  • Investigate access to a disk in a server

    Hello everybody, I have a problem. I have a server which has 2 drives: one has the OS and the other one has some information (from docs to pictures). Now the problem is the security was never set and no one was supposed to be able to log in to that server. Well, someone logged on to the server and now we are left wondering whether he stole information from our second drive (the one with the info) or not. Not only that, since security was not set from the beginning, we don't even know if he copied something over a share (i.e. \\1.1.1.\c$).
    The OS of the server is Windows Server 2008 (I know, for testing purposes). Is there any way to find out if something was copied? I already installed OSForensics but could not locate everything.
    Oh, and the server has not been restarted and now has the proper security...

    Now I have used OSForensics to dig deeper into this and I have found several keys from his registry (his account remains open as he did not log off, just disconnected). Some of the keys are:
    AppEvents
    Console
    Control Panel
    Environment
    EUDC
    Keyboard Layout
    Network
    Printers
    Software
    System

    Those are from his NTUSER.dat registry. Does it seem like I can get anything from there, e.g. whether something was copied?

    Thanks in advance

  • #2
    Are you suspecting physical access to the machine, e.g. copying data to a USB drive?
    Or was it only network access over Ethernet?

    Is the server set up to track last access time? This would be a big help. By default Windows doesn't do this, however; it needs to be turned on.

    Did you check the Windows event log (or the recent activity function in OSF) to check the login times? Knowing how long and how often the person had access might tell you something about what was copied or not.

    You can get a list of recently opened files from the recent activity function in OSF. Knowing what files were looked at might give an insight into what was copied.

    In the end however, there is no comprehensive list of copied files kept by a Windows server that I am aware of.
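    The checks suggested in this reply (last-access tracking, logon times from the event log, recently opened files) can be run from the server itself. The script below is an added example written for this thread; it is not code from the original posts or from OSForensics. It assumes PowerShell 2.0 or later on the Windows Server 2008 host, an elevated prompt, and two placeholders you must replace: the suspect's account name and the letter of the data drive.

```powershell
# Added example, not code from the thread or from OSForensics.
# Assumes PowerShell 2.0+ on the server, run elevated. Placeholders below.
$Suspect   = 'SUSPECT_USER'   # placeholder: the account that logged on
$DataDrive = 'D:\'            # placeholder: the drive holding the documents

# 1. Does NTFS still update last-access times? Server 2008 disables this by
#    default (value 1), so LastAccessTime is only trustworthy if the value is 0.
$fsKey = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
$lastAccessOn = ($fsKey.NtfsDisableLastAccessUpdate -eq 0)
"Last-access tracking enabled: $lastAccessOn"

# 2. Successful logons (event 4624) for that account, with the logon type decoded.
#    Type 3 = network (share access such as \\server\c$), type 10 = Remote Desktop.
$logonTypes = @{ 2 = 'Interactive'; 3 = 'Network'; 7 = 'Unlock'; 10 = 'RemoteInteractive' }
$logons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($item in $xml.Event.EventData.Data) { $data[$item.Name] = $item.'#text' }
        New-Object PSObject -Property @{
            Time      = $_.TimeCreated
            User      = $data['TargetUserName']
            LogonType = $logonTypes[[int]$data['LogonType']]
            SourceIP  = $data['IpAddress']
        }
    } |
    Where-Object { $_.User -eq $Suspect } |
    Sort-Object Time
$logons | Format-Table Time, User, LogonType, SourceIP -AutoSize

# 3. SMB sessions open right now. The account was disconnected rather than logged
#    off, so a still-open share session from the same client address is worth noting.
net session

# 4. Shortcuts Explorer drops into the profile's Recent folder: each .lnk names a
#    file opened through the shell, and its LastWriteTime is roughly when.
$recentDir = Join-Path $env:SystemDrive "Users\$Suspect\AppData\Roaming\Microsoft\Windows\Recent"
if (Test-Path $recentDir) {
    Get-ChildItem $recentDir -Filter *.lnk |
        Sort-Object LastWriteTime -Descending |
        Select-Object LastWriteTime, Name |
        Format-Table -AutoSize
}

# 5. Only meaningful when check 1 reports True: files on the data drive read since
#    the earliest logon found, most recent first.
if ($lastAccessOn -and $logons) {
    $from = ($logons | Select-Object -First 1).Time
    Get-ChildItem $DataDrive -Recurse -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.LastAccessTime -ge $from } |
        Sort-Object LastAccessTime -Descending |
        Select-Object LastAccessTime, FullName -First 50 |
        Format-Table -AutoSize
}
```

    Two caveats apply to what this can show. A file read over a share or through an RDP session leaves no dedicated "copied" record, so a last-access time or a Recent shortcut only proves the file was touched, not that it left the machine; and the Security log is a fixed-size ring, so if the logon happened long ago the 4624 entries may already have been overwritten. The control that would have answered the question directly is share-access auditing (event 5140 under the "File Share" audit subcategory), which has to be enabled before the access happens; the thread's own point stands that nothing reconstructs it after the fact.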

    • #3
      No, it was not set up to track or log anything... I was hoping I could find something using OSForensics, and I have looked at the recent activity function, but it will only tell me if the file was opened on the server, am I correct? My concern is only in the case something was copied over the network through a Remote Desktop connection or over a share...

      Thanks for your reply

      Originally posted by David (PassMark)
      Are you suspecting physical access to the machine, e.g. copying data to a USB drive?
      Or was it only network access over Ethernet?

      Is the server set up to track last access time? This would be a big help. By default Windows doesn't do this, however; it needs to be turned on.

      Did you check the Windows event log (or the recent activity function in OSF) to check the login times? Knowing how long and how often the person had access might tell you something about what was copied or not.

      You can get a list of recently opened files from the recent activity function in OSF. Knowing what files were looked at might give an insight into what was copied.

      In the end however, there is no comprehensive list of copied files kept by a Windows server that I am aware of.

      • #4
        Any idea???

        Originally posted by MIME
        No, it was not set up to track or log anything... I was hoping I could find something using OSForensics, and I have looked at the recent activity function, but it will only tell me if the file was opened on the server, am I correct? My concern is only in the case something was copied over the network through a Remote Desktop connection or over a share...

        Thanks for your reply

        • #5
          Only what was already suggested above.