This email was bounced because the sender address (JRedding@private) is not subscribed to crime. Please reply to the original sender, not me.

--mark
crime owner

-----------------------------------------------------------------------

Date: Wed, 18 Feb 2004 14:52:14 -0800
From: "Jacob E. Redding" <JRedding@private>
Reply-to: Jredding@private
To: crime@private
Subject: IT forensics advice

Could anyone help out with some advice on how to track down an internal "hacker"?

At this point we know that someone was able to enable the Guest account AND add that account to the administrators group. Also there is "new" additional mail relaying through our SMTP servers. Also the person in question has gained physical access to the servers, as we have found evidence of an additional machine being connected in our DMZ for a short period of time.

Now while we have some evidence as to the machine and IP address, we need advice on how to reference that information to a physical person, and we would like "legal" evidence (for reasons I won't go into, but let's just say some people are not happy).

Thanks in advance for any tips, suggestions and advice you can lend.

-Jacob Redding
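An added example, not part of the original post or any reply to it: the two changes the poster describes (Guest enabled, Guest added to Administrators) are each logged by Windows as a security event that carries the subject account and logon session that made the change, and the matching logon event carries the workstation name and source address of that session. Correlating the three attributes the change to an account on a specific machine, which is the first step toward a person. The log lines below are constructed to imitate a CSV export of the Security log; the column layout is an assumption of this example, and the event IDs (4624 logon, 4722 account enabled, 4732 member added to a local group) are the Windows Vista-and-later numbering, not the Windows 2000/2003 numbering in use when the post was written. The constructed workstation, user and IP values are placeholders, not evidence from the page.

```python
"""Attribute privileged account changes to the logon session that made them.

Constructed example: parses a CSV-style export of the Windows Security log and
links each 'account enabled' and 'added to Administrators' event to the logon
event for the same Logon ID, yielding the account, workstation and source IP.
"""
import csv
import io

# Windows Security event IDs (Vista and later numbering)
EVENT_LOGON = "4624"                    # An account was successfully logged on
EVENT_ACCOUNT_ENABLED = "4722"          # A user account was enabled
EVENT_LOCAL_GROUP_MEMBER_ADDED = "4732" # A member was added to a security-enabled local group
ADMINISTRATORS_SID = "S-1-5-32-544"     # well-known SID of the local Administrators group

# Constructed sample export (column layout is an assumption of this example).
# For 4624 rows, subject_user/subject_logon_id hold the new session's account
# and Logon ID; 'extra' carries key=value pairs taken from the event body.
SAMPLE_LOG = """\
time,event_id,subject_user,subject_logon_id,target,extra
2004-02-17T22:41:03,4624,CORP\\svc_backup,0x3e7a1,,WS=FILESRV01;IP=10.0.1.15;LogonType=10
2004-02-17T22:41:09,4624,CORP\\jdoe,0x3f2c9,,WS=DMZ-LAPTOP;IP=192.168.5.77;LogonType=10
2004-02-17T22:43:51,4722,CORP\\jdoe,0x3f2c9,Guest,
2004-02-17T22:44:20,4732,CORP\\jdoe,0x3f2c9,Guest,GroupSID=S-1-5-32-544;Group=Administrators
2004-02-17T23:02:11,4624,CORP\\jdoe,0x40011,,WS=MAILRELAY;IP=10.0.2.8;LogonType=3
"""


def parse_extra(extra):
    """Turn 'k=v;k=v' into a dict; an empty field yields an empty dict."""
    out = {}
    for part in extra.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key] = value
    return out


def is_privilege_change(row, extra):
    """True for 'account enabled' or 'added to local Administrators' events."""
    if row["event_id"] == EVENT_ACCOUNT_ENABLED:
        return True
    return (row["event_id"] == EVENT_LOCAL_GROUP_MEMBER_ADDED
            and extra.get("GroupSID") == ADMINISTRATORS_SID)


def attribute_changes(log_text):
    """Return one finding per privilege change, joined to its logon session.

    Each finding is a dict with event_id, target, subject_user, workstation,
    ip and time. Sessions are keyed on Logon ID, which is unique per logon on
    a given host, so a change is attributed only to the session that made it.
    """
    sessions = {}   # logon_id -> {"user", "ws", "ip"}
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        extra = parse_extra(row["extra"])
        if row["event_id"] == EVENT_LOGON:
            sessions[row["subject_logon_id"]] = {
                "user": row["subject_user"],
                "ws": extra.get("WS", "?"),
                "ip": extra.get("IP", "?"),
            }
        elif is_privilege_change(row, extra):
            session = sessions.get(row["subject_logon_id"], {})
            findings.append({
                "event_id": row["event_id"],
                "target": row["target"],
                "subject_user": row["subject_user"],
                # '?' marks a session whose logon event was not in the export
                "workstation": session.get("ws", "?"),
                "ip": session.get("ip", "?"),
                "time": row["time"],
            })
    return findings


def origins(findings):
    """Distinct (user, workstation, ip) triples behind the findings."""
    return sorted({(f["subject_user"], f["workstation"], f["ip"]) for f in findings})


if __name__ == "__main__":
    for f in attribute_changes(SAMPLE_LOG):
        print(f"{f['time']} event {f['event_id']} on {f['target']}: "
              f"{f['subject_user']} from {f['workstation']} ({f['ip']})")
    print("origins:", origins(attribute_changes(SAMPLE_LOG)))
```

Run it against an export taken from a preserved copy of the log rather than the live server, and keep the unmodified export alongside the output so the correlation can be repeated by someone else. A `?` in the workstation or IP column means the logon event for that session fell outside the exported window, which is itself worth recording.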
This archive was generated by hypermail 2b30 : Thu Feb 19 2004 - 09:11:42 PST