0 votes
Charles uses the following command while investigating a Windows workstation used by his organization's vice president of finance who only works during normal business hours. Charles believes that the workstation has been used without permission by members of his organization's cleaning staff after-hours. What does he know if the user ID shown is the only user ID able to log into the system, and he is investigating on August 12, 2017?

    C:\Users\bigfish>wmic netlogin get name,lastlogon,badpasswordcount
    BadPasswordCount  LastLogon                  Name
                                                 NT AUTHORITY\SYSTEM
    0                 20170811203748.000000-240  Finance\bigfish

A. The account has been compromised.
B. No logins have occurred.
C. The last login was during business hours.
D. Charles cannot make any determinations from this information.

User Erangad
by
8.4k points

1 Answer

5 votes

Final answer:

The last login was outside normal business hours according to the LastLogon timestamp provided, so Charles's suspicion of unauthorized access is potentially valid.

Step-by-step explanation:

The LastLogon timestamp obtained from the Windows Management Instrumentation (WMI) command reveals crucial information about the login activity on the workstation. In this case, the timestamp of 20170811203748.000000-240 decodes to August 11, 2017, at 20:37:48 with a UTC offset of -4 hours (Eastern Daylight Time). Notably, this timestamp places the last login outside of normal business hours, suggesting activity after the typical workday. Charles's suspicion of unauthorized access, particularly by the cleaning staff, gains merit as the login occurred during a timeframe when standard user activity is less expected. Analyzing such timestamps provides valuable insights into potential security breaches or irregularities, aiding in the identification of unauthorized system access and contributing to effective cybersecurity monitoring and response.

User Roland Sarrazin
by
8.3k points
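
The LastLogon value in the question is a CIM/DMTF datetime string (yyyymmddHHMMSS.mmmmmm followed by a signed UTC offset in minutes). The following is an added example, not part of either post, that decodes such values and classifies them against a working window; the 09:00-17:00 Monday-to-Friday window and the function names are assumptions, since the page does not define "normal business hours".

```python
import re
from datetime import datetime, time, timedelta, timezone

# CIM/DMTF datetime: yyyymmddHHMMSS.mmmmmm, then a sign and a 3-digit UTC offset in minutes.
_DMTF = re.compile(r"^(\d{14})\.(\d{6})([+-])(\d{3})$")

# Assumed working window (not stated on the page).
BUSINESS_START = time(9, 0)
BUSINESS_END = time(17, 0)


def parse_dmtf(value):
    """Return a timezone-aware datetime, or None when the field is blank."""
    value = (value or "").strip()
    if not value:
        return None  # e.g. the NT AUTHORITY\SYSTEM row has no LastLogon
    m = _DMTF.match(value)
    if not m:
        raise ValueError(f"not a DMTF datetime: {value!r}")
    stamp, micros, sign, offset = m.groups()
    minutes = int(offset) if sign == "+" else -int(offset)
    local = datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(microsecond=int(micros))
    return local.replace(tzinfo=timezone(timedelta(minutes=minutes)))


def in_business_hours(dt):
    """Check the workstation's local wall-clock time against the assumed window."""
    return dt.weekday() < 5 and BUSINESS_START <= dt.time() < BUSINESS_END


def review(rows):
    """Map (name, lastlogon) pairs to (name, ISO timestamp or None, verdict)."""
    findings = []
    for name, last_logon in rows:
        dt = parse_dmtf(last_logon)
        if dt is None:
            findings.append((name, None, "no LastLogon recorded"))
        else:
            verdict = "business hours" if in_business_hours(dt) else "after hours"
            findings.append((name, dt.isoformat(), verdict))
    return findings


# Rows taken from the wmic output quoted in the question.
ROWS = [("NT AUTHORITY\\SYSTEM", ""), ("Finance\\bigfish", "20170811203748.000000-240")]

if __name__ == "__main__":
    for finding in review(ROWS):
        print(finding)
```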