Using multiple user IDs

9 Posts
4 Users
0 Reactions
692 Views
(@malinda)
Eminent Member
Joined: 18 years ago
Posts: 45
Topic starter  

I have a small practical question.

How can I investigate possible fraud in which some member of the staff logged in to the organization's system using multiple user IDs?

Assume the company uses a RAID system for their servers.

Any comment on this? 8)


   
(@mas66)
Eminent Member
Joined: 20 years ago
Posts: 21
 

I have a small practical question.

How can I investigate possible fraud in which some member of the staff logged in to the organization's system using multiple user IDs?

Assume the company uses a RAID system for their servers.

Any comment on this? 8)

Sorry, but for me you will need to provide a lot more information than this.

What type of organization? Bank, shop, etc.?
What type of fraud? Removing data, transferring money, etc.?
What is the general setup of the network?
What is the OS?
How many machines did they log on to?

That's just a few things that I can think of off the top of my head.

cheers

Mark D


   
(@malinda)
Eminent Member
Joined: 18 years ago
Posts: 45
Topic starter  

Yeah, here is the information:

01. Organization is a software development firm.
02. Type of fraud? Stole data.
03. Network setup? 1 Linux server and 2 Windows servers.
04. OS? Mac (3) & Windows (around 34).

There are more than 25 client computers. Suspicious activity using a Mac with the Linux server, which has a RAID system.


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

I have a small practical question.

How can I investigate possible fraud in which some member of the staff logged in to the organization's system using multiple user IDs?

Assume the company uses a RAID system for their servers.

Any comment on this? 8)

As the issue appears to be theft of data, I would suggest looking for:

1. Use of removable storage devices.
2. Use of web-based resources, such as email, online storage, etc.
3. Use of network-based transport (HTTP, FTP, etc.).

Consider the type and volume of data, where it exists (where it should exist, as well as where it is found to exist), etc.


   
(@malinda)
Eminent Member
Joined: 18 years ago
Posts: 45
Topic starter  

Thanks for the comments.

Can I get any clue from the RAID system? I mean, anything using a RAID technique apart from your suggestions?


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Thanks for the comments.

Can I get any clue from the RAID system? I mean, anything using a RAID technique apart from your suggestions?

What do you mean? What "RAID technique" are you referring to? RAID is a disk management technology:
http://en.wikipedia.org/wiki/RAID


   
(@malinda)
Eminent Member
Joined: 18 years ago
Posts: 45
Topic starter  

Yeah, I know about RAID, but I thought I could get some help from those things. Anyway, thanks for the tip.

And also, where can I get the details about removable storage devices on Mac OS? Because I don't have thorough knowledge about Mac OS…


   
(@kovar)
Prominent Member
Joined: 18 years ago
Posts: 805
 

Yeah, I know about RAID, but I thought I could get some help from those things. Anyway, thanks for the tip.

And also, where can I get the details about removable storage devices on Mac OS? Because I don't have thorough knowledge about Mac OS…

Greetings,

I'm fairly new to Mac forensics so take this with a grain of salt.

1) All removable storage will show up under /Volumes if you've got disk arbitration turned on, which is the default.
2) /var/log/daily.out will show you what volumes were mounted when it ran daily.
3) While mounted, the device appears in various locations but vanishes when removed.

And, at the moment, that appears to be it for logging. I'm a bit surprised, actually; I'd expect mount and diskarbitration to be more chatty. I just inserted a USB thumb drive in an OS 10.4 system and no record of the event appeared in /var/log at all.

You can start diskarbitration with the -d flag and it will log events, but this isn't the default.

Read the man page on diskarbitration for more detail. Bear in mind that, at least on 10.4, it is out of date because it references /etc/fstab, which no longer exists.

-David

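As an added example (not code from this thread or from any of its posters), a small Python parser for the /var/log/daily.out format David describes: it pulls the /Volumes/* mount points out of each nightly df snapshot, so an examiner can see which external volumes were attached at the time of each run. The sample log is constructed, and the column layout assumes the six-column df output that periodic(8) writes on 10.4.

```python
import re
from collections import OrderedDict

# Constructed sample of two /var/log/daily.out runs (not real evidence); the
# "Disk status:" block is the df output that periodic(8) appends each night.
SAMPLE_DAILY_OUT = """\
Sun Jan  6 03:15:01 EST 2008

Disk status:
Filesystem    512-blocks      Used Available Capacity  Mounted on
/dev/disk0s2   156039808 110876968  44650840    72%    /
/dev/disk1s1     3915776   1022400   2893376    27%    /Volumes/KINGSTON

Mon Jan  7 03:15:01 EST 2008

Disk status:
Filesystem    512-blocks      Used Available Capacity  Mounted on
/dev/disk0s2   156039808 110901120  44626688    72%    /
/dev/disk2s1   976773168 120000000 856773168    13%    /Volumes/Backup HD
"""

# Timestamp line that periodic(8) writes at the start of every run.
RUN_HEADER = re.compile(r"^(Mon|Tue|Wed|Thu|Fri|Sat|Sun) [A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d \S+ \d{4}$")

def mounted_volumes_by_run(text):
    """Map each run timestamp to the /Volumes/* mount points in its df snapshot
    (only what was mounted at run time is visible; a drive pulled earlier leaves no trace)."""
    runs, current, in_df = OrderedDict(), None, False
    for line in text.splitlines():
        if RUN_HEADER.match(line):
            current, in_df = line, False
            runs[current] = []
        elif line.startswith("Disk status:"):
            in_df = current is not None
        elif in_df:
            if not line.strip():          # blank line closes the df block
                in_df = False
                continue
            # Mount point is the 6th df column and may contain spaces, so split 5 times.
            fields = line.split(None, 5)
            if len(fields) == 6 and fields[5].startswith("/Volumes/"):
                runs[current].append(fields[5])
    return runs

def volume_timeline(runs):
    """Per external volume: (first, last) nightly run that saw it mounted."""
    seen = {}
    for when, vols in runs.items():
        for v in vols:
            seen[v] = (seen.get(v, (when,))[0], when)
    return seen
```

Point it at a copy of the real daily.out (and its rotated predecessors, which are gzipped) to reconstruct which external volumes were present on which nights.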

   
(@kovar)
Prominent Member
Joined: 18 years ago
Posts: 805
 

I have a small practical question.

How can I investigate possible fraud in which some member of the staff logged in to the organization's system using multiple user IDs?

Assume the company uses a RAID system for their servers.

Any comment on this? 8)

Greetings,

I think you're going to need to analyze many systems to get the information you're looking for. Some more questions which come to mind:

1) Why do you believe they used multiple IDs?
2) Can you show that they're the only one who could use those IDs?
3) What "organizational system" did they use? (Windows, OSX, Linux)
4) How are the accounts authenticated? Locally, AD, LDAP, NIS?
5) Where are the logs kept, how are they managed, how far back do they go?
6) What was removed, how do you think it was removed, what other ways could it have been removed, …?
7) What systems did they have access to?

The fact that (one of?) the underlying file systems is on RAID probably will have little bearing on your investigation.

-David


   