Tek-Tips Forums

WinXP pro local admin password 8


Speaker

MIS
Sep 5, 2001
72
US
We've got a sticky situation here. I need to get onto the computer of an employee that is suspected of doing some Very Bad Things. He is a programmer who installed XP on his machine (without my knowledge or approval) with his own local admin password. Now I need to get onto that machine without him knowing. If I demand the local admin password he'll know he is suspected.

Any ideas?
 
Well if you want stealth, I would wait until he goes home, then pull his machine apart and clone the hard disk, so that you can study it at your leisure (with whatever tools you have).

If he leaves his machine on normally (and would suspect a reboot), announce that some "power maintenance" needs to be performed, and that all machines should be shut-down for the weekend.
 
Just use one of the Linux Bootable CDs, mount his partition, and then copy off the SAM file. You can crack it with l0phtcrack or john the ripper at your leisure.

Or use the ntpasswd disk that smah recommends and create a second account with administrator privileges. You'll need a very good understanding of the registry, but it can be done.


Knoppix is a bootable Linux CD that has a lot of good stuff on it, including NTFS and full networking support. Xwindows and OpenOffice are also included.


pansophic
 
Howdy:

Or, simply reformat his/her system and re-install the operating system of choice.

Then, advise them that any tampering WILL result in immediate dismissal.

Murray
 
I'd combine a couple of the recommendations given already... Firstly, IF it's likely to get legal, you should consider getting the disk cloned at least twice with the cloning witnessed by a legally independent person and then lodge one copy with your lawyers. This way if it has to go to court or elsewhere, you can show that no evidence has been created or altered during your investigation. (Depending on the size of the partition, you could use GHOST to take an image and then burn it to a WORM CD/DVD.)

Once this is done, use one of the tools mentioned above to access the local admin account. Bear in mind also that if the disk is NTFS, you could connect it as a secondary device to another PC that already boots a 32-bit Windows OS (NT4, 2k or XP) and then view the contents that way.

Depending on what you're looking for, you may need other tools or utilities to ensure that your work is logged and that your investigation includes some of the more "popular" data concealment techniques. Do a search on google for "computer forensic tools" for more info.

Hope this helps,

HoinviP
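As an added example that is not part of the thread (none of the posters supplied code), here is the acquisition path recommended above by pansophic (boot a Linux CD, mount the partition, copy the SAM) and by HoinviP (clone the disk first, document the clone, then work only on the copy) written as a POSIX shell script. The device paths, mount points, output directories and the small stand-in "disk" built from /dev/urandom are assumptions for illustration; the hive locations are where XP and 2000 (WINDOWS) and NT4 (WINNT) keep them.

```shell
#!/bin/sh
# Added example, not code from the thread. Rehearses the acquisition path the
# replies describe: dd-image the suspect volume, hash both sides into a custody
# log, then pull the SAM and SYSTEM hives from an offline (read-only) mount.
# All paths below are assumptions for illustration.
set -u

# acquire_image SOURCE IMAGE LOG
# Bit-for-bit copy of SOURCE (a block device such as /dev/hda1, or an ordinary
# file when rehearsing) to IMAGE, then hash both and append the result to LOG.
# Returns non-zero if the copy failed or the hashes differ.
acquire_image() {
    src=$1; img=$2; log=$3
    # bs=512 matches the sector size, so conv=sync never zero-pads the tail of
    # a disk whose size is not a multiple of a larger block; noerror keeps
    # reading past unreadable sectors instead of aborting. A bigger bs is
    # faster on real hardware but only safe if the device size is a multiple.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null || return 1
    src_sum=$(sha256sum "$src" | cut -d' ' -f1)
    img_sum=$(sha256sum "$img" | cut -d' ' -f1)
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    printf '%s source=%s sha256=%s\n' "$stamp" "$src" "$src_sum" >> "$log"
    printf '%s image=%s sha256=%s\n'  "$stamp" "$img" "$img_sum" >> "$log"
    [ "$src_sum" = "$img_sum" ]
}

# extract_hives MOUNTPOINT OUTDIR
# Copy the two registry hives needed to recover local account hashes from a
# Windows volume mounted read-only at MOUNTPOINT: SAM (the accounts) and SYSTEM
# (the SYSKEY that encrypts the SAM hashes on XP/2000). XP and 2000 keep them
# under WINDOWS, NT4 under WINNT; names are the mixed case stored on disk.
extract_hives() {
    mnt=$1; out=$2
    cfg=""
    for root in WINDOWS WINNT; do
        if [ -d "$mnt/$root/system32/config" ]; then
            cfg="$mnt/$root/system32/config"
            break
        fi
    done
    [ -n "$cfg" ] || return 1
    mkdir -p "$out" || return 1
    for hive in SAM SYSTEM; do
        cp -p "$cfg/$hive" "$out/$hive" || return 1
    done
    # Hash the copies too, so the working set can be tied back to the image.
    (cd "$out" && sha256sum SAM SYSTEM > hives.sha256)
}

# --- rehearsal on constructed data; no real disk or mount is touched ---
work=$(mktemp -d)
head -c 4096 /dev/urandom > "$work/suspect.dev"      # stands in for /dev/hda1
acquire_image "$work/suspect.dev" "$work/suspect.img" "$work/custody.log" \
    && echo "image hash matches source"
# On a real image the next step is: mount -o ro,loop "$work/suspect.img" /mnt/suspect
# Here a fake mount tree with placeholder hives stands in for that.
mkdir -p "$work/mnt/WINDOWS/system32/config"
printf 'regf placeholder' > "$work/mnt/WINDOWS/system32/config/SAM"
printf 'regf placeholder' > "$work/mnt/WINDOWS/system32/config/SYSTEM"
extract_hives "$work/mnt" "$work/hives" && echo "hives copied to $work/hives"
cat "$work/custody.log"
rm -rf "$work"
```

On the real laptop the calls would be `acquire_image /dev/hda1 /evidence/laptop.img /evidence/custody.log` from the boot CD, then `mount -o ro,loop /evidence/laptop.img /mnt/suspect` and `extract_hives /mnt/suspect /evidence/hives`; the hashes in custody.log are what a witness signs. Two caveats the thread glosses over: on XP the SAM is SYSKEY-encrypted, so copying the SAM on its own is not enough to feed john or l0phtcrack, you need the SYSTEM hive as well (e.g. `samdump2 SYSTEM SAM > hashes.txt`, then `john --format=NT hashes.txt`); and the ntpasswd-style boot disk writes to the SAM, so if it is used at all it must be used on a copy, after the image above has been taken and hashed, or the evidence is altered.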
 
Thanks for all the helpful suggestions.

It is a laptop that the guy takes home with him at night, so any *initial* steps I take must be done quickly. I think I'll try ghosting his drive up to the network during lunch (with a ghost boot disk) to get the sam/adminpw. Then I'll take it from there depending on what I find on the image...
 