- Finding information on Hard Drive
- Posted by Kemco on November 18th, 2005
Hi everyone and thanks in advance for any help I can get.
I have a customer's hard drive in here. The customer wants me to look into
it and see if I can find any logs or some type of evidence of a hyperterminal
session or any ports that may have been open from certain times. I am not an
investigator by any means; this is just a way for me to help the customer out
by trying to find these logs. She believes her husband was using the
computer to do some things that he won't admit to her and she is... let's face
it... REALLY paranoid about this stuff. The computer itself was hit by a
surge she said and she could not get a chance to prove it to him that she
caught it before the computer failed. So she wants me to get her proof, but
how? Once again I need to figure out if there is ANY way to get logs of
hyperterminal sessions or some sort of telnet sessions or any logs of when
the ports were open and when they were closed. I appreciate any help I can
get.
Kemco
- Posted by Carey Frisch [MVP] on November 18th, 2005
X-Ways Forensics
http://www.sf-soft.de/forensics/index-m.html
--
Carey Frisch
Microsoft MVP
Windows - Shell/User
Microsoft Community Newsgroups
news://msnews.microsoft.com/
-------------------------------------------------------------------------------------------
"Kemco" wrote:
| Hi everyone and thanks in advance for any help I can get.
|
| I have a customer's hard drive in here. The customer wants me to look into
| it and see if I can find any logs or some type of evidence of a hyperterminal
| session or any ports that may have been open from certain times. I am not an
| investigator by any means; this is just a way for me to help the customer out
| by trying to find these logs. She believes her husband was using the
| computer to do some things that he won't admit to her and she is... let's face
| it... REALLY paranoid about this stuff. The computer itself was hit by a
| surge she said and she could not get a chance to prove it to him that she
| caught it before the computer failed. So she wants me to get her proof, but
| how? Once again I need to figure out if there is ANY way to get logs of
| hyperterminal sessions or some sort of telnet sessions or any logs of when
| the ports were open and when they were closed. I appreciate any help I can
| get.
|
| Kemco
- Posted by Plato on November 19th, 2005
Kemco wrote:
>
> by trying to find these logs. She believes her husband was using the
> computer to do some things that he won't admit to her and she is... let's face
> it... REALLY paranoid about this stuff. The computer itself was hit by a
> surge she said and she could not get a chance to prove it to him that she
> caught it before the computer failed. So she wants me to get her proof, but
I'd shy away from doing that. Even if you succeed, the customer will
NEVER call you back for more work.
--
http://www.bootdisk.com/
- Posted by w_tom on November 20th, 2005
Why are online connection and surge damage being
discussed in the same paragraph? Little relationship exists
between the two. A powered off computer can be damaged just
as easily as the computer when powered on. Even worse, if
connected to a power strip protector, then more destructive
paths are provided through that computer - using Hyperterminal
or not.
Kemco wrote:
> Hi everyone and thanks in advance for any help I can get.
>
> I have a customer's hard drive in here. The customer wants me to look into
> it and see if I can find any logs or some type of evidence of a hyperterminal
> session or any ports that may have been open from certain times. I am not an
> investigator by any means; this is just a way for me to help the customer out
> by trying to find these logs. She believes her husband was using the
> computer to do some things that he won't admit to her and she is... let's face
> it... REALLY paranoid about this stuff. The computer itself was hit by a
> surge she said and she could not get a chance to prove it to him that she
> caught it before the computer failed. So she wants me to get her proof, but
> how? Once again I need to figure out if there is ANY way to get logs of
> hyperterminal sessions or some sort of telnet sessions or any logs of when
> the ports were open and when they were closed. I appreciate any help I can
> get.
>
> Kemco
- Posted by Kemco on November 21st, 2005
Hi tom,
I guess you got this confused somehow. The surge problem has no relationship
to what I need help with. I just stated that because I don't have the
original computer to work with and she had proof on it, but all I have is the
hard drive, not the computer it booted from.
"w_tom" wrote:
> Why are online connection and surge damage being
> discussed in the same paragraph? Little relationship exists
> between the two. A powered off computer can be damaged just
> as easily as the computer when powered on. Even worse, if
> connected to a power strip protector, then more destructive
> paths are provided through that computer - using Hyperterminal
> or not.
>
> Kemco wrote:
> > Hi everyone and thanks in advance for any help I can get.
> >
> > I have a customer's hard drive in here. The customer wants me to look into
> > it and see if I can find any logs or some type of evidence of a hyperterminal
> > session or any ports that may have been open from certain times. I am not an
> > investigator by any means; this is just a way for me to help the customer out
> > by trying to find these logs. She believes her husband was using the
> > computer to do some things that he won't admit to her and she is... let's face
> > it... REALLY paranoid about this stuff. The computer itself was hit by a
> > surge she said and she could not get a chance to prove it to him that she
> > caught it before the computer failed. So she wants me to get her proof, but
> > how? Once again I need to figure out if there is ANY way to get logs of
> > hyperterminal sessions or some sort of telnet sessions or any logs of when
> > the ports were open and when they were closed. I appreciate any help I can
> > get.
> >
> > Kemco
>
- Posted by w_tom on November 22nd, 2005
If such information was stored, it may be in system (event)
logs. I believe RAS connections are stored. Don't know about
Hyperterminal sessions.
Transients can find destructive paths to earth via a
computer - powered on or off.
Kemco wrote:
> I guess you got this confused somehow. The surge problem has no
> relationship to what I need help with. I just stated that because
> I don't have the original computer to work with and she had proof
> on it, but all I have is the hard drive, not the computer it booted from.