Evidence of remote desktop outside of Security log

12 Posts
5 Users
0 Likes
3,298 Views
minime2k9
(@minime2k9)
Posts: 481
Honorable Member
Topic starter
 

I'm looking to find evidence that a user remotely logged into machine or prove the opposite.

Remote Desktop connections are enabled in the NTuser.dat, however the Secevt log has been wiped or never used. This is a Windows XP system.

I've checked Windows Firewall is on and RDP does not appear to be in the list of allowed connections, but I'm going to test this in a VM.

Any other artefacts that I should be looking at?

 
Posted : 18/04/2015 8:55 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Any other artefacts that I should be looking at?

Bit Map Cache?
http://www.forensicfocus.com/Forums/viewtopic/t=11287/
http://www.forensicfocus.com/Forums/viewtopic/t=11667/

Last working download link
https://turbolab.it/scarica/9

jaclaz

 
Posted : 18/04/2015 9:07 pm
minime2k9
(@minime2k9)
Posts: 481
Honorable Member
Topic starter
 

Thanks for that, I'm not sure it will help me as I'm looking at the remote desktop target machine (server) and don't have the connecting machine (client).

 
Posted : 18/04/2015 11:00 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

I thought it was the other way round, my bad.

Unless this was implemented
https://support.microsoft.com/en-us/kb/894565

I believe that the only log entry that you can find on the server side is a 528/10
http://www.tomshardware.co.uk/forum/145000-45-remote-desktop-connection-logs

If you have network logs (or firewall, etc.) you may look for connections through the "default" port 3389, or the "non-standard" port specified in
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

See
https://www.umanitoba.ca/about/media/IST_Securing_Remote_Desktop_on_XPpro.pdf

jaclaz

 
Posted : 18/04/2015 11:22 pm
minime2k9
(@minime2k9)
Posts: 481
Honorable Member
Topic starter
 

Thanks for the quick reply, hoping I was missing something.

There are definitely no 528/10 entries, but then there are no entries at all!

I'll try for Windows Firewall log and see if that gets me anywhere.

 
Posted : 18/04/2015 11:39 pm
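Following jaclaz's pointer to firewall logs and port 3389 (or the PortNumber set under the RDP-Tcp key) and the plan above to look at the Windows Firewall log, here is an added example that is not code from anyone in this thread: it scans a pfirewall.log in its W3C layout for inbound connections to the RDP port, reading the column names from the file's own #Fields header. The log lines are constructed for the example; the action names and header follow the XP SP2 firewall log format.

```python
from collections import namedtuple

RdpHit = namedtuple("RdpHit", "date time action src_ip src_port")

# Constructed sample in the W3C layout of a Windows XP SP2 pfirewall.log; not a real capture.
SAMPLE_LOG = """#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2015-04-18 20:40:11 DROP TCP 203.0.113.7 192.168.1.20 50210 3389 48 S 1234567 0 8192 - - -
2015-04-18 20:41:03 OPEN-INBOUND TCP 192.168.1.30 192.168.1.20 49800 3389 - - - - - - - -
2015-04-18 20:41:05 OPEN TCP 192.168.1.20 192.168.1.30 1045 80 - - - - - - - -
2015-04-18 20:42:17 DROP UDP 192.168.1.77 192.168.1.20 137 137 78 - - - - - - -
"""

def parse_firewall_log(text):
    """Yield one dict per record, keyed by the column names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # take column names from the file itself
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) >= len(fields):       # skip truncated or malformed records
                yield dict(zip(fields, parts))

def rdp_connections(text, rdp_port=3389):
    """Inbound TCP records aimed at the RDP listener: DROP = blocked attempt,
    OPEN-INBOUND = accepted connection. rdp_port defaults to 3389; pass the
    PortNumber value from the RDP-Tcp registry key if it was changed."""
    hits = []
    for rec in parse_firewall_log(text):
        if rec["protocol"] == "TCP" and rec["dst-port"] == str(rdp_port) \
                and rec["action"] in ("OPEN-INBOUND", "DROP"):
            hits.append(RdpHit(rec["date"], rec["time"], rec["action"],
                               rec["src-ip"], rec["src-port"]))
    return hits
```

A run of DROP entries with no OPEN-INBOUND for the port supports the "RDP never got in" reading; an OPEN-INBOUND gives a client address and a time to compare against profile activity.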
(@bitznpcz)
Posts: 11
Active Member
 

Is there anything in the Forwarded Events Log? I had a similar case and found the IP address of the client used for RDP. Then used Bitmap cache viewer to prove RDP usage.

Even though the logs were cleared, there should be an entry showing RDP was closed after the logs were cleared.

 
Posted : 19/04/2015 2:11 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

I'm looking to find evidence that a user remotely logged into machine or prove the opposite.

..snip…

Remote Desktop connections are enabled in the NTuser.dat, however the Secevt log has been wiped or never used. This is a Windows XP system.

Well, Windows XP won't have the Forwarded Event Logs, and with the Secevent.evt file "wiped", you won't see Security/528 type 10 logins. If the log was cleared, you may be able to carve unallocated space for deleted Event Records.

Can you determine if the Security Event Log was cleared or if it was disabled?

RegRipper contains a plugin named auditpol.pl that lets you see the audit configuration on Windows XP and 2003 systems…this can be helpful.

Is this system a corporate system or a home user's system? I ask, as with the absence of the Security Event Log, this may provide you with some circumstantial information. What you'd want to look at is the activity available in the various profiles, and compare the times.

HTH

 
Posted : 19/04/2015 4:12 pm
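keydet89's suggestion above to carve unallocated space for deleted event records, as an added example that is not code from anyone in this thread: a small carver for the XP/2003 .evt EVENTLOGRECORD layout that uses the "LfLe" magic together with the Length field stored at both ends of a record to reject false hits, then picks out Security event 528 records whose Logon Type insertion string is 10 (Terminal Services). The sample bytes are constructed by the block's own build_record helper; the header layout follows the documented EVENTLOGRECORD structure.

```python
import struct
from datetime import datetime, timezone
HDR = struct.Struct("<IIIIIIHHHHIIIIII")  # 56-byte EVENTLOGRECORD fixed header
MAGIC = b"LfLe"                           # the Reserved field of every record

def build_record(record_no, when, event_id, strings, source="Security", computer="XPBOX"):
    """Assemble one EVENTLOGRECORD; used here only to construct sample data."""
    names = b"".join(s.encode("utf-16-le") + b"\0\0" for s in (source, computer))
    body = b"".join(s.encode("utf-16-le") + b"\0\0" for s in strings)
    str_off = HDR.size + len(names)
    length = str_off + len(body) + 4
    length += (-length) % 4               # records are padded to a 4-byte boundary
    hdr = HDR.pack(length, 0x654C664C, record_no, when, when, event_id, 8, len(strings),
                   0, 0, 0, str_off, 0, str_off, 0, str_off + len(body))  # 8 = AUDIT_SUCCESS
    rec = hdr + names + body
    return rec + b"\0" * (length - len(rec) - 4) + struct.pack("<I", length)

def parse_record(rec):
    """Decode header fields and the insertion strings of one complete record."""
    h = HDR.unpack_from(rec, 0)
    n_strings, str_off, data_off = h[7], h[11], h[15]
    strings = rec[str_off:data_off].decode("utf-16-le", "replace").split("\0")[:n_strings]
    return {"record": h[2], "event_id": h[5] & 0xFFFF, "strings": strings,
            "time": datetime.fromtimestamp(h[3], timezone.utc).strftime("%Y-%m-%d %H:%M:%S")}

def carve_records(blob):
    """Scan raw bytes (e.g. unallocated clusters) for records whose size fields agree."""
    found, pos = [], blob.find(MAGIC)
    while pos != -1:
        start = pos - 4                   # Length precedes the magic
        if start >= 0:
            length = struct.unpack_from("<I", blob, start)[0]
            end = start + length
            # sanity: plausible size, fits in the buffer, trailing Length copy matches
            if HDR.size < length <= 0x10000 and end <= len(blob) \
                    and struct.unpack_from("<I", blob, end - 4)[0] == length:
                found.append(parse_record(blob[start:end]))
        pos = blob.find(MAGIC, pos + 4)
    return found

def rdp_logons(blob):
    """Event 528 whose 4th insertion string (Logon Type) is 10 = RemoteInteractive."""
    return [r for r in carve_records(blob)
            if r["event_id"] == 528 and len(r["strings"]) > 3 and r["strings"][3] == "10"]

# Constructed sample: filler, a 528/10 record, a stray magic with no record, a 528/2 record.
SAMPLE_BLOB = (b"\xAA" * 37
    + build_record(1201, 1429390801, 528, ["bob", "XPBOX", "(0x0,0x3E7)", "10", "User32", "Negotiate", "XPBOX"])
    + b"\0" * 19 + MAGIC + b"\xFF" * 9
    + build_record(1202, 1429391000, 528, ["alice", "XPBOX", "(0x0,0x4A1)", "2", "User32", "Negotiate", "XPBOX"])
    + b"\x55" * 11)
```

On a real image you would feed the carver chunks of unallocated space rather than a constructed buffer; a wiper that overwrites free space (as CCleaner can) will of course leave nothing to find.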
minime2k9
(@minime2k9)
Posts: 481
Honorable Member
Topic starter
 

Well, Windows XP won't have the Forwarded Event Logs, and with the Secevent.evt file "wiped", you won't see Security/528 type 10 logins. If the log was cleared, you may be able to carve unallocated space for deleted Event Records.

CCleaner is installed and set to overwrite, so there may not even be anything in unallocated.

Can you determine if the Security Event Log was cleared or if it was disabled?

RegRipper contains a plugin named auditpol.pl that lets you see the audit configuration on Windows XP and 2003 systems…this can be helpful.

Thanks, I'll have a look on Monday and see what I can dig out of that.

Is this system a corporate system or a home user's system? I ask, as with the absence of the Security Event Log, this may provide you with some circumstantial information. What you'd want to look at is the activity available in the various profiles, and compare the times.
HTH

Home user's system. I have quite a bit of circumstantial evidence relating to the activity I'm investigating, but I'm trying to prevent an RDP 'defence' before they use it.

 
Posted : 19/04/2015 4:55 pm
minime2k9
(@minime2k9)
Posts: 481
Honorable Member
Topic starter
 

Update

Auditpol from RegRipper shows auditing is not enabled.

Second update

After virtualising the machine, it appears none of the user accounts on the machine allow RDP, so RDP connects but no logins are possible.

 
Posted : 20/04/2015 11:22 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

CCleaner is installed and set to overwrite, so there may not even be anything in unallocated.

Okay, but what is it configured to "overwrite"?

Home user's system. I have quite a bit of circumstantial evidence relating to the activity I'm investigating, but I'm trying to prevent an RDP 'defence' before they use it.

From what you've shared, you may not be able to do so.

 
Posted : 20/04/2015 4:18 pm
Page 1 / 2