Hotmail Proxy Details (Whodunnit)

Discussion in 'Internet, Connectivity and Communications' started by Fergal1982, Jun 25, 2008.

  1. Fergal1982

    Fergal1982 Petabyte Poster

    We've got a situation at work, where someone accessed hotmail, created an account, and sent someone a nasty email, signing it from someone else.

    Apparently, checking the proxy logs, they've narrowed it down to two people who were accessing hotmail at around the time the email was sent.

    Does anyone know of any way to categorically tell who sent the email? I was hoping that the hotmail querystring would contain the username, but I believe that hotmail encrypts that.
     
    Certifications: ITIL Foundation; MCTS: Visual Studio Team Foundation Server 2010, Administration
    WIP: None at present
  2. Luddym

    Luddym Megabyte Poster

    It's possible, but improbable, that someone has ticked 'remember this username/password' when logging onto hotmail.

    Could you check to see if the username details are already entered on the hotmail website of the machines of those two people, whilst logged in as them?
     
    Certifications: VCP,A+, N+, MCSA, MCSE
    WIP: Christmas Drunkard
  3. ThomasMc

    ThomasMc Gigabyte Poster

    You could be on to it, Luddym. The default behavior of Windows Live is:

    Remember me on this computer - Ticked
    Remember my password - Not Ticked
     
    Certifications: MCDST|FtOCC
    WIP: MCSA(70-270|70-290|70-291)
  4. zebulebu

    zebulebu Terabyte Poster

    Do your proxy logs not contain the IP address that the request was made from? They should do - which would enable you to trace back to the workstation the user was logged on to and, through judicious investigation of security logs, you should be able to find the culprit
     
    Certifications: A few
    WIP: None - f*** 'em
  5. Fergal1982

    Fergal1982 Petabyte Poster

    Yeah they do. But two users were on at the same time as the email was sent.
     
    Certifications: ITIL Foundation; MCTS: Visual Studio Team Foundation Server 2010, Administration
    WIP: None at present
  6. Luddym

    Luddym Megabyte Poster

    Basically, you can pretty much work out it is ONE of those two, but are unable to work out which via the proxy logs.

    Is checking both users' PCs whilst they are logged on an option, to see if they have accidentally ticked the remember logon details button?
     
    Certifications: VCP,A+, N+, MCSA, MCSE
    WIP: Christmas Drunkard
  7. Fergal1982

    Fergal1982 Petabyte Poster

    You are spot on there, Luddym.

    Possible. But I think they would rather get evidence prior to confronting either party.
     
    Certifications: ITIL Foundation; MCTS: Visual Studio Team Foundation Server 2010, Administration
    WIP: None at present
  8. Stoney

    Stoney Megabyte Poster

    Time to break out the ol' thumbscrews! Then you'll get some answers :twisted:

    Sorry, I have no input for this problem :biggrin
     
    Certifications: 25 + 50 metre front crawl
    WIP: MCSA - Exam 70-270
  9. Luddym

    Luddym Megabyte Poster

    Depending on your office regulations... any chance of getting management approval to reset the users' passwords early morning or late evening (whilst they aren't in), logging in as them and checking?

    I know that in some organisations this is a big no no but others it is acceptable.
     
    Certifications: VCP,A+, N+, MCSA, MCSE
    WIP: Christmas Drunkard
  10. BosonMichael

    BosonMichael Yottabyte Poster

    Put them in a cage and make them fight to the death. :boxing
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  11. zebulebu

    zebulebu Terabyte Poster

    What - on the same workstation? at the same time? That's a neat trick... Surely that can't be possible?
     
    Certifications: A few
    WIP: None - f*** 'em
  12. Fergal1982

    Fergal1982 Petabyte Poster

    :biggrin No. Both on hotmail at the same time.
     
    Certifications: ITIL Foundation; MCTS: Visual Studio Team Foundation Server 2010, Administration
    WIP: None at present
  13. zebulebu

    zebulebu Terabyte Poster

    OK - so, as I said, provided your proxy logs contain the workstation IP/DNS name of requesting clients, can you not just cross-reference the times that the requests to hotmail were made with the IP addresses of the workstations, then interrogate the security logs for the workstations to find out which user was using that workstation at the time? I used to do this all the time for internal security investigations at the old bill - or have I misunderstood what you need somewhere along the line?
     
    Certifications: A few
    WIP: None - f*** 'em
  14. Fergal1982

    Fergal1982 Petabyte Poster

    No, what I meant was that they were using different machines, but both accessing hotmail at the same time. So in the proxy logs, there are a bunch of requests to hotmail at around the time of sending the email, from both parties.
     
    Certifications: ITIL Foundation; MCTS: Visual Studio Team Foundation Server 2010, Administration
    WIP: None at present
  15. Sparky

    Sparky Zettabyte Poster Moderator

    Sack both of them.

    ...and lock down hotmail.8)

    Are there any cookies for hotmail that might have the username as the filename?
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  16. Fergal1982

    Fergal1982 Petabyte Poster

    I'm not sure. Could be though, assuming they haven't wiped it.

    I'd do just that. And hotmail is locked down on the main network, but these guys are in an office outside the UK. They get some 'special' leniency as to what gets blocked, much like the offshore guys (who can even get to porn if the fancy takes them).
     
    Certifications: ITIL Foundation; MCTS: Visual Studio Team Foundation Server 2010, Administration
    WIP: None at present
  17. Sparky

    Sparky Zettabyte Poster Moderator

    Cool, you could even browse to it through the C$ share so they wouldn't even know.

    Might sound daft but has anyone asked the two users about this yet? I guess you already know who it is but just need proof.
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  18. BosonMichael

    BosonMichael Yottabyte Poster

    If you can't find this info out by proxy logs, stand behind each of them and ask them to browse to hotmail.com. Provided they haven't logged on recently with a different hotmail account, the most recently used username should still be displayed (prompting for password).
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  19. greenbrucelee

    greenbrucelee Zettabyte Poster

    Unless they clear the cache and temp files etc. :D
     
    Certifications: A+, N+, MCDST, Security+, 70-270
    WIP: 70-620 or 70-680?
  20. zebulebu

    zebulebu Terabyte Poster

    Fergal - am I not making myself clear here? (sorry, that sounds well patronising - it's not meant to be!)

    Surely the proxy logs contain the IP address/machine name of both of the workstations that the users were on at the time? If so - check the logs in event viewer from each machine to see who was logged on at the time. You're looking specifically at event id 540 (successful network logon).
     
    Certifications: A few
    WIP: None - f*** 'em
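An added example (not code from this thread or from any of the posters) of the cross-referencing zebulebu describes in posts 13 and 20, taken one step further than the thread: the proxy log is first narrowed from "both users on hotmail in the same window" to the single request that actually sent the message, and only that request's client IP is mapped to a workstation and matched against the workstation's logon events. Every log line, IP address, hostname, URL and account name is constructed. The event IDs assumed are the pre-Vista Windows security log values, 528 for a successful interactive logon, 540 for a successful network logon and 538 for logoff; the IP-to-hostname table stands in for a DHCP lease list or DNS zone.

```python
"""Correlate proxy-log hits with workstation logon events to attribute a request.

Added example for this thread; every log line, IP, hostname, URL and account below
is constructed. Event IDs follow the pre-Vista Windows security log:
528 = successful interactive logon, 540 = successful network logon, 538 = logoff.
"""
from datetime import datetime, timedelta

TIME_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed proxy log extract: date time client_ip method url status.
# Both workstations are on the mail site in the same window; only one sends.
PROXY_LOG = """\
2008-06-25 14:01:55 10.1.5.23 GET http://mail.live.com/mail/InboxLight.aspx 200
2008-06-25 14:02:17 10.1.5.41 GET http://mail.live.com/mail/InboxLight.aspx 200
2008-06-25 14:03:02 10.1.5.23 POST http://mail.live.com/mail/SendMessageLight.aspx 200
2008-06-25 14:03:40 10.1.5.41 GET http://mail.live.com/mail/InboxLight.aspx 200
"""

# Constructed IP-to-hostname mapping, as a DHCP lease table or DNS zone would give.
IP_TO_HOST = {"10.1.5.23": "WS-DUB-07", "10.1.5.41": "WS-DUB-12"}

# Constructed security-log extracts from both workstations: date time host event_id account.
# Deliberately out of order, with a service account's network logon mixed in.
SECURITY_LOG = r"""
2008-06-25 08:52:10 WS-DUB-07 528 CORP\asmith
2008-06-25 08:58:44 WS-DUB-12 528 CORP\bjones
2008-06-25 13:20:05 WS-DUB-07 540 CORP\svc-backup
2008-06-25 12:15:30 WS-DUB-12 538 CORP\bjones
2008-06-25 12:16:01 WS-DUB-12 528 CORP\cwhite
"""


def parse_proxy(text):
    """Parse the constructed proxy format into dicts, oldest first."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, ip, method, url, status = line.split()
        rows.append({"time": datetime.strptime(f"{date} {clock}", TIME_FMT),
                     "ip": ip, "method": method, "url": url, "status": int(status)})
    return sorted(rows, key=lambda r: r["time"])


def parse_security(text):
    """Parse the constructed security-log format. Sorting matters: the session
    replay below assumes events arrive in time order."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, host, event_id, account = line.split()
        rows.append({"time": datetime.strptime(f"{date} {clock}", TIME_FMT),
                     "host": host, "event_id": int(event_id), "account": account})
    return sorted(rows, key=lambda r: r["time"])


def clients_in_window(proxy_rows, centre, seconds, host_marker="mail.live.com"):
    """Client IPs with a hit on the mail host within +/- seconds of `centre`:
    the 'two users at the same time' view, which on its own is ambiguous."""
    lo, hi = centre - timedelta(seconds=seconds), centre + timedelta(seconds=seconds)
    return {r["ip"] for r in proxy_rows
            if host_marker in r["url"] and lo <= r["time"] <= hi}


def console_user_at(events, host, at):
    """Replay logon/logoff events on `host` up to `at` and return the account
    holding the interactive session then, or None. Network logons (540) are
    skipped: a service account's SMB logon does not put anyone at the keyboard."""
    active = None
    for e in events:
        if e["host"] != host or e["time"] > at:
            continue
        if e["event_id"] == 528:
            active = e["account"]
        elif e["event_id"] == 538 and e["account"] == active:
            active = None
    return active


def attribute_sends(proxy_rows, events, ip_to_host, send_marker="SendMessage"):
    """For each request that looks like a message send, name the workstation and
    the console user at that moment. A None user means the evidence is missing,
    not that nobody was there."""
    findings = []
    for r in proxy_rows:
        if r["method"] != "POST" or send_marker not in r["url"]:
            continue
        host = ip_to_host.get(r["ip"])
        user = console_user_at(events, host, r["time"]) if host else None
        findings.append({"time": r["time"].strftime(TIME_FMT), "ip": r["ip"],
                         "host": host, "user": user})
    return findings


if __name__ == "__main__":
    proxy = parse_proxy(PROXY_LOG)
    events = parse_security(SECURITY_LOG)
    send_time = datetime(2008, 6, 25, 14, 3, 2)
    print("clients on the mail host within 2 min:", sorted(clients_in_window(proxy, send_time, 120)))
    for finding in attribute_sends(proxy, events, IP_TO_HOST):
        print(finding)
```

Two things the constructed data is arranged to show: the 540 network logon by a service account on WS-DUB-07 does not change who is at that console, and WS-DUB-12 changes hands at lunchtime, so the user "logged on at the time" is only correct if logoffs are replayed too. Before trusting a result on real logs, confirm that the proxy and the workstations agree on time (or correct for the skew) and that the DHCP lease for the IP had not moved to another machine during the window; on Vista and later the equivalent events are 4624 (logon, with a logon type field that separates interactive from network) and 4634 (logoff).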
