Deleted Logs!!! NT and 2k server (W2K)
DavidColon
06-22-2002, 08:50 AM
Is there a way to check activity logs that have been deleted on a server? Do logs get backed up? I have to find out what this administrator has been doing with this company's network for security reasons. They don't trust him any more and I know he deleted all the logs to erase his trails. My task is to find out what he has been doing and make a report.
Any advice???
Paul S
06-24-2002, 02:29 PM
If the logs have been deleted then they have gone. Also depends how the administrator has configured the event log, he/she may have set the event to 'overwrite after x days' for example.
As for backups: this depends how your backup regime has been configured. If you have total backups then check the following path: C:\WINDOWS\System32\config\SecEvent.Evt
Hope this helps...
Paul
DavidColon
06-24-2002, 03:42 PM
Thanks Paul. I will check that path on the backup.
Is there anything else I could check that may give me a clue as to what kind of things this administrator was doing on the network? Something he may have forgotten to erase?
Paul S
06-24-2002, 04:05 PM
David,
I would look at the Internet Access logs to see what sites he has been accessing. Also check to see what he has been doing from home, that is do you have dial-in facilities via VPN or RAS?
Also check all of the groups in User Manager to see who has access to the Domain Admins group. Have any new groups been added that no one knows what they do?
Why does the company distrust this person? Search around the result of this question. Has he been mailing people confidential information? Check the mail logs on Exchange servers (Outlook) or the Domino server (Lotus Notes). Check through his inbox/outbox - you might need to get special permission for this (invasion of privacy laws).
If he still works for the company then monitor daily all logs both on the local machine and the server(s). If he has left the company then disable his account straight away, change ALL admin passwords and look at the logs on his local machine. Change the properties for the application, security and system logs so that they are set to 'Do not overwrite events' until you are happy there are no consistent 'concerning' events.
Hope you find what you are looking for.
Paul
DavidColon
06-30-2002, 07:08 PM
Thanks again, Paul, for your last response to my questions. He didn't erase the event logs so I saved them.
I made .evt files out of the logs on that company's server. Is there a way to view those files without importing them into Event Viewer on my server? Is there some type of .evt viewer that I can download?
Paul S
06-30-2002, 08:24 PM
Hello David,
What you need is Event Analyst. You can get a 30-day trial of this software here: Dorian Software Creations (http://www.doriansoft.com/download/index.htm)
It only lasts for 30 days before you have to buy it but that should be long enough to examine the logs.
Regards,
Paul
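Added example, not from the thread or from Dorian Software: a minimal Python reader for the classic NT/2000 .evt format that saved Security logs use, following the documented EVENTLOGHEADER/EVENTLOGRECORD layout, plus a check for Security event 517 (NT/2000 "The audit log was cleared"). The sample records are constructed inside the block; no real log is needed.

```python
import struct
from datetime import datetime, timezone
# Classic NT/2000 .evt layout (EVENTLOGHEADER / EVENTLOGRECORD), little-endian.
LFLE = b"LfLe"
HDR = struct.Struct("<I4sIIIIIIIIII")        # 48-byte file header
REC = struct.Struct("<I4sIIIIHHHHIIIIII")    # 56-byte fixed part of each record

def build_record(number, when, event_id, etype, source, computer, strings):
    """Serialise one EVENTLOGRECORD (no SID, no binary data section)."""
    names = (source + "\0" + computer + "\0").encode("utf-16-le")
    body = "".join(s + "\0" for s in strings).encode("utf-16-le")
    str_off = REC.size + len(names)
    length = str_off + len(body) + 4             # + trailing length DWORD
    length += (-length) % 4                      # records are DWORD-aligned
    rec = REC.pack(length, LFLE, number, when, when, event_id, etype,
                   len(strings), 0, 0, 0, str_off, 0, 0, 0, 0) + names + body
    return rec + b"\0" * (length - 4 - len(rec)) + struct.pack("<I", length)

def build_evt(records):
    """Header + records + the 40-byte EOF record Event Viewer expects."""
    body, nxt = b"".join(records), len(records) + 1
    end = HDR.size + len(body)
    eof = struct.pack("<10I", 0x28, 0x11111111, 0x22222222, 0x33333333,
                      0x44444444, HDR.size, end, nxt, 1, 0x28)
    return HDR.pack(0x30, LFLE, 1, 1, HDR.size, end, nxt, 1, 0x80000, 0, 0, 0x30) + body + eof

def parse_evt(data):
    """Walk records from the header's StartOffset up to its EndOffset."""
    size, sig, _, _, start, end = HDR.unpack_from(data)[:6]
    if size != 0x30 or sig != LFLE:
        raise ValueError("not a classic .evt file")
    events, off = [], start
    while off < end:
        f = REC.unpack_from(data, off)
        if f[1] != LFLE or f[0] < REC.size:
            raise ValueError(f"corrupt record at offset {off}")
        names_end = off + (f[13] if f[12] else f[11])      # SID (if any) follows the names
        str_end = off + (f[15] if f[14] else f[0] - 4)     # data (if any) follows the strings
        names = data[off + REC.size:names_end].decode("utf-16-le").split("\0")
        strings = data[off + f[11]:str_end].decode("utf-16-le").split("\0")[:f[7]]
        events.append({"number": f[2], "event_id": f[5] & 0xFFFF, "type": f[6],
                       "time": datetime.fromtimestamp(f[3], timezone.utc),
                       "source": names[0], "computer": names[1], "strings": strings})
        off += f[0]
    return events

def log_clear_events(events):
    """Security event 517 on NT/2000 is 'The audit log was cleared'."""
    return [e for e in events if e["source"] == "Security" and e["event_id"] == 517]

# Constructed sample: a successful logon (528) followed by the log being cleared (517).
SAMPLE_EVT = build_evt([
    build_record(1, 1024800000, 528, 8, "Security", "W2KSRV", ["admin", "EXAMPLE", "2"]),
    build_record(2, 1024803600, 517, 8, "Security", "W2KSRV", ["admin", "EXAMPLE"])])
```

Point `parse_evt` at the bytes of a saved SecEvent.Evt to list its records offline; a 517 whose record number sits just after a gap is worth a closer look.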
killer11
07-30-2002, 02:59 PM
David... I would know what I'm getting myself into before I start in an investigation... Joining alliances is like joining a political party... with more devastating results... Make sure you are covering your own tail... what is being asked of you now can just as easily be asked about you tomorrow... These types of "work force" scrimmages never end up in a good place... someone always gets the boot... and many times it's the accuser, just for starting a discord... many scenarios come to mind as to why you are involved... be careful you're not the pawn in a game that's just going to get you dismissed... Everyone wants to get to the top... Know the price you may pay, and the burden of the task...