Evidence of remote desktop outside of Security log  

(@minime2k9)
Active Member

I'm looking to find evidence that a user remotely logged into machine or prove the opposite.

Remote Desktop connections are enabled in the NTuser.dat, however the Secevt log has been wiped or never used. This is a Windows XP system.

I've checked windows firewall is on and RDP does not appear to be in list of allowed connections, but going to test this in a VM.

Any other artefacts that I should be looking at?

Posted : 18/04/2015 9:55 pm
(@jaclaz)
Community Legend

Any other artefacts that I should be looking at?

Bit Map Cache?
http://www.forensicfocus.com/Forums/viewtopic/t=11287/
http://www.forensicfocus.com/Forums/viewtopic/t=11667/

Last working download link
https://turbolab.it/scarica/9

jaclaz

Posted : 18/04/2015 10:07 pm
(@minime2k9)
Active Member

Thanks for that, I'm not sure it will help me as I'm looking at the remote desktop target machine (server) and don't have the connecting machine (client).

Posted : 19/04/2015 12:00 am
(@jaclaz)
Community Legend

I thought it was the other way round, my bad.

Unless this was implemented
https://support.microsoft.com/en-us/kb/894565

I believe that the only log entry that you can find on the server side is a 528/10
http://www.tomshardware.co.uk/forum/145000-45-remote-desktop-connection-logs

If you have network logs (or firewall, etc.) you may look for connections through the "default" port 3389, or the "non-standard" port specified in
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

See
https://www.umanitoba.ca/about/media/IST_Securing_Remote_Desktop_on_XPpro.pdf

jaclaz

Posted : 19/04/2015 12:22 am
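As an added example of the server-side check jaclaz describes (this is not code from the thread, from jaclaz or from Microsoft), the script below pulls RDP connection attempts out of a Windows Firewall log export. It assumes the log keeps the W3C-style `#Fields:` header that XP's pfirewall.log carries, and that any non-standard listening port has already been read from the `PortNumber` value under the RDP-Tcp key named above and is passed in alongside 3389. The log lines are constructed sample data, not from a real system.

```python
"""Find RDP traffic in a Windows Firewall log export (pfirewall.log)."""
from collections import Counter

# Constructed sample lines, not taken from a real system. The columns follow the
# '#Fields:' header, so the parser adapts if a log carries a different layout.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2015-04-18 21:40:12 OPEN TCP 192.168.1.10 93.184.216.34 1042 80 - - - - - - - - SEND
2015-04-18 21:55:03 DROP TCP 203.0.113.7 192.168.1.10 51234 3389 48 S 1234567 0 8192 - - - RECEIVE
2015-04-18 21:55:09 OPEN-INBOUND TCP 192.168.1.25 192.168.1.10 1172 3389 - - - - - - - - RECEIVE
2015-04-18 21:58:44 CLOSE TCP 192.168.1.25 192.168.1.10 1172 3389 - - - - - - - - -
2015-04-18 22:01:00 OPEN-INBOUND TCP 192.168.1.25 192.168.1.10 1180 33891 - - - - - - - - RECEIVE
"""


def parse_firewall_log(text):
    """Yield one dict per data line, keyed by the names in the '#Fields:' header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # truncated or pre-header line: skip rather than misalign columns
        yield dict(zip(fields, values))


def rdp_events(text, ports=(3389,)):
    """Return TCP log lines whose destination port is an RDP listener.

    'ports' should hold 3389 plus any value found in the PortNumber value of
    HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
    (read separately; this script assumes it has already been looked up).
    """
    wanted = {str(p) for p in ports}
    return [r for r in parse_firewall_log(text)
            if r["protocol"] == "TCP" and r["dst-port"] in wanted]


def summarize_sources(events):
    """Count (source IP, action) pairs so accepted vs. dropped attempts stand out."""
    return Counter((e["src-ip"], e["action"]) for e in events)


if __name__ == "__main__":
    hits = rdp_events(SAMPLE_LOG, ports=(3389, 33891))
    for (src, action), n in sorted(summarize_sources(hits).items()):
        print(f"{src:15} {action:13} {n}")
```

Note that on XP the firewall log records OPEN-INBOUND / CLOSE pairs only when logging of successful connections is switched on, and DROP lines only when dropped packets are logged; an empty result therefore rules out RDP traffic only if both settings were enabled for the period in question.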
(@minime2k9)
Active Member

Thanks for the quick reply, hoping I was missing something.

There is definitely no 528/10 entries, but then there are no entries at all!

I'll try for Windows Firewall log and see if that gets me anywhere.

Posted : 19/04/2015 12:39 am
bitznpcz
(@bitznpcz)
New Member

Is there anything in the Forwarded Events Log? I had a similar case and found the IP address of the client used for RDP. Then used Bitmap cache viewer to prove RDP usage.

Even though the logs were cleared, there should be an entry showing RDP was closed after the logs were cleared.

Posted : 19/04/2015 3:11 am
(@keydet89)
Community Legend

I'm looking to find evidence that a user remotely logged into machine or prove the opposite.

..snip…

Remote Desktop connections are enabled in the NTuser.dat, however the Secevt log has been wiped or never used. This is a Windows XP system.

Well, Windows XP won't have the Forwarded Event Logs, and with the Secevent.evt file "wiped", you won't see Security/528 type 10 logins. If the log was cleared, you may be able to carve unallocated space for deleted Event Records.

Can you determine if the Security Event Log was cleared or if it was disabled?

RegRipper contains a plugin named auditpol.pl that lets you see the audit configuration on Windows XP and 2003 systems…this can be helpful.

Is this system a corporate system or a home user's system? I ask, as with the absence of the Security Event Log, this may provide you with some circumstantial information. What you'd want to look at is the activity available in the various profiles, and compare the times.

HTH

Posted : 19/04/2015 5:12 pm
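An added example of the carving keydet89 suggests (not his method, not RegRipper code, and not from the thread): XP and 2003 write each event as an EVENTLOGRECORD whose second DWORD is the signature `LfLe` and whose first and last DWORDs both hold the record length, so deleted records can be recognised in unallocated space without the .evt file header. The script assumes `blob` is a byte dump of unallocated clusters (or a damaged SecEvent.Evt) already read into memory, and then picks out Security 528 records with logon type 10 and Security 517 (audit log cleared) records. The sample image is constructed test data.

```python
"""Carve Windows XP/2003 event records (EVENTLOGRECORD) from raw bytes."""
import struct
from datetime import datetime, timezone

# EVENTLOGRECORD fixed header: Length, 'LfLe', RecordNumber, TimeGenerated, TimeWritten,
# EventID, EventType, NumStrings, EventCategory, ReservedFlags, ClosingRecordNumber,
# StringOffset, UserSidLength, UserSidOffset, DataLength, DataOffset.
HDR = "<IIIIIIHHHHIIIIII"
HDR_SIZE = struct.calcsize(HDR)  # 56 bytes
MAGIC = b"LfLe"
MAGIC_DWORD = 0x654C664C  # 'LfLe' read as a little-endian DWORD


def read_utf16z(blob, p, end):
    """Read a null-terminated UTF-16LE string at p; return (text, offset after the terminator)."""
    q = p
    while q + 1 < end and blob[q:q + 2] != b"\x00\x00":
        q += 2
    return blob[p:q].decode("utf-16-le", errors="replace"), q + 2


def parse_record(blob, start):
    """Parse one record whose Length field sits at 'start'; None if sanity checks fail."""
    if start < 0 or start + HDR_SIZE > len(blob):
        return None
    h = struct.unpack_from(HDR, blob, start)
    length = h[0]
    if length < HDR_SIZE + 4 or start + length > len(blob):
        return None
    end = start + length
    if struct.unpack_from("<I", blob, end - 4)[0] != length:
        return None  # a genuine record repeats its Length as the final DWORD
    num_strings, string_off = h[7], h[11]
    if string_off >= length:
        return None
    source, p = read_utf16z(blob, start + HDR_SIZE, end)  # SourceName then ComputerName
    computer, _ = read_utf16z(blob, p, end)
    strings, p = [], start + string_off
    for _ in range(num_strings):
        s, p = read_utf16z(blob, p, end)
        strings.append(s)
    return {"record_number": h[2],
            "time_generated": datetime.fromtimestamp(h[3], tz=timezone.utc),
            "event_id": h[5] & 0xFFFF, "event_type": h[6],
            "source": source, "computer": computer, "strings": strings}


def carve_records(blob):
    """Return every record whose 'LfLe' signature and trailing Length check out."""
    records, pos = [], blob.find(MAGIC)
    while pos != -1:
        rec = parse_record(blob, pos - 4)  # Length precedes the signature
        if rec:
            records.append(rec)
        pos = blob.find(MAGIC, pos + 1)
    return records


def rdp_logons(records):
    """Security 528 = successful logon on XP; the 4th string is the logon type, 10 = Terminal Services."""
    return [r for r in records if r["source"] == "Security" and r["event_id"] == 528
            and len(r["strings"]) > 3 and r["strings"][3] == "10"]


def log_cleared(records):
    """Security 517 on XP/2003 records that the audit log was cleared."""
    return [r for r in records if r["source"] == "Security" and r["event_id"] == 517]


def build_record(number, when, event_id, source, computer, strings):
    """Build a synthetic record (constructed test data only, no SID or binary data)."""
    names = b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in (source, computer))
    strs = b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings)
    string_off = HDR_SIZE + len(names)
    length = string_off + len(strs) + 4
    pad = (-length) % 4
    length += pad
    ts = int(when.timestamp())
    hdr = struct.pack(HDR, length, MAGIC_DWORD, number, ts, ts, event_id, 8, len(strings),
                      0, 0, 0, string_off, 0, string_off, 0, string_off + len(strs))
    return hdr + names + strs + b"\x00" * pad + struct.pack("<I", length)


def T(h, m):
    return datetime(2015, 4, 18, h, m, tzinfo=timezone.utc)


# Constructed image: junk, a console logon, a torn record, a log-clear event, an RDP logon.
SAMPLE_IMAGE = (
    b"\xff" * 37
    + build_record(101, T(20, 10), 528, "Security", "XP-BOX",
                   ["owner", "XP-BOX", "(0x0,0x3E7)", "2", "User32", "Negotiate", "XP-BOX"])
    + b"\x00" * 9 + b"\x10\x00\x00\x00" + MAGIC + b"\x00" * 6
    + build_record(102, T(21, 50), 517, "Security", "XP-BOX", ["-", "-", "-", "-", "owner"])
    + build_record(103, T(21, 55), 528, "Security", "XP-BOX",
                   ["owner", "XP-BOX", "(0x0,0x4A1B2)", "10", "User32", "Negotiate", "WS-LAPTOP"])
    + b"\xff" * 21
)

if __name__ == "__main__":
    for r in carve_records(SAMPLE_IMAGE):
        print(r["time_generated"], r["source"], r["event_id"], r["strings"][:4])
```

The trailing-length check is what keeps false positives down when scanning gigabytes of unallocated space: the four bytes `LfLe` occur by chance, but a matching length DWORD at both ends of the claimed span rarely does. As the poster notes, a wiper that overwrites free space will defeat this, so an empty result is not proof that nothing was logged.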
(@minime2k9)
Active Member

Well, Windows XP won't have the Forwarded Event Logs, and with the Secevent.evt file "wiped", you won't see Security/528 type 10 logins. If the log was cleared, you may be able to carve unallocated space for deleted Event Records.

CCleaner is installed and set to overwrite, so may not even be anything in unallocated.

Can you determine if the Security Event Log was cleared or if it was disabled?

RegRipper contains a plugin named auditpol.pl that lets you see the audit configuration on Windows XP and 2003 systems…this can be helpful.

Thanks, I'll have a look on Monday and see what I can dig out of that.

Is this system a corporate system or a home user's system? I ask, as with the absence of the Security Event Log, this may provide you with some circumstantial information. What you'd want to look at is the activity available in the various profiles, and compare the times.
HTH

Home user's system. I have quite a bit of circumstantial evidence relating to the activity I'm investigating, but I'm trying to prevent an RDP 'defence' before they use it.

Posted : 19/04/2015 5:55 pm
(@minime2k9)
Active Member

Update

Auditpol from regripper shows Auditing is not enabled.

Second update

After virtualising the machine, it appears none of the user accounts on the machine allow RDP, so the RDP connects but no logins are possible.

Posted : 20/04/2015 12:22 pm
(@keydet89)
Community Legend

CCleaner is installed and set to overwrite, so may not even be anything in unallocated.

Okay, but what is it configured to "overwrite"?

Home user's system. I have quite a bit of circumstantial evidence relating to the activity I'm investigating, but I'm trying to prevent an RDP 'defence' before they use it.

From what you've shared, you may not be able to do so.

Posted : 20/04/2015 5:18 pm
(@minime2k9)
Active Member

From what you've shared, you may not be able to do so.

From last post:
After virtualising the machine, it appears none of the user accounts on the machine allow RDP, so the RDP connects but no logins are possible.

This should counter that defence.

Posted : 20/04/2015 7:19 pm
honeyjew
(@honeyjew)
New Member

After virtualising the machine, it appears none of the user accounts on the machine allow RDP, so the RDP connects but no logins are possible.

As I understand it, only Administrators or users within the Remote Desktop Users group can connect remotely to a computer which is RDP enabled. You could check the users and their groups to confirm your findings.

Posted : 29/04/2015 8:11 pm