Hello everybody, I have a problem. I have a server which has 2 drives: one has the OS and the other one has some information (from docs to pictures). Now the problem is that the security was never set and no one was supposed to be able to log in to that server. Well, someone logged on to the server, and now we are left thinking about whether he stole information from our second drive (the one with the info) or not. Not only that, since security was not set from the beginning, we don't even know if he copied something over a share (i.e. \\1.1.1.\c$).
The OS of the server is Windows Server 2008 (I know, for testing purposes). Is there any way to find out if something was copied? I already installed OSForensics but could not locate everything.
Oh, and the server has not been restarted and now has the proper security...
Now I have used OSForensics to dig deeper into this and I have found several keys from his registry (his account remains open, as he did not log off, just disconnected). Some of the keys are:
AppEvents
Console
Control Panel
Environment
EUDC
Keyboard Layout
Network
Printers
Software
System
Those are from his NTUSER.dat registry. Does it seem like I can get anything from there, if something was copied, etc.?
Thanks in advance