I'm currently working on a forensic investigation involving a former systems administrator. We've found that they manipulated their permissions in Active Directory before leaving, which raises some serious concerns. Here's the situation: we believe they accessed sensitive payroll and HR servers, and possibly copied a major shared management drive. I've already tried running various PowerShell scripts to analyze the Event Logs for any suspicious activity, but the results are unclear. I'm looking for ways to track file copying actions, determine if there was any unauthorized data viewing, and uncover signs of any lateral movement within our systems. I would also appreciate recommendations for forensic tools and techniques to substantiate our findings.
5 Answers
Look into your backup systems; they might have logs or records of any access or data restoration that took place. Many admins overlook that. Additionally, reviewing SMB client/server logs could provide insights into which shares were accessed during the timeframe in question.
In terms of lateral movement detection, keep an eye on specific Event IDs that show administrative logins and attempts to access sensitive areas of your network. Also, if you catch any evidence of large data transfers in your firewall logs, that could point towards potential data exfiltration.
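As an added example, not code from any answer here: a PowerShell script that pulls the Security-log indicators the answers above point at (network/RDP logons, explicit-credential use, admin-privilege logons, share access, and the group-membership changes behind the permission manipulation in the question) for one account and builds a timeline. The account name and date window are placeholders, and it assumes the relevant audit categories were enabled on the host or domain controller it is run on.

```powershell
# Added example, not code from any answer on this page: pull lateral-movement,
# share-access and group-change indicators for one account out of the Security
# log. Assumes Logon, File Share and Security Group Management auditing was on.
$Account = 'jdoe'                        # placeholder: the account under review
$Start   = (Get-Date).AddDays(-90)       # placeholder window
$End     = Get-Date

# Event IDs and what each tells an investigator
$ids = @{
    4624 = 'Logon (LogonType 3 = network, 10 = RDP)'
    4648 = 'Logon with explicit credentials (runas / alternate creds)'
    4672 = 'Special privileges assigned (admin-equivalent logon)'
    5140 = 'Network share accessed'
    5145 = 'Share object access check (per-file, if enabled)'
    4728 = 'Member added to global security group'
    4732 = 'Member added to local security group'
    4756 = 'Member added to universal security group'
}

$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = [int[]]$ids.Keys; StartTime = $Start; EndTime = $End
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Read fields by name from the event XML rather than by positional index
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # Keep the event if the account is the subject, the target or the added member
    $hit = @($d.SubjectUserName, $d.TargetUserName, $d.MemberName) |
        Where-Object { $_ -and $_ -like "*$Account*" }
    if (-not $hit) { continue }

    [pscustomobject]@{
        Time      = $e.TimeCreated
        Id        = $e.Id
        Meaning   = $ids[$e.Id]
        Subject   = $d.SubjectUserName
        Target    = $d.TargetUserName
        LogonType = $d.LogonType
        SourceIp  = $d.IpAddress
        Share     = $d.ShareName
        Object    = $d.RelativeTargetName
    }
}
# Timeline for the case file, plus a per-ID count to spot what is worth reading first
$rows | Sort-Object Time | Export-Csv -NoTypeInformation -Path .\account_timeline.csv
$rows | Group-Object Id | Select-Object Name, Count | Sort-Object Name
```

Run it against a forensic copy of the logs (or an exported .evtx via Get-WinEvent -Path) rather than the live system, so the collection itself does not alter the evidence.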
For tracking file copying, check any temp files that may have been created by Office applications; those can sometimes offer clues. You might want to pay attention to deletion events as well, since they can indicate when files were accessed and then removed. Don't forget about checking for unusual traffic patterns in firewall logs too, especially if the admin used external storage.
If you didn’t have any logging in place before these incidents, you're likely going to run into difficulties finding solid evidence. Make sure to document everything you've done so far to prevent any claims of evidence tampering later on. And always consider engaging a legal team with IT forensic expertise to guide your investigation.
It’s crucial to treat this investigation seriously due to the legal implications. If you plan to proceed with any legal actions, it’s best to involve a professional forensic investigation firm. They can handle the evidence correctly and provide expert testimony if required, ensuring nothing gets tampered with before you're able to preserve the evidence properly.