Investigating Users' Home Directories

 

Introduction and Background

As mentioned in the section on investigating users' desktops, there are two types of NetWare environment. The first is plain NetWare without ZENworks. In this environment users are authenticated to the network, but the local profiles (the database of users on the workstation) are totally independent of the Novell server, so users face two distinct authentication modes and share one single profile with every other user of the computer.

(Below: two login boxes illustrating the NetWare login routine without a ZENworks profile server)
img1img2

 

The second type of environment is NetWare with ZENworks (4, 6.5, and 7) built in. This environment is vastly superior, especially for Windows workstations, because it creates a dynamic local user (an account with matching credentials entered into the Windows user database) that the user uses for the duration of their session. When the user logs off the workstation, the profile is removed from the Windows database and the profile changes are written to the user's home directory. In the non-ZENworks environment, by contrast, profile changes (favorites, desktop icons, user settings, the My Documents folder) are usually either lost or stored on the local computer for the next user of that workstation.

 

These two major differences lead to very different notions of what a home directory is. The first (the non-ZENworks environment) offers users a blank network folder, mapped to a network drive, in which they store files (pictured below). Changes are written to the server automatically, and none of the user's profile settings are changed on the server.

 

img3

 

The second version of the Novell home directory (the ZENworks variant) is much more in-depth. The root of the folder contains a series of profile folders, each for an OS, depending on how the policy is set up in ZENworks. Inside these folders the contents appear exactly as a Windows 'Documents and Settings' profile appears on a standard Windows workstation or an Active Directory domain.

img4

 

img5

 

Locating Home Directories on Novell Netware

Before investigating the home directory we must first learn its location on the network. 70 to 80% of all Novell networks contain more than one server, so simply searching a server is a very inefficient way of locating the items needed. For this task we will use the administrator's program Novell ConsoleOne or, if you are operating a NetWare 3 or 4 server, the older NWADMIN32 program, which works effectively as well.

Note: Completing this task requires admin access or security equal to admin.

 

img6

 

img7

 

img8

Note the location of the home directory on the network.

The second piece of information we need is whether this user is associated with a ZENworks profile policy. To find out, we will again use the ConsoleOne property page.

Note: The workstation you are running ConsoleOne from must have the ZENworks snap-ins installed in order to view ZENworks information.

Double-click the policy packages, denoted by the following icon in the ConsoleOne view: img9

Click the associations tab:

If the user you are investigating is listed on the following page, then the user has a ZENworks profile.
img10

Investigating Non-ZENworks Directories

 

A basic rule when dealing with Novell at the admin level, especially with non-ZENworks profiles, is "what you see is what you get". This is true for simple home directories as well: the user's files are shown in the folder, and there is no way to hide data from the admin user. It is therefore a simple matter of applying general forensics to the home directory and investigating the documents.

 

Although, as stated above, there is no way to hide information from an admin user, there are ways to hide data from the Windows console the admin user is using. Be aware of traditional Windows Explorer-style data hiding tactics and, if possible, use a more direct console interface such as the file browser at the server's GUI or the Novell iManager folder viewer.

(Browser-based iManager folder viewer)
img11


Investigating Zenworks Home Directories

 

As with non-ZENworks home directories, the same principles about file hiding apply: there is no way to hide files from an admin user, but there are still ways to hide them from Explorer, so it is advisable to do all work from the manager program.

 

To investigate the user's home directories in this context, all that is required is to apply the same principles as with a general Windows home directory, as ZENworks is really nothing more than Windows management features for a Novell environment.

img12
(ZENworks home directory as shown in iManager)
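
As an added example (not part of the original page and not a Novell tool), the Python script below triages a home directory reached through a mapped drive, covering both sections above: it reports whether top-level folders look like Windows profile folders, as described for the ZENworks variant, and lists entries carrying the hidden or system attribute that Explorer does not show by default. The NTUSER.DAT-plus-subfolder heuristic, the function names and the sample tree are assumptions made for illustration.

```python
import os
import tempfile

# Win32 attribute bits that make Explorer hide an entry by default.
FILE_ATTRIBUTE_HIDDEN, FILE_ATTRIBUTE_SYSTEM = 0x2, 0x4
# Assumption: folders a Windows 2000/XP-era profile normally contains.
PROFILE_DIRS = {"desktop", "favorites", "my documents", "start menu"}

def is_profile_folder(path):
    """True if path holds NTUSER.DAT plus at least one usual profile subfolder."""
    try:
        names = {n.lower() for n in os.listdir(path)}
    except OSError:  # not a directory, missing, or access denied
        return False
    return "ntuser.dat" in names and bool(names & PROFILE_DIRS)

def triage_home(home):
    """Classify a home directory and list entries Explorer would not show."""
    profiles = sorted(d for d in os.listdir(home)
                      if is_profile_folder(os.path.join(home, d)))
    hidden = []
    for root, dirs, files in os.walk(home):
        for name in dirs + files:
            full = os.path.join(root, name)
            try:
                # st_file_attributes exists only when Python runs on Windows.
                attrs = getattr(os.lstat(full), "st_file_attributes", 0)
            except OSError:
                continue
            if attrs & (FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM):
                hidden.append(os.path.relpath(full, home))
    kind = "zenworks-profile" if profiles else "plain"
    return {"kind": kind, "profiles": profiles, "hidden": sorted(hidden)}

def build_sample(base, with_profile):
    """Constructed sample tree standing in for a mapped home directory."""
    home = os.path.join(base, "jdoe-zen" if with_profile else "jdoe-plain")
    os.makedirs(os.path.join(home, "reports"))
    open(os.path.join(home, "reports", "q1.doc"), "w").close()
    if with_profile:
        prof = os.path.join(home, "winxp-profile")  # constructed folder name
        os.makedirs(os.path.join(prof, "Desktop"))
        open(os.path.join(prof, "NTUSER.DAT"), "w").close()
    return home

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for flag in (False, True):
            print(triage_home(build_sample(tmp, flag)))
```

The script only reads directory listings and attributes, so it can be pointed at a working copy of the home directory without altering file contents.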

