Can you tell what files are touched during a RDP session on SBS2003?

I have a server that i know was hacked through the rdp. I was able to use network probe to trace the ip traffic to an ip address in south korea. I also know that the session lasted approx 2.5 hours and 390 meg of data was transmitted. My question is - How can i find out WHAT data was taken or copied? I have crawled through all the event logs and they are of no use, i did a search on any files that would have been created or modified during the time period but nothing interesting came up. Any suggestions? Is there a hidden log somewhere that tells when files are copied?
rrcarlisleAsked:
Who is Participating?

[Webinar] Streamline your web hosting managementRegister Today

x
 
ShareefHuddleConnect With a Mentor Commented:
If auditing was setup but by default no not really.
0
 
rrcarlisleAuthor Commented:
will auditing tell me what files are touched (copied, opened, etc) by what user? How does one activate this feature?
0
All Courses

From novice to tech pro — start learning today.