windows xp network may be compromised 3

normm (Programmer, GB), Dec 9, 2004
Hi all, this is my first post on this forum; hopefully you will be able to make some suggestions for me.

Background.

OK, the story is that an old people's home run by family friends employed a young man.

This young man, as he was the most computer-literate employee, was given the task of installing, configuring and running a small network of PCs running Windows XP with a broadband internet connection.

This was 6 months ago, and it has recently been discovered that he has been stealing from residents by using their credit cards online; he was promptly sacked and reported to the authorities.

I am unsure of his technical ability and therefore I have no idea what he has done to this network (if anything). However, I do know that he has set up password protection on the computers and is unwilling to give the home the passwords. I'm unsure if the passwords are on user accounts or on the admin account.


Suggestions Please.

This is literally all the information I have to go on so far; as mentioned above, the staff are completely computer illiterate.

I would appreciate any recommendations on what action to take when investigating this situation, along with any software that could aid me, as I live over 50 miles away from the location.

I have a degree in software engineering but have had little exposure to OS security and related fields, so any help would be appreciated.

Thanks in advance...

Normm.
 
normm,

Quite a dilemma... As this is a "small network" it is plausible that it is peer-to-peer (P2P) using one XP station as a server. Or it could be a flavor of a networking OS, i.e. Microsoft or Linux.

This information is crucial in providing a solution. If you determine that it is P2P (and this applies to the workstations also) find and delete the *.pwl files that contain the passwords (only for P2P) or you can recover them with:

Password Recovery

NOTE: This should be addressed post-haste as the individual could maintain access remotely.

Once you have this under control you can use the remote desktop feature to administer remotely with some limitations.

Remote Desktop

rvnguy
"I know everything..I just can't remember it all"
 
"If you determine that it is P2P (and this applies to the workstations also) find and delete the *.pwl files that contain the passwords (only for P2P) or you can recover them ..."

There are no .pwl files in XP.
 
Sorry, I seem to have confused the matter slightly. I believe the 'network' is simply 4 workstations connected to a broadband router/modem.

All information on these computers is stored in spreadsheets, therefore could I do it the brute-force way by booting a Linux distro from a CD and then making copies of these files before doing a clean install?

Any further help appreciated.

Normm
 
bcastner,

Thank you for the catch. I do have mental lapses now and again.

rvnguy
"I know everything..I just can't remember it all"
 
normm,

If they are not connected via a Windows workgroup and these passwords are not what you require, but you need passwords for the files created, you can still look to the recovery programs, as they address password-protected files also.

rvnguy
"I know everything..I just can't remember it all"
 
rvnguy... are you asking if it's the files that are password protected or the PCs?

It's the PCs, for note... the problem would appear to be that he can't log onto them at all as any type of user... I'm a mate of his.

From what I can gather they are 4 PCs that simply share a broadband connection through a router. Thereby the passwords are individual passwords on each machine... although they are probably the same for each account name.
 
Can you log in as administrator? If not, then the password recovery links are probably your best bet. If you can, then you should be able to change the admin password and delete any accounts that the culprit may be using. I would suggest physically disconnecting the network before doing this in case of any malware that may be on the PCs.

"Once you can accept the universe as matter expanding into nothing that is something, wearing stripes with plaid comes easy"
Albert Einstein
 
I have worked for a local police dept. as evidence forensics. You need to make sure that it is clear for you to wipe passwords and such, as you could jeopardize a criminal case against the guy. So find out first from the police and prosecutor, then (if they don't take the computers) use a decent program to change the password for the ADMINISTRATOR account. The easiest and a sure way to make sure there are no identity-theft-type programs running hidden in the background is to wipe and reload each computer.
 
Normm,
Update to posts:

TheGrifter:
"are you asking if its the files password protected or the PC's?"
This is what I mistakenly was referring to, but these applications will recover either.

firewolfrl:
Great advice on the evidence implications.

rvnguy
"I know everything..I just can't remember it all"
 
I am a great fan of Knoppix. It is a "Live CD" version of Linux. You can put it in a Windows box and when you boot it, it will load Linux into memory.
Knoppix will automatically mount your hard drive to the desktop. Then you can copy files off the hard drive and, if you are clever, you can also get into the SAM file and change the users' passwords.
Then you pull the CD out, reboot, and it will put you right back to Windows without leaving a trace of itself on the machine.
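The live-CD copy step superjet describes, as an added example that is not from any poster in this thread: boot Knoppix, mount the Windows partition read-only so the original disk is never written to, copy the spreadsheets out, and keep a SHA-256 manifest so the copies can be verified before the machines are wiped. The device name, mount point and spreadsheet extensions are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Intended to be run from a Linux live CD
# (Knoppix or similar) against the Windows disk of one of the workstations.
# Device name, mount point and spreadsheet extensions below are assumptions.

# Mount the Windows partition read-only (and non-executable) so nothing on the
# original disk is modified. /dev/hda1 and /mnt/evidence are assumed values;
# confirm the real device with `fdisk -l` before running.
mount_readonly() {
    dev="${1:-/dev/hda1}"
    mnt="${2:-/mnt/evidence}"
    mkdir -p "$mnt"
    mount -o ro,noexec,nodev "$dev" "$mnt"
}

# Copy every spreadsheet under SRC into DEST, keeping relative paths, and
# append one "sha256  relative/path" line per file to DEST/manifest.sha256.
# The hash is taken from the original, so the manifest documents what was
# on the disk, not merely what ended up in the copy.
collect_spreadsheets() {
    src="${1%/}"
    dest="$2"
    mkdir -p "$dest"
    : > "$dest/manifest.sha256"
    find "$src" -type f \( -iname '*.xls' -o -iname '*.csv' -o -iname '*.ods' \) |
    while IFS= read -r f; do
        rel="${f#"$src"/}"
        mkdir -p "$dest/$(dirname "$rel")"
        cp -p "$f" "$dest/$rel"
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        printf '%s  %s\n' "$sum" "$rel" >> "$dest/manifest.sha256"
    done
}

# Re-hash the copies against the manifest. Succeeds only if every copy still
# matches the original it was taken from; any altered or missing copy fails.
verify_copies() {
    dest="$1"
    (cd "$dest" && sha256sum -c manifest.sha256 >/dev/null)
}
```

Keep the manifest with the copies; re-running verify_copies on the backup later shows whether anything changed between the copy and the re-install.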
 
Thanks for the advice superjet.

I actually tried that one on my Windows desktop last night; it pretty much serves my needs.

I knew that I bought Linux Format this month for some reason. It just happened to be a bootable Knoppix DVD install.

I have also just found out that the job is paying for a day. I think I'm gonna do a complete re-install for them after backing up the data needed.

Should keep me busy!

Normm ;)
 
Fire Wolf, thanks also for the advice on the law, but my soon-to-be brother-in-law (unless I can continue to avoid it) is a Rozzer (police orificer).
He is the son of the care home owners and he will be assisting me. If we mess something up (legally) I will blame him!

But it is very sound advice in general.

Normm
 
normm,
LOL... I don't think that is quite what I had in mind for the law thing.

When collecting evidence on a computer for law enforcement, I use a uniformed officer as witness and I also have someone take notes as I work. I use a video camera to document as I work and I document EVERYTHING... (even potty breaks).

I use a mandated standard that is approved by the court system, and I follow a checklist.

After I do the initial forensics I send the entire computer to the state patrol crime lab, and they get to pull the hard drive apart and look for any deleted stuff on the platters in a clean room, so nothing gets missed.

The only true way to completely clean a HD is to zero it out 7 times (government standard) with good low-level format software.

I have seen even a HD that a person ran a drill through come back and put the person in jail. He ran the drill only once through, and they pulled the data from the platter away from the drill site and reconstructed the missing data from the data pattern.

As for the future brother-in-law: as you quoted, "He is the son of the care home owners". That is enough to legally put a real bind on any court case if the computers are touched by him.

For forensics you have to be impartial and you CAN NOT be tied in any way to anyone or anything in the case; otherwise you have to excuse yourself from the investigation.

As for the identity-theft-type programs: the reason I said to wipe the computers and start over is because these types of programs can run in the background as a hidden service and you would never know it is running, and it is easy enough to put the program in the exclusion list for antivirus and antispyware software. The good programs run as a hidden attached object to EXPLORER.EXE, so even looking for the software in the background with the Task Manager can be difficult.
 
Fire Wolf,

I think I should be fine. It was the officer in question who asked me to come and examine the system; he recommended me to his parents, so I am assuming that the computers are not implicated in the trial of this ex-employee. In fact I believe he has already been given a community service order (let's hope it doesn't involve caring for the elderly!).

Thanks again

Normm.
 
That is good. I still think you should just wipe the machines and start over.
Good luck, and update your progress.
 