User activity groups

pma111
Commented:
I need some sort of general brainstorming from you experts around user activity. Essentially there is a (slight/potential) allegation someone may have compromised another user's domain username/password and logged into the domain from a PC with those credentials. In terms of "what they did" with that account, what areas would you look to for clues? I could do with just a top 5 areas you'd review to see what kind of activity took place. Internet activity is the obvious one, but potentially many, many more. If of any use, the machines are XP.


Author

Commented:
Nobody?
Cris Hanna, Sr IT Support Engineer

Commented:
If the user name/password were used by the alleged perpetrator, there is no particular method to differentiate that activity from the valid user. Unless the activity was performed from a different PC than the one the actual user uses daily.
Most Valuable Expert 2011
Commented:
It is extremely difficult to do anything unless you know exactly what you are looking for... and where.

For some things you can turn on auditing... but it is not on by default... can be a bit more complex than you might first think to deal with... and excessive auditing buries everything in overly massive logs.

The best thing to do is just make the user change their password... end of story. The person who stole them will fail from that point on.

Author

Commented:
> Unless the activity was performed from a different PC than the one the actual user uses daily

We believe so.
Cris Hanna, Sr IT Support Engineer
Commented:
Depending on what your workstations are connecting to and what level of auditing is turned on.

You should be able to check event logs for a particular user and see what machines that username has logged on to.

Here's a site that lists some free forensic tools: http://forensiccontrol.com/resources/free-software/ . Haven't used them, can't vouch for them.

Don't know where your company is, but if you have any evidence at all, this is a personnel issue. If you are in an "at will" employment state, you don't need a reason to let someone go.

Hopefully the compromised password has been changed. In which case you should see failed logons for that account by the person trying to use it.
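The event-log review the answer above describes (which machines a username logged on from, and failed logons after the password change), as an added example that is not part of this thread or anyone's posted code. It assumes the Security log has been exported to a simple CSV with the columns shown, and uses the Windows XP/2003 event IDs 528/540 (successful logon) and 529 (bad password); the sample rows and workstation names are constructed.

```python
"""Summarise per-account logon activity from an exported Windows Security log (example code)."""
import csv
import io
from collections import defaultdict

SUCCESS_IDS = {528, 540}  # XP/2003: interactive and network logon succeeded
FAILURE_IDS = {529}       # XP/2003: unknown user name or bad password

# Constructed sample export, not real data: time,event_id,account,workstation
SAMPLE_LOG = """time,event_id,account,workstation
2011-03-01 08:02:11,528,jsmith,WS-FIN-01
2011-03-01 08:40:57,540,jsmith,WS-FIN-01
2011-03-01 12:15:03,528,jsmith,WS-LAB-07
2011-03-01 12:16:44,540,jsmith,WS-LAB-07
2011-03-02 09:01:19,529,jsmith,WS-LAB-07
2011-03-02 09:01:31,529,jsmith,WS-LAB-07
2011-03-01 08:10:00,528,adoe,WS-HR-02
"""


def summarise_logons(csv_text, usual_workstation):
    """Return {account: {"workstations": [...], "failures": {ws: n}, "unusual": [...]}}.

    usual_workstation maps account -> the PC that user normally works from (an
    assumption supplied by the reviewer). Any other source of a successful logon
    is listed under "unusual": same credentials, different machine, which is the
    clue the thread points at. Failed logons are counted per workstation so a
    burst of 529s after the password change stands out.
    """
    ok = defaultdict(set)
    failed = defaultdict(lambda: defaultdict(int))
    for row in csv.DictReader(io.StringIO(csv_text)):
        eid = int(row["event_id"])
        acct, ws = row["account"].lower(), row["workstation"].upper()
        if eid in SUCCESS_IDS:
            ok[acct].add(ws)
        elif eid in FAILURE_IDS:
            failed[acct][ws] += 1
    report = {}
    for acct in set(ok) | set(failed):
        home = (usual_workstation.get(acct) or "").upper()
        report[acct] = {
            "workstations": sorted(ok[acct]),
            "failures": dict(failed[acct]),
            "unusual": sorted(ws for ws in ok[acct] if ws != home),
        }
    return report


if __name__ == "__main__":
    for acct, info in summarise_logons(SAMPLE_LOG, {"jsmith": "WS-FIN-01"}).items():
        print(acct, info)
```

Accounts with no entry in the usual-workstation map have every logon source reported as unusual, so unknown users are not silently skipped.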
