windows file server

windows file server

Post Posted: Thu Feb 07, 2013 4:43 pm

Hey guys

My group has been tasked with determining what user made unauthorized permission changes on a file server.

The server does not have auditing enabled, we think, based on past cases.

What tracking artifacts could we potentially look for?

I am thinking of looking at the $UsnJrnl and index files to see if maybe we can narrow down a user changing files around the time of the incident.

The file server is Windows.

taurean25
Senior Member
Re: windows file server

Post Posted: Sun Feb 10, 2013 8:07 am

- taurean25

My group has been tasked with determining what user made unauthorized permission changes on a file server.


Ok.

- taurean25

The server does not have auditing enabled, we think, based on past cases.


Don't ever assume...check. As an incident responder, I could see 50 systems in a row that didn't have auditing enabled, and if I assumed that number 51 was the same, I might be wrong. I wouldn't risk it. Check.

- taurean25

What tracking artifacts could we potentially look for?


I would do this...sit down with whoever reported this, and try to get a better idea of what it was that led to this "discovery".

Many times, technical incidents are reported by non-technical people. Years ago, I was working at a company, and HR thought that their systems had been hacked...a layoff list for an office in AZ had been leaked. We sat with HR and asked what happened, where the list had been created and stored, etc. Examining the HR rep's system, we found that the file in question had been sent to a network printer. The _real_ compromise was the fact that the rep had sent the file to the printer and gone to lunch...someone else had come along, found the file, and faxed a copy of it to the AZ office.

My point is that sometimes what is assumed to be the issue really isn't.

- taurean25

I am thinking of looking at the $UsnJrnl and index files to see if maybe we can narrow down a user changing files around the time of the incident.


Again, look at what would need to be done in order to accomplish something like this...did a user log in remotely and make the change via a GUI? You might find this in the UserAssist data, or in the shellbags, depending upon the version of Windows you're looking at. Did they do it using a CLI tool? Do you find indications that something like cacls.exe was run?

- taurean25

The file server is Windows.


Which version? One that supports Volume Shadow Copies?

HTH  

keydet89
Senior Member
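The checks keydet89 lists above (verify the audit policy rather than assume, look for remote GUI logons versus CLI tools such as cacls.exe, and use Volume Shadow Copies if the server supports them) gathered into one triage script. This is an added example written for this page, not code posted by either participant. It assumes a Windows Server 2008 R2 or later file server with PowerShell 3.0+, run elevated on the server itself; the incident window, the affected folder D:\Shares\Finance, the snapshot number and the link path C:\vss_d are hypothetical and must be adjusted to the case. Event IDs 4670, 4719, 1102 and 4624 are the standard Security log IDs for permission changes, audit policy changes, log clearing and logons.

```powershell
# Added example, not code from the original thread. Triage for a Windows file server
# where someone is suspected of changing NTFS permissions.
# Assumptions (hypothetical): Server 2008 R2+ with PowerShell 3.0+, run elevated on the
# server, affected folder D:\Shares\Finance on volume D:, snapshot 1 is older than the change.
param(
    [datetime]$Start  = (Get-Date).AddDays(-7),   # incident window, hypothetical
    [datetime]$End    = (Get-Date),
    [string]$Target   = 'D:\Shares\Finance'        # folder whose ACL changed, hypothetical
)

# Flatten a Security event's EventData into a hashtable keyed by field name.
function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $data = @{}
    foreach ($n in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
    return $data
}

# 1. Don't assume: read the effective audit policy. Permission changes on files are only
#    logged when the "File System" subcategory is on AND the object carries a SACL.
#    "Audit Policy Change" shows whether someone turned auditing off.
auditpol /get /subcategory:"File System"
auditpol /get /subcategory:"Audit Policy Change"

# 2. If anything was logged: 4670 = permissions on an object were changed (account, object,
#    process used, old/new security descriptor as SDDL); 4719 = audit policy changed;
#    1102 = Security log cleared.
$ids = 4670, 4719, 1102
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=$ids; StartTime=$Start; EndTime=$End } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            User    = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Object  = $d['ObjectName']
            Process = $d['ProcessName']
            OldSd   = $d['OldSd']
            NewSd   = $d['NewSd']
        }
    } | Format-Table -AutoSize

# 3. Who was on the box interactively? 4624 with LogonType 10 (RDP) or 2 (console) in the
#    window narrows the candidate users even when object auditing was off.
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4624; StartTime=$Start; EndTime=$End } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        if ('2','10' -contains $d['LogonType']) {
            [pscustomobject]@{ Time=$_.TimeCreated; Type=$d['LogonType']; User="$($d['TargetDomainName'])\$($d['TargetUserName'])"; From=$d['IpAddress'] }
        }
    } | Format-Table -AutoSize

# 4. CLI tools: if Prefetch is enabled (it is usually off on servers, so absence proves
#    nothing) the .pf files record when cacls/icacls/takeown-style tools last ran.
Get-ChildItem "$env:SystemRoot\Prefetch" -Filter '*.pf' -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^(CACLS|ICACLS|XCACLS|TAKEOWN|SUBINACL)' } |
    Select-Object Name, CreationTime, LastWriteTime

# 5. Volume Shadow Copies: an older snapshot lets you diff the folder's ACL against the
#    current one and bound when the change happened. Expose the snapshot via a directory
#    symlink (the trailing backslash on the device path is required) and compare.
vssadmin list shadows /for=D:
$shadow = '\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\'   # pick from the list above (hypothetical)
cmd /c mklink /d C:\vss_d $shadow | Out-Null
$rel    = $Target.Substring(3)                                  # strip 'D:\'
$before = (Get-Acl (Join-Path 'C:\vss_d' $rel)).Access | Select-Object IdentityReference, FileSystemRights, AccessControlType
$now    = (Get-Acl $Target).Access                      | Select-Object IdentityReference, FileSystemRights, AccessControlType
Compare-Object $before $now -Property IdentityReference, FileSystemRights, AccessControlType
cmd /c rmdir C:\vss_d                                           # removes the link only, not the snapshot
```

Read the ACL diff as a time bound, not as proof: the snapshot only shows the ACL as of its creation time, so repeat step 5 against each snapshot that brackets the reported date. If step 1 shows auditing was off and step 2 returns nothing, steps 3 to 5 are what remain on the server itself; the $UsnJrnl and shellbag/UserAssist artifacts mentioned in the thread still need to be pulled from an image.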