I am a software developer now being tasked with managing our IT.
My first week at this job we upgraded to Windows 8 and never correctly connected the machines to AD.
The first suspicious thing that happened was that this morning the boss's wife's PC gave her two possible logins instead of the one she is used to. She always locks her PC the same way: CTRL+ALT+DEL > Lock. Now all of a sudden when she starts her machine she gets this:
THIS-PC-NAME\hername
DOMAIN\hername
Question 1: Why would this happen? Could this indicate an intrusion?
She logged into the DOMAIN, which is not what she is used to doing, and the keyboard was mapped to DVORAK. I use DVORAK exclusively, but I did not log into her machine.
When she realized the DVORAK mapping she restarted her machine. Then she was only shown 1 login (DOMAIN), and no more DVORAK mapping.
I can't imagine this happening because of some process on the machine. There are only 3 employees and the building is locked up at night.
I have run a netstat but I am not really sure what I am looking at. The boss is starting to say crazy things like, "We are going to disconnect our network from the internet and only allow one machine to access it".
Question 2: How can I tell if there was some kind of an intrusion? How do I respond?