proof of connection to server

pronie2121
(@pronie2121)
Estimable Member
Joined: 18 years ago
Posts: 117
Topic starter   [#3370]

Is there a way, by looking at the event logs on a Windows XP machine, to show an event for that machine connecting to a particular server? I also know to look at link files and MRU files to see if any of the paths are on that server, but I was checking to see if there is an event recorded when a user connects to a particular server, or a write to the registry that is recorded. Thanks in advance.

Logging on the server was disabled.



keydet89
(@keydet89)
Famed Member
Joined: 22 years ago
Posts: 3568
 

Pronie,

To the best of my knowledge, there are no such events recorded in the Event Log; however, there is information recorded in the Registry, particularly within the hive file for the user. RegRipper includes a plugin to check the MountPoints2 entries. There are also keys available for things such as Terminal Services client connections.

HTH



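The user-hive locations Harlan mentions (MountPoints2, the persistent mapped-drive entries under Network, and the Terminal Server Client server list) can be checked without RegRipper as well. Below is an added example, not code from this thread or from RegRipper: a Python script that takes the text of a `reg export` of the user's NTUSER.DAT (live under HKEY_CURRENT_USER, or loaded offline with `reg load`) and lists which of those artifacts name a given server. The .reg sample embedded in it is constructed for the example; the hostnames, share names, user name and the `case_ntuser` load point are invented, and the handling of the hive root (stripping HKEY_CURRENT_USER or HKEY_USERS\<name>) is the example's own assumption.

```python
import re
from collections import defaultdict

# Constructed sample of what `reg export` produces for the three keys of
# interest in a user hive that was loaded under HKEY_USERS\case_ntuser.
# Every name in it is invented for this example.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_USERS\case_ntuser\Network\S]
"RemotePath"="\\\\FILESRV01\\Projects"
"UserName"=""
"ProviderName"="Microsoft Windows Network"

[HKEY_USERS\case_ntuser\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##FILESRV01#Projects]
"BaseClass"="Drive"

[HKEY_USERS\case_ntuser\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##FILESRV01#Users$]
"BaseClass"="Drive"

[HKEY_USERS\case_ntuser\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a1b2c3d4-0000-0000-0000-000000000001}]
"BaseClass"="Drive"

[HKEY_USERS\case_ntuser\Software\Microsoft\Terminal Server Client\Servers\TS01]
"UsernameHint"="CORP\\jdoe"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')

# Paths relative to the hive root (user-hive locations named in the thread).
MP2_PREFIX = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\"
NETWORK_PREFIX = "Network\\"
TSC_PREFIX = "Software\\Microsoft\\Terminal Server Client\\Servers\\"


def relative_path(path):
    """Strip the hive root so an HKEY_CURRENT_USER export and a hive loaded
    under HKEY_USERS\\<name> produce the same relative key paths (assumption
    of this example)."""
    parts = path.split("\\")
    if parts[0] == "HKEY_CURRENT_USER":
        return "\\".join(parts[1:])
    if parts[0] == "HKEY_USERS" and len(parts) > 1:
        return "\\".join(parts[2:])
    return path


def parse_reg_export(text):
    """Return {relative_key_path: {value_name: data}} from .reg export text.
    Only string values ("name"="data") are kept; the .reg escaping of
    backslashes is undone."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = relative_path(m.group(1))
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.groups()
            keys[current][name] = data.replace("\\\\", "\\")
    return keys


def server_artifacts(keys):
    """Map upper-cased server name -> list of (artifact, detail)."""
    found = defaultdict(list)
    for path, values in keys.items():
        if path.startswith(MP2_PREFIX):
            name = path[len(MP2_PREFIX):]
            # UNC mount points are named ##server#share; drive letters and
            # volume GUIDs are local devices and are skipped.
            if name.startswith("##"):
                server, _, share = name[2:].partition("#")
                found[server.upper()].append(("MountPoints2", "\\\\%s\\%s" % (server, share)))
        elif path.startswith(NETWORK_PREFIX):
            letter = path[len(NETWORK_PREFIX):]
            remote = values.get("RemotePath", "")
            if remote.startswith("\\\\"):
                server = remote[2:].split("\\", 1)[0]
                found[server.upper()].append(("Network (persistent drive %s:)" % letter, remote))
        elif path.startswith(TSC_PREFIX):
            server = path[len(TSC_PREFIX):]
            found[server.upper()].append(("Terminal Server Client", values.get("UsernameHint", "")))
    return dict(found)


def evidence_for(keys, server):
    """All user-hive artifacts that name the given server (case-insensitive)."""
    return server_artifacts(keys).get(server.upper(), [])


if __name__ == "__main__":
    hive = parse_reg_export(SAMPLE_REG)
    for artifact, detail in evidence_for(hive, "filesrv01"):
        print("%-32s %s" % (artifact, detail))
```

Two caveats when this is used for real: a .reg export carries no key timestamps, so the LastWrite time of each MountPoints2 subkey (which is what RegRipper's MountPoints2 plugin reports and which gives the "when") has to come from the hive itself; and a `{GUID}` entry under MountPoints2 is a local volume, not a network share, so it is deliberately skipped here.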
pronie2121
(@pronie2121)
Estimable Member
Joined: 18 years ago
Posts: 117
Topic starter  

Thank you for the help



(@seanmcl)
Honorable Member
Joined: 20 years ago
Posts: 700
 

I agree with Harlan. How do you define "connect to a server"? The type of connection that you suspect would help you to identify what to look for as artifacts.



pronie2121
(@pronie2121)
Estimable Member
Joined: 18 years ago
Posts: 117
Topic starter  

Basically, to show that at any point in time the user established a connection with the server and would have had access to the materials located on that server. I know it is not very in-depth; this question was brought in from a detective working on a case. They have said that there are no link files referencing a path to the server, nor any in the most recently used Office files. I have referred them to Harlan's RegRipper, which they could possibly use to check for mapped network drives, etc. Thanks.



keydet89
(@keydet89)
Famed Member
Joined: 22 years ago
Posts: 3568
 

Basically, to show that at any point in time the user established a connection with the server and would have had access to the materials located on that server.

I think what Sean's referring to is the method of connection…mapped shares is only one. There's Terminal Services, VNC, etc. Was the server running IIS and MS SQL, and did the user use SQL injection?



(@Anonymous 6593)
Joined: 18 years ago
Posts: 1158
 

Is there a way, by looking at the event logs on a Windows XP machine, to show an event for that machine connecting to a particular server? I also know to look at link files and MRU files to see if any of the paths are on that server, but I was checking to see if there is an event recorded when a user connects to a particular server, or a write to the registry that is recorded. Thanks in advance.

Logging on the server was disabled.

You probably need to secure all DC security logs for the time in question as well.

You may find authentication events from the server (which indicates that the user is trying to gain access), or logs about kerberos service tickets for the server (which is not a 100% guarantee that they were used, of course, but may be taken as an indication of intent to do so).

This stuff is covered in reasonably great detail in, for instance, Windows Server 2003 Security Log Revealed by Randy Franklin Smith.

I can't find any obvious mention that server access is logged on the client, though.



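To make the DC-side approach in the reply above concrete: on a Windows Server 2003 domain controller a service ticket request is logged as Security event 673 ("Service Ticket Granted") and a TGT request as 672 ("Authentication Ticket Granted"); on Server 2008 and later the equivalents are 4769 and 4768. The 673 record names the service account the ticket was issued for (the server's computer account, SERVER$) and the client address, which is what ties a user to a server and to a workstation. Below is an added example, not code from this thread or from the book cited above: a Python script that runs that correlation over a CSV export of DC security events. The CSV layout and its field names are constructed for the example (a real export from Event Viewer or a log tool will need its columns mapped to these), and the hostnames, user names, addresses and timestamps in the sample are invented.

```python
import csv
import io
from datetime import datetime

# Constructed sample in the shape of a CSV export of a DC Security log.
# The column names are this example's own; hosts, users, addresses and
# times are invented. FILESRV01$ is the file server's computer account.
SAMPLE_CSV = """timestamp,event_id,user,service_name,client_address
2009-03-02 08:14:05,672,jdoe,krbtgt,10.1.2.3
2009-03-02 08:14:06,673,jdoe,WKS-XP7$,10.1.2.3
2009-03-02 09:41:22,673,jdoe,FILESRV01$,10.1.2.3
2009-03-02 09:41:23,673,jdoe,FILESRV01$,10.1.2.3
2009-03-02 12:03:10,673,asmith,FILESRV01$,10.1.2.9
2009-03-03 17:55:40,673,jdoe,TS01$,10.1.2.3
"""

# "Service Ticket Granted" and "Authentication Ticket Granted" IDs on
# Server 2003 and on Server 2008+ respectively.
SERVICE_TICKET = {"673", "4769"}
AS_TICKET = {"672", "4768"}


def parse_events(text):
    """Read the CSV into a list of dicts with a datetime timestamp."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["timestamp"] = datetime.strptime(r["timestamp"], "%Y-%m-%d %H:%M:%S")
    return rows


def service_tickets_for(events, server, user=None):
    """Every (timestamp, user, client_address) where the DC issued a service
    ticket for the server's computer account, optionally for one user.
    A hit shows a ticket was issued for that host; it does not by itself
    prove the ticket was presented to the server or that a share was opened."""
    target = server.upper().rstrip("$") + "$"
    hits = []
    for e in events:
        if e["event_id"] in SERVICE_TICKET and e["service_name"].upper() == target:
            if user is None or e["user"].lower() == user.lower():
                hits.append((e["timestamp"], e["user"], e["client_address"]))
    return hits


def workstations_for_user(events, user):
    """Client addresses from which the user obtained TGTs: this is how the
    service-ticket hits are tied back to a workstation worth imaging."""
    return sorted({e["client_address"] for e in events
                   if e["event_id"] in AS_TICKET and e["user"].lower() == user.lower()})


def collapse(hits, window_seconds=300):
    """Group tickets from the same user and address that fall within
    window_seconds of each other into one session; a single access can
    produce several ticket requests in quick succession."""
    sessions = []
    for ts, user, addr in sorted(hits):
        last = sessions[-1] if sessions else None
        if (last and last["user"] == user and last["client_address"] == addr
                and (ts - last["last"]).total_seconds() <= window_seconds):
            last["last"] = ts
            last["count"] += 1
        else:
            sessions.append({"user": user, "client_address": addr,
                             "first": ts, "last": ts, "count": 1})
    return sessions


if __name__ == "__main__":
    events = parse_events(SAMPLE_CSV)
    for s in collapse(service_tickets_for(events, "filesrv01")):
        print("%s from %s: %s .. %s (%d tickets)" % (
            s["user"], s["client_address"], s["first"], s["last"], s["count"]))
    print("jdoe obtained TGTs from:", workstations_for_user(events, "jdoe"))
```

Collect the logs from every DC in the domain (or every DC the workstation's site could have used), since the 673 lands on whichever DC served the request; and, as the reply says, treat a hit as intent and opportunity, not proof that files were read.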
pronie2121
(@pronie2121)
Estimable Member
Joined: 18 years ago
Posts: 117
Topic starter  

Thank you I will refer this information along, much appreciated.


