Solved

review or track computer activity

Posted on 2013-12-13
6
437 Views
Last Modified: 2013-12-16
How Do I see who has accessed a computer system and what operations he or she has performed during a given period of time? Is  Audit trails an option to show all record changes,modifications,deletions,creation,with time/date and person who made changes stored as part of their desktop daily activities (From past to Present discovery). Can anyone direct me to case studies or solution of such regarding audit trails?
0
Comment
Question by:tomfontanilla
6 Comments
 
LVL 5

Expert Comment

by:tercex11
ID: 39716765
You can keep tabs on which files employees open -- or even failed attempts to access files --by using the audit policy feature that's built into Windows.

Here is a link that may provide some good information for you.

http://blog.windowsnt.lv/2011/11/15/tracking-user-activity-english/
0
 

Author Comment

by:tomfontanilla
ID: 39716826
how about past activities, since the user no longer employed?
0
 
LVL 5

Expert Comment

by:tercex11
ID: 39716862
No, unfortunately auditing will only work for future events.

You could look at things like the last person to view or save a specific file by looking at the details tab of that file under properties, that may give you some of the information you are looking for.

There is not much that can easily be done about past events short of using some type of forensics software, which takes expertise and is expensive.  

You may want to turn on auditing so you can view future events.
0
VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

 
LVL 6

Accepted Solution

by:
Biniek earned 500 total points
ID: 39719659
Hi,

This is forensics :)

If You have not enabled auditing, you can search user activities in "Windows forensics artifacts".

Windows Registry is very helpful and store some important information about user activity.

Please start from this document, it is very good"

https://blogs.sans.org/computer-forensics/files/2012/06/SANS-Digital-Forensics-and-Incident-Response-Poster-2012.pdf

And next study windows artifacts and search your computer, You should remember that You should use bit-copy of evidence disk - never search data in original disk.

Some introductions to Windows Artifacts:


http://www.forensicfocus.com/a-forensic-analysis-of-the-windows-registry

http://resources.infosecinstitute.com/windows-systems-and-artifacts-in-digital-forensics-part-i-registry/
http://resources.infosecinstitute.com/windows-systems-and-artifacts-in-digital-forensics-part-ii/
....

http://computer-forensics.sans.org/blog/2009/10/27/windows-7-computer-forensics/
http://computer-forensics.sans.org/blog/2011/07/05/shellbags
http://windowsir.blogspot.com/2012/09/network-artifacts-found-in-registry.html
0
 
LVL 61

Expert Comment

by:btan
ID: 39719915
Specific to OS or target host environment, the audit trail can be enable in many categories and in the case for Windows, it consist mainly of Account logon events, Account management,Directory service access, Logon events, Object access, Policy change, Privilege use, Process tracking and System events

http://www.windowsecurity.com/articles-tutorials/windows_os_security/Understanding_Windows_Logging.html

But note that it can be noisy and not many see that positively. Also the key is what is the actionable intelligence gained from these logs, e.g.
-is it to find out anomalies (known/unknown abuses and threat emergence),
-is it to find out from specific application on the use of it (web apps, db apps, eServices),
-is it part of user monitoring (user acceptance, IP/data leakage)
-is it to churn out audit compliance checks for reporting (FISMA, HIPPA, PCI-DSS etc),
-is it part of log collection to central SIEMS for further correlation of events (incident handling)
-etc ...

e.g. FISMA logging - http://www.infosecisland.com/blogview/12930-Detailed-FISMA-Logging-Guidance.html

There need to be objective what, when and why the audit trail is needed. Only then the whole scheme of discussion will be fruitful. Ask yourself the eventual outcome you wanted to get off those trails and you can be more targeted in your search for further advices..

See this from NIST on audit trails (can be good as start to define your needs and good to have) @ http://csrc.nist.gov/publications/nistbul/itl97-03.txt

Audit trails involve many costs.  First, some system overhead is incurred
recording the audit trail.  Additional system overhead will be incurred
storing and processing the records.  The more detailed the records, the
more overhead is required.  Another cost involves human and machine time
required to do the analysis.  This can be minimized by using tools to
perform most of the analysis.  Many simple analyzers can be constructed
quickly (and cheaply) from system utilities, but they are limited to audit
reduction and identifying particularly sensitive events.  More complex
tools that identify trends or sequences of events are slowly becoming
available as off-the-shelf software.  (If complex tools are not available
for a system, development may be prohibitively expensive.  Some intrusion
detection systems, for example, have taken years to develop.)

The final cost of audit trails is the cost of investigating anomalous
events.  If the system is identifying too many events as suspicious,
administrators may spend undue time reconstructing events and questioning
personnel.
0
 

Author Closing Comment

by:tomfontanilla
ID: 39722024
Great response.
0

Featured Post

Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

Join & Write a Comment

Ransomware continues to be a growing problem for both personal and business users alike and Antivirus companies are still struggling to find a reliable way to protect you from this dangerous threat.
It’s a strangely common occurrence that when you send someone their login details for a system, they can’t get in. This article will help you understand why it happens, and what you can do about it.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now