Solved

Forensic audit of SBS 2008

Posted on 2016-09-15
3
102 Views
Last Modified: 2016-09-16
I am being asked to look at a Windows SBS 2008 server which has been decommissioned for some time.  I am being asked to see if anyone has accessed the server / files since it has been decommissioned.

It was shutdown and put into storage.  No one should have had reason to access it but a question about client contacts stored in exchange has come up.

Looking for recommendations.

Thank you
0
Comment
Question by:Sean Meyer
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 13

Assisted Solution

by:akb
akb earned 250 total points
ID: 41800679
If you really need a "Forensic audit" of the server then you will need to clone the HDD before you do anything to preserve the original disk/s.
You should then use the cloned disk and put away the original for safe keeping.
Boot the system and have a look at event viewer to see if the server has been booted since it was decommissioned.
It is also possible that someone has put the HDD into another PC and retrieved the data that way.
You may be able to look at the date the files were last accessed for evidence.
If the drives were cloned or read with a read only utility then it may not be possible to prove they were accessed.
0
 
LVL 63

Accepted Solution

by:
btan earned 250 total points
ID: 41800756
If the HDD wss taken out and store separately without any form of encryption, it is susceptible to what you meant on possible Unauthorised access. Howvever of it is encrypted then possibly is to see any log access based on the encryption software used. May want to check the physical surveillance capture to the physical location of the HDD.

Probably the last access to HDD can be check via going through Window's event log to find the last successful start-up event. Can see through event viewer too. E.g Filter the System Event Log for Event ID 6009.

The default locations of the logs are:

%SystemRoot%\System32\Config\SysEvent.Evt (System Log)
%SystemRoot%\System32\Config\AppEvent.Evt (Application log)
%SystemRoot%\System32\Config\SecEvent.Evt (Security Log)

Also Windows keeps track of your total up-time and the last time your computer booted. E g. open your task manager in performance tab under System find your "UpTime" or via the command "net stats srv" (e.g. the line that start with "Statistics since …" provides the time that the server was up from)
https://support.microsoft.com/en-sg/kb/555737

A summary of the option are  - https://www.petri.com/check-uptime-in-server-2008
Method #1: By using the Task Manager
Method #2: By Using the System Information Utility
Method #3: By Using the Uptime Utility
Method #4: By Using the NET STATISTICS Utility

Can also check timestamp of files that are of concern. Looking out also for the use of external device such as USB (esp if there are those are used beyond its decom state) e.g. Use PowerShell to Find the History of USB Flash Drive Usage - https://blogs.technet.microsoft.com/heyscriptingguy/2012/05/18/use-powershell-to-find-the-history-of-usb-flash-drive-usage/
0
 
LVL 9

Author Closing Comment

by:Sean Meyer
ID: 41801899
Perfect!  

Exactly the data for which I was looking.

Life is good!
0

Featured Post

Are You Ransomware's Next Victim?

Worried about ransomware attacks hitting your organization?  The good news is that these attacks are predicable and therefore preventable. Learn more about how you can  stop a ransomware attacks before encryption takes place with WatchGuard Total Security!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Windows 10 GUEST Account 10 78
PEN and Issuance policy for 2 tier Windows 2012 PKI 3 85
endpoint protection and patch status - SCCM 3 73
Frequency of Windows Server updates 27 136
Ransomware is a malware that is again in the list of security  concerns. Not only for companies, but also for Government security and  even at personal use. IT departments should be aware and have the right  knowledge to how to fight it.
This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/s…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

751 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question