Daily Blog #21: Sunday Funday 7/14/2013 - Interactive Login Windows Server 2008 R2 System Challenge

Sunday Funday by David Cowen - Hacking Exposed Computer Forensics Blog


Hello Reader,
It's Sunday! Time for another forensic challenge to get your minds revved up for another week of investigations. This week I have something of moderate difficulty, so I'm hoping a wider range of people will give this a try. As in prior weeks, the most complete answer wins; however, if two people have the same information and completeness, I will declare the one who commented fully first the winner. The prize this week? A Seagate Desktop Plus 4TB external drive with a USB3 dock, as seen here.

The Challenge:

The challenge? It's believed that a user account had an interactive login on a Windows Server 2008 R2 system. The suspect is thought to be a senior IT architect and may have used anti-forensic techniques to hide his activities. Please answer the following:

1. Where by default would you find evidence of an interactive login? Please list all locations.

2. What would you do to determine if anti-forensic methods were taken?

3. What would your next steps be?

The rules:

1. The most complete answer wins.

2. If you win, I need a shipping address and a name sent to me via email.

3. You have until midnight PST (GMT -7) on 7/14/13 to answer.

4. You are allowed to edit and update your answer.

5. If two answers are the same, the earlier answer wins.

Good luck!
