...how to determine the absolute last user on a PUBLIC use computer...

One of the laptops in our MWR room got the LCD screen punched in, and we're trying to figure out WHO it was that did it.

No one was in the room when the punch-out occurred, and no one is fessing up.

We've looked through the cookies, the usernames that are saved in Yahoo! Messenger, but there's no way to know for sure that I know of) to figure out if there is a timestamp on when and what app was used last.

Best guess is that someone was online to a friend or loved one back home and got some really bad news.

I can't promise any sort of reward, but I would greatly appreciate any help from the more detective-computing-savvy brothers or sisters here...

This is going to be a tough one...

Do users have to login to the computer to access the Internet? or e-Mail?
Some IM clients keep logs per user in a text file. You can use the last modified date to determine who last IM'd someone, but that is not really conclusive enough since it could have been e-mail as well that set someone off.

You could always round up all the people that used it that day and beat them until someone cracks and admits it....

What about the system Event Viewer? I'm not positive, but it may log user log-ons/log-offs. Just a thought.

Users just have to know their own username and password to log in to their IM program of choice (AIM, MSN, Yahoo!, etc)

The computers are turned on and plugged in pretty much 24/7, and there WAS an honor system in place, where you sign in to use the computers, and then log off after 30 minutes if there is someone waiting to get online. If not, you can stay on until someone comes in, and after your 30 minutes, you're the next one out...

I've searched for all files modified bewtween the times the last user remembers being in here (02AM) and the time it was discovered broken (11AM), and I am about to go blind trying to read the code in some of the text file logs... AAARGH!!!

Quote: Originally Posted by GrandpaNoob72 Users just have to know their own username and password to log in to their IM program of choice (AIM, MSN, Yahoo!, etc) The computers are turned on and plugged in pretty much 24/7, and there WAS an honor system in place, where you sign in to use the computers, and then log off after 30 minutes if there is someone waiting to get online. If not, you can stay on until someone comes in, and after your 30 minutes, you're the next one out... I've searched for all files modified bewtween the times the last user remembers being in here (02AM) and the time it was discovered broken (11AM), and I am about to go blind trying to read the code in some of the text file logs... AAARGH!!!

acctinfo.dll, add it to users properties with regsrv.

It will give you last log-on times, this is assuming a domain is being used.

Hope that helps.

"Yes I was in the lab and yes I may have been the last person to use that computer [I'm not sure it was that one they all look alike to me], but that doesn't mean I damaged the LCD. When I left the lab, the LCD was fine and the lab was empty. Perhaps someone came in and did the damage between my leaving and the person who reported the damage. In fact perhaps the person who reported the damage CAUSED the damage. Perhaps you better speak to my lawyer on all this..."

If the perpetrator has any brains, this is the tact they will take. Just cause I steal your car and commit a robbery doesn't mean you should do time cause it's YOUR car.

-MF

What version of Windows? And does each person who uses the computer log on to Windows with their own username/password (i.e. when no one's using the computer, does it sit at a login screen, or ready to go with the desktop/start menu showing)? My guess is no Windows password is needed, or you'd already know whodunnit.

If the computers access the Internet through a proxy or firewall that logs activity, you might be able to track down the activity using that computer's IP.

Or, look around for the guy with cut-up knuckles and a sob story..

All the computers are running Win XP Pro

you can basically come in, sign in, and plop down at whatever computer is available.

There is no per-user account login, if the computer is in screensaver mode, it will simply wake up and go to the desktop, where the program icons are there to launch whatever IM/email/internet program you want to use.

I've done some looking, but I can only find the last modified files, but not the user that those files belong to...

Best we can figure, like I said, it was someone getting a little more than upset at something they either read or saw (pic?), and took it out on the laptop (whether intentionally or not)

MF, that gives us a little direction to start looking, thanks bud... Anyone here feeling guilty? Well, what would you say if we said we could PROVE it was you? Uh, you need to speak to my lawyer...GOTCHA!!!

The next step that I'm going to suggest to the CO is swab the screen and pull DNA results... We all have samples taken for remains identification, so..............

write it off as a lesson learned, even public computers need some degree of authentication, its not that hard to implement and maintain, and virtually eliminates the risk of someone destroying equipment, since their login time will tell all.

not a solution to the immediate problem, but if i were you, id put some sort of authentication method in place immediately, or else this situation will become an example to everyone.

