
System Logs

Posted on 2004-04-22
Last Modified: 2010-04-13
I have a system that had a secondary drive. We suspect the drive was stolen. Does anyone know if the OS logs a system change such as a drive getting removed?

Thanks
Question by:mchristo63
19 Comments
 
LVL 67

Expert Comment

by:sirbounty
ID: 10890237
It certainly should...
Have you checked them?  Should be a red 'error' in the log.
We see this with our RAID arrays when we need to replace them...I'll see if I can find the event ID you're seeking.
0
 
LVL 32

Accepted Solution

by:
LucF earned 750 total points
ID: 10890245
Hi mchristo63,

I'm afraid not :(
What you might want to try is to search the registry for entries that belonged to the old drive (D:\ for instance) to see if there was a D: drive before.

Greetings,

LucF
0
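The registry search suggested in the answer above, sketched as an added example that is not part of the original thread. It assumes the drive-letter records live under `HKLM\SYSTEM\MountedDevices` (a key the thread does not name), that the key was saved with `reg export`, and that the caller supplies the signatures of the disks still attached; it shows that a letter once mapped to a disk, not when the disk was removed.

```python
import re
import struct

# Constructed sample in the format written by "reg export HKLM\SYSTEM\MountedDevices";
# the signatures and offsets below are made up for illustration.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices]
"\\DosDevices\\C:"=hex:4e,f1,0a,3c,00,7e,00,00,00,00,00,00
"\\DosDevices\\E:"=hex:9b,22,d7,81,00,7e,00,00,00,00,00,00
"\\DosDevices\\A:"=hex:5c,00,3f,00,3f,00,5c,00,46,00,44,00,43,00,23,00,\
  47,00
'''

# Value names in a .reg file escape each backslash, hence the doubled pairs.
VALUE_RE = re.compile(r'^"\\\\DosDevices\\\\([A-Z]):"=hex:([0-9a-f,]*)$', re.I)

def parse_mounted_devices(text):
    """Return {drive letter: raw bytes} for every DosDevices drive-letter value."""
    joined = re.sub(r'\\\r?\n\s*', '', text)  # undo .reg line continuations
    out = {}
    for line in joined.splitlines():
        m = VALUE_RE.match(line.strip())
        if m:
            out[m.group(1).upper()] = bytes.fromhex(m.group(2).replace(',', ''))
    return out

def decode_mbr_entry(raw):
    """A 12-byte value is an MBR disk signature plus the partition's byte offset."""
    if len(raw) != 12:
        return None  # device-path string or other layout: not handled here
    signature, offset = struct.unpack('<IQ', raw)
    return signature, offset

def missing_letters(export_text, attached_signatures):
    """Letters whose recorded disk signature matches no currently attached disk."""
    missing = {}
    for letter, raw in sorted(parse_mounted_devices(export_text).items()):
        decoded = decode_mbr_entry(raw)
        if decoded and decoded[0] not in attached_signatures:
            missing[letter] = decoded
    return missing

if __name__ == '__main__':
    # Assumption: only the disk behind C: is still attached.
    for letter, (sig, off) in missing_letters(SAMPLE_EXPORT, {0x3C0AF14E}).items():
        print(f'{letter}: disk signature {sig:08X}, partition offset {off}, disk not attached')
```

The signature of an attached MBR disk is the four bytes at offset 0x1B8 of its first sector, which is where the `attached_signatures` set would come from on a real system.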
 
LVL 32

Expert Comment

by:LucF
ID: 10890255
If this was a RAID array, sirbounty is right and it should get logged in the event logs.
0

 
LVL 67

Expert Comment

by:sirbounty
ID: 10890276
Source on ours is Storage Agents...but we've got Compaq equipment
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 10890296
I suppose it's important to know what your disk configuration is...is it a RAID array, hot pluggable drives?
If the system was shut down prior to removal, you should certainly be able to find that event logged...
0
 

Author Comment

by:mchristo63
ID: 10890447
It was a workstation with 2 drives C: and E:.  I can't see anything in the event logs that indicate a system change.  I thought maybe the OS would see a system change upon boot after the drive was removed and log that change.  

Thanks
0
 
LVL 32

Expert Comment

by:LucF
ID: 10890490
At least not that I know of :(
0
 

Author Comment

by:mchristo63
ID: 10890509
Ok, well it was a thought.  Thanks
0
 
LVL 67

Assisted Solution

by:sirbounty
sirbounty earned 750 total points
ID: 10890604
Hmm- I'd say only if you had something writing to that disk...
Perhaps an error would be generated writing to it...
Otherwise, I'd say click Start->Run->Devmgmt.msc
Click View/Show hidden
If there's a transparent icon underneath Disk Drives, then there probably 'was' a drive installed at some point, that is no longer...
0
 

Author Comment

by:mchristo63
ID: 10890634
No, we know there was a drive, but now it's gone.  We are trying to determine when it was taken.  This happened during a period the user was on vacation.  When the user returned, they noticed the secondary drive was not displayed on the system anymore.  After further investigation, it was gone.  
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 10890664
Hmm- If the system was powered down the entire time, then there's no way to do it.
Some systems have an 'intrusion detection' ability if the case has been opened, but you'd have seen that by now, if that was your situation...
Sorry to say it. :(
0
 

Author Comment

by:mchristo63
ID: 10890705
Ok, Thanks
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 10893914
mchristo63 - are you all set here?
If so, can you please close this one out?
See: http:help.jsp#hs5
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 10921137
mchristo63 - what was the final outcome here?
0
 

Author Comment

by:mchristo63
ID: 10921155
There are no logs that the OS writes when a HD is removed.  It's in the hands of the authorities to figure out how the drive was taken.  Thanks
0
 
LVL 32

Expert Comment

by:LucF
ID: 10921158
That it should have been a split at least... It's still a "No you can't do that" answer... too bad. All possibilities were checked IMO :(
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 10922125
I'd be inclined to agree.
mchristo63 - both LucF and I had a hand in directing you to this dead-end :)
Mind if I have this unaccepted so you can split the points between us?
0
 

Author Comment

by:mchristo63
ID: 10922149
That's fine.
0
