GrandpaNoob72

...how to determine the absolute last user on a PUBLIC use computer...

One of the laptops in our MWR room got the LCD screen punched in, and we're trying to figure out WHO it was that did it.

No one was in the room when the punch-out occurred, and no one is fessing up.

We've looked through the cookies, the usernames that are saved in Yahoo! Messenger, but there's no way to know for sure that I know of) to figure out if there is a timestamp on when and what app was used last.

Best guess is that someone was online to a friend or loved one back home and got some really bad news.

I can't promise any sort of reward, but I would greatly appreciate any help from the more detective-computing-savvy brothers or sisters here...

__________________

DickNervous

This is going to be a tough one...

Do users have to login to the computer to access the Internet? or e-Mail?
Some IM clients keep logs per user in a text file. You can use the last modified date to determine who last IM'd someone, but that is not really conclusive enough since it could have been e-mail as well that set someone off.

You could always round up all the people that used it that day and beat them until someone cracks and admits it....

__________________

Jobistober

What about the system Event Viewer? I'm not positive, but it may log user log-ons/log-offs. Just a thought.

__________________

GrandpaNoob72

Users just have to know their own username and password to log in to their IM program of choice (AIM, MSN, Yahoo!, etc)

The computers are turned on and plugged in pretty much 24/7, and there WAS an honor system in place, where you sign in to use the computers, and then log off after 30 minutes if there is someone waiting to get online. If not, you can stay on until someone comes in, and after your 30 minutes, you're the next one out...

I've searched for all files modified bewtween the times the last user remembers being in here (02AM) and the time it was discovered broken (11AM), and I am about to go blind trying to read the code in some of the text file logs... AAARGH!!!

__________________

s1ugh34d

Quote: Originally Posted by GrandpaNoob72 Users just have to know their own username and password to log in to their IM program of choice (AIM, MSN, Yahoo!, etc) The computers are turned on and plugged in pretty much 24/7, and there WAS an honor system in place, where you sign in to use the computers, and then log off after 30 minutes if there is someone waiting to get online. If not, you can stay on until someone comes in, and after your 30 minutes, you're the next one out... I've searched for all files modified bewtween the times the last user remembers being in here (02AM) and the time it was discovered broken (11AM), and I am about to go blind trying to read the code in some of the text file logs... AAARGH!!!

acctinfo.dll, add it to users properties with regsrv.

It will give you last log-on times, this is assuming a domain is being used.

Hope that helps.

__________________

Monsignor Funkibut

"Yes I was in the lab and yes I may have been the last person to use that computer [I'm not sure it was that one they all look alike to me], but that doesn't mean I damaged the LCD. When I left the lab, the LCD was fine and the lab was empty. Perhaps someone came in and did the damage between my leaving and the person who reported the damage. In fact perhaps the person who reported the damage CAUSED the damage. Perhaps you better speak to my lawyer on all this..."

If the perpetrator has any brains, this is the tact they will take. Just cause I steal your car and commit a robbery doesn't mean you should do time cause it's YOUR car.

-MF

__________________

FunkyFresh

What version of Windows? And does each person who uses the computer log on to Windows with their own username/password (i.e. when no one's using the computer, does it sit at a login screen, or ready to go with the desktop/start menu showing)? My guess is no Windows password is needed, or you'd already know whodunnit.

If the computers access the Internet through a proxy or firewall that logs activity, you might be able to track down the activity using that computer's IP.

Or, look around for the guy with cut-up knuckles and a sob story..

GrandpaNoob72

All the computers are running Win XP Pro

you can basically come in, sign in, and plop down at whatever computer is available.

There is no per-user account login, if the computer is in screensaver mode, it will simply wake up and go to the desktop, where the program icons are there to launch whatever IM/email/internet program you want to use.

I've done some looking, but I can only find the last modified files, but not the user that those files belong to...

Best we can figure, like I said, it was someone getting a little more than upset at something they either read or saw (pic?), and took it out on the laptop (whether intentionally or not)

MF, that gives us a little direction to start looking, thanks bud... Anyone here feeling guilty? Well, what would you say if we said we could PROVE it was you? Uh, you need to speak to my lawyer...GOTCHA!!!

The next step that I'm going to suggest to the CO is swab the screen and pull DNA results... We all have samples taken for remains identification, so..............

