Unauthorised access, account creation evidence?

9 Posts
6 Users
0 Reactions
821 Views
(@forenz)
Eminent Member
Joined: 18 years ago
Posts: 47
Topic starter  

Hi, I'm working on a case where an ex-employee of a company allegedly gained unauthorised access to the company network. He gained this access via Remote Desktop Connection; once logged on as a certain user whose password he knew, the person in question connected to the main network domain controller using an internal RDP connection. From this point the intruder created a new account within the Active Directory named (for the sake of this post) "Backup2". He then logged off the first account and then re-connected to log onto the new account he created.

There is a lot of evidence I have found myself. However, my question is:

Is it possible to locate and retrieve any records of the time and date for which the user account “Backup2” was created? I suspect that it is. If so can anyone point me in the right direction to find this evidence?

Thanks in advance for any help, guys.


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

> Is it possible to locate and retrieve any records of the time and date for
> which the user account “Backup2” was created? I suspect that it is. If so can
> anyone point me in the right direction to find this evidence?

Depending on how logging was configured in AD, you may be able to find that information in the event log, under "account management".

Another option would be to go to each machine that the intruder logged into and check the creation date of the NTUSER.DAT file in the "Backup2" profile. While less exact than an event record in your Event Log showing when the account was created, by going to the first machine the intruder logged into, you'll be able to get an approximation.

HTH,

H


cinux
(@cinux)
Eminent Member
Joined: 20 years ago
Posts: 21
 

Look for event id 624 in the security log of the DC. This event will be accompanied by at least 2 subsequent event ID 642s and one 627.
627 - Change Password Attempt
642 - User Account Changed

HTH,

CnX


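An added example, not from any poster in this thread, that applies CnX's rule to a constructed export of Security log records: it finds each account-created record, checks that the same target account shows the accompanying "changed" and "change password attempt" records, and accepts either the legacy 624/642/627 IDs or their Vista/2008-and-later equivalents 4720/4738/4723. The account names and timestamps are made up for the example.

```python
"""Find when an AD account was created by correlating Security log records.
Sample records are constructed for this example.  Legacy (2000/2003) IDs:
624 = User Account Created, 642 = User Account Changed, 627 = Change
Password Attempt; on Vista/2008+ the same events are 4720, 4738, 4723."""
from collections import defaultdict
from datetime import datetime, timedelta

CREATED, CHANGED, PWD_ATTEMPT = 624, 642, 627
MODERN_TO_LEGACY = {4720: CREATED, 4738: CHANGED, 4723: PWD_ATTEMPT}

# Constructed sample export: (timestamp, event id, target account).
# 528/538 are legacy logon/logoff records, left in as noise to ignore.
SAMPLE_EVENTS = [
    ("2008-03-11 22:14:03", 528, "jsmith"),   # logon with the known password
    ("2008-03-11 22:17:41", 624, "Backup2"),  # User Account Created
    ("2008-03-11 22:17:41", 642, "Backup2"),  # User Account Changed
    ("2008-03-11 22:17:42", 627, "Backup2"),  # Change Password Attempt
    ("2008-03-11 22:17:42", 642, "Backup2"),  # User Account Changed
    ("2008-03-11 22:19:05", 538, "jsmith"),   # logoff
    ("2008-03-11 22:19:30", 528, "Backup2"),  # first logon with the new account
]

def find_account_creations(events, window_seconds=60):
    """Return {account: details} for each account-created record.  A creation
    is 'corroborated' when the same target shows >= 2 changed records and
    >= 1 password attempt within window_seconds, the trail a normal AD user
    creation leaves.  No 624/4720 at all usually means 'Audit account
    management' was not enabled, so fall back to other artefacts."""
    by_account = defaultdict(list)
    for ts, event_id, target in events:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        by_account[target].append((when, MODERN_TO_LEGACY.get(event_id, event_id)))

    results = {}
    for account, records in by_account.items():
        records.sort()
        for when, event_id in records:
            if event_id != CREATED:
                continue
            deadline = when + timedelta(seconds=window_seconds)
            followers = [e for t, e in records if when <= t <= deadline]
            changed, pwd = followers.count(CHANGED), followers.count(PWD_ATTEMPT)
            results[account] = {
                "created": when,
                "changed_events": changed,
                "password_attempts": pwd,
                "corroborated": changed >= 2 and pwd >= 1,
            }
    return results
```

A creation that is not corroborated (a 624 with no trailing 642/627 records) is still worth reporting; it may simply mean the records were rolled out of the log, or that the account was created by a tool that sets attributes differently.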
(@verdad)
Active Member
Joined: 18 years ago
Posts: 12
 

BTW people, how do we know folks that ask some of these questions aren't simply people who are trying to reverse engineer the very issue which he now seeks help with? It would seem useful to me to probe more and ask questions which would hopefully sort out the "good guys" from the bad, so to speak, so we don't actually help too much.

I can't tell you how many civil cases I have had where I discovered that someone had an axe to grind against my client and did a whole bunch of Scooby sleuthing to attempt to re-create the facts as they wanted them to exist. Thankfully most of these people are crazy idiots and fail to check other things which are readily evident to most of us, but you get my point.

No offense forenz, and hopefully you recognize that in many civil cases involving employees, there is almost always more involved than meets the eye. When I handle these, I make sure I fully understand the facts in and outside the box. One of these facts may include the possibility of sabotage or set-up by someone other than the so called bad guy you've been hired to go after. Don't let the thrill of the hunt obscure your vision. If so, you will do so at your own peril, especially with so many computer experts being sued for failing to do some of the things I just mentioned.

While not a huge fan of Jason Coombs, I concur with some of his observations about this sort of issue.

Cheers everyone.


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Verdad,

Interesting position…I think that most of us are fully aware of the potential you raise, but this is a public forum, of which you're now a member. If you do not agree with what transpires, you do not have to join. However, my guess is that you joined this forum in order to get information…which is the same purpose others join.

> It would seem useful to me to probe more and ask questions…

Such as? What questions would you ask? I see that you make the suggestion that others do the asking, yet you ask none of your own.

How do we know that *you* don't have nefarious intentions?


(@forenz)
Eminent Member
Joined: 18 years ago
Posts: 47
Topic starter  

> Look for event id 624 in the security log of the DC. This event will be accompanied by at least 2 subsequent event ID 642s and one 627.
> 627 - Change Password Attempt
> 642 - User Account Changed
>
> HTH,
>
> CnX

Should there definitely be an event ID of 624 in the security log? I take it this event ID relates to the creation of new accounts.


(@nbeattie)
Eminent Member
Joined: 20 years ago
Posts: 26
 

If the account still exists within AD, you can also look on the Object tab for the user account. It will tell you when the account was created, but you need to ensure that the "Advanced Features" option is turned on under the View menu in AD Users and Computers.


(@verdad)
Active Member
Joined: 18 years ago
Posts: 12
 

Nefarious intentions…I like that one. Intentions like what? Asking people to ponder the advice they give in a public forum, before they give it. Yup, you got me. Actually I peruse the forums every couple of months or so because while I don't take the advice directly, it often sparks or spins off other things I ought to consider in my case reviews.

First of all, this is not an attack of you, or anyone else trying to help others. I do not mean to offend. However, it makes sense to me, to exercise the same degree of caution in giving out advice over the internet as we do in rendering an opinion to a client.

Call me cynical, but I can't imagine that 100% of people that ask these questions here, or on any other public forum, are just nice, good-intentioned folks trying to do their jobs. I think we all know better than that. Moreover, if you acknowledge that there are passive lurkers, roaming your posts and looking for information for their nefarious activities, then that is all the more reason to consider what is posted to answer questions.

As this is indeed a public forum, I think we need to make sure we self-monitor our responses, to some extent. How one does that is up to the person answering the question and is fact sensitive. If you don't feel you need to, godspeed to you. Given the litigious climate we find ourselves in, it makes sense to at least consider it.

(And this is putting all the chain of custody issues aside, of course….).


steve862
(@steve862)
Estimable Member
Joined: 19 years ago
Posts: 194
 

Hi,

It's worth pondering a moment on what we post on public forums because our remarks will end up out there to be found by all and sundry for years or decades to come. You can stumble into these forums from Google for example.

The dim-witted questions we asked, the dim-witted answers we gave may come back to haunt us but that shouldn't put anyone off seeking help or trying to offer help.

Very slightly off topic, but I used to write reviews of DVDs I had seen, having hired them from a subscription-based DVD rental club. I was surprised to learn that the company shares their customer reviews with about 10 other companies. So my reviews are now being read by a much larger customer base than I had previously thought. I can just imagine how easy it becomes for any person to research me the more I put out there in the public domain.

Cue to stop typing now.

Steve

