Ultimately the client believed that the computer was accessed remotely via normal means of a remote desktop login; my goal was to either prove or disprove that that was the case.
If you know either the user account used or the timeframe that the login may have occurred, you can use information from the SAM and NTUSER.DAT hives to confirm that the user account was logged in and active at that time. However, without Security Event Logs to show logins, or some other log source, you're likely not going to be able to determine from where the login originated.
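One way to do the SAM-hive check described in the reply above, as an added Python example that is not part of this thread: it decodes the per-account F value (SAM\Domains\Account\Users\<RID>\F, the layout RegRipper's samparse plugin reads) and tests whether the recorded last logon falls in a given window. The F value bytes here are constructed, not taken from a real system.

```python
import struct
from datetime import datetime, timedelta, timezone
# Field offsets inside the SAM "F" value; timestamps are 64-bit FILETIMEs
# (100-ns ticks since 1601-01-01 UTC), matching what RegRipper's samparse decodes.
OFF_LAST_LOGIN, OFF_PWD_RESET, OFF_ACCT_EXPIRES, OFF_PWD_FAIL = 0x08, 0x18, 0x20, 0x28
OFF_RID, OFF_ACB_FLAGS, OFF_FAIL_COUNT, OFF_LOGIN_COUNT = 0x30, 0x38, 0x42, 0x44
_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    """FILETIME -> aware datetime; 0 means the field was never set."""
    return None if ft == 0 else _EPOCH + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    d = dt - _EPOCH  # integer arithmetic, so no float rounding on 2^63-scale values
    return ((d.days * 86400 + d.seconds) * 10**6 + d.microseconds) * 10

def parse_f_value(f):
    """Decode the account fields from a raw F value (bytes)."""
    if len(f) < OFF_LOGIN_COUNT + 2:
        raise ValueError("F value truncated")
    q = lambda off: struct.unpack_from("<Q", f, off)[0]
    return {
        "rid": struct.unpack_from("<I", f, OFF_RID)[0],
        "acb_flags": struct.unpack_from("<H", f, OFF_ACB_FLAGS)[0],
        "failed_logins": struct.unpack_from("<H", f, OFF_FAIL_COUNT)[0],
        "login_count": struct.unpack_from("<H", f, OFF_LOGIN_COUNT)[0],
        "last_login": filetime_to_dt(q(OFF_LAST_LOGIN)),
        "pwd_reset": filetime_to_dt(q(OFF_PWD_RESET)),
        "acct_expires": filetime_to_dt(q(OFF_ACCT_EXPIRES)),
        "last_pwd_fail": filetime_to_dt(q(OFF_PWD_FAIL)),
    }

def logged_in_within(f, start, end):
    """True if the recorded last logon falls inside [start, end]. SAM keeps only
    the most recent logon, so False does not rule out an earlier logon in the window."""
    last = parse_f_value(f)["last_login"]
    return last is not None and start <= last <= end

def build_sample_f(rid, last_login, login_count):
    """Constructed sample F value (not from a real system) for demonstration."""
    f = bytearray(0x50)
    struct.pack_into("<Q", f, OFF_LAST_LOGIN, dt_to_filetime(last_login))
    struct.pack_into("<I", f, OFF_RID, rid)
    struct.pack_into("<H", f, OFF_ACB_FLAGS, 0x0210)  # normal account, password never expires
    struct.pack_into("<H", f, OFF_LOGIN_COUNT, login_count)
    return bytes(f)
SAMPLE_LOGIN = datetime(2009, 6, 15, 14, 30, tzinfo=timezone.utc)  # constructed timestamp
SAMPLE_F = build_sample_f(1000, SAMPLE_LOGIN, 7)
WINDOW_START, WINDOW_END = SAMPLE_LOGIN - timedelta(hours=2), SAMPLE_LOGIN + timedelta(hours=2)
```

On a real hive, read the F value with a registry parser and pass its bytes to parse_f_value; correlate the result with the NTUSER.DAT key last-write times for the same account.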
Thanks for all the info keydet, I completely agree with you; we have just received logs from the network company, hopefully they were keeping something useful. Thanks again to everyone.
An eDiscovery note (as I am up to my neck with them) - since the network vendor is on notice regarding this incident, they are obligated to safe keep the logs as far as I understand.
It is a bad bad thing to wipe logs when notified of a potential legal case that may need those logs…
Depends on the stipulation of the preservation hold and whether there was reasonable expectation that the data would be part of discovery. Also, the company's retention policy can trump that as well. Best is always to try to get the preservation request to the necessary parties ASAP and if possible have the legal representatives get involved because some ISPs will not respond unless it is an active and filed case in a court.