Where is Network Hi...
 
Notifications
Clear all

Where is Network History or VPN profiles

5 Posts
3 Users
0 Likes
1,743 Views
(@neghvar)
Posts: 9
Active Member
Topic starter
 

I have a SSD image of a Windows 7 SP 1 64-bit OS. I am using Autopsy 4.5. I need to know if this unit used a VPN connection at any point. This unit was a DVR for a motel in the US. Someone repurposed it without authorization as an Office PC including Office 365. There are multiple OST files with .nz and .au. I figure that for a system at a motel in the US with these OST files would have to use a VPN to connect to the exchange server in Australia and New Zealand. Where would a VPN profile be located and/ or network history. I need to find an explanation as to how these OST files got on this system.

Thanks

 
Posted : 22/02/2018 11:43 pm
Bunnysniper
(@bunnysniper)
Posts: 257
Reputable Member
 

Have a look at Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\
to see all interfaces on the PC. If there was a VPN, it was registered as a network adapter. And check for Prefetch files indicating the execution of a VPN software, for example vpngui.exe for AnyConnect.

best regards,
Robin

 
Posted : 23/02/2018 12:51 pm
(@neghvar)
Posts: 9
Active Member
Topic starter
 

Have a look at Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\
to see all interfaces on the PC. If there was a VPN, it was registered as a network adapter. And check for Prefetch files indicating the execution of a VPN software, for example vpngui.exe for AnyConnect.

best regards,
Robin

No luck
Any ideas as to how these OST files from could have gotten on this system without an VPN connection? The OST files were in the correct folders in each user account. I'm open to possibilities. No servers on-site, just other client systems. The router provides DHCP and NAT (don't know the settings).

 
Posted : 23/02/2018 5:49 pm
gungora
(@gungora)
Posts: 33
Eminent Member
 

No luck
Any ideas as to how these OST files from could have gotten on this system without an VPN connection? The OST files were in the correct folders in each user account. I'm open to possibilities. No servers on-site, just other client systems. The router provides DHCP and NAT (don't know the settings).

I would not assume that a VPN is necessary for the suspect computer to connect to an Exchange Server. I suggest that you take a look at the mail profiles configured on the computer and see which Exchange servers correspond to the OST files in question.

 
Posted : 23/02/2018 11:21 pm
(@neghvar)
Posts: 9
Active Member
Topic starter
 

No luck
Any ideas as to how these OST files from could have gotten on this system without an VPN connection? The OST files were in the correct folders in each user account. I'm open to possibilities. No servers on-site, just other client systems. The router provides DHCP and NAT (don't know the settings).

I would not assume that a VPN is necessary for the suspect computer to connect to an Exchange Server. I suggest that you take a look at the mail profiles configured on the computer and see which Exchange servers correspond to the OST files in question.

I founf the profiles and the .xml files. The OST files are from Outlook.office365.com. Due to cached Exchange mode being enabled, it saved all their emails to this DVR/ now office PC used at the motel. Big security risk to access Outlook.office365.com from a public system.

Thanks,

 
Posted : 24/02/2018 12:17 am
Share: