
Is it possible to determine if files were copied over an RDP

(@rye04)
Active Member
Joined: 9 years ago
Posts: 5
Topic starter  

If someone RDP to a server and copied files off, is there a way to determine this? In this scenario, you have a full image of the server, but you don’t have an image of the client machine used to connect. Any suggestions or direction would be greatly appreciated.


   
Quote
(@randomaccess)
Reputable Member
Joined: 14 years ago
Posts: 385

Have you got access to the server still?

If you do, or a VM, why don't you do a quick test and see what shows up? You'll know what time you would expect to see file interactions, and then you can apply what you've learnt to your case.


   
ReplyQuote
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568

If someone RDP to a server and copied files off, is there a way to determine this? In this scenario, you have a full image of the server, but you don’t have an image of the client machine used to connect. Any suggestions or direction would be greatly appreciated.

Without the client machine, it's going to be nearly impossible to determine this definitively.

Do you know the version of Windows running on the server? If so, and it's prior to Vista, you may be able to take advantage of the fact that, by default, Windows 2003 and XP still modify the file system last access times on files (when they're accessed).

This, along with Registry analysis of the pertinent user account, might provide you a list of candidate files that may have been copied.


   
ReplyQuote
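The last-access-time screen keydet89 describes, worked through as an added example (this is not code posted by anyone in the thread). It takes a Sleuth Kit body file from the server image plus the RDP session window, and lists files whose NTFS atime fell inside that window. Assumptions of mine, not the posters': the server is XP/2003 with last-access updates still enabled; the session window comes from the server's own Security log (RDP logons are logon type 10, RemoteInteractive: events 528/538 on XP/2003, 4624/4634 on Vista and later); the body file lines and the session times below are constructed, not real evidence. The same script can be run against a body file taken from the test VM randomaccess suggests, to confirm what a known copy actually looks like before applying it to the case.

```python
"""Screen a TSK body file for files whose NTFS last-access time falls inside a
known RDP session window. Added example for the thread; all data is constructed."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone

# NTFS defers flushing an updated last-access time to disk by up to one hour, so
# a file read near the end of a session may carry an atime up to 3600 s later.
NTFS_ATIME_SLACK_SECONDS = 3600

# Constructed TSK body file (v3 layout):
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime  (times are Unix epoch, UTC)
BODYFILE = """\
0|C:/Finance/Q3_forecast.xlsx|1234-128-1|r/rrwxrwxrwx|0|0|52341|1425200010|1420000000|1420000000|1419000000
0|C:/Finance/payroll.csv|1235-128-1|r/rrwxrwxrwx|0|0|8192|1425200120|1421000000|1421000000|1419000000
0|C:/Finance/board_minutes.docx|1236-128-1|r/rrwxrwxrwx|0|0|40960|1425201000|1422000000|1422000000|1419000000
0|C:/Windows/System32/ntdll.dll|300-128-1|r/rrwxrwxrwx|0|0|1300000|1425100000|1400000000|1400000000|1400000000
0|C:/Documents and Settings/jdoe/Local Settings/Temp/~tmp1.tmp|1400-128-1|r/rrwxrwxrwx|0|0|120|1425200200|1425200200|1425200200|1425200200
0|C:/Documents and Settings/jdoe/Desktop/notes.txt|1401-128-1|r/rrwxrwxrwx|0|0|300|1425300000|1425300000|1425300000|1425290000
"""

# Constructed session window: type-10 logon at SESSION_START, matching logoff at SESSION_END.
SESSION_START = 1425200000
SESSION_END = 1425200300


@dataclass(frozen=True)
class FileRecord:
    name: str
    size: int
    atime: int
    mtime: int
    ctime: int
    crtime: int


def parse_bodyfile(text: str) -> list[FileRecord]:
    """Parse body-file lines into records; blank lines and '#' comments are skipped."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) != 11:
            raise ValueError(f"malformed body file line: {line!r}")
        _md5, name, _inode, _mode, _uid, _gid, size, atime, mtime, ctime, crtime = fields
        records.append(FileRecord(name, int(size), int(atime), int(mtime), int(ctime), int(crtime)))
    return records


def candidates_accessed_in_session(records: list[FileRecord], session_start: int,
                                   session_end: int, slack: int = NTFS_ATIME_SLACK_SECONDS) -> list[FileRecord]:
    """Files whose atime lies in [session_start, session_end + slack].

    An atime equal to the file's own creation or last-write time is dropped: it
    proves only that the file was created or saved then, not that it was read
    afterwards. What remains is a list of files *opened* during the session; as
    the thread notes, the server side alone cannot show whether they were copied.
    """
    hits = []
    for r in records:
        if not (session_start <= r.atime <= session_end + slack):
            continue
        if r.atime == r.crtime or r.atime == r.mtime:
            continue
        hits.append(r)
    return sorted(hits, key=lambda r: r.atime)


def as_utc(ts: int) -> str:
    """Render an epoch timestamp the way it should appear in the report."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


if __name__ == "__main__":
    recs = parse_bodyfile(BODYFILE)
    print(f"RDP session {as_utc(SESSION_START)} .. {as_utc(SESSION_END)} (+{NTFS_ATIME_SLACK_SECONDS}s slack)")
    for r in candidates_accessed_in_session(recs, SESSION_START, SESSION_END):
        print(f"{as_utc(r.atime)}  {r.size:>9}  {r.name}")
```

In the constructed data this yields the two Finance files read during the session and a third whose atime landed inside the one-hour NTFS slack after logoff; the DLL touched earlier and the files merely created during the session are excluded. Before trusting any of this on a real image, confirm the NtfsDisableLastAccessUpdate setting in the SYSTEM hive, since a value of 1 means the atimes were never maintained.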
passcodeunlock
(@passcodeunlock)
Prominent Member
Joined: 9 years ago
Posts: 792

You would need much more information available for a definite yes or no answer. If you have just the server side, there is no way to determine whether somebody copied your file or not.

Even if the file access time was modified by opening your file in an RDP session, you can't know if there was a simple "close file" at the end or a "save as…" (or copying the file content to the local clipboard) before closing it.


   
ReplyQuote
BraindeadVirtually
(@braindeadvirtually)
Estimable Member
Joined: 17 years ago
Posts: 115

You would need much more information available for a definite yes or no answer. If you have just the server side, there is no way to determine whether somebody copied your file or not.

Even if the file access time was modified by opening your file in an RDP session, you can't know if there was a simple "close file" at the end or a "save as…" (or copying the file content to the local clipboard) before closing it.

Thinking outside the Windows kernel for a moment, I wonder if this server had some kind of Antivirus On Access Scanner or similar that maybe logged some activity around the files in question at the time? That said, even if there was something in the logs, it might not be enough to overcome whatever burden of proof you are working to, but it might give you another avenue to explore or narrow down further searches (or even show you who went rogue in the organisation?).

If this isn't a purely hypothetical question, and when the dust has settled, please point your client/employer towards Data Loss Prevention providers and Privileged Account Security vendors. If it's this much of a big deal to find out where/if/how/who exfiltrated the data, it's worth putting proper solutions in place to make it much harder for a repeat performance to occur.


   
ReplyQuote
Share: