
An ex-girlfriend has demonstrated an ongoing ability to access files stored only on my Windows 10 x64 PCs and Microsoft OneDrive. How can I find or trace the mechanism by which she is doing this? Details:

  1. Months ago, before we broke up, she had both unsupervised physical access to one of the PCs and admin access before I password protected my single user account. (Nobody has since had physical access to the PC when I was logged in.)
  2. I have changed the password to my Microsoft account that includes OneDrive, but she has subsequently demonstrated access to new files. So this is not a simple matter of password compromise.
  3. She is not exceptionally technically savvy, but she knows people who are. Those people have never had physical access to my devices.
  4. I have done a complete physical inspection of the device to which she once had access. There are no evident appendages or modifications to the hardware. (And she is not skilled enough to confidently open a computer case, much less place a covert hardware backdoor.)

Given this background, I imagine the most likely vector is an "exploit in-a-box" she was provided and able to install on the PC. However I have assumed that Windows Defender would detect those because they are well known. Is this a bad assumption? What else should I use to scan for known backdoors?

It is possible that she has enlisted a reasonably skilled hacker who is using known exploits to occasionally access either OneDrive or the PC's drive data.

I would prefer to sniff out the intrusion mechanism, or at least some evidence of when and whence intrusions have occurred, before blindly locking down the system.

Lysander
  • You mention your computer and you mention OneDrive. Are the files she has access to only in the OneDrive folder or does she have access to things outside of the OneDrive folder? – Fire Quacker Apr 17 '20 at 18:11
  • When you sign in to your Microsoft account (account.live.com), and click Security at the top, there should be a page where you can see a list of recent logon activity, which may be helpful. – Fire Quacker Apr 17 '20 at 18:13
  • One other thing to think about is your password. If you changed your password, but it is still predictable, maybe she could have guessed it. Make sure you're using a strong, unique password. – Fire Quacker Apr 17 '20 at 18:14
  • @FireQuacker: Excellent point on the password. (Though in this case I'm confident she has never seen one of my passwords, and I keep them strong.) I keep all of my data (~1TB) on OneDrive, so I'm not going to be able to see if access is through the computer based on what she gets. I wish Microsoft showed more history, because I think the intrusions are very infrequent (just enough for occasional harassment). – Lysander Apr 17 '20 at 19:31

1 Answer

How can I find or trace the mechanism by which she is doing this?

There's hardly a benefit in that. If you find out, what would you do next? If you think she should be penalized for illegal activities, you should report the crime and your computer should undergo a forensic analysis.

Months ago, ...

The later you do that, the less successful it will be.

Windows Defender would detect those because they are well known. Is this a bad assumption?

IMHO that's a bad assumption. I think I can write malicious code in C# which simply runs. I have already implemented a keylogger without any problems. Given enough permissions once, it could run as a service and upload your keystrokes, files etc.

What else should I use to scan for known backdoors?

From the above: maybe it's not a known backdoor, just some legit-looking software.

I would prefer to sniff out the intrusion mechanism, or at least some evidence of when and whence intrusions have occurred, before blindly locking down the system.

Your computer is compromised. You should return to a secure state as soon as possible. Create an image of the system (use "dd" on some Linux Live system), remove all personal data and run it in a virtual machine if you want to play with it.

Change all your passwords to different passwords. Use KeePass to create different passwords for each service. Have the passwords generated.

Be aware that she may have access to any data and keystrokes you enter on the VM. You should not log into services for which you have changed passwords.

So, what can you look for:

  • check all running processes including services. Microsoft software should be digitally signed. Process Explorer provides a convenient way for checking Authenticode signatures.
  • check outgoing connections. TCPView may help. Wireshark is even more powerful.
  • check for additional user accounts. Maybe she has created an additional admin account.
  • check the disk for files with a creation date around the time she had physical access. Agent Ransack and Search Everything may help.
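One way to script the four checks in this list on Windows 10, as an added example that is not part of the original answer: it uses built-in PowerShell cmdlets in place of Process Explorer, TCPView and the file-search tools. The date window, the directories searched and the report path are placeholders to adjust to your own situation.

```powershell
# Added triage script (not part of the original answer). Run from an elevated
# PowerShell prompt on the Windows 10 machine. The date window below is a
# constructed placeholder; set it to when physical access occurred.
$WindowStart = Get-Date '2019-10-01'   # placeholder: adjust to the access window
$WindowEnd   = Get-Date '2019-12-31'
$Report      = "$env:USERPROFILE\Desktop\triage-report.txt"

# 1. Running processes whose image is not validly signed (Process Explorer's
#    "Verified Signer" column, scripted). Processes without a Path are
#    protected/system processes and are skipped.
$unsigned = Get-Process | Where-Object Path | Sort-Object Path -Unique |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.Path
        if ($sig.Status -ne 'Valid') {
            [pscustomobject]@{ Name=$_.Name; Path=$_.Path; Status=$sig.Status }
        }
    }

# 2. Services whose binary is not validly signed (an implant "running as a service").
$svc = Get-CimInstance Win32_Service | Where-Object PathName | ForEach-Object {
    # Strip quotes and arguments to get the executable path.
    $exe = ($_.PathName -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'
    if (Test-Path $exe) {
        $sig = Get-AuthenticodeSignature -FilePath $exe
        if ($sig.Status -ne 'Valid') {
            [pscustomobject]@{ Service=$_.Name; Exe=$exe; Status=$sig.Status }
        }
    }
}

# 3. Established outbound connections with the owning process (TCPView, scripted).
$conns = Get-NetTCPConnection -State Established |
    Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1|0\.0\.0\.0)' } |
    Select-Object LocalPort, RemoteAddress, RemotePort,
        @{n='Process'; e={ (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Name }}

# 4. Local accounts and who is in the Administrators group (extra admin account?).
$users  = Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource

# 5. Files created during the physical-access window in common install/persistence
#    locations (placeholder list; widen to C:\ for a full sweep, which is slow).
$dirs = "$env:ProgramData", "$env:APPDATA", "$env:LOCALAPPDATA", "$env:ProgramFiles"
$newFiles = Get-ChildItem $dirs -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $WindowStart -and $_.CreationTime -le $WindowEnd } |
    Select-Object FullName, CreationTime, Length

# Write everything to the console and to the report file for later comparison.
$( '== Unsigned processes =='; $unsigned; '== Unsigned services =='; $svc
   '== Outbound connections =='; $conns; '== Local users =='; $users
   '== Administrators =='; $admins; '== Files created in window =='; $newFiles
) | Out-String -Width 200 | Tee-Object -FilePath $Report
```

A running implant can hide from or tamper with checks done on the live system, so treat the output as leads to follow up on the disk image the answer recommends, not as proof of a clean machine.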
Thomas Weller
  • Thanks, there are some good ideas in there. However just (re-)securing my machine doesn't assure me that my data are secure because I also store my data on Microsoft OneDrive (a cloud data service). My machine might be secure. Hence the value in a scenario like this in being able to determine the mechanism of unauthorized data access. – Lysander Apr 20 '20 at 01:29