Security Basics mailing list archives

RE: help with forensics on a desktop computer


From: "dave kleiman" <dave () isecureu com>
Date: Fri, 12 Nov 2004 16:04:32 -0500

Yes,

It is called the Security Event Log, and it is built into the OS. It will
tell you how, who and from where somebody logged in.

Look for EventID 528; 538; 540; 551; 552

Login types:
'2=Interactive' 
'3=Network'
'4=Batch'
'5=Service'
'6=Proxy'
'7=Unlock'
'8=NetworkCleartext'
'9=NewCredentials'
'10=RemoteInteractive'
'11=CachedInteractive'
'13=CachedRemoteInteractive'
'14=CachedUnlock'

For instance, you would see 528 and a type 10 for a terminal service logon.

But, you have to turn on the Security Auditing in your Local Security
Policy: Local Policy: Audit Policy: Turn on Success and Failure for those
things you want to audit.

______________________________________
Dave Kleiman, CISSP, CISM, CIFI, MCSE
www.SecurityBreachResponse.com
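As an added illustration of the lookup Dave describes (this is not code from the post or from any tool it mentions): the script below decodes legacy Security log records by event ID and logon type, picks out successful logons whose type says they did not come from the console (3, 8 and 10), and lists sessions that were opened but never logged off. The Security log itself is binary, so the script assumes the records have already been exported to a simple comma-separated layout; that layout, the field names, and the sample rows are constructed for the example. Only logon types 2 through 11 are included in the table.

```python
"""Summarise legacy (NT/2000/XP) Windows Security log logon events.

Added example, not code from the mailing-list post. It reads a constructed,
comma-separated export of Security log records; the real log is binary and
would normally be exported from Event Viewer first, so the field layout
(event_id,timestamp,user,logon_type,source,logon_id) is an assumption.
"""
import csv
import io
from dataclasses import dataclass
from typing import Optional

# Event IDs named in the post, with their legacy (pre-Vista) meanings.
EVENT_NAMES = {
    528: "Successful logon",
    538: "User logoff",
    540: "Successful network logon",
    551: "User initiated logoff",
    552: "Logon using explicit credentials",
}

# Logon types 2-11 as listed in the post.
LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 6: "Proxy",
    7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
    10: "RemoteInteractive", 11: "CachedInteractive",
}

# Types that imply the session originated somewhere other than the console.
REMOTE_TYPES = {3, 8, 10}

# Constructed sample export (hypothetical hosts and addresses).
SAMPLE = """event_id,timestamp,user,logon_type,source,logon_id
528,2004-11-11 08:02:15,client,2,HOMEPC,(0x0;0x1A2B3)
538,2004-11-11 08:45:00,client,2,HOMEPC,(0x0;0x1A2B3)
528,2004-11-11 23:14:07,client,10,192.0.2.44,(0x0;0x2C4D5)
552,2004-11-11 23:14:08,client,,192.0.2.44,(0x0;0x2C4D5)
540,2004-11-12 01:03:30,Administrator,3,WORKSTATION7,(0x0;0x3E6F7)
538,2004-11-12 01:03:31,Administrator,3,WORKSTATION7,(0x0;0x3E6F7)
"""


@dataclass
class LogonEvent:
    event_id: int
    timestamp: str
    user: str
    logon_type: Optional[int]   # empty for events that carry no type (e.g. 552 here)
    source: str                 # workstation name or address recorded in the event
    logon_id: str               # ties a logon to its later logoff


def parse_export(text: str) -> list[LogonEvent]:
    """Parse the assumed CSV layout into LogonEvent records."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        ltype = row["logon_type"].strip()
        events.append(LogonEvent(
            event_id=int(row["event_id"]),
            timestamp=row["timestamp"],
            user=row["user"],
            logon_type=int(ltype) if ltype else None,
            source=row["source"],
            logon_id=row["logon_id"],
        ))
    return events


def describe(ev: LogonEvent) -> str:
    """Readable form, e.g. '528 (Successful logon) type 10 RemoteInteractive'."""
    name = EVENT_NAMES.get(ev.event_id, "other event")
    if ev.logon_type is None:
        return f"{ev.event_id} ({name})"
    tname = LOGON_TYPES.get(ev.logon_type, "unknown type")
    return f"{ev.event_id} ({name}) type {ev.logon_type} {tname}"


def remote_logons(events: list[LogonEvent]) -> list[LogonEvent]:
    """Successful logons (528/540) whose type says they did not come from the console."""
    return [e for e in events
            if e.event_id in (528, 540) and e.logon_type in REMOTE_TYPES]


def unmatched_sessions(events: list[LogonEvent]) -> list[LogonEvent]:
    """Logons (528/540) with no matching 538/551 logoff: still open at end of log."""
    opened = {e.logon_id: e for e in events if e.event_id in (528, 540)}
    for e in events:
        if e.event_id in (538, 551):
            opened.pop(e.logon_id, None)
    return list(opened.values())


if __name__ == "__main__":
    evs = parse_export(SAMPLE)
    for e in evs:
        print(f"{e.timestamp}  {e.user:<14} from {e.source:<14} {describe(e)}")
    print("\nRemote logons:")
    for e in remote_logons(evs):
        print(f"  {e.timestamp}  {e.user} from {e.source}  {describe(e)}")
    print("\nSessions without a logoff:")
    for e in unmatched_sessions(evs):
        print(f"  {e.timestamp}  {e.user} {e.logon_id}")
```

On the sample, the 23:14 record is exactly the 528 / type 10 pairing Dave mentions, and the 540 / type 3 entry from another host shows why the source field matters as much as the type: a network logon is only meaningful once you know where it came from. Both checks depend on success auditing for logon events having been enabled beforehand; with auditing off the log simply has no such records.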


-----Original Message-----
From: Undisclosed [mailto:private () somewhere com] 
Sent: Thursday, November 11, 2004 12:33
To: Security Basics[List]
Subject: help with forensics on a desktop computer

An XP box (Home Edition): the client feels that it has been compromised from
remote.
The evidence for this they have gathered from Norton Tools (I am unfamiliar
with any logging feature, though I do not use Norton Tools). I disabled
remote desktop support in services and they called me and said again there
is evidence of access from remote.
Now, the location of the computer in their house is in a small secured room
(access doesn't happen from anyone except the client from there [that they
know of!]). Yes, others live in the house.

Question: is there any effective free or inexpensive (under $100) that
monitors access both local and from remote. Something that can be installed
via administrative account and not detected by anyone else using the
computer? Or tell me if I am dreaming but can be run from a floppy or a
CDROM rather than installed? If I am on the right track maybe something that
puts a log on the A: drive.

Also, is there any software which anyone might have put on it to compromise
it from remote?
I am aware of PCAnywhere and remote assistance (now disabled).
