[ale] Help unraveling a "practical joke"?
Greg Freemyer
greg.freemyer at gmail.com
Tue Nov 2 16:58:49 EDT 2010
All,
I've got a situation where two business partners were having issues
with each other.
Based on a brief look at the image of one of their computers:
When partner-A came in to work yesterday and logged into his computer
with his normal login, a new user profile "/documents and
settings/TEMP" was created with basically nothing in it.
I still see "/documents and settings/UserA" but when I login as UserA,
I am presented the desktop from .../TEMP/Desktop.
It feels like a practical joke to me, but I don't know how to make it
happen in the first place, and I don't know how to undo it so that
UserA sees the Desktop for "/documents and settings/UserA/desktop".
Alternatively, it might have been some malware screwing with things.
At this point, I don't think its worth spending a lot of time on, but
I would like to undo the damage.
Thanks
Greg
--
Greg Freemyer
Head of EDD Tape Extraction and Processing team
Litigation Triage Solutions Specialist
http://www.linkedin.com/in/gregfreemyer
CNN/TruTV Aired Forensic Imaging Demo -
http://insession.blogs.cnn.com/2010/03/23/how-computer-evidence-gets-retrieved/
The Norcross Group
The Intersection of Evidence & Technology
http://www.norcrossgroup.com
More information about the Ale
mailing list