Saturday, November 9, 2013

Daily Blog #140: Sunday Funday 11/10/13

Hello Reader,
         We've been talking about timestamp changes and other methods of hiding activity this week, so I thought I would add a challenge that covers a more basic anti-forensic technique. I hope you like this week's scenario challenge, and prepare yourself for another full image challenge next week.

The Prize:
  • A 4TB External USB3 Seagate Backup Plus Hard Disk

The Rules:
  1. You must post your answer before Monday 11/11/13 2AM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful 
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post

The Challenge:
 You have a forensic image of a Windows Server 2008 R2 system on which the former administrator installed LogMeIn. You have been told that your client suspects the former administrator logged in remotely and shut down the database services, preventing the company's webstore from functioning. When you go to review the LogMeIn logs, you notice they have been deleted from the system.

Where on the system, other than carving the logs from the free space of the disk, can you look to determine when the ex-administrator used LogMeIn to access the system?