BCF: Bike Chat Forums


Windows Event Log Information


tatters
Exxon Valdez



Joined: 05 Jan 2004
Posted: 19:24 - 14 Apr 2017    Post subject: Windows Event Log Information

Hi,

I have been asked to look into some suspicious activity on a Windows 7 computer which was in a locked office. While the owner was away on holiday, a colleague had the office door broken into and the locks changed. The locks to the building were all due to be changed after the person was back from holiday, but the colleague had the locksmith come in a week early without permission, and this person believes that this was done to access their computer. When they returned, Microsoft Office had two documents showing in the recently opened sidebar which had not been accessed by this person for over two years (screenshot taken), and these documents had information that the colleague is not allowed to have access to.

I had a look through the Windows event log and can see that when the Microsoft Office application is run, a few events are created for the Office Software Protection Platform service. This also corresponds to when the person last used Office on the computer before going away.

Now, while they were away, the computer was idle with only a few background events occurring, until Microsoft Office Software Protection Platform service events started occurring again, when we believe this person was accessing these documents.

Would this information on the events log be enough for them to use as proof of someone accessing their computer? Or is there anything else that can be looked into?


Thanks,
____________________
Past:NRG50,AF1125(x2),NSR125RR,ZZR250,CX500,VFR400,KR-1S,ZZR600(x2),CB400N,YZF1000(x2),KH125,Z200,FX400R,CBR954RR(x2)GPZ500S,
GT550,VFR750F(x2),RD350N,XR650R,CBR600F,CB250,KDX250,YZF750R,CRM250,KTM400EXC,KLR650,TTR600RE,DR350S,R100GSPD,RGV250Present:G650XC,VMAX,BSA C12

Rogerborg
nimbA



Joined: 26 Oct 2010
Posted: 08:25 - 15 Apr 2017    Post subject: Re: Windows Event Log Information

tatters wrote:
Would this information on the events log be enough for them to use as proof of someone accessing their computer?

For what purpose?

Criminal, beyond a reasonable doubt? I can't see it, and you wouldn't be investigating it anyway if it were criminal.

Civil, balance of probability? Employment tribunal? It would contribute towards it. You'd have to suck it and see. If things were open and shut, we wouldn't need courts to arbitrate.

Usual question before action: what loss occurred, or what remedy is being sought?

Mental situation sounds mental, I'd be careful about getting any crazy on you.
____________________
Biking is 1/20th as dangerous as horse riding.
GONE: HN125-8, LF-250B, GPz 305, GPZ 500S, Burgman 400 // RIDING: F650GS (800 twin), Royal Enfield Bullet Electra 500 AVL, Ninja 250R because racebike

M.C
World Chat Champion



Joined: 29 Sep 2015
Posted: 08:29 - 15 Apr 2017

I have nothing to add except keep us updated Pass the popcorn

Pjay
World Chat Champion



Joined: 18 Jan 2016
Posted: 09:33 - 15 Apr 2017

Someone's being stitched up.
____________________
struan80 - I'll go first - satisfied tick 1

dydey90
World Chat Champion



Joined: 01 Oct 2013
Posted: 10:03 - 15 Apr 2017

The office was locked but the computer wasn't?
____________________
This post is probably not serious and shouldn't be taken literally.
Past: CBR125,ER6f NINJA 650 Current: ZZR600

Hong Kong Phooey
World Chat Champion



Joined: 30 Apr 2016
Posted: 22:46 - 20 Apr 2017

Any CCTV, electronic door entry system in use?

Event / sys logs will only show when a program or doc was opened, not by whom, as it sounds like the PC doesn't have user accounts.
____________________
HKP currently riding; urmum, CBR600F4 (fx)

subpardave
Derestricted Danger



Joined: 18 Jan 2017
Posted: 12:52 - 21 Apr 2017

Was the PC locked during the period in question, or was it left logged in?
Any group policy in play (thinking possible audit settings)?

Any idea if UserAssist registry tracking is enabled or disabled?
Have a rummage in \Windows\Prefetch

How serious is this going to be however - if we're talking say, legal intervention, all the above do not apply as you'll need to preserve the evidence properly, which is a very different kettle of fish to 'find idiot at work who did it, perform percussive maintenance' type outcomes.
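
For the UserAssist suggestion in the post above, an added example (not part of the original post) that decodes Windows 7 UserAssist values and lists programs last run inside an absence window. It assumes the commonly documented 72-byte record layout under `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count`; the sample records, the Office path and the dates are constructed.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Assumed Windows 7 layout: 72-byte value, run count at 4, last-run FILETIME at 60.
ENTRY_SIZE = 72
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def parse_entry(value_name, data):
    """Decode one UserAssist value: ROT13 name, run count, last-run time (UTC)."""
    if len(data) != ENTRY_SIZE:
        return None  # session blobs and other-sized records are skipped
    (run_count,) = struct.unpack_from("<I", data, 4)
    (ticks,) = struct.unpack_from("<Q", data, 60)
    # FILETIME counts 100 ns ticks since 1601-01-01; zero means "never run".
    last_run = FILETIME_EPOCH + timedelta(microseconds=ticks // 10) if ticks else None
    return {"name": codecs.decode(value_name, "rot_13"), "run_count": run_count, "last_run": last_run}


def runs_in_window(values, start, end):
    """Return decoded entries last run inside [start, end], oldest first."""
    hits = []
    for name, data in values:
        entry = parse_entry(name, data)
        if entry and entry["last_run"] and start <= entry["last_run"] <= end:
            hits.append(entry)
    return sorted(hits, key=lambda e: e["last_run"])


def make_sample(name, run_count, when):
    """Build a constructed 72-byte record for the demo (not real evidence)."""
    data = bytearray(ENTRY_SIZE)
    ticks = int((when - FILETIME_EPOCH).total_seconds()) * 10_000_000
    struct.pack_into("<I", data, 4, run_count)
    struct.pack_into("<Q", data, 60, ticks)
    return codecs.encode(name, "rot_13"), bytes(data)


# Constructed values and a constructed absence window; none come from the thread.
SAMPLE = [
    make_sample(r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE", 41,
                datetime(2017, 4, 5, 21, 14, tzinfo=timezone.utc)),
    make_sample("Microsoft.Windows.Explorer", 300, datetime(2017, 3, 24, 17, 2, tzinfo=timezone.utc)),
    ("HRZR_PGYFRFFVBA", b"\x00" * 100),  # ROT13 of UEME_CTLSESSION, not a 72-byte record
]
WINDOW = (datetime(2017, 3, 27, tzinfo=timezone.utc), datetime(2017, 4, 10, tzinfo=timezone.utc))
if __name__ == "__main__":
    for hit in runs_in_window(SAMPLE, *WINDOW):
        print(hit["last_run"].isoformat(), hit["run_count"], hit["name"])
```

The decoded timestamps are UTC, and the values should be exported from a copy of the user's NTUSER.DAT rather than read on the live machine, in line with the evidence-preservation point above.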