Forensic artifacts if someone accessed a remote Win10?


chris- (New Member), Mar 5, 2018, post #1
Hi,

I have the suspicion that someone, who has admin privileges (sic!), accessed a computer remotely without permission and copied files. The computer in question is a Win10.

The incident occurred about 3 months ago.
A forensic image was created and timeline was generated.

So my question: What are the artifacts I can look for?

I analyzed the security events (Registry), but I guess a major Windows (= bad luck) update just reset the security logs 2 months ago.
I will have a look at the shadow copies to see if older security events are available.

Security logs on Domain Controller are only saved for 2 days, so this will not help either. In future they will be backed up.

If the suspect had logged in with a DC admin account or a local admin account, his user data in C:/Users must have been updated, if he didn't conceal it and change the MAC times.
There should be a list of mounted drives in MountedDevices, because somehow he needed to copy the data.

He could have logged in, shared a drive and remotely copied the files. This wouldn't affect the timeline on the Win10, would it?

Are there any artifacts the access would have left? Thanks.
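As an added example (not part of the original post), the following Python script shows the two checks a reviewer of an exported Security log would run first: whether the surviving log even covers the incident window (the post worries that a Windows update reset the log, which is why the shadow copies matter), and whether any remote logon by an admin account (event 4624 with logon type 3, network, or 10, RDP) is followed by share access (event 5140) from the same source address, which is the trace a "share a drive and copy remotely" scenario leaves on the target. Event IDs 4624 and 5140 and their logon types are real Windows Security log identifiers; the event records, account names, addresses and the function names `covers`, `remote_admin_logons` and `correlate_share_access` are constructed for this example and are not the poster's data.

```python
"""Triage of an exported Windows Security log for signs of remote admin access.

Added example, not from the original forum post. Assumes the Security log was
exported from the image (or from a shadow copy) and flattened to simple
records with the usual field names. All records below are constructed.
"""
from datetime import datetime, timedelta

# Constructed sample records (not real data). Field names follow the common
# Security log fields: EventID, TimeCreated, TargetUserName, LogonType,
# IpAddress, ShareName.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2018-02-20T09:12:03",
     "TargetUserName": "jdoe", "LogonType": 2, "IpAddress": "-"},
    {"EventID": 4624, "TimeCreated": "2018-02-21T23:41:10",
     "TargetUserName": "Administrator", "LogonType": 3, "IpAddress": "10.0.0.45"},
    {"EventID": 5140, "TimeCreated": "2018-02-21T23:41:12",
     "TargetUserName": "Administrator", "IpAddress": "10.0.0.45",
     "ShareName": "\\\\*\\C$"},
    {"EventID": 4624, "TimeCreated": "2018-02-22T08:00:00",
     "TargetUserName": "jdoe", "LogonType": 10, "IpAddress": "10.0.0.7"},
    {"EventID": 4624, "TimeCreated": "2018-02-23T14:05:30",
     "TargetUserName": "DCADMIN", "LogonType": 10, "IpAddress": "10.0.0.45"},
]

# Logon types that mean the session came from another machine.
REMOTE_LOGON_TYPES = {3: "network (SMB/share)", 10: "remote interactive (RDP)"}


def parse_time(value):
    """Parse the ISO-style TimeCreated string used in the exported records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def log_coverage(events):
    """Return (earliest, latest) TimeCreated present in the exported log."""
    times = sorted(parse_time(e["TimeCreated"]) for e in events)
    return times[0], times[-1]


def covers(events, moment_iso):
    """True if the surviving log actually spans the moment of interest.

    If this is False for the suspected incident date, the log was cleared or
    rolled over afterwards and older copies (shadow copies, DC backups) are
    needed before any 'no evidence' conclusion is drawn.
    """
    earliest, latest = log_coverage(events)
    return earliest <= parse_time(moment_iso) <= latest


def remote_admin_logons(events, admin_accounts):
    """Successful logons (4624) by a privileged account from a remote source."""
    return [e for e in events
            if e["EventID"] == 4624
            and e.get("LogonType") in REMOTE_LOGON_TYPES
            and e["TargetUserName"] in admin_accounts]


def correlate_share_access(events, admin_accounts, window=timedelta(minutes=5)):
    """Pair each remote admin logon with share-access events (5140) from the
    same source address inside `window` after the logon."""
    findings = []
    shares = [e for e in events if e["EventID"] == 5140]
    for logon in remote_admin_logons(events, admin_accounts):
        t0 = parse_time(logon["TimeCreated"])
        for share in shares:
            t1 = parse_time(share["TimeCreated"])
            if share["IpAddress"] == logon["IpAddress"] and t0 <= t1 <= t0 + window:
                findings.append({
                    "account": logon["TargetUserName"],
                    "source": logon["IpAddress"],
                    "logon_type": REMOTE_LOGON_TYPES[logon["LogonType"]],
                    "logon_time": logon["TimeCreated"],
                    "share": share["ShareName"],
                    "share_time": share["TimeCreated"],
                })
    return findings


if __name__ == "__main__":
    admins = {"Administrator", "DCADMIN"}
    first, last = log_coverage(SAMPLE_EVENTS)
    print(f"log covers {first} .. {last}")
    print("covers suspected incident date:", covers(SAMPLE_EVENTS, "2017-12-05T00:00:00"))
    for f in correlate_share_access(SAMPLE_EVENTS, admins):
        print(f"{f['account']} from {f['source']} ({f['logon_type']}) "
              f"at {f['logon_time']} then opened {f['share']} at {f['share_time']}")
```

In practice the records would come from the exported `.evtx` converted to a flat format, and the admin account set would be the domain and local administrator names relevant to the case. The coverage check deliberately runs first: a remote logon that is absent from a log which only begins after the incident proves nothing either way.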