Investigate access to a disk in a server
Hello everybody, I have a problem. I have a server which has 2 drives: one has the OS and the other one has some information (from docs to pictures). Now the problem is the security was never set and no one was supposed to be able to log in to that server. Well, someone logged on to the server and now we are left thinking if he stole information from our second drive (the one with the info) or if he did not. Not only that, since security was not set from the beginning we don't even know if he copied something over a share (i.e. \\1.1.1.\c$).
The OS of the server is Windows Server 2008 (I know, for testing purposes). Is there any way to find out if something was copied? I already installed OSForensics but could not locate everything.
Oh, and the server has not been reset and now has the proper security…
Thanks in advance!
Well, there are a couple of things you can do…
Let me first suggest that you capture an image of the system NOW. If someone has already monkeyed about with it, and 'set proper security', there's no telling what else they may have done. I've conducted a number of exams that started out with the local admins stating that they "didn't do anything" to the system, only to find out upon examination that they'd logged in, run AV scans (and in some cases, installed additional AV programs and run them), deleted files, etc. So, you need to image the system drive immediately.
From there, create a timeline of system activity, and focus on the Event Logs…you need to determine how the system was accessed. Is the server running a web server that is supported by a database server, or does it have the database server on it? Some thoughts might be SQL injection…I can't even begin to speculate because I know nothing about your infrastructure.
What you might want to look for in the Event Logs is logins…network-based, or console/interactive. Was the access via the console, RDP (are Terminal Services running?), or some other means? Don't guess or speculate…find out.
This is another reason why you need to acquire the system now…the longer you wait, the more the Event Logs are likely to be overwritten via normal system activity.
Now, the hard part of all this is that unless you have packet captures from the time that data was thought to have been copied from the server, you'll never know definitively what might have been copied. However, depending upon the type of access they had to the system, you may be able to develop enough circumstantial evidence to provide a good, educated guess as to what might have been accessed, or at least of interest.
Some additional thoughts…
Again, I know nothing about your infrastructure and where this system sat, but here are some thoughts I have had, based on my experience as an incident responder…
First, closely examine/question the reasons for the exam. What I mean by that is, you said
"…well someone logged on to the server and now we are left thinking if he stole information from our second drive…"
So, how do you know someone logged into the server? What proof (i.e., data) do you have to support or demonstrate this? Then, what makes you think that they stole information at all?
Since you seem to think (and I'm not saying that it isn't true…) that someone logged into the server, you're likely to have some data that supports this…perhaps from a log or something similar. If so, there will likely be information in that log entry regarding how the access was obtained, and also when. This is where a timeline would be extremely useful.
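The reply above says to work out from the Event Logs whether the access was console, RDP or network (share) based, and to build a timeline. The script below is an added example, not code from the thread or from any of its participants: it pulls the logon-related Security events that Windows Server 2008 writes and turns each into one row with the logon type spelled out. It assumes PowerShell 2.0's Get-WinEvent, an elevated prompt on the server (or a Security.evtx copied from the disk image, see the usage note), and English event text, since the fields are extracted from the message body with regular expressions. The account name SUSPECT_ACCOUNT is a placeholder.

```powershell
# Added example (not from the thread): summarise logon-related Security events so the
# logon type behind each entry (console, RDP, network share) is visible at a glance.
# Assumptions: PowerShell 2.0 / Get-WinEvent, elevated prompt, English event messages.

# Logon types as reported in 4624/4625/4634, per Microsoft's documentation of the events.
$LogonTypes = @{
    2  = 'Interactive (console)'
    3  = 'Network (e.g. SMB share such as \\server\c$)'
    4  = 'Batch'
    5  = 'Service'
    7  = 'Unlock'
    8  = 'NetworkCleartext'
    9  = 'NewCredentials (runas /netonly)'
    10 = 'RemoteInteractive (RDP / Terminal Services)'
    11 = 'CachedInteractive'
}

# Security event IDs of interest (Vista / Server 2008 numbering):
#   4624 successful logon, 4625 failed logon, 4634 / 4647 logoff,
#   4778 / 4779 Terminal Services session reconnected / disconnected,
#   5140 network share object accessed (only present if File Share auditing was on).
$Ids = 4624, 4625, 4634, 4647, 4778, 4779, 5140

function Get-Field {
    param([string]$Text, [string]$Label)
    # Return the LAST "<Label>: <value>" line in the message. 4624 lists the subject
    # account first and the account that actually logged on second, so last wins.
    $m = [regex]::Matches($Text, "(?m)^\s*${Label}:\s*(.*?)\s*$")
    if ($m.Count -gt 0) { $m[$m.Count - 1].Groups[1].Value } else { '' }
}

function Get-LogonSummary {
    param([hashtable]$Filter)
    $events = Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $lt = Get-Field $e.Message 'Logon Type'
        $via = ''
        if ($lt -match '^\d+$') { $via = $LogonTypes[[int]$lt] }
        # The three address labels belong to different event IDs; only one is ever non-empty.
        $src = (Get-Field $e.Message 'Source Network Address') +
               (Get-Field $e.Message 'Client Address') +
               (Get-Field $e.Message 'Source Address')
        New-Object PSObject -Property @{
            Time      = $e.TimeCreated
            Id        = $e.Id
            Account   = Get-Field $e.Message 'Account Name'
            LogonType = $lt
            Via       = $via
            Source    = $src
            Share     = Get-Field $e.Message 'Share Name'   # 5140 only
        }
    }
}

# Timeline view: Get-WinEvent returns newest first, so sort ascending by time.
Get-LogonSummary @{ LogName = 'Security'; Id = $Ids } |
    Sort-Object Time |
    Format-Table Time, Id, Account, LogonType, Via, Source, Share -AutoSize

# Narrow to the one account seen in the log (placeholder name, replace it).
Get-LogonSummary @{ LogName = 'Security'; Id = $Ids } |
    Where-Object { $_.Account -eq 'SUSPECT_ACCOUNT' } |
    Sort-Object Time |
    Format-Table Time, Id, LogonType, Via, Source -AutoSize
```

To run this against the Security log pulled from the image rather than the live box, replace the filter with `@{ Path = 'C:\evidence\Security.evtx'; Id = $Ids }` (assumed path). A 4624 with logon type 10 and a 4778 pair is an RDP session; logon type 3 entries from a foreign workstation name or address are the share (`\\server\c$`) style of access the original post worries about. Without File Share auditing there will be no 5140 rows, so the type-3 logons are the only server-side trace of share access.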
Hi, thanks for your reply.
I will definitely take an image of the system.
And actually I have the server locked so no one can access it but me. I have, however, logged in several times looking for things in logs; however, I have not been able to find out from the Event Viewer if something was copied. I do see his account being logged in, but I did not have auditing activated before this incident (or now) and the only thing I see is his logged-in event. Is there anything particular to look for if something was copied using RDP or via a share?
This server was supposed to be for testing purposes, so an app was installed, but outside of that nothing else but that secondary drive with information was there.
Now I have used OSForensics to dig deeper into this and I have found several keys from his registry (his account remains open as he did not log off, just disconnected). Some of the keys are
Those are from his NTUSER.dat registry. Does it seem like I can get anything from there?
Any idea on this?
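The follow-up post asks what the NTUSER.dat hive can show about an RDP session. The script below is an added example, not code from the thread or its participants: it loads a copy of the hive taken from the disk image under a temporary name and reads three Explorer MRU keys that record what an interactive user opened, typed into the address bar, or mapped. The hive path C:\evidence\NTUSER.DAT and the hive name HKU\Suspect are assumptions; the key names and value layouts (RecentDocs binary entries starting with a UTF-16LE file name, MRUListEx as a DWORD list ending in 0xFFFFFFFF, TypedPaths url1..urlN, Map Network Drive MRU with an MRUList string) are the documented formats used by Windows Vista / Server 2008 Explorer.

```powershell
# Added example (not from the thread): read Explorer MRU artifacts from a COPY of the
# user's NTUSER.DAT. Work on the copy from the image, not the live profile, which is
# locked while the session is only disconnected. Requires an elevated prompt for reg load.
$HivePath = 'C:\evidence\NTUSER.DAT'   # assumption: hive copied out of the disk image
$HiveName = 'Suspect'                  # assumption: temporary name under HKEY_USERS

function Convert-RecentDocEntry {
    param([byte[]]$Data)
    # RecentDocs values are REG_BINARY; the opened item's name is a null-terminated
    # UTF-16LE string at the start of the data (a shell link name follows it).
    $s = [System.Text.Encoding]::Unicode.GetString($Data)
    $end = $s.IndexOf([char]0)
    if ($end -ge 0) { $s.Substring(0, $end) } else { $s }
}

function Get-MruOrder {
    param([byte[]]$MruListEx)
    # MRUListEx is a list of little-endian DWORD value indexes, most recent first,
    # terminated by 0xFFFFFFFF.
    $order = @()
    if (-not $MruListEx) { return $order }
    for ($i = 0; $i + 3 -lt $MruListEx.Length; $i += 4) {
        $idx = [BitConverter]::ToUInt32($MruListEx, $i)
        if ($idx -eq 0xFFFFFFFF) { break }
        $order += $idx
    }
    $order
}

function Get-ExplorerHistory {
    param([string]$Root)   # e.g. 'Registry::HKEY_USERS\Suspect'
    $exp = "$Root\Software\Microsoft\Windows\CurrentVersion\Explorer"
    $results = @()

    # RecentDocs: items opened through the shell, listed most recent first.
    $rd = Get-Item "$exp\RecentDocs" -ErrorAction SilentlyContinue
    if ($rd) {
        foreach ($i in Get-MruOrder $rd.GetValue('MRUListEx')) {
            $results += New-Object PSObject -Property @{
                Source = 'RecentDocs'
                Entry  = Convert-RecentDocEntry $rd.GetValue([string]$i)
            }
        }
    }

    # TypedPaths: paths typed into the Explorer address bar (url1 is the most recent).
    $tp = Get-ItemProperty "$exp\TypedPaths" -ErrorAction SilentlyContinue
    if ($tp) {
        foreach ($p in ($tp.PSObject.Properties | Where-Object { $_.Name -like 'url*' })) {
            $results += New-Object PSObject -Property @{ Source = 'TypedPaths'; Entry = $p.Value }
        }
    }

    # Map Network Drive MRU: UNC paths mapped via the Explorer dialog, ordered by MRUList.
    $mnd = Get-ItemProperty "$exp\Map Network Drive MRU" -ErrorAction SilentlyContinue
    if ($mnd -and $mnd.MRUList) {
        foreach ($c in [char[]]$mnd.MRUList) {
            $name = [string]$c
            $results += New-Object PSObject -Property @{ Source = 'MapNetworkDriveMRU'; Entry = $mnd.$name }
        }
    }
    $results
}

reg load "HKU\$HiveName" $HivePath | Out-Null
try {
    Get-ExplorerHistory "Registry::HKEY_USERS\$HiveName" | Format-Table Source, Entry -AutoSize
} finally {
    [GC]::Collect()   # drop provider handles so the hive can be unloaded cleanly
    reg unload "HKU\$HiveName" | Out-Null
}
```

These keys only reflect what the account did through Explorer during an interactive (console or RDP) session on the server, so a folder on the second drive appearing in RecentDocs or TypedPaths shows it was browsed, not that it was copied. A copy made from another machine over `\\server\c$` leaves nothing in this hive at all; the server-side record of that, if any, is in the Security log (5140 when File Share auditing is on, otherwise only the type-3 network logon), and the rest lives on the machine the copy was pulled to.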