Create an account Home  ·  Topics  ·  Downloads  ·  Your Account  ·  Submit News  ·  Top 10  
· Home
· Content
· Forensic Downloads
· Forensics Feedback
· Forums
· Members List
· Statistics
· Surveys
· Top 10
· Topics
· Training Reviews
· Web Links
· Your Account

Our Membership

Latest: Sarahhaydock
New Today: 2
New Yesterday: 2
Overall: 29713

Computer Forensics
This is a free and open peer to peer medium for digital and computer forensics professionals and students. Please help us maintain it by contributing and perhaps linking to us from your own website.

Recent Posts

 With the drizzle, a round of crescent
 the sunset kisses the Western Hills
 eSoftTools Excel Password Unlocker
 Ceiling suppliers
 Red Raspberry Extract Wholesale

Computer Forensics World Forums

Pages Served
We received
page views since August 2004

Security Sources

OnGuard Online
ISO 17799 ISO 27001
ISO 27000 Toolkit
ISO 27001 & 27000
Security Policies

Computer Forensics World: Forums

Computer Forensics World :: View topic - Forenic artifacts if someone accessed a remote Win10?
 Forum FAQForum FAQ   SearchSearch   UsergroupsUsergroups   ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 

Forenic artifacts if someone accessed a remote Win10?

Post new topic   Reply to topic    Computer Forensics World Forum Index -> Technical Issues
View previous topic :: View next topic  
Author Message

Joined: Mar 06, 2018
Posts: 2

PostPosted: Tue Mar 06, 2018 5:43 pm    Post subject: Forenic artifacts if someone accessed a remote Win10? Reply with quote


I have the suspicion that someone, who has admin privileges (sic!), accessed a computer remotely without permission and copied files. The computer in question is a Win10.

The incident occured about 3 month ago.
A forensic image was created and timeline was generated.

So my question: What are the artifacts I can look for?

I analyze the security events (Registry), but I guess a major windows (= bad luck) update just resets the security logs 2 month ago.
I will have a look at the shadow copies, if older security events are available.

Security logs on Domain Controller are only saved for 2 days, so this will not help either. In future they will be backed up.

If the suspect would have logged in with DC admin account or local admin account, his users data in C:/Users must have been updated - if he did't conceal and changed the MAC time.
There should be a list of mounted drives in MountedDevices because somehow he needs to copy the data.

He could have logged in and shared a drive and remotely copy the files. This wouldn't affect the timeline on the Win10 wouldn't it?

Are there any artifacts the accessing would have left? Thanks.
Back to top
View user's profile
Display posts from previous:   
Post new topic   Reply to topic    Computer Forensics World Forum Index -> Technical Issues All times are GMT + 10 Hours
Page 1 of 1

Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum

Powered by phpBB 2.0.10 © 2001 phpBB Group
phpBB port v2.1 based on Tom Nitzschner's phpbb2.0.6 upgraded to phpBB 2.0.4 standalone was developed and tested by:
ArtificialIntel, ChatServ, mikem,
sixonetonoffun and Paul Laudanski (aka Zhen-Xjell).

Version 2.1 by Nuke Cops 2003

Forums ©


TMs property of their respective owner. Comments property of posters. 2007 Computer Forensics Science World.
Digital forensic computing news syndication: Computer Forensics Training News or UM Text
Software is copyrighted (c)2003, and is free under licence agreement. All Rights Are Reserved.