HomeCalendarCertificationsColumnsFeaturesForumResourcesVitals
 
Image
 
linkedin_logo.png rss_logo.jpg
twitter_logo.png youtube_logo.jpg
Latest Additions
 
EH-Net Login
Welcome Guest.
Lost Password?
No account yet? Register
Who's Online
We have 50 guests and 1 member online
 
Advertisement

You are here: Home arrow Ethical Hacking Discussions and Related Certificationsarrow Forensicsarrow Need to determine the computer a user account is coming from
EH-Net
May 22, 2013, 10:09:47 AM *
Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
News: Go back to The Ethical Hacker Network Online Magazine Home Page
 
   Home   Help Calendar Login Register  
Pages: 1 [2]   Go Down
« previous next »
  Print  
Author Topic: Need to determine the computer a user account is coming from  (Read 10979 times)
0 Members and 1 Guest are viewing this topic.
zeroflaw
Full Member
***
Offline Offline

Posts: 208



View Profile
« Reply #15 on: March 05, 2010, 04:07:21 PM »
Quote from: JerichoJones on March 04, 2010, 11:46:35 AM
I can the username and ip from the security log but there is no way to tie them together conclusively.

Quote from: JerichoJones on March 05, 2010, 01:21:27 PM
The crux of the issue is:

Nothing in the event log ties a user to a computer. If I have the Same ID logging on at the same time there is no way (that I see) to tie them together conclusively.

You can get the user name and IP from the logs. You can tie the IP to a certain computer. Then you know the computer and user that were used to delete the files on the server. You won't see that in the logs (as you said), but you can tie them together using the commands that were mentioned earlier in this thread. You still won't be able to see who actually did it though.

Maybe you can somehow monitor network activity and see who's doing it. But you would have to come up with something to capture the event and make some kind of alarm go off, then quickly check who's at the computer. This means you would have to catch the guy in the act.

I would just permanently ban shared accounts. You won't catch the guy responsible, but you will prevent this from happening again. I know you said you're not allowed to change it, but still.
Logged
ZF
unsupported
Sr. Member
****
Offline Offline

Posts: 318


Unofficial Newbie Moderator


View Profile
« Reply #16 on: March 05, 2010, 06:39:25 PM »
Quote from: awesec on March 05, 2010, 01:27:16 PM
If the scenario is that many different persons use the same user account on a computer, then there should be hardly a possibility to determine which person is at the moment using the account. One solution would be a webcam which is enabled or some sort of spy cam. If you know each person very well you could analyze logs and look for visited websites etc. as you could maybe match it to a certain person.

Wow, those are all good suggestions!  I wish I would have thought about that. Smiley Smiley Smiley Smiley Smiley (I'm just teasing you)
Logged
-Un
CISSP, GCIH, GCIA, C|EH, Sec+, Net+, MCP
Ketchup
Hero Member
*****
Offline Offline

Posts: 1021



View Profile
« Reply #17 on: March 05, 2010, 07:33:25 PM »
I just ran a small experiment, and the IP or Computer Name did NOT appear in my Object Access audit logs.   Only the user name was available. 

Here is what I would do:

1.  Make a business case why shared user accounts are ridiculous.

2.  If you fail at number 1, deploy some sort of host-based IDS to monitor sensitive directories.  (Tripwire, GFI, etc).

3.  Write something yourself.
Logged
~~~~~~~~~~~~~~
Ketchup
UNIX
Hero Member
*****
Offline Offline

Posts: 1235


View Profile
« Reply #18 on: March 06, 2010, 01:14:26 AM »
Quote from: unsupported on March 05, 2010, 06:39:25 PM
Wow, those are all good suggestions!  I wish I would have thought about that. Smiley Smiley Smiley Smiley Smiley (I'm just teasing you)

Seems I should have read again the already given answers and not only read it once at the very beginning. Lips sealed
Logged
Pages: 1 [2]   Go Up
  Print  
« previous next »
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.18 | SMF © 2013, Simple Machines
Joomla Bridge by JoomlaHacks.com 		Valid XHTML 1.0! Valid CSS!
Page created in 0.069 seconds with 23 queries.
 
Exclusive Deal

sansfire13_245x90_cw90.jpg
SANSFIRE 2013
June 15 - 22

5% Off w/ Code: EHN_5

SANS Deals 4 EH-Netters
5% OFF Any SANS Course in Any Format!
Coupon Code: EHN_5 Including SANS Rocky Mountain 2013 & SANS Boston 2013
Polls
Compared to this year, 2013 will be:
 
Recent Forum Topics
EH-Net News Feeds
Latest Additions
 
         
Free Business and Tech Magazines and eBooks

© 2013 The Ethical Hacker Network
Joomla! is Free Software released under the GNU/GPL License.