Forensic Investigation

SteelCadman

This is a duplicate post; I have also posted this in the Security and Admin board.

Ok, I have used a very specific title for the subject of this post, and rightly so. The company I work for had a tech-savvy employee leave rather suddenly. However, there was activity on this individual's computer after her departure. Files were accessed, not remotely, as the workstation was physically disconnected from the network.

Here's the query: what form of access was performed on the files? Were they copied, or were they just opened? If they were copied, where to? USB, CD burner?

Now, if our IT guy was quick, he would have all systems running XP Pro with security policies set to Fort Knox level. However, we have XP Home, and now I have been asked to figure out the answers to the above questions.

My question is: is it possible after the fact? And if so, how?
I've tried everything I can think of.
 
sgopus

If not remotely, then someone had to sit down at the PC and access them. There is no way to tell what method was used without some kind of security monitoring software installed.

Does the PC have a wireless NIC installed? And how do you know these files were accessed?
 
SteelCadman

We know they were accessed because the "Last Accessed" time stamp is 2 days after the employee's departure. So we are attempting to ascertain if it was done by someone remaining on staff on their behalf, or if they were in the building.

Is there any way of getting a list of files that were accessed during a certain time period?

No, it doesn't have a wireless NIC.
 
SteelCadman

Normally I would do that, except I am at work and our IT guy has limited our access to newsgroups to nil. So I had to use the nifty web-based newsreader.
 
PA Bear

That doesn't preclude crossposting: click on "Advanced Options" in the Reply window.
 
sgopus

You can check Event Viewer. If you have logons audited, it will list the last successful logons, but without some type of video security system you won't be able to prove who it was that actually used that account to log on. If you haven't already done so, disable that logon and audit all logons, both successful and unsuccessful.

If the PC has no internet access, then someone has to have been sitting at the keyboard to access the PC.

I would also check the application event log during that period to see what applications were running. Unless you have certain events set to be captured in the event log, I can't see where you would look to find this evidence. If you suspect there will be future access, install a keylogger and audit more events.
 
sgopus

Check out this article on turning on various events within the system Event Viewer. Basically, it says that unless you already have this turned on, you're SOL. And if you turn on too much detail it will bog down your PC, and most of the more useful detail requires a LAN and an Active Directory domain controller server to track the events.

http://www.ultimatewindowssecurity.com/ebookChapter2.html
 
M.I.5¾

SteelCadman said:
We know they were accessed because the "Last Accessed" time stamp is 2 days after the employee's departure. So we are attempting to ascertain if it was done by someone remaining on staff on their behalf, or if they were in the building.

Actually, interrogating the file properties constitutes an access, so the 'Last Accessed' time stamp will show the last activity on the file even if it was just to check the time stamp itself. 'Last Accessed' has to rate as one of the most stupid features of Windows for this reason.
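The two practical points raised in this thread, SteelCadman's question about listing files touched within a time window and M.I.5¾'s warning that looking at a file can overwrite the very 'Last Accessed' value being examined, can be combined into a small triage script. The following Python is an added example and is not code from anyone in the thread. It walks a directory tree using only `os.lstat` (a metadata call that does not open the file, so it does not itself bump the access time the way Explorer's Properties dialog does on XP), and reports every file whose access or modification time falls inside an inclusive window. The sample tree it builds is constructed for the demonstration; the dates, file names and the assumption that the investigator runs it against a write-protected copy or image of the disk rather than the live machine are all mine. Note also that Vista and later disable last-access updates on NTFS by default, and Linux uses relatime, so on anything newer than XP an unchanged access time proves very little.

```python
import os
import tempfile
from datetime import datetime, timezone


def files_touched_between(root, start, end, fields=("atime", "mtime")):
    """Return [(path, field, datetime_utc)] for every file under `root` whose
    selected stat timestamp lies within [start, end] (inclusive, tz-aware).

    Only lstat is used: no file is opened, so the scan does not overwrite the
    access times it is reporting on. st_ctime is deliberately not a default
    field because it means 'creation time' on Windows but 'inode change
    time' on POSIX, which would make results differ between platforms.
    """
    lo, hi = start.timestamp(), end.timestamp()
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # do not follow symlinks or junctions
            except OSError:
                continue  # unreadable entry: skip rather than abort the scan
            for field in fields:
                ts = getattr(st, "st_" + field)
                if lo <= ts <= hi:
                    hits.append((path, field,
                                 datetime.fromtimestamp(ts, timezone.utc)))
    hits.sort(key=lambda h: h[2])  # chronological order for a timeline
    return hits


def build_demo_tree(base):
    """Constructed sample data (not real evidence): three files whose
    access/modify times are set with os.utime to chosen dates."""
    t_before = datetime(2005, 3, 1, 9, 0, tzinfo=timezone.utc).timestamp()
    t_after = datetime(2005, 3, 3, 14, 30, tzinfo=timezone.utc).timestamp()
    t_later = datetime(2005, 3, 10, 8, 0, tzinfo=timezone.utc).timestamp()
    os.makedirs(os.path.join(base, "docs"), exist_ok=True)
    specs = {
        # (atime, mtime): read after the departure date, never modified
        "docs/budget.xls": (t_after, t_before),
        # untouched since before the departure
        "docs/notes.txt": (t_before, t_before),
        # touched well after the window of interest
        "docs/report.doc": (t_later, t_later),
    }
    for rel, (atime, mtime) in specs.items():
        path = os.path.join(base, rel)
        with open(path, "w") as fh:
            fh.write("sample content\n")
        os.utime(path, (atime, mtime))
    return base


def demo():
    """Build the constructed tree in a temp dir and scan a 2 to 5 March 2005
    window; returns [(relative_path, field)] so the result is easy to check."""
    with tempfile.TemporaryDirectory() as base:
        build_demo_tree(base)
        start = datetime(2005, 3, 2, tzinfo=timezone.utc)
        end = datetime(2005, 3, 5, tzinfo=timezone.utc)
        hits = files_touched_between(base, start, end)
        return [(os.path.relpath(p, base).replace(os.sep, "/"), field)
                for p, field, _ts in hits]


if __name__ == "__main__":
    for rel, field in demo():
        print(f"{rel}: {field} inside window")
```

Running the script against the constructed tree reports only `docs/budget.xls` by its access time, since its modification time and every timestamp on the other two files fall outside the window. For a real case the same function would be pointed at the mounted read-only image, and any hit on an `atime` would still need to be weighed against the caveat above: it records that something read the file, not who, nor whether it was copied.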