The Time and Attendance Investigation contd.
Posted by Paul Bobby on June 17, 2009
1. Local Account Login – Successful
The computer has booted into the OS and is sitting at the login prompt. Type in the password correctly for a Local Account.
1.1 680 Account Logon – Success Audit
1.2 528 Type 2 – Success Audit – Login ID Created
1.3 576 Special Privileges assigned to the Login ID in 1.2
2. Local Account Login – Unsuccessful
The computer has booted into the OS and is sitting at the login prompt. Type in the password incorrectly for a Local Account.
2.1 680 Account Logon – Failure Audit
2.2 529 Type 2 – Failure Audit – Unknown username or password
3. Local Account Logoff
The user clicks Start->Log Off
3.1 551 User Initiated Logoff – Login ID matches 1.2
3.2 680 Account Logon – Failure Audit
3.3 529 Type 2 – Failure Audit – Unknown username or password
3.4 538 Type 2 – User Logoff – Login ID matches 1.2 – This event appears a few minutes after the actual logoff
4. Idle until System Lock
Allow the computer to idle so that the screensaver kicks in. The screensaver option to lock the computer has been enabled.
4.1 680 Account Logon – Failure Audit
4.2 529 Type 7 – Failure Audit – Unknown username or password
5. Unlock the screensaver – Successful
Enter the correct password for the local account to unlock the screensaver.
5.1 680 Account Logon – Success Audit
5.2 528 Type 7 – Success Audit – Login ID Created
5.3 576 Special privileges assigned to the Login ID in 5.2
5.4 538 Type 7 – Success Audit – User logoff – Login ID matches 5.2 – This event appears immediately, unlike the 3.4 logoff event
6. Manually lock the computer
Using the local account, manually lock the computer before walking away.
6.1 680 Account Logon – Failure Audit
6.2 529 Type 2 – Failure Audit – Unknown username or password
7. Remote Login – No account logged in
The computer is at the User Login prompt. Make an RDP connection to the computer, and successfully log in using a Local Account.
7.1 680 Account Logon – Success Audit
7.2 528 Type 10 – Success Audit – Login ID Created
7.3 576 Special Privileges assigned to the Login ID in 7.2
8. Remote Login – Account already logged in
The computer is being used by a local account. The screensaver is not locked. Make an RDP connection to the computer, and successfully take control of the session using that Local Account.
8.1 680 Account Logon – Success Audit
8.2 528 Type 10 – Success Audit – Login ID created
8.3 576 Special Privileges assigned to the Login ID in 8.2
8.4 683 Session Disconnected – Login ID matches 1.2 – Session name = Console
8.5 682 Session Reconnected – Login ID matches 1.2
  - Client Name = hostname of the remote computer
  - Client Address = may contain the IP address of the remote computer
8.6 538 Type 10 – Success Audit – User logoff – Login ID matches 8.2
8.7 680 Account Logon – Failure Audit
8.8 529 Type 2 – Failure Audit – Unknown username or password
9. Remote Login – User initiated logoff
From an RDP session, click Start->Logoff
9.1 531 User initiated logoff – Login ID matches 1.2 (if an account was already logged in) or 7.2 (if no account was logged in)
9.2 538 Type 10 – User logoff – Login ID matches the same criteria as in 9.1 – This event appears several minutes after the actual logoff
10. Remote Login – Get control back at the console
While an RDP session is in progress – go back to the console and correctly enter the password to get control back at the console.
10.1 680 Account Logon – Success Audit
10.2 528 Type 2 – Success Audit – Login ID created
10.3 576 Special privileges assigned to the Login ID in 10.2
10.4 683 Session disconnected – Login ID matches 1.2
  - Client name = hostname of the remote machine
  - Client address = may contain the IP address of the remote machine
10.5 682 Session reconnected – Login ID matches 1.2 – Session name = Console
10.6 538 Type 2 – User Logoff – Login ID matches 10.2
11. User initiated shutdown
While logged in, click Start->Shutdown
11.1 551 User initiated logoff
11.2 538 Type 2 – User logoff – Login ID matches 1.2
11.3 6006 – System Event Log – Event log service has stopped
12. User initiated Standby Mode
While logged in, the user puts the computer into standby mode.
12.1 680 Account Logon – Failure Audit
12.2 529 Type 2 – Failure Audit – Unknown username or password
12.3 W32Time events – System Event Log – the w32time events appear at the same timestamp as 12.2
13. Return from Standby Mode
The user wakes up the computer and logs in correctly.
13.1 680 Account Logon – Success Audit
13.2 528 Type 2 – Success Audit – Login ID Created
13.3 576 Special Privileges assigned to the Login ID in 13.2
13.4 538 Type 2 – User Logoff – Login ID matches 13.2
  - Note: the actual Login ID for the user's session is still the one assigned in 1.2
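As an added illustration (not part of the original post), the Python below turns the event sequences catalogued above into presence intervals for a time and attendance question: it pairs each 528 with the 538 carrying the same Login ID, labels the interval by logon type (2 = console, 7 = unlock, 10 = RDP), keeps a Type 7 unlock as a point-in-time presence marker because its 538 follows immediately (5.4), and collects the 529 failure audits. The record format and the sample records are constructed, modelled on scenarios 1, 4, 5 and 3.

```python
from collections import namedtuple
from datetime import datetime

Event = namedtuple("Event", "ts id ltype logon_id")   # ltype/logon_id may be None
LOGON_TYPE = {2: "console", 7: "unlock", 10: "rdp"}   # types seen in the scenarios

# Constructed records, 'ISO-timestamp,event_id,logon_type,logon_id', following
# scenarios 1 (logon), 4/5 (lock, unlock) and 3 (logoff) above.
SAMPLE = [
    "2009-06-17T08:00:00,680,,",           # 1.1 account logon, success
    "2009-06-17T08:00:01,528,2,0x1A2B",    # 1.2 console logon, Login ID created
    "2009-06-17T08:00:01,576,,0x1A2B",     # 1.3 special privileges
    "2009-06-17T09:30:00,529,7,",          # 4.2 failure audit seen at lock
    "2009-06-17T09:45:00,528,7,0x2C3D",    # 5.2 unlock, new Login ID
    "2009-06-17T09:45:00,538,7,0x2C3D",    # 5.4 unlock session ends at once
    "2009-06-17T17:00:00,551,,0x1A2B",     # 3.1 user-initiated logoff
    "2009-06-17T17:03:00,538,2,0x1A2B",    # 3.4 logoff, minutes later
]

def parse(lines):
    """Parse the constructed records and return them in timestamp order."""
    events = []
    for line in lines:
        ts, eid, lt, lid = line.strip().split(",")
        events.append(Event(datetime.fromisoformat(ts), int(eid),
                            int(lt) if lt else None, lid or None))
    return sorted(events, key=lambda e: e.ts)

def reconstruct(events):
    """Pair each 528 with the 538 carrying the same Login ID.
    Returns (sessions, failures). A console/RDP session spans 528 -> 538; an
    unlock (Type 7) is closed at once, so it is kept as a presence marker with
    end=None. A 528 with no matching 538 is still open and also gets end=None.
    """
    open_sessions, sessions, failures = {}, [], []
    for e in events:
        if e.id == 528:
            open_sessions[e.logon_id] = e
        elif e.id == 538 and e.logon_id in open_sessions:
            start = open_sessions.pop(e.logon_id)
            kind = LOGON_TYPE.get(start.ltype, "other")
            sessions.append({"logon_id": start.logon_id, "kind": kind,
                             "start": start.ts,
                             "end": None if kind == "unlock" else e.ts})
        elif e.id == 529:           # failed logon, or the failure audit logged at lock (4.2, 6.2)
            failures.append((e.ts, LOGON_TYPE.get(e.ltype, "other")))
    for start in open_sessions.values():
        sessions.append({"logon_id": start.logon_id, "start": start.ts,
                         "kind": LOGON_TYPE.get(start.ltype, "other"), "end": None})
    return sessions, failures
```

Because a console 538 lags the real logoff by minutes (3.4, 9.2), the 551 timestamp is the better end marker when one is present; the interval above is the upper bound.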