__________________

Fu3lman

write it off as a lesson learned, even public computers need some degree of authentication, its not that hard to implement and maintain, and virtually eliminates the risk of someone destroying equipment, since their login time will tell all.

not a solution to the immediate problem, but if i were you, id put some sort of authentication method in place immediately, or else this situation will become an example to everyone.

__________________

GrandpaNoob72

The thing is, fu3l, I'm a ground-pounder, not a commo geek (wonder if I SHOULD have been...)

The commo guys who set up the computers, router, switch, etc... those guys are not all quite "there"... it seems like they know how to cut and crimp their own CAT-5 cable, plug in and turn on, but not much after that... They do know their way around the radios and the Blue Force Tracker stuff, but not much past their own little laptops (and it seems like I know more about them than they do sometimes).

A couple of them were talking about how to wipe all the computers and get them "baselined", how it took so long and was a PITA to do one by one, and I happened to mention they should try nLite or TinyXP... Their eyes glassed over, and I was like, WTFBBQ???

But the problem with the individual user log-on/off at this site is that there are so many people who come out, stay for a week or two, then go back to the FOB. We don't have the numbers of people on hand to provide a dedicated "Internet Cafe Host/ess" 24/7...

The commander is furious that someone trashed the screen (3/4 of a 15" LCD that does not work, and like 1/16th of THAT area is completely black (where we suspect the punch landed)... He ordered up the "Full CSI: Baghdad Workup" on the machine, since our amateur cyber-sleuths couldn't turn up any conclusive evidence...

I thank you for your help and suggestions, and will make sure to pass them on (though I make NO GUARANTEE that they wll be understood, much less implemented) to the commander...

PEACE!

__________________

FeRaL

Check with your medical team where you are it for some hand injuries... Because I'll tell you what, if someone punched the screen and did not hit it just right, they will most likely have a pretty jacked up hand.

I punched an LCD in my early years with my off hand, I dented the plastic screen a small amount, but didn't mess up the display at all. My hand was sore for weeks. I even went to the doctors for some Vicodin and anti-inflamitories. Granted it was an old 17" Samsung that is built like a brick **** house.

__________________

GrandpaNoob72

Yeah, we got the BN surgeon stationed out here on the compound, and he's already been notified to be on the lookout...

The other thing is that everyone is banned from the MWR room (free internet and VoIP phones) until the culprit either comes forward or is ratted out by his buddies.

If someone had come forward and fessed up, they'd just have to pay for the laptop, get banned from the MWR room, and done deal... Now that we've gone to the trouble of trying to figure it out, whoever it is will not only have to pay for it, they'll probably also get demoted and have some NJP applied, IN ADDITION to getting banned... Sucks to be them...

The only reason I'm not pissed is that I have my own laptop, and I get 12 hours a day of internet at my office. What with no one being able to use the MWR computers, my bandwidth just jumped up to at least 200% faster...

__________________

FeRaL

Quote: Originally Posted by GrandpaNoob72 Yeah, we got the BN surgeon stationed out here on the compound, and he's already been notified to be on the lookout... The other thing is that everyone is banned from the MWR room (free internet and VoIP phones) until the culprit either comes forward or is ratted out by his buddies. If someone had come forward and fessed up, they'd just have to pay for the laptop, get banned from the MWR room, and done deal... Now that we've gone to the trouble of trying to figure it out, whoever it is will not only have to pay for it, they'll probably also get demoted and have some NJP applied, IN ADDITION to getting banned... Sucks to be them... The only reason I'm not pissed is that I have my own laptop, and I get 12 hours a day of internet at my office. What with no one being able to use the MWR computers, my bandwidth just jumped up to at least 200% faster...

I imagine you have also become that much more popular too...

__________________

Im_gumby

Quote: Originally Posted by FeRaL I imagine you have also become that much more popular too...

That's not possible, Feral... you just can't improve perfection.

That's like saying infinity is getting larger, absolute zero is getting colder, or Chuck Norris is becoming stronger.

__________________

Monsignor Funkibut

Jeez - I was thinking this was a college or high school situation. I didn't realize it's was you Grandpa.

Had I realized it was military I would have understood that 'speak to my lawyer' stuff ain't gonna go.

I feel so dumb

Yeah - somebody may have left DNA. Or you may detect traces of helmut. Just out of curiosity, were any of the last modified files at all telling?

-MF

__________________

godling