To the OP (you didn't sign your post, and I get the giggles every time I see "boo boo ball"...)...I've added my comments inline...

> I have a question. Given the following conditions
> what would you think happened?
>
> Subject computer=MS NT Workstation 4.0 service pack 6a
>
> 1. Several profiles under c:\winnt\profiles\ were
> accessed at 3 am, but not the profile of the user who
> was logged on at the time.

Can you be more specific about what you mean by that? Are you saying that the last access times for the directories each show the same last access time, except for the logged in user? Or are you referring to the files in each directory? What time was the profile directory of the logged in user last accessed?

> 2. The workstation is in a building where everyone is
> at home at that time. The user typically locks
> his/her account and leaves the computer on all night.
>
> 3. When a user logs on an SMS batch job is also run
> and it shows the last entry in its logs being from the
> day before. A user was logged onto the workstation
> when it was confiscated so it seems to indicate that
> the user was logged in a day before the odd 3 am
> access and a day afterwards as well without
> interruption due to power loss, or someone else
> logging on.
>
> 4. Evidence was acquired with write blocks placed on
> the subject drive so the time stamps should be
> unaltered by the acquisition process. The software
> used to acquire was Encase v3.9 and when the
> workstation was confiscated it was not shutdown
> gracefully but rather the power cord was unplugged.
> It was hoped this would leave the workstation HD in a
> state equal to the state it was in when in use.
>
> 5. The workstation had the local time settings set correctly.
>
> 6. Other than Outlook, the user doesn't have programs
> running when they lock the workstation for the night.

What about when the workstation was confiscated?
Was any attempt made to collect volatile data from the workstation prior to shutting it down?

> 7. The workstation is behind a firewall without known
> direct connections to the Internet.

Was any information regarding network connections collected from the system prior to it being shut down?

> My question is, does this actually mean anything?

Perhaps, perhaps not. It's pretty clear to me that we don't have all of the information. For example, what was the event that required that the system be confiscated? Surely the system would not have been confiscated and a dupe made of the drive simply because the last access times of some profiles were at 3am. That's a lot of time and effort (and expense) for something that could simply have been FindFast...after all, this is an NT4.0SP6 workstation, right? Is/was MSOffice installed? Since no process information seems to have been collected from the system prior to shutdown, we don't know if findfast.exe was running at the time...but you could tell us, from the image, whether findfast is set to run via the StartUp directory or Registry.

> Could it be that there's some file or program on MS NT
> systems that periodically look through the files under
> winnt\profiles\ and that's why the access times are
> showing access at 3 am?

Yes, sure, it could. But without a more comprehensive view of the system, we won't know. Forensics analysts don't hang their analyses on one piece of information...there needs to be corroborating evidence to support the analysis. As I said above, it could be anything. FindFast, perhaps some other application had been installed...but we don't know. In fact, all we can do is wildly speculate...we don't know what was running when the system was shutdown. In order to recreate this, you'd have to re-start the system, and perform all of the tasks that the user did prior to the system being confiscated.
> Or, does all of this mean
> that someone had to have accessed the workstation and
> done some action which would cause the access time
> stamps to read a last access of 3 am?

Depends...was logging enabled? If so, was the system recording logins via the EventLog? Was Process Tracking enabled? If so, maybe a process initiated just prior to 3am that would account for the activity. Was the Task Scheduler running? If so, have you interviewed the user or the admins to see if they regularly use the Task Scheduler for anything? You mentioned SMS...was there an SMS job running at 3am?

> I'm not a MS wiz by any means having spent most of my
> time on *nix boxen so am not completely familiar with
> the programs NT runs. Do the standard MS NT programs
> periodically access the files in /winnt/profiles of
> the profiles not logged on at that time?

I think that given the information you've presented, that's really too narrow a view to take...forgive the bluntness, please. I'm not going to make any comments on the reasons why EnCase was used here, as there isn't enough information. However, I will suggest that a forensics analysis of a system involves a lot more than simply making an image and then analyzing it...interviewing the user, as well as the admins, may be necessary. Getting an idea of what was running on the system, etc...but then, it isn't clear what you're trying to prove.

To answer your overall question...sure, there is quite a bit that *could* have happened to cause what you saw. However, there just isn't enough information available in your post to do anything except speculate.

HTH...if there is anything I can do to help, just drop me a line...

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
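As an added illustration of the corroboration point above (this is not code from the list post or from any tool it mentions), the script below groups last-access times exported from a profile tree into bursts and summarises each one, so an examiner can see whether the 3 am activity reads like a whole-tree sweep by an indexer (many profiles, directory order, seconds apart) or like a narrower, slower trail. The profile names and timestamps are constructed sample data.

```python
"""Cluster last-access (atime) records from C:\\WINNT\\Profiles into bursts.

A periodic indexer walks every profile in one short sweep; interactive use
touches one profile at a time over a longer period. Grouping atimes by gap
shows which pattern the evidence matches. All input here is constructed.
"""
from datetime import datetime, timedelta

# Constructed sample: (path, last-access time) as an examiner might export
# them from an image. Profile names are hypothetical; "dave" is logged on.
SAMPLE = [
    (r"C:\WINNT\Profiles\alice\ntuser.dat", "2002-05-14 03:00:02"),
    (r"C:\WINNT\Profiles\alice\Desktop", "2002-05-14 03:00:03"),
    (r"C:\WINNT\Profiles\bob\ntuser.dat", "2002-05-14 03:00:07"),
    (r"C:\WINNT\Profiles\bob\Start Menu", "2002-05-14 03:00:08"),
    (r"C:\WINNT\Profiles\carol\ntuser.dat", "2002-05-14 03:00:12"),
    (r"C:\WINNT\Profiles\dave\Desktop", "2002-05-13 17:42:10"),
    (r"C:\WINNT\Profiles\dave\ntuser.dat", "2002-05-14 08:01:30"),
]

def profile_of(path):
    """Return the profile (user) directory name for a path under Profiles."""
    parts = path.split("\\")
    idx = [p.lower() for p in parts].index("profiles")
    return parts[idx + 1]

def bursts(records, gap=timedelta(seconds=60)):
    """Sort records by atime and split them where successive gaps exceed `gap`."""
    parsed = sorted((datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), p) for p, t in records)
    groups, current = [], [parsed[0]]
    for item in parsed[1:]:
        if item[0] - current[-1][0] <= gap:
            current.append(item)
        else:
            groups.append(current)
            current = [item]
    groups.append(current)
    return groups

def describe(burst, logged_on):
    """Summarise a burst: profiles touched, span, and whether it resembles a sweep."""
    profiles = []
    for _, path in burst:
        name = profile_of(path)
        if name not in profiles:
            profiles.append(name)
    span = burst[-1][0] - burst[0][0]
    # A sweep touches several profiles in directory order within a short span.
    sweep = (len(profiles) > 1 and profiles == sorted(profiles, key=str.lower)
             and span <= timedelta(minutes=5))
    return {"start": burst[0][0], "span_s": int(span.total_seconds()),
            "profiles": profiles, "skips_logged_on": logged_on not in profiles,
            "looks_like_sweep": sweep}
```

A sweep that skips only the logged-on user's profile is consistent with that profile's files being held open, which is one more piece to check against the Registry Run keys, StartUp folder and scheduler logs rather than a conclusion on its own.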
This archive was generated by hypermail 2b30 : Mon May 20 2002 - 06:19:23 PDT