I have a server that I know was hacked through RDP. I was able to use network probe to trace the IP traffic to an IP address in South Korea. I also know that the session lasted approx. 2.5 hours and 390 meg of data was transmitted. My question is: how can I find out WHAT data was taken or copied? I have crawled through all the event logs and they are of no use. I did a search on any files that would have been created or modified during the time period, but nothing interesting came up. Any suggestions? Is there a hidden log somewhere that tells when files are copied?