I am investigating a case where a system running Server 2003 was accessed by another remote system running Windows XP.
The audit policy is enabled on the server machine, i.e. audit logon events, privilege use, object access and others as well. But on the remote machine running XP, auditing is not enabled.
In order to verify that the system was accessed from this Windows XP machine using Remote Desktop, I checked the registry keys:
1. HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default
2. HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Server\UsernameHint
In the first entry I can see the IP address of the server machine, which is, say, 192.168.0.5, and some other IPs as well, but I am unable to find the time and date of this connection.
In the second key I did not find anything, i.e. the Server key is not available.
On the server machine, however, when I analyzed the security log I could not find the event that provides me the details of the machine that accessed this server. I came to know from the sysadmin that the server machine was rebuilt 2 months ago, so I think the event that can provide me the exact time and date is not there (it might have been accessed 2 months back, before the fresh installation of the OS).
Can anyone help me find where I can get information about the exact date and time the system was accessed, along with the IP address that accessed this system? Is there any registry entry which not only keeps the history of the remote desktop connections but also keeps the time and date?
I will really appreciate your help and support.