Hi all, I have a question for you and here is the scenario.
I have a warehouse shop desktop with several usernames on it. Six usernames are the actual usernames assigned to each person through the company (last name, first letter of first name). There is also one username that is the name of the asset (the computer name, all numbers) (each asset at the company is assigned an asset tag), so it seems like a dummy account to me. It does not appear (via the ntuser.dat files for each) that the employees use their own usernames (at least not for a couple of years) and instead use the dummy account username when logging into this computer.
Company proxy logs indicate that the dummy account was viewing pornography which is against company policy. I have been tasked with trying to find out which person was logged into the dummy account and viewing the pornography.
Does anyone have any suggestions as to some artifacts, locations, methods to possibly find out who it was? I’ve viewed the proxy logs, event logs to no avail. I’m now processing the forensic image (which I collected remotely while the computer was running) in IEF, XWays and FTK. I’m beginning to think it may be impossible to find out who the person was but thought I would see if anyone has any suggestions….thanks in advance for your input!
LB
Be VERY cautious about linking a person to an access to a "common" computer system authenticated only by user/password.
In such (seemingly) informal environments it is not unusual that the login credentials of "user A" are known to all other users (and vice versa).
But from what you report, seemingly you are in a situation where everyone logged in with the same account/credentials.
So, unless you find some info (like - say - a username) in the browser cache/history or similar that can be linked to a given person actually used at the same time or very near the time the "improper" access has been recorded (let's say "User B" that checked his/her gmail account immediately before or after that time) you won't be able to identify the culprit.
And even if such a piece of info can be gathered, it is well possible that "User A" viewed the p0rn and immediately after "user B" used the PC to access a personal account, without any logout/login.
jaclaz
Any security footage or entry logs available?
Company proxy logs
No unique IPs in the proxy log? That would be odd.
No DNS logs/captures?
No cookies?
No artifacts on disk?
No artifacts from accessing the page? (i.e. included javascript from some specific site)
I think jaclaz is right; you need to be very careful here and some of the indicators you might find to point you at a particular person (e.g. because of Gmail access) could be misleading.
Can you get more outside information to help you? It would be very helpful to know when these users were working or whether they no longer work in that area or have left the company. For example, if only Bob and Tom work the late shift and all of the bad activity is on the late shift, you've narrowed it down to two instead of six.
… and if you have three "p0rn viewing sessions" over three different shifts when different people were on duty
1) Tom and Bob
2) Tom and Joe
3) Tom and Carl
There must be a reason why it is called "Peeping Tom" wink
Now, seriously, if not all the same people are at work with the same timetable, crossing a timeline with work shifts may help to narrow down the list of suspects, but you need several "incidents" coinciding.
jaclaz
Hi all, I have question for you and here is the scenario
I have a warehouse shop desktop with several usernames on it.
Last year I had a similar case. A team of five Administrators in a hospital complex and all of them used the account "Administrator" (Domain Administrator!!!) for maintenance and administration tasks on all servers and clients, what a security nightmare! One of those five guys made a "digital amok run": he deleted files and backups, rebooted servers and clients as nonsense and - really - moved all user accounts from the "Domain Users" group to the "Domain Administrators" group.
I could identify him by timelining all logins from the account "Administrator" from the Security Event Logs from all Domain Controllers and then matching this timeline with the work times of this team. And there was an IP address in the Event Logs which directly led me to his Workstation; these Admins used fixed IP addresses where all other Workstations had dynamic ones.
So my advice: check the Event Logs for all login and logout actions and make a table from it. To make it easier for you, I can recommend this tool
http//
best regards,
Robin
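As an added example (not code from any poster in this thread), here is the correlation jaclaz and Robin describe, carried out on constructed data: proxy-log incident times for the shared account are intersected with a shift roster, and each incident is checked against a logon/logoff table built from the Security Event Log so that hits with no covering session are flagged rather than attributed. All timestamps, names and sessions are made up for illustration.

```python
from datetime import datetime

# Constructed: proxy-log timestamps of the policy-violating requests made
# under the shared account (the asset-tag "dummy" user).
INCIDENTS = [
    datetime(2013, 3, 4, 22, 15),
    datetime(2013, 3, 6, 22, 40),
    datetime(2013, 3, 9, 21, 5),
]

# Constructed shift roster: (shift start, shift end, names on duty).
ROSTER = [
    (datetime(2013, 3, 4, 14, 0), datetime(2013, 3, 4, 23, 0), {"Tom", "Bob"}),
    (datetime(2013, 3, 6, 14, 0), datetime(2013, 3, 6, 23, 0), {"Tom", "Joe"}),
    (datetime(2013, 3, 9, 14, 0), datetime(2013, 3, 9, 23, 0), {"Tom", "Carl"}),
]

# Constructed logon/logoff table for the shared account, the kind Robin's post
# suggests building from Security Event Log entries (4624 logon / 4634 logoff).
SESSIONS = [
    (datetime(2013, 3, 4, 14, 5), datetime(2013, 3, 4, 22, 58)),
    (datetime(2013, 3, 6, 14, 2), datetime(2013, 3, 6, 22, 50)),
    (datetime(2013, 3, 9, 14, 10), datetime(2013, 3, 9, 20, 0)),  # logged off before incident 3
]


def on_duty(roster, when):
    """Everyone whose shift covers the given time (empty set if the roster has a gap)."""
    people = set()
    for start, end, names in roster:
        if start <= when < end:
            people |= names
    return people


def in_session(sessions, when):
    """True if the shared account had a logon session bracketing the time."""
    return any(start <= when < end for start, end in sessions)


def narrow_suspects(incidents, roster, sessions):
    """Intersect the on-duty sets across all incidents (jaclaz's caveat: one
    incident alone proves nothing) and list incidents with no covering session,
    which points at clock skew, a missing logoff event, or a bad proxy timestamp.
    An empty candidate set means more than one person, or a wrong roster."""
    candidates = None
    uncovered = []
    for when in incidents:
        if not in_session(sessions, when):
            uncovered.append(when)
        present = on_duty(roster, when)
        candidates = present if candidates is None else candidates & present
    return candidates or set(), uncovered
```

On this constructed data the intersection leaves only Tom, while the third incident falls outside any recorded session and has to be explained before it is counted.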
If the users have different roles within the organisation you might be able to build a pattern of events, i.e. if Tom deals with goods inwards and Bert deals with goods out, then if you can correlate an event to the workstation of interest you may be able to say who would have likely been sat at it.
Wow! Thanks for all the great info and suggestions! Good stuff! Some I've already thought of and some I haven't…….so I'm looking into everyone's reply.
LB