Forensic:How to get the history log of RDP (Time and Date)
#1
Mobi
Hi guys,

I am investigating a case where a system running Server 2003 was accessed by another remote system running Windows XP.

The audit policy is enabled on the server machine, i.e. audit logon events, privilege use, object access and others as well. But on the remote machine running XP, auditing is not enabled.

In order to verify that the system was accessed from this Windows XP machine by using Remote Desktop, I checked the registry keys:

1. HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default
2. HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Server\UsernameHint

In the first entry I can see the IP address of the server machine, which is say 192.168.0.5, and some other IPs as well, but I am unable to find the time and date of this connection.

In the second key I did not find anything, i.e. the Server key is not available.

On the server machine, however, when I analyzed the security log I could not find the event that provides the details of the machine that accessed this server. I came to know from the Sys Admin that the server machine was rebuilt 2 months ago, so I think the event that can provide me the exact time and date is not there (it might have been accessed 2 months back, before the fresh installation of the OS).

Can anyone help me with where I can get information about the exact date and time the system was accessed, along with the IP address that accessed this system? Is there any registry entry which not only keeps the history of the Remote Desktop connections but also keeps the time and date?

I would really appreciate your help and support.
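One way to pull the client-side history the post is looking at, together with the one timestamp the registry does keep for it, is to list the MRU values under `Default` and read each `Servers\<host>` subkey's last-write time via RegQueryInfoKey. This is an added PowerShell example, not code from the thread; it assumes the standard `Terminal Server Client\Servers\<host>` layout (the post's `Server\UsernameHint` path) and that it runs in the investigated account's profile on the examiner's machine, or against that user's NTUSER.DAT loaded under HKU with `$base` adjusted.

```powershell
# Added example (not from the original post). Lists the RDP client's MRU entries
# and, per Servers\<host> key, the registry last-write time. That time marks the
# last write to the key, not every connection (assumption: it is the best
# client-side timestamp available). Adjust $base if the hive is loaded under HKU:\.
$base = 'HKCU:\Software\Microsoft\Terminal Server Client'

# RegQueryInfoKey is the documented API for a key's last-write time; every
# optional output is passed as NULL except the FILETIME we want.
$sig = @'
[DllImport("advapi32.dll")]
public static extern int RegQueryInfoKey(
    Microsoft.Win32.SafeHandles.SafeRegistryHandle hKey, IntPtr lpClass,
    IntPtr lpcchClass, IntPtr lpReserved, IntPtr lpcSubKeys, IntPtr lpcbMaxSubKeyLen,
    IntPtr lpcbMaxClassLen, IntPtr lpcValues, IntPtr lpcbMaxValueNameLen,
    IntPtr lpcbMaxValueLen, IntPtr lpcbSecurityDescriptor,
    out System.Runtime.InteropServices.ComTypes.FILETIME lpftLastWriteTime);
'@
$native = Add-Type -MemberDefinition $sig -Name 'RegInfo' -Namespace 'RdpForensics' -PassThru

function Get-RegKeyLastWriteUtc([Microsoft.Win32.RegistryKey]$Key) {
    $ft = New-Object System.Runtime.InteropServices.ComTypes.FILETIME
    $z  = [IntPtr]::Zero
    $rc = $native::RegQueryInfoKey($Key.Handle, $z, $z, $z, $z, $z, $z, $z, $z, $z, $z, [ref]$ft)
    if ($rc -ne 0) { return $null }
    # FILETIME is two signed 32-bit halves; rebuild the unsigned 64-bit tick count.
    $ticks = ([long]$ft.dwHighDateTime -shl 32) -bor ([long]$ft.dwLowDateTime -band [long][uint32]::MaxValue)
    return [DateTime]::FromFileTimeUtc($ticks)
}

# 1. MRU list under ...\Default: hosts the client connected to, MRU0 being the most recent.
$mru = Get-ItemProperty -Path "$base\Default" -ErrorAction SilentlyContinue
if ($mru) {
    $mru.PSObject.Properties | Where-Object { $_.Name -like 'MRU*' } |
        Sort-Object { [int]($_.Name -replace 'MRU', '') } |
        ForEach-Object { '{0,-6} {1}' -f $_.Name, $_.Value }
}

# 2. Per-host keys under ...\Servers: saved username hint plus key last-write time.
Get-ChildItem -Path "$base\Servers" -ErrorAction SilentlyContinue | ForEach-Object {
    [PSCustomObject]@{
        Server          = $_.PSChildName
        UsernameHint    = $_.GetValue('UsernameHint')
        KeyLastWriteUtc = Get-RegKeyLastWriteUtc $_
    }
} | Sort-Object KeyLastWriteUtc -Descending | Format-Table -AutoSize
```

Because the client registry only records the last write to each host key, corroborate any date it yields with the server-side security log and, where the server was rebuilt, with whatever backups of its event logs survive.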