Link to home
Start Free TrialLog in
Avatar of rrcarlisle
rrcarlisle

asked on

Can you tell what files are touched during a RDP session on SBS2003?

I have a server that i know was hacked through the rdp. I was able to use network probe to trace the ip traffic to an ip address in south korea. I also know that the session lasted approx 2.5 hours and 390 meg of data was transmitted. My question is - How can i find out WHAT data was taken or copied? I have crawled through all the event logs and they are of no use, i did a search on any files that would have been created or modified during the time period but nothing interesting came up. Any suggestions? Is there a hidden log somewhere that tells when files are copied?
ASKER CERTIFIED SOLUTION
Avatar of ShareefHuddle
ShareefHuddle
Flag of United States of America image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of rrcarlisle
rrcarlisle

ASKER

will auditing tell me what files are touched (copied, opened, etc) by what user? How does one activate this feature?