What do the following conditions lead you to believe?

From: boo boo ball (boo_boo_ballat_private)
Date: Fri May 17 2002 - 10:44:36 PDT


    I have a question.  Given the following conditions, what would you think 
    happened?
    
    Subject computer = MS NT Workstation 4.0, Service Pack 6a
    
    1. Several profiles under c:\winnt\profiles\ were accessed at 3 am, but not 
    the profile of the user who was logged on at the time.
    
    2. The workstation is in a building where everyone is at home at that time.  
    The user typically locks his/her account and leaves the computer on all 
    night.
    
    3. When a user logs on, an SMS batch job is also run, and it shows the last 
    entry in its logs being from the day before.  A user was logged onto the 
    workstation when it was confiscated, so it seems to indicate that the user 
    was logged in a day before the odd 3 am access and a day afterwards as well, 
    without interruption due to power loss or someone else logging on.
    
    4. Evidence was acquired with write blocks placed on the subject drive, so 
    the time stamps should be unaltered by the acquisition process.  The 
    software used to acquire was EnCase v3.9, and when the workstation was 
    confiscated it was not shut down gracefully; rather, the power cord was 
    unplugged.  It was hoped this would leave the workstation HD in a state 
    equal to the state it was in when in use.
    
    5. The workstation had the local time settings set correctly.
    
    6. Other than Outlook, the user doesn't have programs running when they lock 
    the workstation for the night.
    
    7. The workstation is behind a firewall without known direct connections to 
    the Internet.
    
    My question is, does this actually mean anything?  Could it be that there's 
    some file or program on MS NT systems that periodically looks through the 
    files under winnt\profiles\ and that's why the access times are showing 
    access at 3 am?  Or does all of this mean that someone had to have accessed 
    the workstation and done some action which would cause the access time 
    stamps to read a last access of 3 am?
    
    I'm not an MS wiz by any means, having spent most of my time on *nix boxen, so 
    I am not completely familiar with the programs NT runs.  Do the standard MS NT 
    programs periodically access the files in /winnt/profiles of the profiles 
    not logged on at that time?
    
    
    
    
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
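One way to put the "automated sweep or selective access?" question to the acquired image is to bucket the last-access times across the profile tree and look at how many profiles were touched, how tightly the touches cluster, and which profiles were left alone. The script below is an added example, not code from the original post or the list; the sample records, date and profile names are constructed, and the "sweep" heuristic (several profiles touched within a few seconds of each other) is an assumption of the example, not a rule stated in the post.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed sample records in the shape an investigator might export from a
# forensic image: (path, NTFS last-access time). Invented for this example; the
# date, file names and profile names are not from the original post.
SAMPLE_RECORDS = [
    (r"C:\WINNT\Profiles\alice\ntuser.dat",                 "2002-05-15 03:02:11"),
    (r"C:\WINNT\Profiles\alice\Desktop\notes.txt",          "2002-05-15 03:02:11"),
    (r"C:\WINNT\Profiles\bob\ntuser.dat",                   "2002-05-15 03:02:12"),
    (r"C:\WINNT\Profiles\bob\Start Menu\Programs\Word.lnk", "2002-05-15 03:02:12"),
    (r"C:\WINNT\Profiles\carol\ntuser.dat",                 "2002-05-15 03:02:13"),
    (r"C:\WINNT\Profiles\dave\ntuser.dat",                  "2002-05-14 17:41:05"),
    (r"C:\WINNT\Profiles\dave\Desktop\report.doc",          "2002-05-15 09:12:40"),
    (r"C:\WINNT\system32\config\SAM",                       "2002-05-15 03:02:14"),
]

PROFILE_ROOT = PureWindowsPath(r"C:\WINNT\Profiles")
TIME_FMT = "%Y-%m-%d %H:%M:%S"


def _as_dt(value):
    """Accept either a datetime or a 'YYYY-mm-dd HH:MM:SS' string."""
    return value if isinstance(value, datetime) else datetime.strptime(value, TIME_FMT)


def profile_of(path):
    """Return the profile name a path belongs to, or None if it is outside the profile root."""
    try:
        rel = PureWindowsPath(path).relative_to(PROFILE_ROOT)
    except ValueError:
        return None
    return rel.parts[0] if rel.parts else None


def parse_records(records):
    """Turn (path, time string) pairs into (profile, path, datetime) tuples."""
    return [(profile_of(p), p, _as_dt(t)) for p, t in records]


def accesses_in_window(records, start, end):
    """Group profile-directory accesses whose atime falls in [start, end) by profile."""
    start, end = _as_dt(start), _as_dt(end)
    hits = defaultdict(list)
    for prof, path, atime in parse_records(records):
        if prof is not None and start <= atime < end:
            hits[prof].append((path, atime))
    return dict(hits)


def classify_window(records, start, end, max_sweep_span=timedelta(minutes=5)):
    """
    Summarise what happened to the profile tree inside a time window.

    Heuristic (this example's assumption): many profiles touched within seconds of
    each other looks like an automated enumeration (scheduled backup, AV scan,
    indexing); a few files in one profile spread over a longer period looks more
    like interactive use. Profiles present on disk but untouched in the window are
    listed so the analyst can compare them against who was logged on at the time.
    """
    hits = accesses_in_window(records, start, end)
    all_profiles = {prof for prof, _, _ in parse_records(records) if prof is not None}
    times = sorted(t for items in hits.values() for _, t in items)
    span = (times[-1] - times[0]) if times else timedelta(0)
    return {
        "touched": sorted(hits),
        "untouched": sorted(all_profiles - set(hits)),
        "files_touched": sum(len(v) for v in hits.values()),
        "span_seconds": span.total_seconds(),
        "looks_like_sweep": len(hits) >= 2 and span <= max_sweep_span,
    }


if __name__ == "__main__":
    result = classify_window(SAMPLE_RECORDS, "2002-05-15 03:00:00", "2002-05-15 04:00:00")
    for key, value in result.items():
        print(f"{key}: {value}")
```

On the constructed data the 3 am window reports three profiles touched within two seconds and one profile (the one whose user was logged on) untouched, which is the pattern the post describes; the same call against a daytime window shows a single profile with no clustering. Whether a tight multi-profile sweep came from a scheduled job or something else is still the analyst's call, but the report narrows the question to "what on this box runs against every profile at that hour?"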
    



    This archive was generated by hypermail 2b30 : Fri May 17 2002 - 11:25:54 PDT