Remote Access Logs

10 Posts
6 Users
0 Likes
2,253 Views
(@forensicpursuit)
Posts: 11
Active Member
Topic starter
 

I have a client who has decent circumstantial evidence that an unknown person has been accessing his PC remotely. We would like to find some harder evidence in order to generate a complaint through the courts. Is anyone aware of a log or logs that would record remote access activity? I can start poking through Windows event and security logs but I’ve never had particularly good success trolling through those. This computer in question would be a Windows laptop computer connected to the Internet through a simple home-type network.

Thanks in advance for your thoughts.

 
Posted : 04/08/2009 4:00 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

"Is anyone aware of a log or logs that would record remote access activity?"

Well, it depends on the type of access.

Have you looked at running processes and installed services? If someone is accessing the system via a backdoor or IRC bot, I doubt that anything is recorded. Bad guys don't often create tools that record their accesses and activities on the victim system.

What is the nature of the activity that your client is seeing that makes him think that someone is accessing his system remotely? I ask only because I recently worked with a customer who thought that if his Windows systems were infected with a file infector virus, his Linux system should be infected by the same virus…otherwise, something was "mystifying".

"I can start poking through Windows event and security logs but I've never had particularly good success trolling through those."

Well, "trolling" through the Event Logs can be a pain, particularly when they aren't configured to record anything useful, or they're configured such that they're overwritten fairly quickly.

 
Posted : 04/08/2009 4:37 am
(@forensicpursuit)
Posts: 11
Active Member
Topic starter
 

Hi. Thanks for your response.

We are not thinking of an ultra-sneaky type of remote access, like a backdoor or IRC bot. I was more thinking of the standard kind of remote access programs that an IT group would use to help their employees with IT-related issues.

 
Posted : 04/08/2009 4:46 am
(@seanmcl)
Posts: 700
Honorable Member
 

If the Audit policy is set to Audit Login Events (success,failure), you'd be able to see successful and attempted Remote Desktop logins in the Event Viewer (Event 528 Logon Type 10).

Depending upon which version of Windows you are running, Remote Assistance events are also logged in the Event Viewer, although with early versions of XP, logging was minimal.

With Windows Vista, more complete remote assistance logging information can be found in the user's Documents\Remote Assistance Logs.

To see if Remote Assistance was enabled, look at

HKEY_LOCAL_MACHINE\Software\Microsoft\Ole for the String EnableDCOM=Y

If it is set to N, Remote Assistance will not work.

As Harlan mentioned, however, you may be limited by the default settings for the Windows event logs.

 
Posted : 04/08/2009 6:09 pm
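Sean's Event 528 / Logon Type 10 check, as an added example that is not from this thread: a Python filter over a CSV export of the Security log that pulls out Remote Desktop logons. The export column names, the message text and the sample rows are my constructed assumptions; the filter covers both the XP-era 528/529 IDs and the 4624/4625 IDs used from Vista onward.

```python
import csv
import io
import re

# Logon success/failure event IDs: 528/529 on XP and 2003, 4624/4625 on Vista and later.
LOGON_EVENTS = {528: "success", 529: "failure", 4624: "success", 4625: "failure"}
RDP_LOGON_TYPE = 10   # RemoteInteractive: Terminal Services / Remote Desktop

TYPE_RE = re.compile(r"Logon Type:\s*(\d+)")
ADDR_RE = re.compile(r"Source Network Address:\s*(\S+)")
USER_RE = re.compile(r"(?:User Name|Account Name):\s*(\S+)")

# Constructed sample of a Security log export (not real data): one event per row,
# with the event message text flattened into the Details column.
SAMPLE_CSV = """\
Time,EventID,Details
2009-07-20 22:14:03,528,"Successful Logon: User Name: jsmith Domain: LAPTOP Logon Type: 10 Source Network Address: 10.0.0.7"
2009-07-20 22:30:11,528,"Successful Logon: User Name: jsmith Domain: LAPTOP Logon Type: 2 Source Network Address: -"
2009-07-21 01:03:44,529,"Logon Failure: User Name: administrator Domain: LAPTOP Logon Type: 10 Source Network Address: 10.0.0.7"
2009-07-21 01:05:02,592,"A new process has been created: Image File Name: C:\\WINDOWS\\system32\\cmd.exe"
2009-07-22 09:40:10,4624,"An account was successfully logged on. Subject: Account Name: LAPTOP$ New Logon: Account Name: jsmith Logon Type: 10 Source Network Address: 192.168.1.20"
"""

def rdp_logons(csv_text):
    """Return the logon attempts with Logon Type 10 (RDP), successful or failed."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        event_id = int(row["EventID"])
        if event_id not in LOGON_EVENTS:
            continue
        details = row["Details"]
        m_type = TYPE_RE.search(details)
        if not m_type or int(m_type.group(1)) != RDP_LOGON_TYPE:
            continue
        users = USER_RE.findall(details)   # 4624 lists the Subject first, New Logon last
        addr = ADDR_RE.search(details)
        hits.append({"time": row["Time"], "event_id": event_id,
                     "result": LOGON_EVENTS[event_id],
                     "user": users[-1] if users else "?",
                     "source": addr.group(1) if addr else "?"})
    return hits

def sources_by_result(hits):
    """Group the remote source addresses by outcome: who got in, who only tried."""
    summary = {}
    for h in hits:
        summary.setdefault(h["result"], set()).add(h["source"])
    return summary

if __name__ == "__main__":
    for h in rdp_logons(SAMPLE_CSV):
        print(h)
```

Only logon events are listed; as Harlan notes above, nothing appears at all if the audit policy was never enabled or the log has already wrapped.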
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

"Hi. Thanks for your response.

We are not thinking of an ultra-sneaky type of remote access, like a backdoor or IRC bot. I was more thinking of the standard kind of remote access programs that an IT group would use to help their employees with IT-related issues."

Sean's right…look for RDP connections in the Security Event Log, with the caveat that if the system isn't configured to record/audit logins, then they won't appear.

IT groups use other remote desktop tools such as VNC and its variants, as well.

Finally, remote access to the Explorer shell (via Terminal Services/RDP) will leave artifacts within the NTUSER.DAT file for the user profile used to access the system, so look to the contents of the UserAssist key, etc., for indications of activity, as well as any pertinent timestamps.

 
Posted : 04/08/2009 6:30 pm
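Harlan's UserAssist pointer, as an added example that is not from the thread: Python that decodes one UserAssist Count entry from NTUSER.DAT (the ROT13 value name, plus the XP 16-byte and the Vista/7 72-byte value layouts) into program name, run count and last-run time in UTC. The sample value name and data are constructed for the demonstration, not real registry contents.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """Windows FILETIME (100-ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    """Inverse conversion; used below only to build the constructed sample."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def parse_userassist(value_name, raw):
    """Decode one value under the UserAssist Count key.
    The value name is ROT13-obfuscated. The data is 16 bytes on XP (session,
    count, FILETIME) or 72 bytes on Vista/7 (run count at offset 4, FILETIME
    at offset 60). Returns plain name, session, run count and last-run time."""
    name = codecs.decode(value_name, "rot13")
    if len(raw) == 16:
        session, count, ft = struct.unpack("<IIQ", raw)
        runs = max(count - 5, 0)           # XP counters start at 5, not 0
    elif len(raw) == 72:
        session, count = struct.unpack_from("<II", raw, 0)
        (ft,) = struct.unpack_from("<Q", raw, 60)
        runs = count
    else:
        raise ValueError("unexpected UserAssist value length: %d" % len(raw))
    last_run = filetime_to_datetime(ft) if ft else None   # zero means never recorded
    return {"name": name, "session": session, "runs": runs, "last_run": last_run}

def make_xp_entry(session, count, when):
    """Build a constructed XP-format value for demonstration (not real registry data)."""
    return struct.pack("<IIQ", session, count, datetime_to_filetime(when))

# Constructed sample: a ROT13 value name as it would appear under the Count key,
# paired with an XP-format value recording three runs, the last on 2009-07-20 22:16:40 UTC.
SAMPLE_NAME = r"HRZR_EHACNGU:P:\Cebtenz Svyrf\Vagrearg Rkcybere\vrkcyber.rkr"
SAMPLE_VALUE = make_xp_entry(1, 8, datetime(2009, 7, 20, 22, 16, 40, tzinfo=timezone.utc))

if __name__ == "__main__":
    entry = parse_userassist(SAMPLE_NAME, SAMPLE_VALUE)
    print(entry["name"], entry["runs"], entry["last_run"])
```

The decoded last-run timestamp is what you line up against the RDP logon times from the Security log to tie shell activity to a particular remote session.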
(@bwhittaker)
Posts: 8
Active Member
 

You may want to see if you can get any network logs to assist with this. Is this coming from the inside of the network or is someone getting through a hole in a firewall?

 
Posted : 04/08/2009 8:48 pm
(@forensicpursuit)
Posts: 11
Active Member
Topic starter
 

OK, thanks guys. I'll look around based on your recommendations. Thanks!

 
Posted : 04/08/2009 8:57 pm
(@forensicpursuit)
Posts: 11
Active Member
Topic starter
 

"Is this coming from the inside of the network or is someone getting through a hole in a firewall?"

I don't believe there was any real network security to speak of. This is a guy that left his company on bad terms with potential lawsuits brewing. Over the next few months after he left the company, he thinks IT staff from the old company were remote accessing his computer in order to access his gmail or other private information. IT staff had regularly remote accessed his computer while he was working for the company for helpdesk kind of things. So I'm picturing that his computer was just sitting around his house connected to a wireless network and IT staff came in the same way they always had when the guy worked for the company.

 
Posted : 04/08/2009 9:06 pm
jhup
(@jhup)
Posts: 1442
Noble Member
 

Was the laptop connection a WiFi connection at the home network?

I found this to be a very tempting target for prying eyes. Getting a connection to such a WLAN would require no connection or software on the laptop and would leave no artifacts on the laptop.

 
Posted : 05/08/2009 12:46 am
Fab4
(@fab4)
Posts: 173
Estimable Member
 

OK guys…any suggestions for the following will be greatly welcomed:

Image of a client workstation to hand
RAID5 server - 1 drive failed and no success at reconstructing images of the remaining 2 drives from parity bit
Domain log ons
Need to ascertain whether remote access of an employee has occurred
Remote Assistance enabled on client
Client SecEvent log empty

Can any other remote log-on artefacts be left on the client machine?

Or am I requesting access to the client site to examine the live server?

Thanks in anticipation.

 
Posted : 24/03/2010 8:55 pm