The Windows Incident Response Blog is dedicated to the myriad information surrounding and inherent to the topics of IR and digital analysis of Windows systems. This blog provides information in support of my books: "Windows Forensic Analysis 2/e", "Windows Registry Forensics", "Windows Forensic Analysis Toolkit 3/e", as well as the book I co-authored with Cory Altheide, "Digital Forensics with Open Source Tools".
Sunday, February 12, 2006
What do you do when...??
Sometimes you find yourself in one of those situations where the customer calls you and wants to know:
Who copied or modified a file, or
Who created or modified a user account
When you get on-site, you find that the system in question had no auditing enabled, that the admins use a group account (and they all share the password) for administration functions, and that there are simply no protections in place at all.
So, what do you do? After all, if it wasn't important, the customer wouldn't have called you, right? What do you tell them?
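As an added example, not code from the original post, here is the triage I would run on arriving at a system like the one described above: confirm what the audit policy is actually collecting, pull whatever account-management and object-access events the Security log already holds, and then map each actor's logon session back to where it came from, because a shared admin account only tells you which account was used, not which person. It assumes Windows Vista / Server 2008 or later event IDs (the post predates them), an elevated PowerShell session on the system in question, and English auditpol output.

```powershell
# Added example for the scenario in the post; not the blog author's code.
# Assumptions: Vista/2008+ event IDs, elevated PowerShell on the affected host,
# English auditpol output.

# --- 1. Is the audit policy collecting the events that would answer the question? ---
$subcategories = 'User Account Management', 'File System', 'Logon'
foreach ($sub in $subcategories) {
    # auditpol prints a header plus one line per subcategory; keep the setting line only
    auditpol /get /subcategory:"$sub" | Where-Object { $_ -match [regex]::Escape($sub) }
}
# "No Auditing" here means step 2 comes back empty for that class of event.

# --- 2. Which relevant events already exist in the Security log? ---
$ids = @{
    4720 = 'User account created'
    4722 = 'User account enabled'
    4724 = 'Password reset attempt'
    4726 = 'User account deleted'
    4738 = 'User account changed'
    4663 = 'Object access attempt (file/folder; needs a SACL on the object)'
    4670 = 'Permissions on an object changed'
}

# Read a named EventData field through the event XML, because the positional
# Properties index differs from one event ID to the next.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $data = ([xml]$Event.ToXml()).Event.EventData.Data
    ($data | Where-Object { $_.Name -eq $Name } | Select-Object -First 1).'#text'
}

try {
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = [int[]]$ids.Keys } `
                           -MaxEvents 500 -ErrorAction Stop
} catch {
    # Get-WinEvent throws instead of returning nothing when no event matches,
    # which is exactly the "no auditing was enabled" situation in the post.
    $events = @()
}

if ($events.Count -eq 0) {
    Write-Warning 'Security log holds no account-management or object-access events; auditing was not capturing them.'
    return
}

$rows = $events | ForEach-Object {
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Id      = $_.Id
        What    = $ids[$_.Id]
        Actor   = Get-EventField $_ 'SubjectUserName'   # account that performed the action
        LogonId = Get-EventField $_ 'SubjectLogonId'    # links back to the 4624 that opened the session
        Target  = if ($_.Id -eq 4663 -or $_.Id -eq 4670) { Get-EventField $_ 'ObjectName' }
                  else { Get-EventField $_ 'TargetUserName' }
    }
}
$rows | Format-Table -AutoSize

# --- 3. A shared admin account names the account, not the person. Tie each session
#        to its 4624 logon to recover the source host, IP and logon type. ---
$logonIds = $rows.LogonId | Sort-Object -Unique
$logons   = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } `
                         -MaxEvents 5000 -ErrorAction SilentlyContinue
$sessions = foreach ($lid in $logonIds) {
    $logons | Where-Object { (Get-EventField $_ 'TargetLogonId') -eq $lid } | ForEach-Object {
        [pscustomobject]@{
            LogonId    = $lid
            LoggedOnAt = $_.TimeCreated
            Account    = Get-EventField $_ 'TargetUserName'
            LogonType  = Get-EventField $_ 'LogonType'        # 2 interactive, 3 network, 10 RDP
            FromHost   = Get-EventField $_ 'WorkstationName'
            FromIp     = Get-EventField $_ 'IpAddress'
        }
    }
}
$sessions | Format-Table -AutoSize
```

Step 1 tells you up front whether the answer can come from the Security log at all; step 3 is what makes a shared account partially recoverable, since the logon session (source workstation, IP, interactive versus RDP) often narrows "who" further than the account name does, and it is the same correlation you would repeat against the admins' own workstations if the host in question has nothing.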