Ralph,

Interesting situation you have on your hands...

> I was asked to come and investigate for signs of
> mis-use, abuse, or "hacking".

Can you be more specific? For example, are you looking for students changing grades or files? Or running hacking tools? Or surfing porn sites?

> How would one go about analyzing a live system like
> this? I can't arouse too many suspicions as I was asked
> to catch the person/people involved in this activity.
> Where would you start?

I'd start by disabling the object access logging...you're flooding yourself w/ a lot of confusing data. I'd go w/ searches for files (easy enough to script in Perl), and update the logging (log file size, etc.), and include Process Tracking, Policy Change, and Privilege Use. I might add Account Management to track the creation of new user accounts. Also audit the accounts themselves for privileges and group membership...again, easy to do in Perl.

Perhaps once you narrow it down, you'd want to go w/ sniffing or a keylogger of some kind...

Carv

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
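Carv's suggested workflow (drop the Object Access flood, watch Account Management and Policy Change events, keep Process Tracking, then audit group membership) as an added Python example. This is not Carv's Perl script and is not part of the original thread. The event IDs are the Windows 2000/XP Security-log IDs of the period together with their Vista-and-later equivalents; the CSV export, host and account names, file paths and group snapshots are all constructed for the example, and the CSV column layout is an assumption about how one might dump the log, not a Microsoft format.

```python
"""Added example (not from the thread): triage a Windows Security-log
export the way Carv's reply suggests -- drop Object Access noise, raise
on Account Management / Policy Change events, correlate activity by any
freshly created account, and diff privileged-group membership."""
import csv
import io

# Windows 2000/XP Security-log event IDs (the era of the thread) together
# with their Vista-and-later equivalents.
ACCOUNT_CREATED  = {624, 4720}             # User Account Created
GROUP_MEMBER_ADD = {632, 636, 4728, 4732}  # member added to global/local group
AUDIT_POLICY_CHG = {612, 4719}             # Audit Policy Change
PROCESS_CREATED  = {592, 4688}             # Process Tracking
LOGON_SUCCESS    = {528, 4624}             # Successful Logon
OBJECT_ACCESS_CATEGORY = "Object Access"   # the flood Carv says to turn off

PRIVILEGED_GROUPS = {"Administrators", "Domain Admins"}

# Constructed sample export (invented accounts and paths) in an assumed flat
# CSV layout.  Columns: time, event_id, category, actor (who did it),
# object (account created, image path, or file touched), group (membership
# changes only).
SAMPLE_EXPORT = """\
time,event_id,category,actor,object,group
2003-02-06 08:01:02,560,Object Access,jsmith,C:\\grades\\math101.xls,
2003-02-06 08:01:02,560,Object Access,jsmith,C:\\grades\\math101.xls,
2003-02-06 08:01:03,560,Object Access,jsmith,C:\\grades\\math101.xls,
2003-02-06 22:14:10,612,Policy Change,labadmin,,
2003-02-06 22:15:30,624,Account Management,labadmin,helpdsk2,
2003-02-06 22:15:41,636,Account Management,labadmin,helpdsk2,Administrators
2003-02-06 22:16:05,528,Logon/Logoff,helpdsk2,,
2003-02-06 22:16:30,592,Detailed Tracking,helpdsk2,C:\\temp\\tool.exe,
"""

# Constructed group snapshots: a baseline taken earlier and the live state.
BASELINE_MEMBERS = {"Administrators": {"Administrator", "labadmin"},
                    "Users": {"jsmith", "mjones"}}
CURRENT_MEMBERS = {"Administrators": {"Administrator", "labadmin", "helpdsk2"},
                   "Users": {"jsmith", "mjones", "helpdsk2"}}


def parse_export(text):
    """Parse the CSV export into a list of dicts with integer event IDs."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["event_id"] = int(row["event_id"])
        events.append(row)
    return events


def triage(events):
    """Return (alerts, dropped): alerts are (severity, time, message) tuples
    in log order; dropped counts the Object Access records ignored."""
    alerts, dropped, new_accounts = [], 0, set()
    for e in events:
        eid, t = e["event_id"], e["time"]
        if e["category"] == OBJECT_ACCESS_CATEGORY:
            dropped += 1          # noise for this investigation; skip it
            continue
        if eid in AUDIT_POLICY_CHG:
            alerts.append(("HIGH", t, f"audit policy changed by {e['actor']}"))
        elif eid in ACCOUNT_CREATED:
            new_accounts.add(e["object"])
            alerts.append(("MED", t, f"account {e['object']} created by {e['actor']}"))
        elif eid in GROUP_MEMBER_ADD:
            sev = "HIGH" if e["group"] in PRIVILEGED_GROUPS else "LOW"
            alerts.append((sev, t, f"{e['object']} added to {e['group']} by {e['actor']}"))
        elif eid in (LOGON_SUCCESS | PROCESS_CREATED) and e["actor"] in new_accounts:
            # Any use of an account created within this export is worth a look.
            what = e["object"] or "logon"
            alerts.append(("HIGH", t, f"new account {e['actor']} active: {what}"))
    return alerts, dropped


def diff_group_membership(baseline, current):
    """Compare {group: set(members)} snapshots; return {group: (added, removed)}
    for every group whose membership changed."""
    changes = {}
    for group in set(baseline) | set(current):
        added = current.get(group, set()) - baseline.get(group, set())
        removed = baseline.get(group, set()) - current.get(group, set())
        if added or removed:
            changes[group] = (sorted(added), sorted(removed))
    return changes


if __name__ == "__main__":
    alerts, dropped = triage(parse_export(SAMPLE_EXPORT))
    print(f"dropped {dropped} Object Access records")
    for sev, t, msg in alerts:
        print(sev, t, msg)
    for group, (added, removed) in diff_group_membership(BASELINE_MEMBERS, CURRENT_MEMBERS).items():
        print(f"{group}: +{added} -{removed}")
```

On the constructed data the three Object Access records are discarded, and the five remaining events tell the story in order: an audit-policy change, a new account, that account landing in Administrators, then a logon and a process start under it. The membership diff catches the same new administrator independently of the log, which matters when the attacker's first move was the audit-policy change.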
This archive was generated by hypermail 2b30 : Thu Feb 06 2003 - 18:25:41 PST