Posted: Tue Mar 06, 2018 5:43 pm Post subject: Forensic artifacts if someone accessed a remote Win10?
I have the suspicion that someone, who has admin privileges (sic!), accessed a computer remotely without permission and copied files. The computer in question is a Win10.
The incident occurred about 3 months ago.
A forensic image was created and a timeline was generated.
So my question: What are the artifacts I can look for?
I am analyzing the security events (Registry), but I guess a major Windows (= bad luck) update just reset the security logs 2 months ago.
I will have a look at the shadow copies to see whether older security events are available.
Security logs on the Domain Controller are only saved for 2 days, so this will not help either. In future they will be backed up.
If the suspect had logged in with a DC admin account or a local admin account, his user data in C:/Users must have been updated - if he didn't conceal it and change the MAC times.
There should be a list of mounted drives in MountedDevices, because somehow he needed to copy the data.
He could have logged in, shared a drive and remotely copied the files. This wouldn't affect the timeline on the Win10, would it?
Are there any artifacts the accessing would have left? Thanks.
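The following PowerShell script is an added worked example for the artifacts discussed in the post above; it is not part of the original post. It pulls the evidence the post mentions from a forensic image rather than from a live system: audit-log clears (event 1102, which explains a gap after the update), successful logons that arrived over the network (event 4624 with LogonType 3 for share access and LogonType 10 for RDP), share connections (event 5140, only present if "Audit File Share" was enabled), the MountedDevices key of the SYSTEM hive, and the modification times of the profiles under Users. A copy made over a share leaves 4624 type-3 logons and, where enabled, 5140 events on the accessed machine, so those logs are the place to look for that scenario. All paths (C:\case\Security.evtx, the loaded hive name IMG_SYSTEM, the image mounted at E:\) are assumptions to adjust for your case.

```powershell
<#
  Added example for the question above; it is not part of the original post.
  Assumptions (placeholders, adjust for your case):
    - the Security log was exported from the image to C:\case\Security.evtx
    - the image's SYSTEM hive was loaded with:  reg load HKLM\IMG_SYSTEM C:\case\SYSTEM
    - the image is mounted read-only at E:\ so E:\Users holds the profiles
  Run in an elevated PowerShell 5.1 or later on the analysis workstation.
#>
param(
    [string]$SecurityEvtx = 'C:\case\Security.evtx',
    [string]$SystemHive   = 'HKLM:\IMG_SYSTEM',
    [string]$ImageRoot    = 'E:\',
    [datetime]$Since      = (Get-Date).AddMonths(-3)
)

# Flatten one event's <EventData> into a name -> value hashtable so field order does not matter.
function Get-EventFields {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $fields = @{}
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

# Read selected event IDs from the exported Security.evtx, limited to the incident window.
function Get-SecurityEvents([int[]]$Ids) {
    Get-WinEvent -FilterHashtable @{ Path = $SecurityEvtx; Id = $Ids; StartTime = $Since } -ErrorAction SilentlyContinue
}

# 1. Audit-log clears (1102). A 1102 at the start of the surviving log explains the gap in coverage.
function Get-LogClears {
    Get-SecurityEvents 1102 | Select-Object TimeCreated, Message
}

# 2. Successful logons (4624) that came over the network:
#    LogonType 3 = network logon (e.g. opening a share), LogonType 10 = RemoteInteractive (RDP).
function Get-RemoteLogons {
    Get-SecurityEvents 4624 | ForEach-Object {
        $f = Get-EventFields $_
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Account     = "$($f.TargetDomainName)\$($f.TargetUserName)"
            LogonType   = [int]$f.LogonType
            SourceIP    = $f.IpAddress
            Workstation = $f.WorkstationName
        }
    } | Where-Object { $_.LogonType -in 3, 10 } | Sort-Object Time
}

# 3. Share connections (5140) exist only if "Audit File Share" was enabled on the host;
#    when present they name the share, the account and the client address.
function Get-ShareAccess {
    Get-SecurityEvents 5140 | ForEach-Object {
        $f = Get-EventFields $_
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Account  = "$($f.SubjectDomainName)\$($f.SubjectUserName)"
            Share    = $f.ShareName
            SourceIP = $f.IpAddress
        }
    }
}

# 4. MountedDevices from the loaded SYSTEM hive. Fixed volumes carry a short binary ID (shown as hex);
#    removable/USB volumes carry a UTF-16 device path, which is decoded here.
function Get-MountedDevices {
    $key = Get-Item "$SystemHive\MountedDevices"
    foreach ($name in $key.GetValueNames()) {
        $bytes  = [byte[]]$key.GetValue($name)
        $text   = [System.Text.Encoding]::Unicode.GetString($bytes).TrimEnd("`0")
        $device = if ($text -match '^[\x20-\x7E]+$') { $text } else { ($bytes | ForEach-Object { $_.ToString('x2') }) -join '' }
        [pscustomobject]@{ Entry = $name; Device = $device }
    }
}

# 5. Profile directories on the image: an interactive logon with an account updates that account's
#    profile, so compare directory and NTUSER.DAT modification times with the incident window.
function Get-ProfileActivity {
    Get-ChildItem (Join-Path $ImageRoot 'Users') -Directory -Force | ForEach-Object {
        $ntuser = Join-Path $_.FullName 'NTUSER.DAT'
        [pscustomobject]@{
            Profile        = $_.Name
            DirModified    = $_.LastWriteTime
            NtUserModified = if (Test-Path $ntuser) { (Get-Item $ntuser -Force).LastWriteTime } else { $null }
        }
    } | Sort-Object NtUserModified -Descending
}

'== Security log cleared (1102) ==';     Get-LogClears       | Format-Table -AutoSize -Wrap
'== Remote logons (4624, type 3/10) =='; Get-RemoteLogons    | Format-Table -AutoSize
'== Share access (5140) ==';             Get-ShareAccess     | Format-Table -AutoSize
'== MountedDevices ==';                  Get-MountedDevices  | Format-Table -AutoSize -Wrap
"== Profiles under $ImageRoot ==";       Get-ProfileActivity | Format-Table -AutoSize
```

Two further sources worth exporting from the same image, since they live outside the Security log and may have survived the reset: RDP sessions are also recorded in Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx (events 21 for logon and 25 for reconnect, with the client address), and any network drive an account mapped on the box appears in that account's NTUSER.DAT under Network and under Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 as ##server#share entries, not in the machine-wide MountedDevices key; load NTUSER.DAT with reg load the same way as the SYSTEM hive to read it.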