security Log, there was no entry as auditing was not
> > enabled.
> > The Event Viewer | System Log, the PC was powered down at 5:15 pm
> yesterday
> > and a DHCP request this morning. There was no activity in between these
> two
> > entries.
> > The Recyle Bin was empty.
> >
> > Also checked //winnt/profiles directory. There was no unrecognizable
> > username.
> >
> > Where else I can check for un-authorized access to this workstation?
> Could
> > it be "remote control" by a user with administrative priviledge? For
> > instance, net use //computername/c$. How can I find it out? From the
> > security log of the PDC?
> >
> > Are there tools which help in-depth investigations?
> >
> > Any pointers are appreciated.
> >
> > Thanks,
> >
> >
> >
>
>

Relevant Pages

  • Re: a forensic question
    ... the last 12 years that a user "swore the file was there" or "swore someone ... But she discovered that some important files on her workstation ... > The Event Viewer | Security Log, there was no entry as auditing was not ... > security log of the PDC? ...
    (comp.security.misc)
  • Re: a forensic question
    ... The user also swore that he turned off the PC before leaving the workplace. ... Viewer | System Log and Security Log. ... any entry concerning user logging in. ... But she discovered that some important files on her workstation ...
    (comp.security.misc)
  • Re: a forensic question
    ... > findstring then do the same for any network drive access they have. ... > it the slave on a machine with Easy Recovery Pro installed. ... But she discovered that some important files on her workstation ... >> security log of the PDC? ...
    (comp.security.misc)
  • Re: Event ID 560 Problem
    ... >Error 560s usually refer to object access. ... >whenever a user makes a connection to something out on ... >> this repeated event in my security log that I can't ... Whenever someone log off their workstation, ...
    (microsoft.public.win2000.security)
  • Re: Security Event logs dont match
    ... I am not saying that the DC log is untrustworthy; ... The DC's log says that it was accessed remotely from his workstation from ... >> The primary domain controller security log says that Steve ... >> that time, but contains login info from that morning, and ...
    (microsoft.public.security)