Understanding how this program works (forensics)

Posts: 1
Joined: 16 May 2017

mintra

I have an issue where someone has taken a load of data and then left a company.

They had an iMac with a Windows 8 machine in Parallels.

They connected through a LAN-to-LAN VPN to an office server running OS X Server.

They used FreeFileSync to copy legitimate work they had been doing to the server.

They then used FreeFileSync and possibly SyncToy to copy stuff back to the iMac.

They then removed FreeFileSync from the Mac, moved the files to something else and used some tool to erase the records of the files they had deleted.

Hence we only have logs on the Mac OS X server end.

They have entries like this (I have deleted the trailing 0 0 0):

Apr 27 11:01:06 my.server.com AppleFileServer[28972] <Info>: IP 192.168.9.20 - - "CreateFile Register.xlsx.ffs_tmp"
Apr 27 11:01:06 my.server.com AppleFileServer[28972] <Info>: IP 192.168.9.20 - - "OpenFork Register.xlsx.ffs_tmp"
Apr 27 11:01:07 my.server.com AppleFileServer[28972] <Info>: IP 192.168.9.20 - - "OpenFork Register.xlsx.ffs_tmp"
Apr 27 11:01:07 my.server.com AppleFileServer[28972] <Info>: IP 192.168.9.20 - - "OpenFork Register.xlsx.ffs_tmp"
Apr 27 11:01:07 my.server.com AppleFileServer[28972] <Info>: IP 192.168.9.20 - - "OpenFork Register.xlsx.ffs_tmp"
Apr 27 11:01:08 my.server.com AppleFileServer[28972] <Info>: IP 192.168.9.20 - - "OpenFork Register.xlsx"
Apr 27 11:01:08 my.server.com AppleFileServer[28972] <Info>: IP 192.168.9.20 - - "OpenFork Register.xlsx.ffs_tmp"
Apr 27 11:01:08 my.server.com AppleFileServer[28972] <Info>: IP 192.168.9.20 - - "OpenFork Register.xlsx.ffs_tmp"
Apr 27 11:01:09 my.server.com AppleFileServer[28972] <Info>: IP 192.168.9.20 - - "Delete Register.xlsx"
Apr 27 11:01:09 my.server.com AppleFileServer[28972] <Info>: IP 192.168.9.20 - - "OpenFork Register.xlsx.ffs_tmp"

What is happening here?

Then later a load like this, which are missing the Delete record:

May 1 02:21:52 my.server.org AppleFileServer[28972] <Info>: 192.168.9.20 - - "CreateDir M02"
May 1 02:21:53 my.server.org AppleFileServer[28972] <Info>: 192.168.9.20 - - "CreateFile M02 data R2.docx.ffs_tmp"
May 1 02:21:53 my.server.org AppleFileServer[28972] <Info>: 192.168.9.20 - - "OpenFork M02 data R2.docx.ffs_tmp"
May 1 02:21:54 my.server.org AppleFileServer[28972] <Info>: 192.168.9.20 - - "OpenFork M02 data R2.docx.ffs_tmp"
May 1 02:21:55 my.server.org AppleFileServer[28972] <Info>: 192.168.9.20 - - "OpenFork M02 data R2.docx.ffs_tmp"
May 1 02:21:55 my.server.org AppleFileServer[28972] <Info>: 192.168.9.20 - - "CreateFile M02 data.docx.ffs_tmp"
May 1 02:21:56 my.server.org AppleFileServer[28972] <Info>: 192.168.9.20 - - "OpenFork M02 data.docx.ffs_tmp"
May 1 02:21:58 my.server.org AppleFileServer[28972] <Info>: 192.168.9.20 - - "OpenFork M02 data.docx.ffs_tmp"
May 1 02:21:58 my.server.org AppleFileServer[28972] <Info>: 192.168.9.20 - - "OpenFork M02 data.docx.ffs_tmp"

One has a delete.

I am not sure how to work out the direction of transfer; the only access this user had was through an AFP share.

All these were from /Library/Logs/AppleFileServiceAccess.log.

Any help would be most welcome, as we think we have lost a lot of data and we want to be sure of what.
Site Admin
Posts: 7282
Joined: 9 Dec 2007

Zenju

The ".ffs_tmp" files are naturally created on the target side of a sync job. Other than that, FreeFileSync always writes the last sync operations into "LastSyncs.log" (https://freefilesync.org/manual.php?topic=expert-settings). If you're lucky this file is still there, or can be reconstructed.