Donning an investigative hat
From: "WALI" <hkhasgiwale () gmail com>
Date: Fri, 17 Aug 2007 18:17:11 +0400
Want to investigate an issue that seems to delve a bit into IT Forensics and
seek your help.
Here's the scenario.
A Windows 2000 networked PC belonging to abc domain, is in possession of a
secretary, has a confidential Excel file (password protected) lying on her
This file is suddenly found on the desktop of a PC meant for general
internet access, usually logged in as Administrator and is lying on the
desktop of local admin profile. This PC is also connected to the same abc
domain. The file is now in pdf format.
When I checked doc properties of this file, it's created using the domain
username profile of the same secretary.
I check secretary's local hard disk and this pdf doc exists on local HDD but
secretary maintains that she cannot recollect converting excel to doc.
Secretary has lots of share enabled and has admin access to her win2k PC.
It's not patched and has lots of vulnerabilities when I did a Nessus scan.
How to find the IP from where the file reached general access PC if it was
shifted thru a network drive?
If secretary did not convert this Excel file to doc, then someone first
cracked Excel password and then converted to pdf. Why would someone convert
to pdf if the information has been already obtained via cracked Excel file?
Seems like the secretary herself forgot.
How can I go forward in this investigation?