Saturday, July 13, 2013

Daily Blog #21: Sunday Funday 7/14/2013

Hello Reader,
It's Sunday! Time for another forensic challenge to get your minds revved up for another week of investigations. This week I have something of moderate difficulty, so I'm hoping a wider range of people will give this a try. As in prior weeks, the most complete answer wins; however, if two people have the same information and completeness, I will declare the one who commented fully first the winner. The prize this week? A Seagate Desktop Plus 4TB external drive with a USB3 dock, as seen here.

The challenge? It's believed that a user account had an interactive login on a Windows Server 2008 R2 system. The suspect is thought to be a senior IT architect and may have used anti-forensic techniques to hide his activities. Please answer the following:
1. Where, by default, would you find evidence of an interactive login? Please list all locations.
2. What would you do to determine if anti-forensic methods were taken?
3. What would your next steps be?

The rules:
1. The most complete answer wins
2. If you win, I need a shipping address and a name sent to me via email
3. You have until midnight PST (GMT -7) on 7/14/13 to answer
4. You are allowed to edit and update your answer
5. If two answers are the same, the earlier answer wins

Good luck!