|
There *was* source as the tokenisation process doesn't delete it, so it should be secured somewhere, not least because the coder will need access to it to engineer fixes and updates.
If it isn't available then the person responsible is utterly incompetent at best (good job they're gone) and criminally negligent at worst.
You can use monitoring tools as Jooel suggested to detect activity like registry writes and command execution, but this won't explain branching in the code based on groups or AD information or installed software.
Probably you are just going to have to remove the script, see what breaks and then re-engineer it.
Just make sure that you document the source location for the next poor devil that has to deal with it, as it might be you.
| 
