IT: File Sharing & Auditing
#1
IT: File Sharing & Auditing
So, a co-worker of mine found a pornographic picture in the root of one of the IT shares here at work. We have NO IDEA who put it there and are trying to figure out where it came from. It seems to have been there since August 2010...a while without anyone noticing.
Unfortunately, any sort of auditing was not enabled on this server...something I'm going to change very soon.
Is there any way what-so-ever we can figure out which user wrote the file to the share? Or are we SOL without object auditing? The server in question is running Windows Server 2003 R2.
Unfortunately, any sort of auditing was not enabled on this server...something I'm going to change very soon.
Is there any way what-so-ever we can figure out which user wrote the file to the share? Or are we SOL without object auditing? The server in question is running Windows Server 2003 R2.
#6
Under > Summary > Advanced > the Author is blank.
Trending Topics
#8
FWIW, I work for a school district.
#9
#10
#11
But as far as innocuous searches resulting in vaginas, you'd be surprised. Hell, one person here had an erupting one for an avatar one day.
#12
It's possible it was an "accident"...but the file was written to the share on a Sunday at 8:25 PM. Even more confusing. I don't have the VPN log from our old VPN server...or else I'd check that to see if anyone was in during that time.
#19
#21
Depending on what the lawyer says on Monday...we're most likely seizing his computers (he has a laptop and two desktops) and he'll be put on administrative leave until investigation is complete.
Last edited by thunder04; 02-26-2011 at 10:52 AM.
#22
The person in question is resigning as of tomorrow. He was doing some bad things and fessed up to them. He even said that the vag jpeg on the server may have been from him.
We've confiscated his desktop and laptop, keys, and changed passwords and alarm codes. Although he's resigning and cooperating with our requests, we still have to poke around in case there is in fact child porn on any of his computers (which we're legally obligated to report).
We've confiscated his desktop and laptop, keys, and changed passwords and alarm codes. Although he's resigning and cooperating with our requests, we still have to poke around in case there is in fact child porn on any of his computers (which we're legally obligated to report).
#23
The person in question is resigning as of tomorrow. He was doing some bad things and fessed up to them. He even said that the vag jpeg on the server may have been from him.
We've confiscated his desktop and laptop, keys, and changed passwords and alarm codes. Although he's resigning and cooperating with our requests, we still have to poke around in case there is in fact child porn on any of his computers (which we're legally obligated to report).
We've confiscated his desktop and laptop, keys, and changed passwords and alarm codes. Although he's resigning and cooperating with our requests, we still have to poke around in case there is in fact child porn on any of his computers (which we're legally obligated to report).
If you find Child Porn on the computer, not only can the evidence be inadmissible in criminal court, but since you may gain from his termination (position open, you look like the hero) you have no defense to the argument that you put the picture there. He can say he confessed because he was scared and didn't mean it.
Feel free to PM me if you want. This is serious business.
If you prefer, I can find a local police for you who knows what they are doing to come and do a quick preview of the computer for images. That way, at least the person who finds the pics knows how to testify in court, which will be required.
#24
I definitely do not gain in any way of his departure!! It only creates more work for me.
Don't worry, I'm not touching it with a 10ft pole. I meant we as in the district and not we as in the IT department...my bad.
Depending on what my supervisor decides, I may toss you a PM.
Don't worry, I'm not touching it with a 10ft pole. I meant we as in the district and not we as in the IT department...my bad.
Depending on what my supervisor decides, I may toss you a PM.
#25
Do you guys have a Barracuda / any other Spam & Firewall?
You can always look through your Exchange server / E-mail server message logs and search for the image name as an attachment, that's if you're suspecting an adult got a hold of the image through e-mail.
You can always look through your Exchange server / E-mail server message logs and search for the image name as an attachment, that's if you're suspecting an adult got a hold of the image through e-mail.
#26
Yeah, I have seen it happen many times and it sometimes works out and sometimes does not.
I am not soliciting for the work here. I wouldn't pretend to admin your systems, so your IT people shouldn't pretend to be computer forensics specialists. No shame in knowing your limitations. Truthfully, the PD should handle all this for you based on what the dude admitted to. I used to do it a lot for school districts when they had concerns about a teacher or IT guy back when I was LE. Let me know if you need any info.
I am not soliciting for the work here. I wouldn't pretend to admin your systems, so your IT people shouldn't pretend to be computer forensics specialists. No shame in knowing your limitations. Truthfully, the PD should handle all this for you based on what the dude admitted to. I used to do it a lot for school districts when they had concerns about a teacher or IT guy back when I was LE. Let me know if you need any info.
#27
Long shot. Could have been a thumbdrive, cd, right click and save as, FTP, Dropbox, included in a Powerpoint, IRC F-Serve, etc...
#28
We've found all we need to find at this point. The next step is most likely what stogie suggests. I'm going to talk to my supervisor about it tomorrow. He was very shaken up about this event. Wasn't an easy thing to comprehend and handle for all of us. It's still disturbing. I worked with this guy for 4 years...trusted him. I saw signs of fishy stuff (he VPNed in a lot more than he needed to which was flag #1)...but I wanted to believe that he was a good guy.
#29
We think the file on the server was a case of Firefox remembering the last place he downloaded. August-October is usually our busiest time of the year, and he could've been saving files to the tech share for us to access. He decided to do his naughty thing...went to download a pic..."where'd it go?!"...and forgot about it.
In any case, it doesn't really matter. Enough proof of anything will be on his laptop and/or desktop computer.
In any case, it doesn't really matter. Enough proof of anything will be on his laptop and/or desktop computer.
Thread
Thread Starter
Forum
Replies
Last Post
MrHeeltoe
1G TSX Tires, Wheels, & Suspension
20
02-23-2023 01:54 PM
MrHeeltoe
2G TSX Tires, Wheels & Suspension
3
09-29-2015 10:43 PM
MrHeeltoe
3G TL Tires, Wheels & Suspension
0
09-28-2015 05:43 PM