Hi all,
Hope that someone can assist me with this query. I have imaged a Windows 7 computer. The alleged suspect claims that there was more than one remote connection session opened on the computer. Is there any way to establish whether there was more than one session opened?
Did you capture memory before shutting the system down?
If not, have you checked the Windows Event Log?
The machine was in the off state when it was handed over to us. Just curious: if memory was captured, what would I be looking for and how would I conduct the analysis?
The machine was in the off state when it was handed over to us.
Okay, then I'd check for evidence of logins in the Security Event Log. Also, Win7 has several other Event Logs related to remote sessions and Terminal services, so you may want to check there, as well, and possibly even create a timeline of the events.
Just curious: if memory was captured, what would I be looking for and how would I conduct the analysis?
If I were you, and had a memory dump, I'd start by using Volatility to look for network connections.
I had a look at the Security event log for event ID 4624 with logon type 10. Is this correct? I have identified one of these sessions. Are there any other event files that I can look in, and what should I be looking for?
Thanks
Sorry, I thought I had addressed that when I said:
Also, Win7 has several other Event Logs related to remote sessions and Terminal services, so you may want to check there, as well, and possibly even create a timeline of the events.
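Worked example of the approach the replies describe (Security log 4624 logon type 10 plus the Terminal Services logs, merged into one timeline). This is an added illustration, not code posted in the thread. It assumes the analyst has exported the records from the image's .evtx files as event XML (for instance with `wevtutil qe ... /f:xml` or python-evtx) and uses the channel name `Microsoft-Windows-TerminalServices-LocalSessionManager/Operational` with its events 21/22/23/24/25 alongside Security 4624/4778/4779; the sample records at the bottom are constructed for the example, not taken from any real system. The point it makes: a reconnect to an existing RDP session (Security 4778, LSM 25) does not produce a new 4624 type 10, so counting only 4624/10 can undercount what the suspect calls "sessions".

```python
"""Reconstruct RDP sessions on a Windows 7 image from exported event XML.

Added example (not from the thread). Joins two channels:
  Security: 4624 (LogonType 10 = RemoteInteractive), 4778 reconnect, 4779 disconnect
  TerminalServices-LocalSessionManager/Operational: 21 logon, 22 shell start,
  23 logoff, 24 disconnect, 25 reconnect
Sample records at the bottom are constructed, not real evidence.
"""
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SECURITY = "Security"
LSM = "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
LSM_IDS = {21: "session logon", 22: "shell start", 23: "session logoff",
           24: "session disconnect", 25: "session reconnect"}


def parse_systemtime(s):
    """TimeCreated/@SystemTime is UTC and may carry 7 fractional digits."""
    s = s.rstrip("Z")
    if "." in s:
        base, frac = s.split(".", 1)
        return datetime.strptime(f"{base}.{frac[:6]:0<6}", "%Y-%m-%dT%H:%M:%S.%f")
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def parse_event(xml_text):
    """Flatten one <Event> into {time, channel, id, fields}."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    fields = {}
    # Security channel payload: <EventData><Data Name="...">value</Data>
    for d in root.findall("e:EventData/e:Data", NS):
        fields[d.get("Name")] = (d.text or "").strip()
    # Terminal Services payload: <UserData><EventXML xmlns="Event_NS"><User>..</User>..
    user_data = root.find("e:UserData", NS)
    if user_data is not None:
        for payload in user_data:
            for child in payload:
                fields[child.tag.split("}")[-1]] = (child.text or "").strip()
    return {"time": parse_systemtime(system.find("e:TimeCreated", NS).get("SystemTime")),
            "channel": system.find("e:Channel", NS).text,
            "id": int(system.find("e:EventID", NS).text),
            "fields": fields}


def remote_session_events(events):
    """Keep only records describing an RDP session, normalised and time-ordered."""
    rows = []
    for ev in events:
        f, eid = ev["fields"], ev["id"]
        if ev["channel"] == SECURITY:
            if eid == 4624 and f.get("LogonType") == "10":  # local/console logons are dropped
                rows.append(dict(time=ev["time"], source="Security/4624", user=f.get("TargetUserName"),
                                 addr=f.get("IpAddress"), key=f.get("TargetLogonId"),
                                 what="RemoteInteractive logon"))
            elif eid in (4778, 4779):
                rows.append(dict(time=ev["time"], source=f"Security/{eid}", user=f.get("AccountName"),
                                 addr=f.get("ClientAddress"), key=f.get("SessionName"),
                                 what="session reconnect" if eid == 4778 else "session disconnect"))
        elif ev["channel"] == LSM and eid in LSM_IDS:
            rows.append(dict(time=ev["time"], source=f"LSM/{eid}", user=f.get("User"),
                             addr=f.get("Address"), key=f.get("SessionID"), what=LSM_IDS[eid]))
    rows.sort(key=lambda r: r["time"])  # stable: same-second records keep export order
    return rows


def summarize(rows):
    """Count sessions several ways; reconnects (4778 / LSM 25) create no new 4624 type 10."""
    return {"logons_4624_type10": {r["key"] for r in rows if r["source"] == "Security/4624"},
            "lsm_sessions": {r["key"] for r in rows if r["source"] == "LSM/21"},
            "reconnects": sum(1 for r in rows if r["what"] == "session reconnect"),
            "client_addresses": {r["addr"] for r in rows if r["addr"]}}


# ---- constructed sample records (hypothetical host WIN7-PC, not from a real image) ----
def _sec(eid, when, **data):
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID>'
            f'<TimeCreated SystemTime="{when}"/><Channel>{SECURITY}</Channel></System>'
            f'<EventData>{body}</EventData></Event>')


def _lsm(eid, when, user, session_id, address):
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID>'
            f'<TimeCreated SystemTime="{when}"/><Channel>{LSM}</Channel></System>'
            f'<UserData><EventXML xmlns="Event_NS"><User>{user}</User>'
            f'<SessionID>{session_id}</SessionID><Address>{address}</Address></EventXML></UserData></Event>')


SAMPLE_XML = [
    _sec(4624, "2014-03-10T08:55:00.0000000Z", LogonType="2", TargetUserName="alice", IpAddress="-", TargetLogonId="0x1111"),
    _sec(4624, "2014-03-10T09:00:00.1234567Z", LogonType="10", TargetUserName="bob", IpAddress="10.0.0.5", TargetLogonId="0x2a3b"),
    _lsm(21, "2014-03-10T09:00:01Z", "WIN7-PC\\bob", 2, "10.0.0.5"),
    _lsm(24, "2014-03-10T09:30:00Z", "WIN7-PC\\bob", 2, "10.0.0.5"),
    _sec(4779, "2014-03-10T09:30:00Z", AccountName="bob", SessionName="RDP-Tcp#0", ClientAddress="10.0.0.5"),
    _sec(4624, "2014-03-10T10:00:00Z", LogonType="10", TargetUserName="alice", IpAddress="192.168.1.20", TargetLogonId="0x4c5d"),
    _lsm(21, "2014-03-10T10:00:01Z", "WIN7-PC\\alice", 3, "192.168.1.20"),
    _sec(4778, "2014-03-10T11:00:00Z", AccountName="bob", SessionName="RDP-Tcp#1", ClientAddress="10.0.0.7"),
    _lsm(25, "2014-03-10T11:00:00Z", "WIN7-PC\\bob", 2, "10.0.0.7"),
]
SAMPLE_ROWS = remote_session_events(parse_event(x) for x in SAMPLE_XML)

if __name__ == "__main__":
    for r in SAMPLE_ROWS:
        print(f"{r['time']:%Y-%m-%d %H:%M:%S}  {r['source']:<14} {r['what']:<22} {r['user']} {r['addr']} [{r['key']}]")
    print(summarize(SAMPLE_ROWS))
```

On the sample data the two 4624/10 events give two logon IDs, the LSM log gives two session IDs (2 and 3), and the 11:00 reconnect of session 2 from a different client address shows up only as 4778 / LSM 25, so three distinct client addresses appear although only two type 10 logons exist. Reading the LSM log next to Security is what separates "new session" from "reconnected to an old one".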