What did they take?
This question is always a key priority for lawyers. Knowing what data was taken and what it contained helps them decide on the next legal steps to protect the company. Often times, if PII is taken such as Social Security Numbers it will require the company to make notice to the victims that their data was stolen. Finding this answer quickly helps counsel with their legal strategy and helps the company know their next steps.
Fortunately, there are serveral artifacts on Windows systems that we can check to find out if data was taken or accessed. Using the host based exfil guide below allows us to do a quick triage of the systems and get answers fast.
