Solved

System Logs

Posted on 2004-04-22
Last Modified: 2010-04-13
I have a system that had a secondary drive.  We suspect the drive was stolen.  Does anyone know if the OS logs a system change such as a drive getting removed?

Thanks
Question by:mchristo63
19 Comments
 
LVL 67

Expert Comment

by:sirbounty
ID: 10890237
It certainly should...
Have you checked them?  Should be a red 'error' in the log.
We see this with our RAID arrays when we need to replace them...I'll see if I can find the event ID you're seeking.
0
 
LVL 32

Accepted Solution

by:
Luc Franken earned 250 total points
ID: 10890245
Hi mchristo63,

I'm afraid not :(
What you might want to try is search the registry for entries that belonged to the old drive (D:\ for instance) to see if there was a D: drive before.

Greetings,

LucF
0
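One way to run the registry check suggested in the answer above, as an added example that is not part of the original thread. It reads `HKLM\SYSTEM\MountedDevices`, decodes each drive-letter entry, and compares it with the volumes attached now; the output column names are this example's own. A stale entry shows that a volume once held that letter, not when it was removed.

```powershell
# Added example (not from the thread). Lists drive letters recorded under
# HKLM\SYSTEM\MountedDevices and flags those with no volume present now.
# Run from an administrator PowerShell (3.0 or later) session.
$key     = Get-Item -Path 'HKLM:\SYSTEM\MountedDevices'
$prefix  = '\DosDevices\'
$present = [System.IO.DriveInfo]::GetDrives() |
    ForEach-Object { $_.Name.Substring(0, 2).ToUpper() }

$report = foreach ($name in $key.GetValueNames()) {
    if (-not $name.StartsWith($prefix)) { continue }   # skip \??\Volume{...} entries
    $letter = $name.Substring($prefix.Length).ToUpper()
    $data   = $key.GetValue($name) -as [byte[]]
    if ($null -eq $data) { continue }

    if ($data.Length -eq 12) {
        # Basic MBR disk: 4-byte disk signature + 8-byte partition start offset
        $sig    = [BitConverter]::ToUInt32($data, 0)
        $offset = [BitConverter]::ToUInt64($data, 4)
        $detail = 'MBR disk signature 0x{0:X8}, partition offset {1}' -f $sig, $offset
    }
    elseif ($data.Length -eq 24 -and
            [Text.Encoding]::ASCII.GetString($data, 0, 8) -ceq 'DMIO:ID:') {
        # GPT disk: "DMIO:ID:" followed by the 16-byte partition GUID
        $guidBytes = [byte[]]$data[8..23]
        $detail = 'GPT partition GUID {0}' -f (New-Object Guid (, $guidBytes))
    }
    else {
        # Removable or optical device: UTF-16 device interface path
        $detail = [Text.Encoding]::Unicode.GetString($data)
    }

    [pscustomobject]@{
        DriveLetter = $letter
        PresentNow  = $present -contains $letter
        Identity    = $detail
    }
}

# Entries with PresentNow = False are letters once assigned to a volume that is
# not attached now (this includes unplugged USB media, not only missing disks).
$report | Sort-Object DriveLetter | Format-Table -AutoSize -Wrap
```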
 
LVL 32

Expert Comment

by:Luc Franken
ID: 10890255
If this was a RAID array, sirbounty is right and it should get logged in the event logs.
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 10890276
Source on ours is Storage Agents...but we've got Compaq equipment
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 10890296
I suppose it's important to know what your disk configuration is...is it a RAID array, hot pluggable drives?
If the system was shut down prior to removal, you should certainly be able to find that event logged...
0
 

Author Comment

by:mchristo63
ID: 10890447
It was a workstation with 2 drives, C: and E:.  I can't see anything in the event logs that indicates a system change.  I thought maybe the OS would see a system change upon boot after the drive was removed and log that change.

Thanks
0
 
LVL 32

Expert Comment

by:Luc Franken
ID: 10890490
At least not that I know of :(
0
 

Author Comment

by:mchristo63
ID: 10890509
Ok, well it was a thought.  Thanks
0
 
LVL 67

Assisted Solution

by:sirbounty
sirbounty earned 250 total points
ID: 10890604
Hmm- I'd say only if you had something writing to that disk...
Perhaps an error would be generated writing to it...
Otherwise, I'd say click Start->Run->Devmgmt.msc
Click View/Show hidden
If there's a transparent icon underneath Disk Drives, then there probably 'was' a drive installed at some point, that is no longer...
0

 

Author Comment

by:mchristo63
ID: 10890634
No, we know there was a drive, but now it's gone.  We are trying to determine when it was taken.  This happened during a period the user was on vacation.  When the user returned, they noticed the secondary drive was not displayed on the system anymore.  After further investigation, it was gone.  
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 10890664
Hmm- If the system was powered down the entire time, then there's no way to do it.
Some systems have an 'intrusion detection' ability if the case has been opened, but you'd have seen that by now, if that was your situation...
Sorry to say it. :(
0
 

Author Comment

by:mchristo63
ID: 10890705
Ok, Thanks
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 10893914
mchristo63 - are you all set here?
If so, can you please close this one out?
See: http:help.jsp#hs5
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 10921137
mchristo63 - what was the final outcome here?
0
 

Author Comment

by:mchristo63
ID: 10921155
There are no logs that the OS writes when a HD is removed.  It's in the hands of the authorities to figure out how the drive was taken.  Thanks
0
 
LVL 32

Expert Comment

by:Luc Franken
ID: 10921158
That it should have been a split at least... It's still a "No you can't do that" answer... too bad. All possibilities were checked IMO :(
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 10922125
I'd be inclined to agree.
mchristo63 - both LucF and I had a hand in directing you to this dead-end :)
Mind if I have this unaccepted so you can split the points between us?
0
 

Author Comment

by:mchristo63
ID: 10922149
That's fine.
0
