Need Help catching Thieves: Two laptops stolen.
  • #1

    Need help figuring out how to catch the assholes who stole two (2) laptops.

    I have googled, but with my limited server knowledge, I am wasting time and don't want to risk information getting lost on the server. I do not have access to the server, but our IT guy has just received his diploma and may not know of this site nor be willing to ask for help.

    We are running Windows 2000 on the server. Within the last three to four days, someone broke in and absconded with two laptops. One of the laptops was connected to the network and signed on (according to the last guy on the laptop).

    According to the IT guy, the only way to have captured the time the laptop was removed was if there was an audit program running. I know for a fact (was told by the IT guy) that the audit program was not logging. I can't believe that there was not some other record or program that may have recorded or logged this termination. Wouldn't the IP have to be recognized and allowed access, or the password logged?
    It is crucial to determine at what point the laptop was disconnected from the server.

    Would appreciate any help or guidance. I have tried to google, but knowing the right question to google is the problem. And, time is of the essence.


    )&^)&Asshole thieves.
    Last edited by Transporter; August 10, 2004, 12:05.

  • #2
    Sorry to sound callous, but stolen property really is more of a matter for law enforcement than for hackers. I'd get the fuzz on it. However, working in the IT industry as well, my advice to you is to learn from the experience and move on; you probably aren't going to see those laptops again. More than likely they've been sold for drugs several times now. Even if you did find out what time the laptops were stolen, it probably won't help you much. If they were in a 'secure' area, have your facilities manager check the door logs to see who came in and out of that area. Other than that, file a police report, pause and reflect, then get two new laptops.

    I return whatever i wish . Its called FREEDOWM OF RANDOMNESS IN A HECK . CLUSTERED DEFEATED CORn FORUM . Welcome to me



    • #3
      Originally posted by noid
      Sorry to sound callous, but stolen property really is more of a matter for law enforcement than for hackers. I'd get the fuzz on it. However, working in the IT industry as well, my advice to you is to learn from the experience and move on; you probably aren't going to see those laptops again. More than likely they've been sold for drugs several times now. Even if you did find out what time the laptops were stolen, it probably won't help you much. If they were in a 'secure' area, have your facilities manager check the door logs to see who came in and out of that area. Other than that, file a police report, pause and reflect, then get two new laptops.

      Agreed, I have no problem with the callousness and it has been reported and is being investigated. The area is not very secure and I have been in the area, therefore I have a vested interest in finding the perpetrators.

      As for hackers, let me try it this way: If you were a suspect and you wanted to make sure that every avenue was being investigated, as a hacker, what would you do? And, if knowing the exact time the laptop in question was removed could help eliminate certain person(s), how would you retrieve that information. Is it available?

      Thanks for responding, maybe I should have posted in the security forum.

      If the laptops could be determined to have been taken during the weekend or any particular time, it could eliminate several suspects as they would have airtight alibis.

      Going back to google, will check back often.

      The laptops are not really the issue.



      • #4
        Noid addressed the police part so I'll skip that.

        Originally posted by Transporter
        I ... don't want to risk information getting lost on server. I do not have access to server but our IT guy has just received his diploma and may not know of this site nor be willling to ask for help.
        Obviously, if you have not done this yet, remove the stolen laptops from the AD/Domain and change the passwords on the accounts which were "logged in to the server."

        Expire all passwords or require users to change them on next login.

        Check all machines to which the thief had physical access for trojans. (Not likely they installed any, since theft of hardware suggests less skill to get information without being noticed.)


        According to IT guy, the only way to have captured the time the laptop was removed was if there was an audit program running. I know for a fact (was told by IT guy) that the audit program was not logging.

        It is crucial to determine at what point the laptop was disconnected from the server.
        With Windows NT, things like login are recorded by default in the system logging and should be available with the system logging tool. (Don't recall what it is called in 2000 ATM.) As such, it takes an effort to disable them.

        If you have policies or domain logins set to store user files on the server upon login (such as desktop, etc) then it may be possible to examine the files which are created/modified on the server by the client to find the most recent file updated. That may help to figure when the laptop was disconnected.

        Some filesystems support dates for "access" "modify" and "create" times/dates. See if yours does. If so, one of these may help you to identify a date/time when the laptop was removed.

        Does your networking equipment log port connections/disconnections? Check it. If so, see when a disconnection from the port in use by the laptop took place.

        Does your DHCP server still have a lease for the laptops in question? When was the last time they asked for a renewal of their IP address? (Search for laptops by MAC address.)

        Do your servers run web servers? Any of them show connections from the laptop's IP? When was it?

        Got to go to work now.

        [Edit: added content below here]

        Switches often have MAC/Port lookup tables with timers. Most of the time, these timers are set in minutes not days. However, you could check to see what your switch says it has for the MAC/Port in use by the laptop. If you somehow (not likely) have 3 or 4 days for each MAC address/port entry, then you can look to see how much time is left on the timer and perform date math to find when the last ethernet frame was sent through the switch by that laptop.
        Last edited by TheCotMan; August 10, 2004, 13:14.
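The DHCP-lease and file-timestamp checks above can be combined into a simple timeline: the laptop was still online at the newest artifact it left on the server, and was gone by the time the theft was noticed. The script below is an added example written for this thread, not code from any poster or from Windows 2000; the lease dump, the three-day lease duration, the profile paths and every timestamp are constructed sample data in a simplified format, so the parser has to be adapted to whatever export the real DHCP server produces. One caveat the thread does not spell out: a client only renews at roughly half its lease, so the last renewal is a lower bound that can lag the real disconnection by up to that much, which is why the newest profile write wins here.

```python
"""Bound when a stolen, logged-on laptop last touched the network using
artifacts that survive even with Windows auditing switched off: the DHCP
lease table and server-side (roaming profile) file timestamps.

Added example for this thread, not code from any poster or from Windows.
The lease dump and file listing are constructed sample data in a simplified
format; adapt parse_dhcp_leases() to the export your DHCP server gives.
"""
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Assumption: the scope hands out 3-day leases.  A DHCP server records the
# lease *expiry*; the last renewal is expiry minus the scope's lease duration.
LEASE_DURATION = timedelta(days=3)

# Constructed sample lease dump: "ip  mac  expiry-date expiry-time  state".
DHCP_LEASES = """\
10.1.5.21  00-0d-56-1a-2b-3c  2004-08-11 09:40:00  active
10.1.5.22  00-0d-56-4f-5e-6d  2004-08-09 17:12:30  active
10.1.5.23  00-11-22-33-44-55  2004-08-12 08:03:00  active
"""

# Constructed sample: server-side files written by the session that was
# logged on from the missing laptop (UNC paths and times are invented).
PROFILE_FILES = [
    (r"\\srv1\profiles\jdoe\ntuser.dat",        "2004-08-06 18:51:12"),
    (r"\\srv1\profiles\jdoe\Desktop\notes.txt", "2004-08-06 17:02:40"),
    (r"\\srv1\profiles\jdoe\Recent\report.lnk", "2004-08-06 18:49:58"),
]


def fmt(dt):
    """Render a datetime (or None) in the format used throughout."""
    return None if dt is None else dt.strftime(FMT)


def parse_dhcp_leases(text):
    """Return {mac: expiry datetime} for leases still marked active."""
    leases = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[4] != "active":
            continue
        _ip, mac, date, time, _state = parts
        leases[mac.lower()] = datetime.strptime(f"{date} {time}", FMT)
    return leases


def last_renewal(leases, mac, lease_duration=LEASE_DURATION):
    """Moment the client last obtained or renewed its lease, or None if the
    lease has already been purged.  Look up by MAC, not IP: the address may
    have been handed to another host since."""
    expiry = leases.get(mac.lower())
    return None if expiry is None else expiry - lease_duration


def latest_profile_write(files):
    """Newest server-side write made by the user's session."""
    return max(datetime.strptime(ts, FMT) for _path, ts in files)


def disconnect_window(leases, mac, files, discovered):
    """The laptop was still online at the newest artifact and gone by the
    time the theft was noticed.  Returns (earliest, latest, evidence) as
    strings, or None when no artifact remains."""
    candidates = {}
    renewal = last_renewal(leases, mac)
    if renewal is not None:
        candidates["dhcp_renewal"] = renewal
    if files:
        candidates["profile_write"] = latest_profile_write(files)
    if not candidates:
        return None
    source, newest = max(candidates.items(), key=lambda kv: kv[1])
    return fmt(newest), discovered, source


if __name__ == "__main__":
    leases = parse_dhcp_leases(DHCP_LEASES)
    print(disconnect_window(leases, "00-0D-56-4F-5E-6D", PROFILE_FILES,
                            "2004-08-10 08:00:00"))
```

Run it before the lease expires: once the DHCP server purges the entry, last_renewal() returns None and only the file timestamps remain. Read the timestamps from a copy or image of the server share rather than by opening the files, since opening them updates the access time you are trying to preserve.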



        • #5
          Originally posted by TheCotMan
          Obviously, if you have not done this yet, remove the stolen laptops from the AD/Domain and change the passwords on the accounts which were "logged in to the server."

          Expire all passwords or require users to change them on next login.
          Passed along and thanks.

          Originally posted by TheCotMan
          Check all machines to which the thief had physical access for trojans. (Not likely they installed any, since theft of hardware suggests less skill to get information without being noticed.)
          More than likely a crackhead smash and grab.

          Originally posted by TheCotMan
          With Windows NT, things like login are recorded by default in the system logging and should be available with the system logging tool. (Don't recall what it is called in 2000 ATM.) As such, it takes an effort to disable them.
          According to the lead Detective, the original server guy (who is gone, of course) disabled all admin/audit log filling because it had to be monitored and occasionally purged(?).

          Originally posted by TheCotMan
          If you have policies or domain logins set to store user files on the server upon login (such as desktop, etc) then it may be possible to examine the files which are created/modified on the server by the client to find the most recent file updated. That may help to figure when the laptop was disconnected.

          Some filesystems support dates for "access" "modify" and "create" times/dates. See if yours does. If so, one of these may help you to identify a date/time when the laptop was removed.
          Will pass along.

          Originally posted by TheCotMan
          Does your networking equipment log port connections/disconnections? Check it. If so, see when a disconnection from the port in use by the laptop took place.
          YES, Trillion has been contacted and we are waiting on a response.

          Originally posted by TheCotMan
          Does your DHCP server still have a lease for the laptops in question? When was the last time they asked for a renewal of their IP address? (Search for laptops by MAC address.)
          Got me on this one, don't have any idea what this is, but I will pass along.

          Originally posted by TheCotMan
          Do your servers run web servers? Any of them show connections from the laptop's IP? When was it?
          NO


          Thank you for taking your time to respond.

          Some of what you suggested is being looked into, the other suggestions will be passed along.
          Last edited by Transporter; August 10, 2004, 13:37.



          • #6
            Would you mind altering your quoting style for posts? The way you quoted the replies makes it look like the person being quoted as forming your replies is me.

            Also, the last line "off to work" can just be removed.

            Originally posted by Transporter
            Originally posted by TheCotMan
            With Windows NT, things like login are recorded by default in the system logging and should be available with the system logging tool. (Don't recall what it is called in 2000 ATM.) As such, it takes an effort to disable them.
            According to the lead Detective, the original server guy (who is gone, of course) disabled all admin/audit log filling because it had to be monitored and occasionally purged(?).
            It has been a while, but I seem to recall that the MS Windows logging service and applications support log file limits. This means you can tell it that log files should be no bigger than X MB.

            Originally posted by Transporter
            Thank you for taking your time to respond.

            Some of what you suggested is being looked into, the other suggestions will be passed along.
            You're welcome.



            • #7
              Originally posted by TheCotMan
              Would you mind altering your quoting style for posts? The way you quoted the replies makes it look like the person being quoted as forming your replies is me.

              Also, the last line "off to work" can just be removed.
              Crap, fixed it......sorry.


              Originally posted by TheCotMan
              It has been a while, but I seem to recall that the MS Windows logging service and applications support log file limits. This means you can tell it that log files should be no bigger than X MB.
              I am sure you are correct, but for some reason it was disabled.



              • #8
                Originally posted by Transporter
                Crap, fixed it......sorry.
                Thanks.


                Originally posted by Transporter
                I am sure you are correct, but for some reason it was disabled.
                Incompetence? Audit trails are one of the three most important parts to security and are often overlooked. To go beyond overlooking logging and choose to disable it is SOOOO STUPID! (Quote from UHF -- the movie.)

                Now, like noid said:
                Originally posted by noid
                working in the IT industry as well, my advice to you is to learn from the experience and move on.
                Now is the time to review policy, and set new procedures or requirements for servers and logging. Perhaps review physical access, and password management. Maybe you can go out and hire a local security person to perform an audit of your site. Maybe you should consider replacing the present Admin.



                • #9
                  Originally posted by TheCotMan
                  Incompetence? Audit trails are one of the three most important parts to security and are often overlooked. To go beyond overlooking logging and choose to disable it is SOOOO STUPID! (Quote from UHF -- the movie.)

                  Now, like noid said:

                  Now is the time to review policy, and set new procedures or requirements for servers and logging. Perhaps review physical access, and password management. Maybe you can go out and hire a local security person to perform an audit of your site. Maybe you should consider replacing the present Admin.
                  True, in defense of the new guy, he is in the process of physically moving the servers in order to get control and on a limited budget.

                  Very good idea on site audit.

                  I understand the ramifications of having the servers set up the way they were, but that was out of my control.

                  My primary concern for now is: With audit/admin logging disabled, is there a way to determine exactly what time the "connected" laptop was disconnected from the net.

                  Thanks again.



                  • #10
                    Originally posted by Transporter
                    True, in defense of the new guy, he is in the process of physically moving the servers in order to get control and on a limited budget.
                    This is not a valid excuse. Logs can be auto-rotated out, or setup to purge by date or setup to have a limit in size where older logs fall into the bit bucket.

                    Originally posted by Transporter
                    Originally posted by TheCotMan
                    Does your DHCP server still have a lease for the laptops in question? When was the last time they asked for a renewal of their IP address? (Search for laptops by MAC address.)
                    Got me on this one, don't have any idea what this is, but I will pass along.
                    DHCP is a method that larger organizations and some residences use to hand out IP addresses, gateway (router IP), DNS and other network information to clients as they boot and desire network access. DHCP servers hand out leases based on the MAC address reported by clients (hosts on your network), and these leases are time sensitive. The DHCP server should have lease information to show the last time the client renewed its lease (date/time). If you associate the MAC of the laptop(s) to the leases they used, you can see the last time they asked for a lease renewal or a new lease.

                    If logging was disabled on the DHCP Server as well, then you probably do not have much time left to check the leases before the leases for these laptops EXPIRE and then new leases are handed out to a new machine. (Of course, YMMV on leases and their duration and how DHCP was being used on your site, assuming it was used at all.)

                    My primary concern for now is: With audit/admin logging disabled, is there a way to determine exactly what time the "connected" laptop was disconnected from the net.
                    Other ideas:
                    (I included this in my earlier post as an edit, so you may have overlooked it)

                    Originally posted by TheCotMan
                    Switches often have MAC/Port lookup tables with timers. Most of the time, these timers are set in minutes not days. However, you could check to see what your switch says it has for the MAC/Port in use by the laptop. If you somehow (not likely) have 3 or 4 days for each MAC address/port entry, then you can look to see how much time is left on the timer and perform date math to find when the last ethernet frame was sent through the switch by that laptop.
                    Another idea:
                    Do you have a caching proxy like squid? A SOCKS 4/5 proxy? Are clients configured to use it? Can you see if the caching web proxy in use has tracking to show what clients were visiting what URL when? Find the IP address of the laptop and see if it is in the logs, as well as the date/time.

                    [Edit: added content]
                    If they are part of a domain, log into the PDC and/or BDC and before you remove them from the AD/Domain see if there is information about the greyed out machine. Maybe it will include a date/time when the machine last logged into the network.
                    Last edited by TheCotMan; August 10, 2004, 15:32.
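The two remaining sources this post points at, the switch MAC table timer and a caching proxy log, can be turned into "last seen" times with a few lines. The script below is an added example for this thread, not code from any poster, any switch vendor or the squid project. The timer values and the log lines are constructed; the log layout follows squid's native access.log (epoch seconds first, client address third), but check yours. The caveat the post already gives is the important one: with the common 300-second MAC aging default the entry for a laptop that has been gone for days is already purged, and the function returns None rather than a guess. Proxy logs, by contrast, survive until they are rotated, and squid stamps them in UTC, so convert to local time before comparing against alibis.

```python
"""Two more 'last seen' sources for a laptop that left no audit trail on the
host: the switch's MAC table aging timer and a caching proxy's access log.

Added example for this thread, not code from any poster or from any vendor.
The aging-timer values and the squid-style log lines are constructed.
"""
from datetime import datetime, timedelta, timezone

FMT = "%Y-%m-%d %H:%M:%S"


def last_frame_time(read_at, aging_timeout_s, remaining_s):
    """Date math from the switch MAC table: an entry is purged aging_timeout
    seconds after the last frame from that MAC, so
        last_frame = read_at - (aging_timeout - remaining).
    Returns None when the entry is already gone (remaining is None) or the
    remaining time is not consistent with the configured timeout."""
    if remaining_s is None or not 0 <= remaining_s <= aging_timeout_s:
        return None
    read = datetime.strptime(read_at, FMT)
    seen = read - timedelta(seconds=aging_timeout_s - remaining_s)
    return seen.strftime(FMT)


# Constructed lines in squid's native access.log layout:
# epoch-seconds elapsed-ms client-ip code/status bytes method url ident hierarchy/peer type
SQUID_LOG = """\
1091818212.345    120 10.1.5.22 TCP_MISS/200 4521 GET http://www.example.com/ - DIRECT/192.0.2.10 text/html
1091818330.018     35 10.1.5.22 TCP_HIT/200 812 GET http://www.example.com/logo.gif - NONE/- image/gif
1091900000.500    210 10.1.5.40 TCP_MISS/200 9930 GET http://www.example.net/ - DIRECT/192.0.2.20 text/html
"""


def last_proxy_hit(log_text, client_ip):
    """Newest request from client_ip in the proxy log, as a UTC timestamp
    string, or None if the address never appears."""
    newest = None
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[2] != client_ip:
            continue
        ts = float(fields[0])
        if newest is None or ts > newest:
            newest = ts
    if newest is None:
        return None
    return datetime.fromtimestamp(newest, tz=timezone.utc).strftime(FMT)


if __name__ == "__main__":
    # Table read at 13:00 with 45 s left on a 300 s timer: last frame 12:55:45.
    print(last_frame_time("2004-08-10 13:00:00", 300, 45))
    # Entry already aged out: no information, so do not fabricate a time.
    print(last_frame_time("2004-08-10 13:00:00", 300, None))
    print(last_proxy_hit(SQUID_LOG, "10.1.5.22"))
```

Note that the proxy log identifies the laptop by IP only; cross-check that IP against the DHCP lease for the laptop's MAC, because after the lease expired the same address can show up in the log for a different machine.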



                    • #11
                      Windows does keep a large number of logs of various things. If you really need those computers, then you should probably make an image (copy) of the server, so that Windows does not erase the logs during its natural function. If law enforcement really wanted to, I'm sure they could find traces. However, using the MACs is probably the best way.

                      I'm not sure if Windows server keeps network logs in the event viewer, but you could check.

                      And there is a chance that the thief will try to use the laptops to hack your network. Therefore, you may want to consider previous suggestions, and create a honeypot as well.

                      What you need is better security guards. If some crackhead can simply enter and take the computers, you will have a big problem maintaining network security.
                      " Life is like a sewer... what you get out of it depends on what you put into it."
                      -Tom Lehrer
