Possible to detect use of password-cracker on Word documents?

[Philip Herlihy]

A friend suspects a colleague has hacked into sensitive information in
Word documents using a password-cracking program. Is there any forensic
trail left (anywhere) which might show that this has happened? (Windows
2000 servers, Citrix clients, and Word 2000.)

Of course the files may have been copied elsewhere first, but if there's
anywhere worth looking, we'd love to know about it!

 

[Steven L Umbach]

A friend suspects a colleague has hacked into sensitive information in
Word documents using a password-cracking program. Is there any forensic
trail left (anywhere) which might show that this has happened? (Windows
2000 servers, Citrix clients, and Word 2000.)

Of course the files may have been copied elsewhere first, but if there's
anywhere worth looking, we'd love to know about it!

 

[Steven L Umbach]

Unless object access had been enabled and then auditing set on those files, I know of
no way you could determine if indeed it did happen. Auditing of logon events would
also help determine when a particular account logged onto a computer locally or
accessed shared resources on it remotely. You may want to look into using EFS
encryption in the future to further protect sensitive information, but only after
thoroughly understanding how it works and the risks involved including the concept of
the recovery agent, private key access and storage, and backing up your private
eys. --- Steve

http://www.microsoft.com/windows2000/techinfo/planning/security/efssteps.asp

 

[Philip Herlihy]

Thanks, Steve,

My own assessment was that the chances of finding any trace were probably
negligable, but I'm not a security expert and I thought it worth asking,
just in case. Thanks for taking the trouble to reply - I'd thought of EFS
and had already started to wonder what the attendant risks might be.
Thorough process testing required, as ever!