The thing is, fu3l, I'm a ground-pounder, not a commo geek (wonder if I SHOULD have been...)

The commo guys who set up the computers, router, switch, etc... those guys are not all quite "there"... it seems like they know how to cut and crimp their own CAT-5 cable, plug in and turn on, but not much after that... They do know their way around the radios and the Blue Force Tracker stuff, but not much past their own little laptops (and it seems like I know more about them than they do sometimes).

A couple of them were talking about how to wipe all the computers and get them "baselined", how it took so long and was a PITA to do one by one, and I happened to mention they should try nLite or TinyXP... Their eyes glassed over, and I was like, WTFBBQ???

But the problem with the individual user log-on/off at this site is that there are so many people who come out, stay for a week or two, then go back to the FOB. We don't have the numbers of people on hand to provide a dedicated "Internet Cafe Host/ess" 24/7...

The commander is furious that someone trashed the screen (3/4 of a 15" LCD that does not work, and like 1/16th of THAT area is completely black (where we suspect the punch landed)... He ordered up the "Full CSI: Baghdad Workup" on the machine, since our amateur cyber-sleuths couldn't turn up any conclusive evidence...

I thank you for your help and suggestions, and will make sure to pass them on (though I make NO GUARANTEE that they wll be understood, much less implemented) to the commander...

PEACE!

Check with your medical team where you are it for some hand injuries... Because I'll tell you what, if someone punched the screen and did not hit it just right, they will most likely have a pretty jacked up hand.

I punched an LCD in my early years with my off hand, I dented the plastic screen a small amount, but didn't mess up the display at all. My hand was sore for weeks. I even went to the doctors for some Vicodin and anti-inflamitories. Granted it was an old 17" Samsung that is built like a brick **** house.

Yeah, we got the BN surgeon stationed out here on the compound, and he's already been notified to be on the lookout...

The other thing is that everyone is banned from the MWR room (free internet and VoIP phones) until the culprit either comes forward or is ratted out by his buddies.

If someone had come forward and fessed up, they'd just have to pay for the laptop, get banned from the MWR room, and done deal... Now that we've gone to the trouble of trying to figure it out, whoever it is will not only have to pay for it, they'll probably also get demoted and have some NJP applied, IN ADDITION to getting banned... Sucks to be them...

The only reason I'm not pissed is that I have my own laptop, and I get 12 hours a day of internet at my office. What with no one being able to use the MWR computers, my bandwidth just jumped up to at least 200% faster...

Quote: Originally Posted by GrandpaNoob72 Yeah, we got the BN surgeon stationed out here on the compound, and he's already been notified to be on the lookout... The other thing is that everyone is banned from the MWR room (free internet and VoIP phones) until the culprit either comes forward or is ratted out by his buddies. If someone had come forward and fessed up, they'd just have to pay for the laptop, get banned from the MWR room, and done deal... Now that we've gone to the trouble of trying to figure it out, whoever it is will not only have to pay for it, they'll probably also get demoted and have some NJP applied, IN ADDITION to getting banned... Sucks to be them... The only reason I'm not pissed is that I have my own laptop, and I get 12 hours a day of internet at my office. What with no one being able to use the MWR computers, my bandwidth just jumped up to at least 200% faster...

I imagine you have also become that much more popular too...

Quote: Originally Posted by FeRaL I imagine you have also become that much more popular too...

That's not possible, Feral... you just can't improve perfection.

That's like saying infinity is getting larger, absolute zero is getting colder, or Chuck Norris is becoming stronger.

Jeez - I was thinking this was a college or high school situation. I didn't realize it's was you Grandpa.

Had I realized it was military I would have understood that 'speak to my lawyer' stuff ain't gonna go.

I feel so dumb

Yeah - somebody may have left DNA. Or you may detect traces of helmut. Just out of curiosity, were any of the last modified files at all telling?

-MF

Quote: Originally Posted by GrandpaNoob72 If someone had come forward and fessed up, they'd just have to pay for the laptop, get banned from the MWR room, and done deal... Now that we've gone to the trouble of trying to figure it out, whoever it is will not only have to pay for it, they'll probably also get demoted and have some NJP applied, IN ADDITION to getting banned... Sucks to be them...

