12.1. INVESTIGATIONS
[]Suppose a system administrator (SA) was performing a routine scan of network devices and found that a user had installed an unauthorized software program that is capable of extracting user IDs and passwords from the network and of using brute force to systematically determine most of the passwords. Suppose further that the user signed on to the network using a compromised SA user ID and password and then used the special SA privileges to extract all sorts of confidential information from the organization's network. Would the SA know what to do? Every organization should have an action plan for such discoveries. The action plan should adequately address how to handle computer evidence in such a way that it does not become tainted and include specific procedures on how to create a complete and accurate chain of evidence. The rest of this chapter focuses on these questions to help organizations become better prepared to investigate e-crime scenes before they happen.
Reality Check
The just-described scenario is not fiction. A freeware program called L0PHTCRACK (with the number 0, not the letter O), which has been around for several years, can extract the file containing the user IDs and passwords of Windows NT file servers and use brute force to determine many of them, especially the weak ones. The target files on NT operating systems are known as SAM files. Two former employees were recently charged with using L0PHTCRACK to illegally copy the SAM file from ...
Get Auditing Information Systems, Second Edition now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.