Solved

Recent File List - Corruption or Invasion?

Posted on 2006-12-01
Last Modified: 2013-12-04
One of my users opened Word today to find that all of her most recent documents under the File menu were documents she hadn't touched in ages, and worse, they were of a personal nature.

She was logged on as herself, and left the computer deserted for a time, but after 10 minutes the screen saver kicks in, and is password protected.  It's possible one of her students snuck in, but that's unlikely - the timing would have to be perfect.  The only other explanation I can think of is this:  I needed to use the computer, so I had to log her off with the administrator password, ending her session ("This will log off the current user").  Does anyone know if this potentially causes corruptions in the recent documents list?

The only other alternative I can think of is that one of the students DID manage to sneak in, which is distressing.  I'm hoping for a different answer that makes sense, because sadly I believe she thinks I did this, and I couldn't offer her any other legitimate solutions :-(.

Thanks
K
0
Question by:stormsurge
7 Comments
 
LVL 9

Expert Comment

by:FixingStuff
ID: 18058233
Look for any remote control software on the machine... like VNC, rAdmin and the like.  Could be a smart student that was able to sneak in via remote control.
Is this machine accessible via the internet? Could it have been hacked via the internet? Scan it for malware.
The only way I know to populate the Recent Docs list is for someone actually using that user profile.
FS-
0
 
LVL 12

Accepted Solution

by:
Phil_Agcaoili earned 250 total points
ID: 18058649
There are 2 different, but completely plausible theories:
1- Corruption -- When you logged her off, she was on file explorer, you hit [Enter] or the select mouse button, launched the documents, and the system kicked her off.
2- Invasion -- Someone came in and read her personal files.

Occam's razor theory states, "All things being equal, the simplest solution tends to be the best one."

So scenario 2 (Invasion) seems to be the most simple answer, even beyond remote control software because this would/should have happened before this series of events and your interaction on her system.

AKA, you're trying to explain away something that is very plausible from a physical sense (she's logged in, walks away...for probably more than 10 mins, someone reads stuff from her system, and then locks the screen when they are done) versus you doing a typical admin function, logging her off her system, that is NOT known to mess with files.

Also, you probably need to remind her that personal documents probably shouldn't be on campus systems or brought on campus for this type of privacy violation and/or, if this was on her personal system, to consider using encryption technology to prevent privacy violations.

All in all, the situation sounds horrific on all sides and I'm sorry you're caught in the middle of it as an admin.
0
 
LVL 1

Author Comment

by:stormsurge
ID: 18058740
Thanks for the quick replies - it IS sort of a horrific situation, and it obviously bothers me.  The worst part is that even if I find out exactly what happened, it's unlikely to be believed.

However, for clarification, I didn't log her off "typically" from her account.  Her computer was locked, so I logged her off using the administrative password, which resulted in the "This will log off the current user. Any unsaved work will be lost." message.  Because I don't do this very often, I was wondering (hoping :-)) that somehow this was the cause of the corruption.

For extra-clarification, she was actually logged on to two machines at the same time, so...

1)  She logs onto machine A
2)  She logs onto machine B (laptop)
3)  She logs off machine B, shuts down and leaves
4)  Machine A locks after 10 minutes
5)  I come in and log her off Machine A using Administrator password
6)  I log in as Admin and perform necessary tasks
7)  I log out

I realize the issues of logging on to two machines at once, but it's not an uncommon occurrence and if anything bad happens, usually it's a profile corruption and not something like recent docs.  These are all XP machines on a 2003 domain.

Thanks again for the words.

K
0
 
LVL 1

Author Comment

by:stormsurge
ID: 18058750
Sorry, last update.  We use roaming profiles, BUT redirect the My Documents folder to a network share.

K
0
 
LVL 19

Expert Comment

by:pheidius
ID: 18058779
I quite agree with the above response from a technical point of view but, as you know that you did not peek and that corruption that just happens to put the most sensitive documents on most recent viewed is wildly implausible then I hear you asking how do I convince my user that I am trustworthy. It seems to me that a very quick demonstration could be made to her that shows her how many ways an admin could peek without her ever having a clue that anything was done. This would also perhaps convince her of the foolishness of having personal documents on a work environment. Once she realizes the peeking could only have been done by an amateur perhaps she might be inclined to set up the sting to catch the real perps. Or you could reject the very idea of being dragged into her territorial female angst and use your internal Gutmann emotional memory shredder to eliminate any emotional attachment to the sets of circumstances and get on with your major work projects at hand.
0
 
LVL 12

Expert Comment

by:Phil_Agcaoili
ID: 18060152
This requires the soft skills that most IT people do not have.

You have a couple of options that a technical response will not solve:
- I would approach it this way, let it go now because you have already stated your position and the facts of the case. Unfortunately, now it's a question of your integrity. This is something that doesn't happen overnight and something that you have to build. More words cannot gain/lose whatever trust she has with you and your integrity.
- You CAN show her that admins have much more power and any admin could have violated any user's privacy on systems they manage, it's part of the job, but as an honest admin you do not invade others' privacy.  Here is your opportunity to restate that personal info should NOT be on business equipment.

I think the latter just furthers that you are proving your innocence, a position of weakness and, perhaps, guilt in my mind.

So again, there is no technical response to explain away that someone "opened" her personal files. There are no absolutes if someone actually read her files.
0
 
LVL 1

Author Comment

by:stormsurge
ID: 18139865
Ok, here's the scoop, just as an FYI.  This has turned into something of a "As The World Turns" drama.  But technologically it's interesting.

After checking her recent document shortcuts, I noticed that on Sunday (5 days before she approached me - on Friday), the documents in question were opened, and the shortcuts created.  Since it was a Sunday, few people were in the building, so I grabbed a record of security entries from our security company (we type a code to enter the building).  Turns out the only person here on Sunday at the time the shortcuts were created was - her.

Also, at the same time were visits to Fantasy Football sites to set line-ups, checking of mail, etc., etc. (thank God for cookies).  So, tactfully, I mentioned that I'd done some further investigation, and noticed that the files were opened at that time, and was it possible she had inadvertently opened them - maybe looking for something else - and just forgotten.  I reminded her of the sites that were visited to jog her memory.

She said it was possible, but she had no recollection of it.  She also said it was unusual that she wouldn't notice the recent documents until Friday when they'd have been there all week long.  I couldn't come up with an answer for that, other than "maybe you just didn't notice?"  She opens almost all documents with the recent shortcuts, though, and used Word quite a bit throughout the week, so that didn't make sense.  Also, I had no idea of who could have opened them, if she hadn't - so I asked her if she was the only one in the building.

Here it all comes together.  Turns out she brought her husband in, and logged him on to a desktop with her profile, while she logged on to her laptop.  He peeked at a few documents, and then left with her.  BUT!  Rather than logging out, he just locked the desktop (while she actually logged off of the laptop).  When I needed to use the desktop machine later that week (Thursday), I logged off the active account - which then wrote the recent documents to her profile, ready for her to read the next day.

It took forEVER to find this, but it looks like it all turned out well in the end.  Thanks to all for help, but I'm awarding the points to Phil for the help.
0
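
The investigation in the last post (date the recent-document shortcuts, then check who had entered the building) can be scripted. The sketch below is an added example, not code from the thread: it reads the target timestamps stored in a `.lnk` file's 76-byte ShellLinkHeader and lists the door codes used shortly before that time. The sample header, dates, door codes and the 4-hour window are constructed, and both clocks are assumed to be UTC; the shortcut's own creation time still comes from the filesystem.

```python
import struct
from datetime import datetime, timedelta, timezone

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10) if ft else None

def dt_to_filetime(dt):
    return int((dt - EPOCH_1601).total_seconds()) * 10_000_000

def parse_lnk_header(data):
    """Timestamps of the link target, as recorded in the shortcut's header."""
    if len(data) < 76:
        raise ValueError("truncated shell link header")
    size, clsid = struct.unpack_from("<I16s", data, 0)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link (.lnk) file")
    created, accessed, written, fsize = struct.unpack_from("<QQQI", data, 28)
    return {"created": filetime_to_dt(created),
            "accessed": filetime_to_dt(accessed),
            "written": filetime_to_dt(written),
            "size": fsize}

def entries_before(event, door_log, window=timedelta(hours=4)):
    """Door codes typed in the window leading up to `event` (entry-only log)."""
    return sorted({code for ts, code in door_log
                   if timedelta(0) <= event - ts <= window})

def build_sample_lnk(accessed):
    """Constructed header for the demo; real ones live in the Recent folder."""
    ft = dt_to_filetime(accessed)
    return struct.pack("<I16sII3QIIIH10x", 0x4C, LNK_CLSID, 0, 0x20,
                       ft, ft, ft, 1024, 0, 1, 0)

# Constructed sample data, not values from the thread.
UTC = timezone.utc
SAMPLE_OPENED = datetime(2006, 11, 26, 14, 30, tzinfo=UTC)
DOOR_LOG = [(datetime(2006, 11, 24, 8, 0, tzinfo=UTC), "code-B"),
            (datetime(2006, 11, 26, 13, 55, tzinfo=UTC), "code-A"),
            (datetime(2006, 11, 26, 20, 0, tzinfo=UTC), "code-C")]

if __name__ == "__main__":
    info = parse_lnk_header(build_sample_lnk(SAMPLE_OPENED))
    print("target last accessed:", info["accessed"].isoformat())
    print("codes used beforehand:", entries_before(info["accessed"], DOOR_LOG))
```

On a live profile, read the first 76 bytes of each shortcut in the user's Recent folder and compare the header times with the shortcut file's own filesystem timestamps before drawing conclusions.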