Indeed ....

Well, first I'd run that machine's IP address out on the server logs and find out where it went over the timeframe in question ... most security-conscious Admins these days track outbound IP requests. I think the chances of getting bad news to cause such an outbreak is higher via e-mail than IM, culturally speaking, since it's easier to write a "Dear John" letter than to say it in person (or via IM). That means someone probably tapped into a webmail system and got the shock they didn't want. Unless you're tracking keystrokes as well, chances are you won't know who logged into that webmail account, either. However, if you find someone logged into a webmail account, you can contact the webmail provider, give them the details of the story, the IP of the machine, and they can probably tell you which userid logged in, and what name is associated with that userid (without giving you access to the e-mails, of course ... but you might even get them to provide that info as well, with the proper verifications -- legal badlands there, however.)

There's another sticky point: you say a lot of folks just show up for a couple of weeks and then leave. Well, what are the odds that Mr. Anger is one of those folks? In two weeks, he's gone and everyone else is paying for his outrage by not getting access.

If you were serious about pulling the DNA off the screen, that would be helpful. However, you might run into legal issues of using the DNA database you have (which is intended for post-mortem identification) to conduct an investigation on a living person.

If you're commander is pissed, that's unfortunate. But you can offer to protect your systems from future aggressions by setting up a simple video-monitoring system. But the best bet, as multiple people here have suggested, is to use individual logins. But that takes a dedicated resource, which you're probably light on right now.

how about IE/FF's history? that might yield some sort of clue as to who used it

sorry if this was suggested before, if it was, and this helps, they deserve credit

Quote: Originally Posted by FeRaL I imagine you have also become that much more popular too...

For the past two days, they've been beating down the door asking me all sorts of weird computer-related stuff... If only I hadn't opened my big mouth and suggested nLite/TinyXP to begin with...

Quote: Originally Posted by Im_gumby That's not possible, Feral... you just can't improve perfection. That's like saying infinity is getting larger, absolute zero is getting colder, or Chuck Norris is becoming stronger.

You bucking to be on my Xmas list this year or something, Gumby??? O/T, you know we had to "re-name" one of our soldiers to "Norris", to keep the locals from knowing that he's of Iraqi descent...

Quote: Originally Posted by Monsignor Funkibut Just out of curiosity, were any of the last modified files at all telling?

I started with the files modifed between the last admitted user and the time of discovery, and moved backwards from discovery. The closest I got was about 30 minutes prior to discovery, a text log file for someone logging on to GheySpace, but I was about to go blind with trying to sift through all the code when the CDR came in and told us they were going to swab the screen, so go ahead and power it down...

I agree, it would be nice to be able to have someone sit in there and do nothing but make sure people play nice with the laptops and whatnot... Not something we have the manpower for, sadly enough... And that's completely aside from the fact that most of the people using the laptops don't do enough personal computing (keeping text documents/pictures/etc) on the laptops to justify (in their minds) using individual logins...

Well, the bottom line is now this:

The CDR has shipped the lappy off to get swabbed, and I no longer have "forensic" access to it... He said that he appreciated my efforts, mainly because they were undertaken AFTER I had just finished a 12-hour "baby-sitting" shift...

As far as credit, everyone here got much their rightly deserved credit... The CDR asked how I had come up with the suggestions and ideas, and I logged on and showed him this thread... I don't take credit for anything but being smart enough to know that I don't know everything there is to know about computers... Just have to have the courage to ask a question...

Dang, I wish I had seen this sooner. All you had to do in the code was find a seven digit number, aka their friend ID, and just paste it at the end of the 'space url.

i learned back at camp shelby to keep quiet about my computer skills, but people knew i was a geek.

when we were out at the RP's, we had a commo guy there for a little bit, but i was mainly the go to guy for computer issues, and i hated it. people would wake me up at 3am because the net was down. this was after my tower or RST shift and 9 times out of 10 it was a setting on thier own damn computer, and wasnt anythign with the net.

we got rid of the MWR computers because they were all POS laptop that the units before us trashed. even when they brought in the spaware comps, we just ran the CAT5 for the wireless with a cloned mac addy to the router. the other comps were for people without laptops, but now adays, that number is pretty small.