Saturday, November 2, 2013

Daily Blog #133: Sunday Funday 11/3/13

Hello Reader,
           Another fun week, I got to speak at Bsides DFW yesterday and reach out to our infosec brethren and spread the good DFIR word. I gave a write blocker and a book as a door prize, and someone mentioned that a write blocker would be a very tempting Sunday Funday prize, so here we go! This week's challenge focuses on terminal services access and its artifacts.

The Prize:

The Rules:
  1. You must post your answer before Monday 11/4/13 2AM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful 
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post

The Challenge:
A shared Windows 2008 R2 terminal server was set up allowing employees to work from home without requiring VPN access. On that server several files used by a department suddenly got deleted and no one is taking responsibility. What would you do to determine which user deleted the files, with the assumption that they RDP'd in to do so?