Channel: Forensic Focus Forums - Recent Topics

General Discussion: I have been trying to get information from this below

OK, just to give you some thoughts on where to find evidence:

- school server with student records; make a memory dump and forensic image of the server
- firewall and IDS, save your log files
- where are your IDS and firewall located (at the internet connection side or within your LAN)?
- sending mails: is this done on the same server or another mail server; if another server, memory dump and forensic image
- you're talking about packet captures; are the captures running all the time? Where on the network are they running?

Just start filling in the questions you have. You know when the staff got the email and probably when the data was changed; that's the starting point, work backwards. You know (or assume) admin credentials were used by remote login; you can verify that in the log files. Where did the login come from (inside the LAN or outside)? Many, many questions. Gather as many sources of evidence as possible.
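The "work backwards and check where the login came from" step, sketched as an added example that is not part of the original post: it pulls one account's logins from a window ending at the known change time and labels each source address as inside or outside the LAN. The log format, the `10.0.0.0/16` LAN range, the timestamps and the function names are all assumptions made for illustration.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical key=value format (not a real product's log).
SAMPLE_LOG = """\
2024-03-04T08:02:11 login user=admin src=10.0.4.17 result=success
2024-03-04T21:47:03 login user=admin src=203.0.113.45 result=failure
2024-03-04T21:47:39 login user=admin src=203.0.113.45 result=success
2024-03-04T22:05:10 login user=jsmith src=10.0.7.80 result=success
2024-03-05T07:30:00 login user=admin src=10.0.4.17 result=success
"""

# Assumed internal address range; replace with the networks actually in use.
LAN = [ipaddress.ip_network("10.0.0.0/16")]
LINE_RE = re.compile(r"^(\S+) login user=(\S+) src=(\S+) result=(\S+)$")


def origin(src):
    """Label a source address as 'inside' or 'outside' the assumed LAN."""
    addr = ipaddress.ip_address(src)
    return "inside" if any(addr in net for net in LAN) else "outside"


def logins_before(log_text, account, event_time, window):
    """Logins for `account` in [event_time - window, event_time], newest first."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the assumed format
        ts = datetime.fromisoformat(m.group(1))
        user, src, result = m.group(2), m.group(3), m.group(4)
        if user == account and event_time - window <= ts <= event_time:
            hits.append((ts, src, origin(src), result))
    return sorted(hits, reverse=True)


if __name__ == "__main__":
    changed_at = datetime(2024, 3, 4, 22, 0, 0)  # constructed time of the data change
    for ts, src, where, result in logins_before(
            SAMPLE_LOG, "admin", changed_at, timedelta(hours=12)):
        print(ts.isoformat(), src, where, result)
```

Run it against a working copy of the logs, not the originals, and keep the hash of the file it was run on with the output.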
