user access and recent activity

pma111 used Ask the Experts™
I need sort of a top level "what a user did" type report or clues on an XP machine. I.e. the last day the user logged on to their PC, what kind of apps they ran, what kind of files they accessed. Would this be achievable, and if so, on an XP machine, what areas would we look to?

I also need to know the last time a user logged on to a specific PC with a specific (domain) username, where could/may I find that? Would it be the last modified date on their entry in documents and settings?

It's nothing criminal so no need to worry about absolute procedures. May have guessed another user's password and used it to login, and then who knows what they'd do, look at their email, home drive, network drives etc. Any pointers welcome for a map of activity for that day...
Author

Commented:
So, if at all possible, for the day in question:

login time
apps used (times)
files accessed and locations (times)
logout/power off time

Is there any such tool that can do a daily usage report? Or would these be plucked from various locations?

It would be brilliant if any such log keeps these on the XP machine itself.
Quick-n-dirty...

Login time:  SECURITY event log

Apps used:  Export the contents of C:\Windows\Prefetch and load that folder into WinPrefetchView, a free app

Files accessed:  A little trickier and I'm on my way out the door right now. :-|

Logout time:  SECURITY event log
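The "apps used" step above relies on the Prefetch folder: each *.pf file on XP records the executable name, the last run time, a run counter and the list of files the loader touched in the first seconds of that program's life, which is what WinPrefetchView displays. The following parser is an added example (not from this thread or from WinPrefetchView); the offsets follow the publicly documented XP (format version 17) layout, and the three .pf files it reads are constructed in memory as sample data. The profile path, user name and timestamps are made up for the illustration.

```python
"""Parse Windows XP Prefetch (*.pf, format version 17) files to recover which
executable a trace belongs to, when it last ran, how often, and which files it
loaded. Offsets follow the publicly documented XP layout (libscca / ForensicsWiki);
the .pf bytes used below are constructed sample data, not real captures."""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
HEADER_SIZE = 84         # fixed header shared by all prefetch versions
FILEINFO_V17_SIZE = 68   # version-17 (XP/2003) file information block


def filetime_to_datetime(ft):
    """FILETIME = 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_prefetch_v17(data):
    """Return a dict for one XP prefetch file; raise ValueError if it is not one."""
    if len(data) < HEADER_SIZE + FILEINFO_V17_SIZE:
        raise ValueError("too small to be a prefetch file")
    version, signature = struct.unpack_from("<I4s", data, 0)
    if signature != b"SCCA":
        raise ValueError("SCCA signature missing")
    if version != 17:
        raise ValueError(f"format version {version} is not the XP layout (17)")
    # Executable name: UTF-16LE, NUL-terminated, fixed 60-byte field at offset 16.
    exe_name = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    prefetch_hash = struct.unpack_from("<I", data, 76)[0]
    # File information block immediately follows the header; fields 4 and 5
    # locate the filename strings section, last run time sits at +36, run count at +60.
    info = struct.unpack_from("<9I", data, HEADER_SIZE)
    names_off, names_size = info[4], info[5]
    last_run_ft = struct.unpack_from("<Q", data, HEADER_SIZE + 36)[0]
    run_count = struct.unpack_from("<I", data, HEADER_SIZE + 60)[0]
    if names_off + names_size > len(data):
        raise ValueError("filename strings section runs past end of file")
    # The strings section is a run of NUL-terminated UTF-16LE device paths.
    blob = data[names_off:names_off + names_size].decode("utf-16-le", errors="replace")
    return {
        "executable": exe_name,
        "hash": f"{prefetch_hash:08X}",
        "last_run": filetime_to_datetime(last_run_ft),
        "run_count": run_count,
        "filenames": [s for s in blob.split("\x00") if s],
    }


def build_sample_prefetch_v17(exe_name, last_run, run_count, filenames):
    """Construct a minimal but well-formed XP prefetch file (test data only)."""
    names_blob = "".join(n + "\x00" for n in filenames).encode("utf-16-le")
    names_off = HEADER_SIZE + FILEINFO_V17_SIZE
    total = names_off + len(names_blob)
    exe_field = exe_name.encode("utf-16-le").ljust(60, b"\x00")
    header = (struct.pack("<I4sII", 17, b"SCCA", 0x0F, total) + exe_field
              + struct.pack("<II", 0x1A2B3C4D, 0))          # hash value is made up
    fileinfo = (struct.pack("<9I", names_off, 0, names_off, 0, names_off, len(names_blob), total, 0, 0)
                + struct.pack("<Q", datetime_to_filetime(last_run)) + bytes(16)
                + struct.pack("<II", run_count, 0))
    return header + fileinfo + names_blob


def build_demo_records():
    """Three constructed .pf files standing in for an exported C:\\Windows\\Prefetch folder."""
    utc = timezone.utc
    samples = [
        ("OUTLOOK.EXE", datetime(2010, 3, 15, 8, 31, 5, tzinfo=utc), 42,
         ["\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\NTDLL.DLL",
          "\\DEVICE\\HARDDISKVOLUME1\\DOCUMENTS AND SETTINGS\\JOE\\LOCAL SETTINGS\\APPLICATION DATA\\MICROSOFT\\OUTLOOK\\OUTLOOK.OST"]),
        ("NOTEPAD.EXE", datetime(2010, 3, 15, 9, 12, 0, tzinfo=utc), 7,
         ["\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\NTDLL.DLL",
          "\\DEVICE\\HARDDISKVOLUME1\\DOCUMENTS AND SETTINGS\\JOE\\MY DOCUMENTS\\NOTES.TXT"]),
        ("CALC.EXE", datetime(2010, 3, 14, 16, 45, 30, tzinfo=utc), 3,
         ["\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\NTDLL.DLL"]),
    ]
    return [parse_prefetch_v17(build_sample_prefetch_v17(*s)) for s in samples]


def apps_run_on(records, day):
    """Executables whose recorded last run falls on `day` ("YYYY-MM-DD"), in time order."""
    hits = [r for r in records if r["last_run"].date().isoformat() == day]
    return sorted(hits, key=lambda r: r["last_run"])


def user_files_touched(records, username):
    """Paths under the given profile that any traced executable loaded."""
    needle = f"\\DOCUMENTS AND SETTINGS\\{username.upper()}\\"
    return sorted({f for r in records for f in r["filenames"] if needle in f})


if __name__ == "__main__":
    recs = build_demo_records()
    for r in apps_run_on(recs, "2010-03-15"):
        print(f'{r["last_run"]:%H:%M:%S}  {r["executable"]:<14} runs={r["run_count"]}')
    for path in user_files_touched(recs, "joe"):
        print("  touched:", path)
```

Two caveats worth keeping in mind when reading the output: XP keeps only the most recent run time per executable (later versions store several), so a program run on the day in question and again afterwards will not show up in the per-day view, and the file list is whatever was loaded during the first seconds of the program's start, not a full record of every document the user opened.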

Author

Commented:
Does the Security event log only audit local logins, though, not domain, or domain too? Any tips on limiting the Security log to just logins, i.e. IDs?

If you could share tips on the files-accessed audit when you are next free, that would be great...
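On the Security log question above: the workstation's own Security log records logons at that machine for any account, domain or local, provided "Audit logon events" is enabled in the local or domain policy. The pre-Vista event IDs relevant here are 528 (interactive logon), 540 (network logon), 538 (logoff) and 529 (failed logon, bad name or password). The script below is an added example, not something posted in this thread: it reads a CSV export of the log and reduces it to a per-user logon/logoff timeline. The column names are assumed to match Event Viewer's "Save as CSV" output (adjust them if your export differs), and the log rows are constructed sample data.

```python
"""Reduce a CSV export of the Windows XP Security event log to a per-user
logon/logoff timeline. Event IDs are the pre-Vista ones: 528 interactive
logon, 540 network logon, 538 logoff, 529 failed logon (bad name/password).
Column names are assumed to follow Event Viewer's "Save as CSV" layout; the
rows in SAMPLE_CSV are constructed sample data, not a real capture."""
import csv
import io
from datetime import datetime

LOGON_EVENTS = {528: "logon", 540: "network logon"}
LOGOFF_EVENTS = {538: "logoff"}
FAILURE_EVENTS = {529: "failed logon"}
WATCHED = set(LOGON_EVENTS) | set(LOGOFF_EVENTS) | set(FAILURE_EVENTS)

# Constructed export: one workstation, two domain accounts, one failed attempt.
# For 529 the User column shows SYSTEM; the attempted account name lives in the
# event description, which the CSV export does not carry.
SAMPLE_CSV = """Type,Date,Time,Source,Category,Event,User,Computer
Success Audit,3/15/2010,8:02:11 AM,Security,Logon/Logoff,528,CORP\\joe,PC01
Success Audit,3/15/2010,8:05:40 AM,Security,System Event,515,NT AUTHORITY\\SYSTEM,PC01
Failure Audit,3/15/2010,8:59:02 AM,Security,Logon/Logoff,529,NT AUTHORITY\\SYSTEM,PC01
Success Audit,3/15/2010,9:00:13 AM,Security,Logon/Logoff,528,CORP\\joe,PC01
Success Audit,3/15/2010,12:10:55 PM,Security,Logon/Logoff,538,CORP\\joe,PC01
Success Audit,3/15/2010,12:12:30 PM,Security,Logon/Logoff,528,CORP\\john,PC01
Success Audit,3/15/2010,5:31:07 PM,Security,Logon/Logoff,538,CORP\\john,PC01
"""


def parse_security_csv(text):
    """Keep only logon/logoff/failure events, parsed and sorted by time."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        event_id = int(row["Event"])
        if event_id not in WATCHED:
            continue
        when = datetime.strptime(f'{row["Date"]} {row["Time"]}', "%m/%d/%Y %I:%M:%S %p")
        rows.append({"time": when, "event": event_id,
                     "user": row["User"], "computer": row["Computer"]})
    rows.sort(key=lambda r: r["time"])
    return rows


def sessions_for(rows, user):
    """Pair each logon with the next logoff for `user`; end is None when no logoff was seen."""
    sessions, open_start = [], None
    for r in rows:
        if r["user"].lower() != user.lower():
            continue
        if r["event"] in LOGON_EVENTS:
            if open_start is not None:
                # Logon while a session was still open: power-off, crash or an auditing gap.
                sessions.append((open_start, None))
            open_start = r["time"]
        elif r["event"] in LOGOFF_EVENTS and open_start is not None:
            sessions.append((open_start, r["time"]))
            open_start = None
    if open_start is not None:
        sessions.append((open_start, None))
    return sessions


def users_seen_on(rows, day):
    """Accounts with a successful logon on `day` ("YYYY-MM-DD")."""
    return sorted({r["user"] for r in rows
                   if r["event"] in LOGON_EVENTS and r["time"].date().isoformat() == day})


def failed_logons(rows):
    return [r for r in rows if r["event"] in FAILURE_EVENTS]


if __name__ == "__main__":
    rows = parse_security_csv(SAMPLE_CSV)
    for user in users_seen_on(rows, "2010-03-15"):
        for start, end in sessions_for(rows, user):
            print(f"{user:<12} {start:%H:%M:%S} -> {end:%H:%M:%S}" if end else
                  f"{user:<12} {start:%H:%M:%S} -> (no logoff recorded)")
    for r in failed_logons(rows):
        print(f"failed logon at {r['time']:%H:%M:%S} on {r['computer']}")
```

Run against the constructed rows, this shows joe with one session that never records a logoff and one clean 09:00 to 12:10 session, john from 12:12 to 17:31, and a failed attempt at 08:59 just before joe's second logon. Whether that failed attempt was joe mistyping or someone else guessing is exactly what the event description and the surrounding artefacts (Prefetch, recent documents) are needed to decide.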

Author

Commented:
I’d also be VERY interested to see what your overall methodology and thought process would be in such a scenario. I.e. your manager has some suspicion either shared logins are in operation, or someone’s guessed another user's password; if your manager says "on that PC I think john has logged in as joe, on this date, can you come up with some form of user activity on that PC?" Aside from which files were accessed and which apps were run, what other areas would you look for/at to get a fuller picture of what they may or may not have done?

A bit off-topic, but for the various types of case you get in, have you got internal methodologies your guys adhere to to identify evidence? I.e. you've got an inappropriate image/video case, follow this process to identify evidence...

Author

Commented:
Any views?

Cheers
btan, Exec Consultant
Distinguished Expert 2018

Commented:

Author

Commented:
As a general rule, have you found managers or HR/personnel sections to be a bit deluded when it comes to what forensics can produce? They seem to forget that unless audit logs, i.e. *.evt, are enabled, the likelihood of a full picture is far less. I just think some managers seem to have a deluded idea of what forensics can unearth where audit logs aren't enabled.
btan, Exec Consultant
Distinguished Expert 2018
Commented:
Agreed, the settings for turning these on are authorised by security mgmt and pushed down operationally to execute it correctly. There will be audit checks. All has to work to benefit from it. We can never know or be wary of insider abuse or inadvertent acts due to migration or upgrade done. But having said that, minimally audit logs should be enabled where applicable from OS to appl level to ensure comprehensive capture; the traces from forensics are just a value act to counter anti-forensic means, though the former measures are not totally foolproof as well. It is always working based on best practice, policy enforcement and consistent monitoring to ensure compliance check ....compliance is just a good outcome from security :)
