Hi everyone,
Got another project that I need some help with. An end user has claimed that, while on vacation, someone tampered with their PC. Our support teams have looked at the Event Logs but did not find any entries during the user's absence.
I now have a Ghost image of the machine. I'm trying to find out if there is a way to search the registry that might give an indication that someone had used this person's machine. I've been trying to use Harlan's RegRipper and RipXP, and more specifically running the UserAssist plugin. I have also analyzed the Administrator's NTUSER.DAT as well. I've looked for activity (timestamps when the user was gone), but nothing pops up. Is this enough to say no one logged in? What other plugin should I run if using RegRipper/RipXP?
Thanks in advance!
Check the SAM hive for things like last login date, etc. Logon count may or may not be useful.
Your idea to check the UserAssist keys for the user accounts is a good one…look for activity in the range where the user was absent. Also look for other indications, in the RecentDocs key, etc.
It might be helpful to know what kind of tampering the user claims took place.
Thanks Harlan! I ran the officedocs plugin as well. Nothing suspicious seems to be coming up.
The user claims that, while they were away, someone tampered with their Exchange mail account. At first they claimed that some folders (messages) were missing, but they were later found in a .pst file on a server. The user claims that they didn't put it there, and someone else did. Unfortunately, we don't have any auditing turned on at the Exchange Server level. More questions were asked of the user, and it turns out that Exchange was sending out messages indicating that their mailbox was full. My team suspected that maybe someone moved some of their mail onto the .pst while the user was away, but our Exchange administrators did not find any information that confirmed this.
My boss is asking me to analyze the Ghost image to see if someone may have compromised the user's PC to do this mail tampering.
That's one approach, I'm sure. However, there may be others. For example, what is the quota on the Exchange server? If the user is away, then they weren't answering emails, right? The emails could have built up to the quota on the server, the way voicemails build up.
B0dhi,
The things to consider are this:
The user claims that something odd was done to their email while they were gone, so the way to interact with email from the user perspective is most often Outlook. Therefore, start by determining if Outlook was launched during the time that the user was out.
Thanks Harlan. Any particular plugin from RipXP/RegRipper that I should be running to determine whether Outlook ran in that timeframe? Thx!!
UserAssist.
Think about it: how is Outlook run? Does someone log into the system in safe mode, with just a command prompt, and run Outlook? No. You log into the shell and either click through the Programs menu, or double-click an icon on the desktop.
Does the organization have OWA available? If someone knew the employee's credentials, they might have been able to log in remotely…
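The UserAssist check Harlan describes comes down to decoding the ROT13 value names under the user's UserAssist key, pulling the last-execution FILETIME out of each value, and filtering for anything that ran inside the absence window. The block below is an added example, not RegRipper/RipXP code or anything posted in this thread. It assumes the XP-era 16-byte value layout (4-byte session id, 4-byte run counter that starts at 5, 8-byte FILETIME) and works on constructed sample values rather than a real NTUSER.DAT; the file path, dates and counters are all made up for illustration.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a 64-bit FILETIME to a timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used here only to build sample values."""
    delta = dt - FILETIME_EPOCH
    micros = (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds
    return micros * 10


def decode_userassist_name(name):
    """UserAssist value names are stored ROT13-encoded; only ASCII letters change."""
    return codecs.decode(name, "rot_13")


def parse_userassist_xp(raw):
    """Parse one XP-format UserAssist value (assumption: 16-byte layout).

    Layout: <session id: u32><counter: u32><last run: FILETIME u64>.
    The XP counter starts at 5, so the real run count is counter - 5.
    A zero FILETIME means the entry never recorded an execution time.
    """
    if len(raw) != 16:
        raise ValueError("expected a 16-byte XP-format UserAssist value")
    session, counter, ft = struct.unpack("<IIQ", raw)
    return {
        "session": session,
        "runs": max(counter - 5, 0),
        "last_run": filetime_to_datetime(ft) if ft else None,
    }


def find_launches_in_window(values, start, end):
    """Return (decoded name, run count, last run) for every value whose last
    execution falls inside [start, end], oldest first."""
    hits = []
    for encoded_name, raw in values.items():
        rec = parse_userassist_xp(raw)
        if rec["last_run"] is not None and start <= rec["last_run"] <= end:
            hits.append((decode_userassist_name(encoded_name), rec["runs"], rec["last_run"]))
    return sorted(hits, key=lambda h: h[2])


# --- Constructed sample data (not from a real hive) -------------------------
ABSENCE_START = datetime(2009, 8, 3, tzinfo=timezone.utc)
ABSENCE_END = datetime(2009, 8, 14, tzinfo=timezone.utc)


def _make_value(session, counter, when):
    """Build a raw 16-byte value; when=None stores a zero FILETIME."""
    return struct.pack("<IIQ", session, counter, datetime_to_filetime(when) if when else 0)


def _rot13(name):
    return codecs.encode(name, "rot_13")


SAMPLE_VALUES = {
    # Outlook last launched during the absence window: this is the hit we care about.
    _rot13(r"UEME_RUNPATH:C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE"):
        _make_value(3, 12, datetime(2009, 8, 10, 14, 5, tzinfo=timezone.utc)),
    # Word last launched before the user left: outside the window.
    _rot13(r"UEME_RUNPATH:C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE"):
        _make_value(2, 40, datetime(2009, 7, 28, 9, 0, tzinfo=timezone.utc)),
    # An entry with no recorded execution time: must not crash the parser.
    _rot13(r"UEME_RUNPATH:C:\WINDOWS\system32\notepad.exe"):
        _make_value(1, 5, None),
}


if __name__ == "__main__":
    for name, runs, last_run in find_launches_in_window(SAMPLE_VALUES, ABSENCE_START, ABSENCE_END):
        print(f"{last_run:%Y-%m-%d %H:%M:%S} UTC  runs={runs}  {name}")
```

Note that FILETIMEs in the hive are UTC, so the absence window must be expressed in UTC too; a window typed in local time will be off by the site's UTC offset at the edges. Also, UserAssist only records the most recent launch per entry, so a hit shows that the program ran at least once in the window, and a miss for Outlook shows only that its last launch was not in the window, not that it never ran.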
OWA is available. I've been trying to get a hold of the Exchange sysadmins to see what kind of logging/auditing is on the servers. They looked through some logs and said no one had logged in with that user's credentials since they went on holidays.
I think unless our Exchange sysadmins can find some stuff in the logs, this user is SOL.
I'd get the IIS web server logs myself and verify. That is, unless you're willing to stake the answer you provide on what they told you.
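Verifying the OWA question from the IIS logs means parsing the W3C extended log, keeping only authenticated requests under the OWA virtual directory for the user in question, and tallying them by client IP inside the absence window. The block below is an added example, not code from this thread or from Microsoft; the log excerpt is constructed (hosts, IPs and the CORP\jdoe account are invented), the field list mirrors a typical IIS 6 default, and the /exchange/ and /owa/ prefixes are assumed to be where OWA is mounted on the server being checked.

```python
from datetime import datetime, timezone

# Constructed sample IIS 6 W3C extended log (not from the servers in the thread).
# IIS writes W3C logs in UTC by default; confirm that on the actual server.
SAMPLE_IIS_LOG = r"""#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-08-10 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2009-08-10 08:02:11 10.0.0.5 GET /exchange/jdoe/Inbox/ - 443 - 192.0.2.44 Mozilla/4.0+(compatible;+MSIE+7.0) 401 2 2148074254
2009-08-10 08:02:14 10.0.0.5 GET /exchange/jdoe/Inbox/ - 443 CORP\jdoe 192.0.2.44 Mozilla/4.0+(compatible;+MSIE+7.0) 200 0 0
2009-08-10 08:03:40 10.0.0.5 POST /exchange/jdoe/Inbox/ - 443 CORP\jdoe 192.0.2.44 Mozilla/4.0+(compatible;+MSIE+7.0) 200 0 0
2009-08-11 09:15:02 10.0.0.5 GET /exchange/asmith/Inbox/ - 443 CORP\asmith 10.0.1.20 Mozilla/4.0+(compatible;+MSIE+7.0) 200 0 0
2009-08-20 07:30:00 10.0.0.5 GET /exchange/jdoe/Inbox/ - 443 CORP\jdoe 10.0.1.31 Mozilla/4.0+(compatible;+MSIE+7.0) 200 0 0
"""

ABSENCE_START = datetime(2009, 8, 3, tzinfo=timezone.utc)
ABSENCE_END = datetime(2009, 8, 14, tzinfo=timezone.utc)


def parse_w3c_log(text):
    """Parse W3C extended log text into dicts keyed by the #Fields names.

    The field list is taken from the #Fields directive so the parser follows
    whatever columns the server was configured to log. Lines whose column
    count does not match are skipped rather than misaligned.
    """
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line encountered before a #Fields directive")
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue
        rec = dict(zip(fields, parts))
        rec["timestamp"] = datetime.strptime(
            rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S"
        ).replace(tzinfo=timezone.utc)
        records.append(rec)
    return records


def owa_activity(records, username, start, end, owa_prefixes=("/exchange/", "/owa/")):
    """Authenticated OWA requests by `username` with timestamps in [start, end].

    Anonymous requests (cs-username '-') are excluded, so the 401 challenge
    that precedes an authenticated request does not count as a login.
    """
    hits = []
    for rec in records:
        if rec.get("cs-username", "-").lower() != username.lower():
            continue
        if not rec["cs-uri-stem"].lower().startswith(owa_prefixes):
            continue
        if not (start <= rec["timestamp"] <= end):
            continue
        hits.append(rec)
    return hits


def summarize_by_ip(hits):
    """Per client IP: request count and first/last timestamp seen."""
    summary = {}
    for rec in hits:
        entry = summary.setdefault(
            rec["c-ip"], {"requests": 0, "first": rec["timestamp"], "last": rec["timestamp"]}
        )
        entry["requests"] += 1
        entry["first"] = min(entry["first"], rec["timestamp"])
        entry["last"] = max(entry["last"], rec["timestamp"])
    return summary


if __name__ == "__main__":
    records = parse_w3c_log(SAMPLE_IIS_LOG)
    hits = owa_activity(records, r"CORP\jdoe", ABSENCE_START, ABSENCE_END)
    for ip, info in summarize_by_ip(hits).items():
        print(f"{ip}: {info['requests']} requests, {info['first']:%Y-%m-%d %H:%M} to {info['last']:%Y-%m-%d %H:%M}")
```

The summary answers the question the Exchange admins were asked ("did anyone use these credentials against OWA while the user was away?") from the primary record rather than from their recollection; an internal IP in the result is what would justify pulling the workstation logs for that address next.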