IT: File Sharing & Auditing

Old 02-25-2011 | 09:51 AM
  #1  
thunder04's Avatar
Thread Starter
Sweet!
iTrader: (1)
 
Joined: Jul 2007
Posts: 4,104
Likes: 80
From: Northern VA
IT: File Sharing & Auditing

So, a co-worker of mine found a pornographic picture in the root of one of the IT shares here at work. We have NO IDEA who put it there and are trying to figure out where it came from. It seems to have been there since August 2010...a while without anyone noticing.

Unfortunately, any sort of auditing was not enabled on this server...something I'm going to change very soon.

Is there any way whatsoever we can figure out which user wrote the file to the share? Or are we SOL without object auditing? The server in question is running Windows Server 2003 R2.
Old 02-25-2011 | 10:01 AM
  #2  
CocheseUGA's Avatar
Banned
 
Joined: Mar 2009
Posts: 18,761
Likes: 960
From: Kennesaw, GA
Is this something that was obviously done intentionally, or something that could have been scrobbled in via a seemingly innocuous search?
Old 02-25-2011 | 10:01 AM
  #3  
rza49311's Avatar
Drifting
iTrader: (1)
 
Joined: Feb 2006
Posts: 3,072
Likes: 8
From: Southern VA
If you right-click the pic > Properties and hit Details, does it not show anything under Author?

Or pic > properties > security > advanced > Owner
Old 02-25-2011 | 10:03 AM
  #4  
justnspace's Avatar
Moderator
iTrader: (1)
 
Joined: Feb 2010
Posts: 86,295
Likes: 16,269
:inforresultsbecauseiwanttoseesomeonegetfired:
Old 02-25-2011 | 10:04 AM
  #5  
doopstr's Avatar
Team Owner
 
Joined: Jan 2001
Posts: 25,467
Likes: 2,226
From: Jersey
Originally Posted by rza49311
If you right-click the pic > Properties and hit Details, does it not show anything under Author?

Or pic > properties > security > advanced > owner
+1
Old 02-25-2011 | 10:08 AM
  #6  
thunder04's Avatar
Thread Starter
Sweet!
iTrader: (1)
 
Joined: Jul 2007
Posts: 4,104
Likes: 80
From: Northern VA
Originally Posted by rza49311
If you right-click the pic > Properties and hit Details, does it not show anything under Author?

Or pic > properties > security > advanced > Owner
The owner is "Administrators", unfortunately...the group all of us IT folks are in. Soo, that doesn't help.

Under > Summary > Advanced > the Author is blank.
Old 02-25-2011 | 10:11 AM
  #7  
rza49311's Avatar
Drifting
iTrader: (1)
 
Joined: Feb 2006
Posts: 3,072
Likes: 8
From: Southern VA
Originally Posted by thunder04
The owner is "Administrators", unfortunately...the group all of us IT folks are in. Soo, that doesn't help.

Under > Summary > Advanced > the Author is blank.
http://www.youtube.com/watch?v=1ytCEuuW2_A
Old 02-25-2011 | 10:12 AM
  #8  
thunder04's Avatar
Thread Starter
Sweet!
iTrader: (1)
 
Joined: Jul 2007
Posts: 4,104
Likes: 80
From: Northern VA
Originally Posted by CocheseUGA
Is this something that was obviously done intentionally, or something that could have been scrobbled in via a seemingly innocuous search?
What sort of innocuous search would result in one saving a picture of a vagina on a server share? lol

FWIW, I work for a school district.
Old 02-25-2011 | 10:12 AM
  #9  
thunder04's Avatar
Thread Starter
Sweet!
iTrader: (1)
 
Joined: Jul 2007
Posts: 4,104
Likes: 80
From: Northern VA
Originally Posted by rza49311
That's what I thought.
Old 02-25-2011 | 10:13 AM
  #10  
justnspace's Avatar
Moderator
iTrader: (1)
 
Joined: Feb 2010
Posts: 86,295
Likes: 16,269
Originally Posted by thunder04
What sort of innocuous search would result in one saving a picture of a vagina on a server share? lol

FWIW, I work for a school district.
someone is going to get teh ban hammer.
Old 02-25-2011 | 10:29 AM
  #11  
CocheseUGA's Avatar
Banned
 
Joined: Mar 2009
Posts: 18,761
Likes: 960
From: Kennesaw, GA
Originally Posted by thunder04
What sort of innocuous search would result in one saving a picture of a vagina on a server share? lol

FWIW, I work for a school district.
Not familiar with servers, I didn't know if it was something that could have been accidentally done.


But as far as innocuous searches resulting in vaginas, you'd be surprised. Hell, one person here had an erupting one for an avatar one day.
Old 02-25-2011 | 10:32 AM
  #12  
thunder04's Avatar
Thread Starter
Sweet!
iTrader: (1)
 
Joined: Jul 2007
Posts: 4,104
Likes: 80
From: Northern VA
It's possible it was an "accident"...but the file was written to the share on a Sunday at 8:25 PM. Even more confusing. I don't have the VPN log from our old VPN server...or else I'd check that to see if anyone was in during that time.
Old 02-25-2011 | 10:37 AM
  #13  
The Dougler's Avatar
Unofficial Goat
iTrader: (1)
 
Joined: Jul 2006
Posts: 15,744
Likes: 112
From: Toronto
seems like you got nothing. delete it, and take necessary actions to make tracking available next time. really all you can do.
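
What can still be read from the file without auditing, and how to turn on tracking for next time, shown as an added example that is not part of the original thread. The share path is a hypothetical placeholder, and the script assumes PowerShell is installed on the file server and is run from an elevated session.

```powershell
# Hypothetical path to the folder behind the share; replace with the real one.
$share = 'D:\Shares\IT'

# 1. Without auditing, the only attribution data on disk is the NTFS owner
#    and the timestamps. Files created by a member of Administrators can show
#    the group as owner, which is the dead end described earlier in the thread.
Get-ChildItem -Path $share |
    Where-Object { -not $_.PSIsContainer } |
    Select-Object Name, CreationTime, LastWriteTime,
        @{ Name = 'Owner'; Expression = { (Get-Acl -Path $_.FullName).Owner } }

# 2. Add an audit entry (SACL) so that future creates, writes and deletes by
#    anyone are recorded, inherited by all subfolders and files.
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData, WriteData, Delete',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')

# -Audit loads the existing SACL so the new rule is added to it, not swapped in.
$acl = Get-Acl -Path $share -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $share -AclObject $acl

# The SACL alone logs nothing: the "Audit object access" policy must also be
# enabled (Local Security Policy or Group Policy). Events then appear in the
# Security log with the account name (event 560 on Server 2003, 4663 on
# Server 2008 and later). Size the Security log so entries are not overwritten.
```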
Old 02-25-2011 | 11:02 AM
  #14  
thunder04's Avatar
Thread Starter
Sweet!
iTrader: (1)
 
Joined: Jul 2007
Posts: 4,104
Likes: 80
From: Northern VA
Well...a co-worker and I scoured the content filter logs. We didn't find anything in regards to that image.

Last edited by teranfon; 02-25-2011 at 08:35 PM.
Old 02-25-2011 | 11:09 AM
  #15  
justnspace's Avatar
Moderator
iTrader: (1)
 
Joined: Feb 2010
Posts: 86,295
Likes: 16,269
idunno what it is, but you made me click the link.....

:ibITcomesintomyoffice:
Old 02-25-2011 | 08:24 PM
  #16  
thunder04's Avatar
Thread Starter
Sweet!
iTrader: (1)
 
Joined: Jul 2007
Posts: 4,104
Likes: 80
From: Northern VA
The link in post 14 is NSFW. After some investigation I now know what it is. Mods: feel free to remove it (I'm sorry I posted it).

It looks like this guy may get canned.
Old 02-25-2011 | 09:52 PM
  #17  
alex2364's Avatar
Three Wheelin'
 
Joined: Oct 2000
Posts: 1,669
Likes: 72
From: Northern VA
What type of site was it? I thought it was a torrent site.
Old 02-26-2011 | 12:03 AM
  #18  
goose25's Avatar
Keeping emos out of
 
Joined: May 2004
Posts: 6,811
Likes: 1
From: Colorado Springs
Closed networks once again FTMFW
Old 02-26-2011 | 06:18 AM
  #19  
rza49311's Avatar
Drifting
iTrader: (1)
 
Joined: Feb 2006
Posts: 3,072
Likes: 8
From: Southern VA
Originally Posted by thunder04
The link in post 14 is NSFW. After some investigation I now know what it is. Mods: feel free to remove it (I'm sorry I posted it).

It looks like this guy may get canned.
Old 02-26-2011 | 06:24 AM
  #20  
justnspace's Avatar
Moderator
iTrader: (1)
 
Joined: Feb 2010
Posts: 86,295
Likes: 16,269
interesting.....
Old 02-26-2011 | 10:50 AM
  #21  
thunder04's Avatar
Thread Starter
Sweet!
iTrader: (1)
 
Joined: Jul 2007
Posts: 4,104
Likes: 80
From: Northern VA
Originally Posted by justnspace
idunno what it is, but you made me click the link.....

:ibITcomesintomyoffice:
Originally Posted by alex2364
What type of site was it? I thought it was a torrent site.
The site was a "torrent" site along with a forum...with emphasis on pornography (Japanese Adult Video) and content around children. Although through the limited poking around I did, I didn't find any content with naked children and/or children with naked adults...but some were in very skimpy bathing suits. VERY VERY CREEPY. Disturbs me to no end.

Depending on what the lawyer says on Monday...we're most likely seizing his computers (he has a laptop and two desktops) and he'll be put on administrative leave until investigation is complete.

Last edited by thunder04; 02-26-2011 at 10:52 AM.
Old 03-01-2011 | 09:24 PM
  #22  
thunder04's Avatar
Thread Starter
Sweet!
iTrader: (1)
 
Joined: Jul 2007
Posts: 4,104
Likes: 80
From: Northern VA
The person in question is resigning as of tomorrow. He was doing some bad things and fessed up to them. He even said that the vag jpeg on the server may have been from him.

We've confiscated his desktop and laptop, keys, and changed passwords and alarm codes. Although he's resigning and cooperating with our requests, we still have to poke around in case there is in fact child porn on any of his computers (which we're legally obligated to report).

Old 03-01-2011 | 09:31 PM
  #23  
stogie1020's Avatar
Needs more Lemon Pledge
 
Joined: Mar 2005
Posts: 52,768
Likes: 2,000
From: Phoenix, AZ
Originally Posted by thunder04
The person in question is resigning as of tomorrow. He was doing some bad things and fessed up to them. He even said that the vag jpeg on the server may have been from him.

We've confiscated his desktop and laptop, keys, and changed passwords and alarm codes. Although he's resigning and cooperating with our requests, we still have to poke around in case there is in fact child porn on any of his computers (which we're legally obligated to report).

Thunder, I do this for a living and highly recommend you do NOT poke around. Find someone who does this for a living and have them create a forensic image with Encase, FTK, etc., NOT Ghost, etc.

If you find Child Porn on the computer, not only can the evidence be inadmissible in criminal court, but since you may gain from his termination (position open, you look like the hero) you have no defense to the argument that you put the picture there. He can say he confessed because he was scared and didn't mean it.

Feel free to PM me if you want. This is serious business.

If you prefer, I can find a local police for you who knows what they are doing to come and do a quick preview of the computer for images. That way, at least the person who finds the pics knows how to testify in court, which will be required.
Old 03-01-2011 | 09:35 PM
  #24  
thunder04's Avatar
Thread Starter
Sweet!
iTrader: (1)
 
Joined: Jul 2007
Posts: 4,104
Likes: 80
From: Northern VA
I definitely do not gain in any way from his departure!! It only creates more work for me.

Don't worry, I'm not touching it with a 10ft pole. I meant we as in the district and not we as in the IT department...my bad.

Depending on what my supervisor decides, I may toss you a PM.
Old 03-01-2011 | 09:39 PM
  #25  
TylerT's Avatar
Turd Polisher
iTrader: (1)
 
Joined: Jul 2007
Posts: 6,806
Likes: 3,027
From: San Diego
Do you guys have a Barracuda / any other Spam & Firewall?

You can always look through your Exchange server / E-mail server message logs and search for the image name as an attachment, that's if you're suspecting an adult got a hold of the image through e-mail.
Old 03-01-2011 | 09:40 PM
  #26  
stogie1020's Avatar
Needs more Lemon Pledge
 
Joined: Mar 2005
Posts: 52,768
Likes: 2,000
From: Phoenix, AZ
Yeah, I have seen it happen many times and it sometimes works out and sometimes does not.

I am not soliciting for the work here. I wouldn't pretend to admin your systems, so your IT people shouldn't pretend to be computer forensics specialists. No shame in knowing your limitations. Truthfully, the PD should handle all this for you based on what the dude admitted to. I used to do it a lot for school districts when they had concerns about a teacher or IT guy back when I was LE. Let me know if you need any info.
Old 03-01-2011 | 09:41 PM
  #27  
stogie1020's Avatar
Needs more Lemon Pledge
 
Joined: Mar 2005
Posts: 52,768
Likes: 2,000
From: Phoenix, AZ
Originally Posted by TylerT
Do you guys have a Barracuda / any other Spam & Firewall?

You can always look through your Exchange server / E-mail server message logs and search for the image name as an attachment, that's if you're suspecting an adult got a hold of the image through e-mail.
Long shot. Could have been a thumbdrive, cd, right click and save as, FTP, Dropbox, included in a Powerpoint, IRC F-Serve, etc...
Old 03-01-2011 | 09:45 PM
  #28  
thunder04's Avatar
Thread Starter
Sweet!
iTrader: (1)
 
Joined: Jul 2007
Posts: 4,104
Likes: 80
From: Northern VA
Originally Posted by TylerT
Do you guys have a Barracuda / any other Spam & Firewall?

You can always look through your Exchange server / E-mail server message logs and search for the image name as an attachment, that's if you're suspecting an adult got a hold of the image through e-mail.
We've found all we need to find at this point. The next step is most likely what stogie suggests. I'm going to talk to my supervisor about it tomorrow. He was very shaken up about this event. Wasn't an easy thing to comprehend and handle for all of us. It's still disturbing. I worked with this guy for 4 years...trusted him. I saw signs of fishy stuff (he VPNed in a lot more than he needed to which was flag #1)...but I wanted to believe that he was a good guy.
Old 03-01-2011 | 09:50 PM
  #29  
thunder04's Avatar
Thread Starter
Sweet!
iTrader: (1)
 
Joined: Jul 2007
Posts: 4,104
Likes: 80
From: Northern VA
We think the file on the server was a case of Firefox remembering the last place he downloaded. August-October is usually our busiest time of the year, and he could've been saving files to the tech share for us to access. He decided to do his naughty thing...went to download a pic..."where'd it go?!"...and forgot about it.

In any case, it doesn't really matter. Enough proof of anything will be on his laptop and/or desktop computer.
Old 03-01-2011 | 10:00 PM
  #30  
stogie1020's Avatar
Needs more Lemon Pledge
 
Joined: Mar 2005
Posts: 52,768
Likes: 2,000
From: Phoenix, AZ
Sounds like you guys have it handled. Like I said, PM me if you need any advice or a resource local to you.
Old 03-01-2011 | 10:23 PM
  #31  
thunder04's Avatar
Thread Starter
Sweet!
iTrader: (1)
 
Joined: Jul 2007
Posts: 4,104
Likes: 80
From: Northern VA
^Definitely. Thanks.
Old 03-02-2011 | 05:55 AM
  #32  
CocheseUGA's Avatar
Banned
 
Joined: Mar 2009
Posts: 18,761
Likes: 960
From: Kennesaw, GA
Old 03-02-2011 | 06:58 AM
  #33  
Whiskers's Avatar
Go Giants
 
Joined: Aug 2004
Posts: 69,918
Likes: 1,236
From: PA
Ok, it was me...
Old 03-02-2011 | 09:04 AM
  #34  
thunder04's Avatar
Thread Starter
Sweet!
iTrader: (1)
 
Joined: Jul 2007
Posts: 4,104
Likes: 80
From: Northern VA
^ Oh...well then. I guess we may be overreacting. It's all good!