re: Tracking a (potential) abuser?
From: H C <keydet89(at)yahoo.com>
Date: Thu Feb 06 2003 - 16:38:25 EST

Interesting situation you have on your hands...

> I was asked to come and investigate for signs of

Can you be more specific? For example, are you looking for students changing grades or files? Or running hacking tools? Or surfing porn sites?

> How would one go about analyzing a live system like

I'd start by disabling the object access logging...you're flooding yourself w/ a lot of confusing data. I'd go w/ searches for files (easy enough to script in Perl), and update the logging (log file size, etc), and include Process Tracking, Policy Change, and Privilege Use. I might add Account Management to track the creation of new user accounts.

Also audit the accounts themselves for privileges and group membership...again, easy to do in Perl.

Perhaps once you narrow it down, you'd want to go w/ sniffing or a keylogger of some kind...

Carv

Received on Thu Feb 6 21:28:04 2003
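
The group-membership audit suggested in the message above, as an added example that is not part of the original post (Python rather than the Perl the poster mentions): it parses `net localgroup <group>` output and reports members missing from an approved baseline. It assumes the English-language output of `net localgroup`; the sample output, account names and baseline are constructed.

```python
"""Added example: diff local group membership against an approved baseline."""

# Constructed sample of `net localgroup <group>` output; on a live host the
# text would be captured from the command itself.
SAMPLE_OUTPUT = r"""Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
LAB\Domain Admins
LAB\student07
The command completed successfully.
"""

# Hypothetical baseline: who is approved to be in each privileged group.
BASELINE = {"Administrators": {"administrator", r"lab\domain admins"}}


def parse_net_localgroup(text):
    """Return (group_name, [members]) from `net localgroup <group>` output."""
    group, members, in_members = None, [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Alias name"):
            group = line[len("Alias name"):].strip()
        elif line.startswith("---"):
            in_members = True            # member list begins after the rule
        elif in_members:
            if not line or line.startswith("The command completed"):
                break
            members.append(line)
    if group is None:
        raise ValueError("no 'Alias name' line; not net localgroup output")
    return group, members


def unexpected_members(text, baseline):
    """Members present on the host but missing from the approved baseline."""
    group, members = parse_net_localgroup(text)
    approved = baseline.get(group, set())   # unknown group: nothing approved
    # Windows account names are case-insensitive, so compare lowercased.
    return group, [m for m in members if m.lower() not in approved]


if __name__ == "__main__":
    group, extra = unexpected_members(SAMPLE_OUTPUT, BASELINE)
    for member in extra:
        print(f"[!] {group}: unapproved member {member}")
```
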