Recently y laptop was taken away from me for "security" examination at JFK
Airport at the security check for a flight to a destination in the Middle
East (known for its stringent security procedures). Given my employment, the
interest in the contents of laptop by these particular security agents was
not entirely surprising.

The logbooks give strong reason for me to believe that security agents
hacked into my (Windows password protected) laptop. I also suspect that my
laptop was connected to the internet given that the Adobe Acrobat Updater had
started and the last "offline content" webpage was the login webpage to my
internet email account whilst I had not recently visited that page. I had
absolutely nothing to hide but feel nevertheless that, absent any probable
cause, this represents a gross invasion of privacy unjustified by any law
enforcement rationale.

How do I confirm that my laptop was hacked into and that it was connected to
the internet? The logbooks have a series of entries which I find difficult
to understand.
Can anybody explain "translate" this particular logbook entry (copied below)
into regular non-IT English? (I've translated some of this into English from
another European language so some of this may not be standard IT-speak.)

Event Type: Control of succesful events
Origin of event: Security
Category of event: Use of authorizations
Event-ID: 576
Date: [deleted for privacy considerations]
Time: [deleted for privacy considerations]
User: NT AUTHORITY\Netwerkservice
Computer: [deleted for privacy considerations]
Description:
Special authorizations granted to a new logon user:
User name: Netwerkservice
Domein: NT AUTHORITY
Logon-ID: (0x0,0x3E4)
Priviledges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege

Is this evidence that my laptop was hacked into?

Many thanks.

From: "Ms. Blond 2007" <Ms. Blond (E-Mail Removed)>

| Recently y laptop was taken away from me for "security" examination at JFK
| Airport at the security check for a flight to a destination in the Middle
| East (known for its stringent security procedures). Given my employment, the
| interest in the contents of laptop by these particular security agents was
| not entirely surprising.
|
| The logbooks give strong reason for me to believe that security agents
| hacked into my (Windows password protected) laptop. I also suspect that my
| laptop was connected to the internet given that the Adobe Acrobat Updater had
| started and the last "offline content" webpage was the login webpage to my
| internet email account whilst I had not recently visited that page. I had
| absolutely nothing to hide but feel nevertheless that, absent any probable
| cause, this represents a gross invasion of privacy unjustified by any law
| enforcement rationale.
|
| How do I confirm that my laptop was hacked into and that it was connected to
| the internet? The logbooks have a series of entries which I find difficult
| to understand.
| Can anybody explain "translate" this particular logbook entry (copied below)
| into regular non-IT English? (I've translated some of this into English from
| another European language so some of this may not be standard IT-speak.)
|
| Event Type: Control of succesful events
| Origin of event: Security
| Category of event: Use of authorizations
| Event-ID: 576
| Date: [deleted for privacy considerations]
| Time: [deleted for privacy considerations]
| User: NT AUTHORITY\Netwerkservice
| Computer: [deleted for privacy considerations]
| Description:
| Special authorizations granted to a new logon user:
| User name: Netwerkservice
| Domein: NT AUTHORITY
| Logon-ID: (0x0,0x3E4)
| Priviledges: SeAuditPrivilege
| SeAssignPrimaryTokenPrivilege
| SeChangeNotifyPrivilege
|
| Is this evidence that my laptop was hacked into?
|
| Many thanks.

No !


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

Ms. Blond 2007 wrote:
> Recently y laptop was taken away from me for "security" examination
> at JFK Airport at the security check for a flight to a destination
> in the Middle East (known for its stringent security procedures).
> Given my employment, the interest in the contents of laptop by
> these particular security agents was not entirely surprising.
>
> The logbooks give strong reason for me to believe that security
> agents hacked into my (Windows password protected) laptop. I also
> suspect that my laptop was connected to the internet given that the
> Adobe Acrobat Updater had started and the last "offline content"
> webpage was the login webpage to my internet email account whilst I
> had not recently visited that page. I had absolutely nothing to
> hide but feel nevertheless that, absent any probable cause, this
> represents a gross invasion of privacy unjustified by any law
> enforcement rationale.
>
> How do I confirm that my laptop was hacked into and that it was
> connected to the internet? The logbooks have a series of entries
> which I find difficult to understand.
> Can anybody explain "translate" this particular logbook entry
> (copied below) into regular non-IT English? (I've translated some
> of this into English from another European language so some of this
> may not be standard IT-speak.)
>
> Event Type: Control of succesful events
> Origin of event: Security
> Category of event: Use of authorizations
> Event-ID: 576
> Date: [deleted for privacy considerations]
> Time: [deleted for privacy considerations]
> User: NT AUTHORITY\Netwerkservice
> Computer: [deleted for privacy considerations]
> Description:
> Special authorizations granted to a new logon user:
> User name: Netwerkservice
> Domein: NT AUTHORITY
> Logon-ID: (0x0,0x3E4)
> Priviledges: SeAuditPrivilege
> SeAssignPrimaryTokenPrivilege
> SeChangeNotifyPrivilege
>
> Is this evidence that my laptop was hacked into?
>
> Many thanks.

No.

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html

Unfortunately I imagine that you have been using the laptop since the
incident. As such you have oblitherated most of what might be evidence.
Computer forensics depends on having access to an unmolested system sooner
rather than later after the incident.

If the nature of your business is of such a critical nature that you are
concerned about your system being accessed, you should be using one of the
many full disk encryption products on the market. These are programs that
run and prevent access to the system pre-bios so that the system cannot even
get booted from a floppy/CD/USB drive. If you are not, and your data is that
sensitive, shame on you.

"Ms. Blond 2007" wrote:

> Recently y laptop was taken away from me for "security" examination at JFK
> Airport at the security check for a flight to a destination in the Middle
> East (known for its stringent security procedures). Given my employment, the
> interest in the contents of laptop by these particular security agents was
> not entirely surprising.
>
> The logbooks give strong reason for me to believe that security agents
> hacked into my (Windows password protected) laptop. I also suspect that my
> laptop was connected to the internet given that the Adobe Acrobat Updater had
> started and the last "offline content" webpage was the login webpage to my
> internet email account whilst I had not recently visited that page. I had
> absolutely nothing to hide but feel nevertheless that, absent any probable
> cause, this represents a gross invasion of privacy unjustified by any law
> enforcement rationale.
>
> How do I confirm that my laptop was hacked into and that it was connected to
> the internet? The logbooks have a series of entries which I find difficult
> to understand.
> Can anybody explain "translate" this particular logbook entry (copied below)
> into regular non-IT English? (I've translated some of this into English from
> another European language so some of this may not be standard IT-speak.)
>
> Event Type: Control of succesful events
> Origin of event: Security
> Category of event: Use of authorizations
> Event-ID: 576
> Date: [deleted for privacy considerations]
> Time: [deleted for privacy considerations]
> User: NT AUTHORITY\Netwerkservice
> Computer: [deleted for privacy considerations]
> Description:
> Special authorizations granted to a new logon user:
> User name: Netwerkservice
> Domein: NT AUTHORITY
> Logon-ID: (0x0,0x3E4)
> Priviledges: SeAuditPrivilege
> SeAssignPrimaryTokenPrivilege
> SeChangeNotifyPrivilege
>
> Is this evidence that my laptop was hacked into?
>
> Many thanks.