Home page logo
/

basics logo Security Basics mailing list archives

Donning an investigative hat
From: "WALI" <hkhasgiwale () gmail com>
Date: Fri, 17 Aug 2007 18:17:11 +0400

Hi All

Want to investigate an issue that seems to delve a bit into IT Forensics and seek your help.

Here's the scenario.

A windows 2000 networked PC belonging to abc domain, is in posession of a secretary, has a confidential Excel file (password protected) lying on her local HDD.

This file is suddenly found on the desktop of a PC meant for general internet access, usually logged in as Administrator and is lying on the desktop of local admin profile. This pc is alsoconnected to the same abc domain. The file is now in pdf format.

When I checked doc properties of this file, it's created using the domain username profile of the same secretary.

I check secretary's local hard disk and this pdf doc exists on local HDD but secretary maintains that she cannot recollect converting excel to doc.

Findings:

Secretary has lots of share enabled and has admin access to her win2k PC.
It's not patched and has lots of vulnerabilties when I did a nessus scan.

Challenge.

How to find, the IP from where the file reached general access PC is it was shifted thru a network drive? If secretary did not convert this excel file to doc, then someone first cracked excel password and then converted to pdf. Why would someone convert to pdf if the information has been already obtained via cracked excel file. Seems like the secretary hersself forgot.

How can I go forward in this investigation?

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault