Forensic Investigation

SteelCadman

This is a duplicate post; I have also posted this in the Security and Admin board.

Ok, I have used a very specific title for the subject of this post, and
rightly so. The company I work for had a tech-savvy employee leave rather
suddenly. However, there was activity on this individual's computer after her
departure. Files were accessed, not remotely, as the workstation was
physically disconnected from the network.
Here's the query: what form of access was performed on the files? Were they
copied, or were they just opened? If they were copied, where to? USB, CD burner?

Now, if our IT guy was quick, he would have all systems running XP Pro with
security policies set to Fort Knox level. However, we have XP Home, and now I
have been asked to figure out the answers to the above questions.

My question is: is it possible after the fact? And if so, how?
I've tried everything I can think of.
 
If not remotely, then someone had to sit down at the PC and access them.
There is no way to tell what method was used without some kind of security
monitoring software installed.

Does the PC have a wireless NIC installed? And how do you know these files
were accessed?

"SteelCadman" wrote:

> This is a duplicate post; I have also posted this in the Security and Admin board.
>
> Ok, I have used a very specific title for the subject of this post, and
> rightly so. The company I work for had a tech-savvy employee leave rather
> suddenly. However, there was activity on this individual's computer after her
> departure. Files were accessed, not remotely, as the workstation was
> physically disconnected from the network.
> Here's the query: what form of access was performed on the files? Were they
> copied, or were they just opened? If they were copied, where to? USB, CD burner?
>
> Now, if our IT guy was quick, he would have all systems running XP Pro with
> security policies set to Fort Knox level. However, we have XP Home, and now I
> have been asked to figure out the answers to the above questions.
>
> My question is: is it possible after the fact? And if so, how?
> I've tried everything I can think of.
 
If you must make identical posts to multiple newsgroups, please cross-post
one (1) message to all of them. Thank you.

Multiposting vs Crossposting:
http://www.blakjak.demon.co.uk/mul_crss.htm
--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE, OE, Security, Shell/User)
AumHa VSOP & Admin http://aumha.net
DTS-L.ORG http://66.39.69.143/

SteelCadman wrote:
> This is a duplicate post; I have also posted this in the Security and Admin
> board.
>
> Ok, I have used a very specific title for the subject of this post, and
> rightly so. The company I work for had a tech-savvy employee leave rather
> suddenly. However, there was activity on this individual's computer after
> her departure. Files were accessed, not remotely, as the workstation was
> physically disconnected from the network.
> Here's the query: what form of access was performed on the files? Were
> they copied, or were they just opened? If they were copied, where to? USB,
> CD burner?
>
> Now, if our IT guy was quick, he would have all systems running XP Pro
> with security policies set to Fort Knox level. However, we have XP Home, and now
> I have been asked to figure out the answers to the above questions.
>
> My question is: is it possible after the fact? And if so, how?
> I've tried everything I can think of.
 
We know they were accessed because the "Last Accessed" time stamp is 2 days
after the employee's departure. So we are attempting to ascertain if it was
done by someone remaining on staff on their behalf, or if they were in the
building.

Is there any way of getting a list of files that were accessed during a
certain time period?

No, it doesn't have a wireless NIC.

"sgopus" wrote:

> If not remotely, then someone had to sit down at the PC and access them.
> There is no way to tell what method was used without some kind of security
> monitoring software installed.
>
> Does the PC have a wireless NIC installed? And how do you know these files
> were accessed?
 
Normally I would do that, except I am at work and our IT guy has limited our
access to newsgroups to nil. So I had to use the nifty web-based newsreader.

"PA Bear" wrote:

> If you must make identical posts to multiple newsgroups, please cross-post
> one (1) message to all of them. Thank you.
>
> Multiposting vs Crossposting:
> http://www.blakjak.demon.co.uk/mul_crss.htm
> --
> ~Robear Dyer (PA Bear)
> MS MVP-Windows (IE, OE, Security, Shell/User)
> AumHa VSOP & Admin http://aumha.net
> DTS-L.ORG http://66.39.69.143/
 
That doesn't preclude crossposting: Click on "Advanced Options" in the Reply
window.

SteelCadman wrote:
> Normally I would do that, except I am at work and our IT guy has limited
> our access to newsgroups to nil. So I had to use the nifty web-based
> newsreader.
 
You can check Event Viewer; if you have logons audited it will list the last
successful logons, but without some type of video security system you won't
be able to prove who it was that actually used that account to log on. If you
haven't already done so, disable that logon, and audit all logons, both successful
and not.
If the PC has no internet access then someone has to have been sitting at
the keyboard to access the PC.
I would also check the application event log during that period to see what
applications were running. Unless you have certain events set to be captured
in the event log, I can't see where you would look to find this evidence. If
you suspect there would be future access, install a keylogger and audit more
events.

"SteelCadman" wrote:

> We know they were accessed because the "Last Accessed" time stamp is 2 days
> after the employee's departure. So we are attempting to ascertain if it was
> done by someone remaining on staff on their behalf, or if they were in the
> building.
>
> Is there any way of getting a list of files that were accessed during a
> certain time period?
>
> No, it doesn't have a wireless NIC.
 
Check out this article on turning on various events within the system Event Viewer.
Basically it says unless you have this already turned on, you're SOL,
and if you turn on too much detail it will bog down your PC, and most of the
more useful detail requires a LAN and an Active Domain Controller server to
track the events.

http://www.ultimatewindowssecurity.com/ebookChapter2.html



"SteelCadman" wrote:

> We know they were accessed because the "Last Accessed" time stamp is 2 days
> after the employee's departure. So we are attempting to ascertain if it was
> done by someone remaining on staff on their behalf, or if they were in the
> building.
>
> Is there any way of getting a list of files that were accessed during a
> certain time period?
>
> No, it doesn't have a wireless NIC.
 
"SteelCadman" <SteelCadman@discussions.microsoft.com> wrote in message
news:FD477247-7385-4594-9D99-9A021038E26C@microsoft.com...
> We know they were accessed because the "Last Accessed" time stamp is 2
> days after the employee's departure. So we are attempting to ascertain if it was
> done by someone remaining on staff on their behalf, or if they were in the
> building.
>


Actually, interrogating the file properties constitutes an access, so the
'Last Accessed' time stamp will show the last activity on the file even if
it was just to check the time stamp itself. 'Last Accessed' has to rate as
one of the most stupid features of Windows for this reason.
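SteelCadman asked earlier for a list of files accessed during a certain period, and the reply above warns that merely looking at a file can move its 'Last Accessed' stamp. The script below is an added example, not code from anyone in this thread: it sweeps a tree with os.stat() only (metadata, no read of the file's contents, unlike opening it in an application), then filters the collected access times to a window. The paths and timestamps in demo_records() are constructed for illustration.

```python
import os
from datetime import datetime, timezone


def utc_epoch(iso_text):
    """Turn a naive ISO-8601 string (interpreted as UTC) into epoch seconds."""
    return datetime.fromisoformat(iso_text).replace(tzinfo=timezone.utc).timestamp()


def collect_access_times(root):
    """Walk `root` and return (path, last-access epoch) for every file.
    Only os.stat() is used: it reads the metadata record rather than the
    file's contents, so the sweep itself should not disturb what it measures.
    Run this once, first, and work from the saved list afterwards."""
    records = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                records.append((path, os.stat(path).st_atime))
            except OSError:      # unreadable or vanished: skip it, don't abort
                continue
    return records


def accessed_between(records, start_iso, end_iso):
    """Keep records whose access time lies in [start, end], oldest first,
    as (path, ISO timestamp in UTC) pairs that read as a timeline."""
    start, end = utc_epoch(start_iso), utc_epoch(end_iso)
    hits = sorted(((p, t) for p, t in records if start <= t <= end),
                  key=lambda r: r[1])
    return [(p, datetime.fromtimestamp(t, timezone.utc).isoformat()) for p, t in hits]


def demo_records():
    """Constructed sample: departure on 2006-03-09, suspect activity two days later."""
    sample = [
        ("C:/docs/report.xls",   "2006-03-09T17:40:00"),   # last touched before departure
        ("C:/docs/contacts.csv", "2006-03-11T09:15:00"),   # inside the window
        ("C:/docs/pricing.doc",  "2006-03-11T08:02:00"),   # inside the window
        ("C:/docs/notes.txt",    "2006-03-13T10:00:00"),   # after the window
    ]
    return [(p, utc_epoch(t)) for p, t in sample]


if __name__ == "__main__":
    # Real use: records = collect_access_times(r"C:\Documents and Settings\user")
    window = ("2006-03-10T00:00:00", "2006-03-12T00:00:00")
    for path, when in accessed_between(demo_records(), *window):
        print(when, path)
```

Treat a hit as a lead rather than proof: on XP the access time moves on any read of the file's data, and later Windows versions disable access-time updates by default.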
 