CRIME [fwd] IT forensics advice

From: Mark Morrissey (markem@private)
Date: Thu Feb 19 2004 - 08:44:54 PST

    This email was bounced because the sender address (JRedding@private) is
    not subscribed to crime. Please reply to the original sender, not me.
    
    --mark
    crime owner
    
    -----------------------------------------------------------------------
    
    Date: Wed, 18 Feb 2004 14:52:14 -0800
    From: "Jacob E. Redding" <JRedding@private>
    Reply-to: Jredding@private
    To: crime@private
    Subject: IT forensics advice
    
      Could anyone help out with some advice on how to track down an internal "hacker".
    
      At this point we know that someone was able to enable the Guest account AND
    add that account to the administrators group. Also there is "new" additional
    mail relaying through our SMTP servers. Also the person in question has gained
    physical access to the servers as we have found evidence of an additional
    machine being connected in our DMZ for a short period of time.
    
      Now while we have some evidence as to the machine and IP address we need
    advice on how to reference that information to a physical person and we would
    like "legal" evidence (for reasons I won't go into, but let's just say some
    people are not happy).
    
      Thanks in advance for any tips, suggestions and advice you can lend.
    
    -Jacob Redding
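The two facts Jacob already has (Guest enabled, Guest added to Administrators) are each written to the Windows Security log as their own audit event, and both carry the Logon ID of the session that made the change. Joining that Logon ID back to the session's logon event gives the account, the workstation name and (for network logons) the source address behind each change. The script below is an added example, not part of the original post or any tool mentioned in it. It reads a constructed export in a hypothetical "timestamp|event_id|key=value" layout; real exports (dumpel, Event Viewer CSV) need their own parse_line(). The event IDs are the real Windows 2000/2003 Security-log IDs (528/540 logon, 626 account enabled, 636 member added to a local group; 4624/4722/4732 on Vista and later), but the field names are my own shorthand for the corresponding fields in the event text.

```python
"""Join Windows 2000/2003 Security-log events so that each "Guest enabled" /
"Guest added to Administrators" record is tied to the logon session, source
workstation and source address that performed it.

Event IDs (Windows 2000/2003 Security log; 4624/4722/4732 on Vista and later):
  528, 540  successful logon (interactive / network): carries Logon ID,
            account, workstation name and, for 540, source network address
  626       user account enabled
  636       member added to a security-enabled local group
"""
from collections import namedtuple

Session = namedtuple("Session", "user domain logon_type workstation source_addr time")

# Constructed sample export in a hypothetical "timestamp|event_id|key=value|..."
# layout; real exports (dumpel, Event Viewer CSV) need their own parse_line().
SAMPLE_LOG = """\
2004-02-17 23:41:02|540|User=svc_backup|Domain=CORP|LogonType=3|LogonID=(0x0,0x3A7B21)|Workstation=WS-117|SourceAddress=10.20.5.41
2004-02-17 23:41:30|528|User=jsmith|Domain=CORP|LogonType=2|LogonID=(0x0,0x3A7C02)|Workstation=DMZ-SRV1|SourceAddress=-
2004-02-17 23:42:10|626|Target=Guest|TargetDomain=DMZ-SRV1|Caller=svc_backup|CallerDomain=CORP|CallerLogonID=(0x0,0x3A7B21)
2004-02-17 23:42:30|636|Member=Guest|Group=Administrators|Caller=svc_backup|CallerDomain=CORP|CallerLogonID=(0x0,0x3A7B21)
2004-02-17 23:50:00|538|User=svc_backup|Domain=CORP|LogonID=(0x0,0x3A7B21)
"""

LOGON_EVENTS = {"528", "540"}
CHANGE_EVENTS = {"626": "account enabled", "636": "added to local group"}


def parse_line(line):
    """'ts|id|k=v|k=v' -> (ts, id, {k: v})."""
    ts, event_id, *fields = line.rstrip("\n").split("|")
    return ts, event_id, dict(f.split("=", 1) for f in fields)


def correlate(log_text):
    """Return one finding per 626/636 event, joined on Logon ID to the logon
    event that opened the caller's session.  Logon ID is unique per session on
    a host, so it is the reliable join key; the caller's user name alone is not
    (one account may hold several sessions from different machines)."""
    sessions = {}   # Logon ID -> Session
    findings = []
    # ISO-style timestamps sort lexically, so a time-ordered pass is a plain sort.
    for line in sorted(l for l in log_text.splitlines() if l.strip()):
        ts, event_id, kv = parse_line(line)
        if event_id in LOGON_EVENTS:
            sessions[kv["LogonID"]] = Session(
                kv["User"], kv["Domain"], kv["LogonType"],
                kv["Workstation"], kv["SourceAddress"], ts)
        elif event_id in CHANGE_EVENTS:
            sess = sessions.get(kv["CallerLogonID"])
            target = kv.get("Target") or kv.get("Member")
            group = kv.get("Group", "")
            findings.append({
                "time": ts,
                "event_id": event_id,
                "action": CHANGE_EVENTS[event_id],
                "target": target,
                "group": group,
                "caller": f"{kv['CallerDomain']}\\{kv['Caller']}",
                "caller_logon_id": kv["CallerLogonID"],
                # None when the session's logon event is absent from the export
                # (log rolled over, or the logon predates the export window).
                "origin_workstation": sess.workstation if sess else None,
                "origin_addr": sess.source_addr if sess else None,
                "logon_type": sess.logon_type if sess else None,
                "guest_to_admin": target.lower() == "guest"
                                  and group.lower() == "administrators",
            })
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_LOG):
        print(f"{f['time']}  {f['event_id']}  {f['target']} {f['action']} "
              f"{f['group']}  by {f['caller']} from "
              f"{f['origin_workstation']} ({f['origin_addr']}), "
              f"logon type {f['logon_type']}"
              + ("  <-- Guest into Administrators" if f['guest_to_admin'] else ""))
```

What this yields is an account, a workstation name and an address, which is still a machine rather than a person: closing that gap needs records outside the server (DHCP leases and switch port or MAC tables for the address at that time, badge or door logs for the physical DMZ access). A missing join (origin fields None) is itself a finding, since it usually means the log rolled over or was cleared; that rollover or clear event is worth locating too. For anything intended as evidence, run this against preserved copies of the exported logs, not the live servers.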
    



    This archive was generated by hypermail 2b30 : Thu Feb 19 2004 - 09:11:42 PST