Investigate access to a disk in a server
Any idea???
Originally posted by MIME:
No, it was not set up to track or log anything... I was hoping I could find something using OSForensics, and I have looked at the recent activity function, but it will only tell me if the file was opened in the server, am I correct? My concern is only in the case something was copied over the network through a remote desktop connection or over a share...
Thanks for your reply
No, it was not set up to track or log anything... I was hoping I could find something using OSForensics, and I have looked at the recent activity function, but it will only tell me if the file was opened in the server, am I correct? My concern is only in the case something was copied over the network through a remote desktop connection or over a share...
Thanks for your reply
Originally posted by David (PassMark):
Are you suspecting physical access to the machine, e.g. copying data to a USB drive?
Or was it only network access over Ethernet?
Is the server set up to track Last access time, as this would be a big help? By default Windows doesn't do this, however; it needs to be turned on.
Do you check the Windows event log (or the recent activity function in OSF) to check the login times? Knowing how long and how often the person had access might tell you something about what was copied or not.
You can get a list of recently opened files from the recent activity function in OSF. Knowing what files were looked at might give an insight into what was copied.
In the end, however, there is no comprehensive list of copied files kept by a Windows server that I am aware of.
Are you suspecting physical access to the machine, e.g. copying data to a USB drive?
Or was it only network access over Ethernet?
Is the server set up to track Last access time, as this would be a big help? By default Windows doesn't do this, however; it needs to be turned on.
Do you check the Windows event log (or the recent activity function in OSF) to check the login times? Knowing how long and how often the person had access might tell you something about what was copied or not.
You can get a list of recently opened files from the recent activity function in OSF. Knowing what files were looked at might give an insight into what was copied.
In the end, however, there is no comprehensive list of copied files kept by a Windows server that I am aware of.
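The two checks suggested in the reply above (whether last-access tracking is on, and how long and how often the account was logged in), as an added PowerShell example that is not part of the original thread. It assumes logon auditing was writing to the Security log and that PowerShell 2.0 or later is installed on the server; the helper name `Get-EventFields` is this example's own.

```powershell
# Added example. Run on the server from an elevated prompt.

# 1. NTFS last-access updates: a value of 1 means they are disabled
#    (the Windows default), so file timestamps will not show reads.
fsutil behavior query disablelastaccess

# Helper (this example's own name): flatten an event's EventData into a hashtable.
function Get-EventFields($evt) {
    $fields = @{}
    foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    $fields
}

# 2. Logoff events (4634), indexed by logon ID so each logon can be paired with its end.
#    Logon IDs are only unique within one boot; the server here has not been restarted.
$logoffs = @{}
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4634 } -ErrorAction SilentlyContinue |
    ForEach-Object { $logoffs[(Get-EventFields $_).TargetLogonId] = $_.TimeCreated }

# 3. Successful logons (4624). LogonType 3 = network (e.g. access to a share),
#    10 = RemoteInteractive (Remote Desktop).
$sessions = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt = $_
        $f = Get-EventFields $evt
        if ($f.LogonType -eq '3' -or $f.LogonType -eq '10') {
            $end = $logoffs[$f.TargetLogonId]      # $null when no logoff was recorded
            $minutes = $null
            if ($end) { $minutes = [math]::Round(($end - $evt.TimeCreated).TotalMinutes, 1) }
            New-Object PSObject -Property @{
                Start     = $evt.TimeCreated
                End       = $end
                Minutes   = $minutes
                User      = $f.TargetUserName
                LogonType = $f.LogonType
                SourceIP  = $f.IpAddress
            }
        }
    }

# One row per remote or network session, oldest first.
$sessions | Sort-Object Start |
    Format-Table Start, End, Minutes, User, LogonType, SourceIP -AutoSize
```

A row with an empty End is a session for which no logoff was recorded, such as a Remote Desktop session that was disconnected rather than logged off.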
Investigate access to a disk in a server
Hello everybody, I have a problem. I have a server which has 2 drives; one has the OS and the other one has some information (from docs to pictures). Now the problem is the security was never set and no one was supposed to be able to log in to that server. Well, someone logged on to the server and now we are left wondering if he stole information from our second drive (the one with the info) or if he did not. Not only that, since security was not set from the beginning we don't even know if he copied something over a share (i.e. \\1.1.1.\c$).
The OS of the server is Windows Server 2008 (I know, for testing purposes). Is there any way to find out if something was copied? I already installed OSForensics but could not locate everything.
Oh, and the server has not been restarted and now has the proper security...
Now I have used OSForensics to dig deeper into this and I have found several keys from his registry (his account remains open as he did not log off, just disconnected). Some of the keys are:
AppEvents
Console
Control Panel
Environment
EUDC
Keyboard Layout
Network
Printers
Software
System
Those are from his NTUSER.dat registry. Does it seem like I can get anything from there, if something was copied, etc.?
Thanks in advance