Post incident investigation
Posted on 2010-09-20
I would like to investigate files (located on network shares) accessed/copied/modified by a specific user over a specific (recent) time period.
I`ve researched & found scripts that can display the time/date a file was last accessed, but not who the user was that accessed it.
Auditing not enabled
User was using a domained laptop
I appreciate the setup isn`t ideal for a post incident investigation (no auditing etc) but was hoping for any advice as to what can be done...
Thanks in advance,