Solved

System Logs

Posted on 2004-04-22
19
176 Views
Last Modified: 2010-04-13
I have a system that had a secondary drive.  We suspect the drive was stolen.  Does anyone know if the OS logs a system change such as a drive getting remove?  

Thanks
0
Comment
Question by:mchristo63
  • 8
  • 6
  • 4
19 Comments
 
LVL 67

Expert Comment

by:sirbounty
ID: 10890237
It certainly should...
Have you checked them?  Should be a red 'error' in the log.
We see this with our raid arrays when we need to replace them...I'll see if I can find the event ID you're seeking.
0
 
LVL 32

Accepted Solution

by:
Luc Franken earned 250 total points
ID: 10890245
Hi mchristo63,

I'm affraid not :(
What you might want to try is search the registry for entries that belonged to the old drive (D:\ for instance) to see if there was a D: drive before.

Greetings,

LucF
0
 
LVL 32

Expert Comment

by:Luc Franken
ID: 10890255
If this was a Raid array, sirbounty is right and it should get logged in the event logs.
0
Use Case: Protecting a Hybrid Cloud Infrastructure

Microsoft Azure is rapidly becoming the norm in dynamic IT environments. This document describes the challenges that organizations face when protecting data in a hybrid cloud IT environment and presents a use case to demonstrate how Acronis Backup protects all data.

 
LVL 67

Expert Comment

by:sirbounty
ID: 10890276
Source on ours is Storage Agents...but we've got Compaq equipment
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 10890296
I suppose it's important to know what your disk configuration is...is it a RAID array, hot pluggable drives?
If the system was shutdown prior to removal, you should certainly be able to find that event logged...
0
 

Author Comment

by:mchristo63
ID: 10890447
It was a workstation with 2 drives C: and E:.  I can't see anything in the event logs that indicate a system change.  I thought maybe the OS would see a system change upon boot after the drive was removed and log that change.  

Thanks
0
 
LVL 32

Expert Comment

by:Luc Franken
ID: 10890490
At least not that I know of :(
0
 

Author Comment

by:mchristo63
ID: 10890509
Ok, well it was a thought.  Thanks
0
 
LVL 67

Assisted Solution

by:sirbounty
sirbounty earned 250 total points
ID: 10890604
Hmm- I'd say only if you had something writing to that disk...
Perhaps an error would be generated writing to it...
Otherwise, I'd say click Start->Run->Devmgmt.msc
Click View/Show hidden
If there's a transparent icon underneath Disk Drives, then there probably 'was' a drive installed at some point, that is no longer...
0
 

Author Comment

by:mchristo63
ID: 10890634
No, we know there was a drive, but now it's gone.  We are trying to determine when it was taken.  This happened during a period the user was on vacation.  When the user returned, they noticed the secondary drive was not displayed on the system anymore.  After further investigation, it was gone.  
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 10890664
Hmm- If the system was powered down the entire time, then there's no way to do it.
Some systems have an 'intrusion detection' ability if the case has been opened, but you'd have seen that by now, if that was your situation...
Sorry to say it. :(
0
 

Author Comment

by:mchristo63
ID: 10890705
Ok, Thanks
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 10893914
mchristo63 - are you all set here?
If so, can you please close this one out?
See: http:help.jsp#hs5
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 10921137
mchristo63 -what was the final outcome here?
0
 

Author Comment

by:mchristo63
ID: 10921155
There are no logs that the OS writes when a HD is removed.  It's in the hands of the authorities to figure out how the drive was taken.  Thanks
0
 
LVL 32

Expert Comment

by:Luc Franken
ID: 10921158
That it should have been a split at least... It's still a "No you can't do that" answer... too bad. All possibilities where checked IMO :(
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 10922125
I'd be inclined to agree.
mchristo63 - both LucF and I had a hand in directing you to this dead-end :)
Mind if I have this unaccepted so you can split the points between us?
0
 

Author Comment

by:mchristo63
ID: 10922149
That's fine.
0

Featured Post

Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Window 2000 server in a SBS2011 domain DNS Errors 4 463
VMware converter for windows 2000 server SP4 4 6,037
Running Baan iV on VMware 3 144
OLD CPUs 12 80
NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
This problem is more common than not and I will show you some things to check to solve this problem.
Along with being a a promotional video for my three-day Annielytics Dashboard Seminor, this Micro Tutorial is an intro to Google Analytics API data.
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…

773 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question