Security Basics mailing list archives
Donning an investigative hat
From: "WALI" <hkhasgiwale () gmail com>
Date: Fri, 17 Aug 2007 18:17:11 +0400
Hi All,
Want to investigate an issue that seems to delve a bit into IT forensics and seek your help.
Here's the scenario. A Windows 2000 networked PC belonging to the abc domain, in the possession of a secretary, has a confidential Excel file (password protected) lying on her local HDD.
This file is suddenly found on the desktop of a PC meant for general internet access, usually logged in as Administrator, and is lying on the desktop of the local admin profile. This PC is also connected to the same abc domain. The file is now in PDF format.
When I checked doc properties of this file, it's created using the domain username profile of the same secretary.
I check secretary's local hard disk and this pdf doc exists on local HDD but secretary maintains that she cannot recollect converting excel to doc.
Findings: Secretary has lots of shares enabled and has admin access to her Win2k PC. It's not patched and had lots of vulnerabilities when I did a Nessus scan.
Challenge: How to find the IP from where the file reached the general access PC, if it was shifted through a network drive? If the secretary did not convert this Excel file to doc, then someone first cracked the Excel password and then converted it to PDF. Why would someone convert to PDF if the information has already been obtained via the cracked Excel file? Seems like the secretary herself forgot.
How can I go forward in this investigation?