700+ Workstations Searched

A confidential document containing some accusations was left in a public area and sent to the Presidency, with the document author being an anonymous user. The objective was to find the workstation it was created on and possibly the user…



The client has requested to be kept confidential, as the matter is sensitive and has extended circumstances. A short documentary is available for awareness training.

Our Task


  • Identify the possible workstation. Advantage: the document was left at an internet cafe; the local workstations were checked for USB thumb drive usage and a serial number was obtained.
  • Create an ‘Application’ to perform forensic analysis on each machine
  • The ‘Application’ was distributed to all workstations using SMS, logging to a central server
  • A workstation was identified on which the same USB thumb drive had been used, and the document was found in the %temp% drive
  • Workstation owner acknowledged creating the document.
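
As an added illustration of the serial-number correlation in the task list (this is not the original ‘Application’, whose method the page does not describe), the central-server side could look like the sketch below. It assumes each workstation logged the output of `reg query HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR /s`; the function names, hostnames, device names and serial are constructed for the example.

```python
import re
from collections import defaultdict

# Matches a USBSTOR device-instance key line; deeper subkeys do not match.
USBSTOR_KEY = re.compile(
    r"\\Enum\\USBSTOR\\(?P<device>Disk&[^\\]+)\\(?P<instance>[^\\\s]+)\s*$",
    re.IGNORECASE,
)

def normalise_serial(instance_id):
    """Return the hardware serial from an instance ID, or None if Windows generated it."""
    # An '&' in second position means the device reported no unique serial,
    # so the ID is machine-local and cannot be matched across workstations.
    if len(instance_id) > 1 and instance_id[1] == "&":
        return None
    return instance_id.rsplit("&", 1)[0].upper()

def find_hosts(reports, target_serial):
    """reports maps hostname -> logged registry text. Returns {host: [device, ...]}."""
    target = target_serial.upper()
    hits = defaultdict(list)
    for host, text in reports.items():
        for line in text.splitlines():
            m = USBSTOR_KEY.search(line.strip())
            if m and normalise_serial(m.group("instance")) == target:
                hits[host].append(m.group("device"))
    return dict(hits)

# Constructed sample logs (hostnames, device names and serial are made up).
SAMPLE_REPORTS = {
    "WS-0017": r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\6&2a1b3c4d&0
""",
    "WS-0412": r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Example&Prod_Stick&Rev_1.00\AA00000000001234&0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Example&Prod_Stick&Rev_1.00\AA00000000001234&0\Device Parameters
""",
}

if __name__ == "__main__":
    print(find_hosts(SAMPLE_REPORTS, "aa00000000001234"))
```

A match only shows that the drive was once attached to that workstation; here it was the document found on the same machine that tied the two together.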

Skills Involved


  • Low Level Application Development
  • Network Security Analyst
  • First Responder
  • Forensics Analyst
  • Microsoft SMS