Re: a forensic question

From: OneGuy (OneGuy@hotmail.com)
Date: 02/27/03


From: "OneGuy" <OneGuy@hotmail.com>
Date: Wed, 26 Feb 2003 23:11:00 -0500


Glad to learn the data is found. After all that is what is really important.
As far as the workstation being "on" in the morning....

Wake on LAN? Ring any bells? :-)

Does your environment have helpdesk personnel doing machine maintenance
after normal business hours like mine does?

Just some thoughts.

OneGuy

"Doug Fox" <dfox168@hotmail.com> wrote in message
news:Zgf7a.100208$Zr%.49692@news01.bloor.is.net.cable.rogers.com...
> It turns out that you are correct.
>
> Another question:
>
> The user also swore that he turned off the PC before leaving the workplace.
> When he came back to the office the next day, the PC was on. Checked Event
> Viewer | System Log and Security Log. The System Log shows that the PC was
> actually turned off and on as he said, but the Security Log does not have
> any entry concerning user logging in.
>
> Any suggestions?
>
> Thanks again.
>
>
>
>
> "OneGuy" <OneGuy@hotsnail.com> wrote in message
> news:b3dv9d$1lg428$1@ID-102870.news.dfncis.de...
> > Doug,
> >
> > Any word on the final outcome of this situation?
> >
> > OneGuy
> >
> > "Doug Fox" <dfox168@hotmail.com> wrote in message
> > news:xUB5a.36937$UXa.28377@news02.bloor.is.net.cable.rogers.com...
> > > A user swore that she had powered down her NT 4.0 workstation before
> > > going home. But she discovered that some important files on her
> > > workstation were deleted this morning.
> > >
> > > Checked:
> > >
> > > The Event Viewer | Security Log, there was no entry as auditing was
> > > not enabled.
> > > The Event Viewer | System Log, the PC was powered down at 5:15 pm
> > > yesterday and a DHCP request this morning. There was no activity in
> > > between these two entries.
> > > The Recycle Bin was empty.
> > >
> > > Also checked //winnt/profiles directory. There was no unrecognizable
> > > username.
> > >
> > > Where else can I check for unauthorized access to this workstation?
> > > Could it be "remote control" by a user with administrative privilege? For
> > > instance, net use //computername/c$. How can I find it out? From the
> > > security log of the PDC?
> > >
> > > Are there tools which help in-depth investigations?
> > >
> > > Any pointers are appreciated.
> > >
> > > Thanks,
> > >
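A small timeline check in the spirit of what Doug did by hand: pair the Event Log service stop and start entries in an exported System Log to see when the workstation was actually running, and flag any power-on that began outside business hours (the Wake-on-LAN or after-hours helpdesk case OneGuy raises). This is an added example, not code from the thread; the export format and every entry are constructed, event IDs 6005/6006 are the real Event Log service start/stop IDs, and 9001 is a placeholder.

```python
import csv
from datetime import datetime, time
from io import StringIO

# Constructed sample export: timestamp,event_id,source,message (not from the thread).
# 6005/6006 are the real Event Log service start/stop IDs; 9001 is a placeholder.
SAMPLE_SYSTEM_LOG = """\
2003-02-25 17:15:02,6006,EventLog,The Event log service was stopped.
2003-02-26 02:10:33,6005,EventLog,The Event log service was started.
2003-02-26 02:10:50,9001,Dhcp,Constructed: lease obtained
2003-02-26 02:41:12,6006,EventLog,The Event log service was stopped.
2003-02-26 08:02:41,6005,EventLog,The Event log service was started.
2003-02-26 08:03:10,9001,Dhcp,Constructed: lease obtained
"""

def parse_log(text):
    """Parse the constructed CSV export into (timestamp, event_id, source, message) tuples."""
    rows = []
    for ts, eid, src, msg in csv.reader(StringIO(text)):
        rows.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(eid), src, msg))
    return sorted(rows)

def power_sessions(records):
    """Pair each service start (6005) with the next stop (6006); None means still running."""
    sessions, start = [], None
    for ts, eid, _, _ in records:
        if eid == 6005:
            start = ts
        elif eid == 6006 and start is not None:
            sessions.append((start, ts))
            start = None
    if start is not None:
        sessions.append((start, None))
    return sessions

def after_hours_sessions(records, day_start=time(7), day_end=time(18)):
    """Sessions that began outside business hours: the box was on while nobody was there."""
    return [(s, e) for s, e in power_sessions(records)
            if not (day_start <= s.time() < day_end)]

def logon_evidence_is_meaningful(security_records):
    """With auditing off the Security Log is empty, so the absence of logon entries proves nothing."""
    return len(security_records) > 0

if __name__ == "__main__":
    recs = parse_log(SAMPLE_SYSTEM_LOG)
    for start, end in after_hours_sessions(recs):
        print("after-hours power-on:", start, "->", end)
    print("security log usable:", logon_evidence_is_meaningful([]))
```

On the constructed sample this reports one overnight session (02:10 to 02:41) that a user who "turned the PC off" would not have produced, which is the gap worth correlating against helpdesk schedules or Wake-on-LAN traffic.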


