
Client Security Risk - Logs of user activities? Logs of deleted files? Recover?

Last Modified: 2012-02-14
I have a client - has 1 PC but it's very critical to a community of high end homes

Client has an admin account in Windows XP and has sensitive data on it

When manager is not there, the employee (24/7 staffed)  will use a limited user XP account


We have reason to believe the system was compromised. Client fired an employee that has some potential hacking capability.

A folder of sensitive data was found copied to a different location that the limited account could access.

1) The Administrator "Back Door" account has been possibly reset. I want to know if there is a log of when/if the Back Door account password was changed??

2) The folder that was copied shows a date with a timestamp of 2009. I want to know if there's a way to verify if that timestamp is accurate. For example, the hacker could just reset Windows time to that date, create the folder, then copy the files over and it would keep that timestamp.

3) Are there any 3rd party companies that the hard drive could be sent to, that charge a fee, to see if files have been deleted or modified? For example there is a copy of an XLS file that may go to a certain date in 2009. We want to know if the information after that was deleted, or if it was actually copied in 2009.

Any help would be appreciated. I know this is a pretty random thing, but it is critically important.
CERTIFIED EXPERT

Commented:
Thanks Masqueraid.

SOS_Support, could you now click the "Request Attention" link.  In my opinion the recent change to Experts-Exchange site has made it less than ideal for experts to immediately see what new questions have been asked in their preferred zones (topic areas).  Requesting attention will alert those experts subscribed to the Digital Forensics area that your question needs attention.

Bill
CERTIFIED EXPERT

Commented:
Aaah, good.  Cheers Masqueraid.
btan, Exec Consultant
CERTIFIED EXPERT
Distinguished Expert 2019
Commented:
Jason Kidman, IT Consultant & CEO

Author

Commented:
ChopOMatic

Thanks for the message. If you provide a 3rd party service for this, I am interested. I am not a "specialist" in this regard.

Breadtan: those are things I could try. It will depend on what my client wants to do and what expense they want to go with, (a 3rd party or having me just try some things like you mentioned). Regarding the information you provided breadtan, would it need to be XP Pro? The OS on this is XP Home.
David Johnson, CD, Simple Geek from the '70s
CERTIFIED EXPERT
Distinguished Expert 2019
Commented:
Hi SOS, my personal email is like my EEname. And I use that service that Google provides.
btan, Exec Consultant
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Not available in XP Home though. As of now, do not use the machine further, so as to avoid losing evidence inadvertently... checking via the cloned version is needed then.
btan, Exec Consultant
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Though audit logging is not configurable in XP Home, the audit logon event and policy changes are enabled by default.

 http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_ipsec_tools.mspx?mfr=true