Solved

review or track computer activity

Posted on 2013-12-13
6
505 Views
Last Modified: 2013-12-16
How Do I see who has accessed a computer system and what operations he or she has performed during a given period of time? Is  Audit trails an option to show all record changes,modifications,deletions,creation,with time/date and person who made changes stored as part of their desktop daily activities (From past to Present discovery). Can anyone direct me to case studies or solution of such regarding audit trails?
0
Comment
Question by:tomfontanilla
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 5

Expert Comment

by:tercex11
ID: 39716765
You can keep tabs on which files employees open -- or even failed attempts to access files --by using the audit policy feature that's built into Windows.

Here is a link that may provide some good information for you.

http://blog.windowsnt.lv/2011/11/15/tracking-user-activity-english/
0
 

Author Comment

by:tomfontanilla
ID: 39716826
how about past activities, since the user no longer employed?
0
 
LVL 5

Expert Comment

by:tercex11
ID: 39716862
No, unfortunately auditing will only work for future events.

You could look at things like the last person to view or save a specific file by looking at the details tab of that file under properties, that may give you some of the information you are looking for.

There is not much that can easily be done about past events short of using some type of forensics software, which takes expertise and is expensive.  

You may want to turn on auditing so you can view future events.
0
What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

 
LVL 6

Accepted Solution

by:
Biniek earned 500 total points
ID: 39719659
Hi,

This is forensics :)

If You have not enabled auditing, you can search user activities in "Windows forensics artifacts".

Windows Registry is very helpful and store some important information about user activity.

Please start from this document, it is very good"

https://blogs.sans.org/computer-forensics/files/2012/06/SANS-Digital-Forensics-and-Incident-Response-Poster-2012.pdf

And next study windows artifacts and search your computer, You should remember that You should use bit-copy of evidence disk - never search data in original disk.

Some introductions to Windows Artifacts:


http://www.forensicfocus.com/a-forensic-analysis-of-the-windows-registry

http://resources.infosecinstitute.com/windows-systems-and-artifacts-in-digital-forensics-part-i-registry/
http://resources.infosecinstitute.com/windows-systems-and-artifacts-in-digital-forensics-part-ii/
....

http://computer-forensics.sans.org/blog/2009/10/27/windows-7-computer-forensics/
http://computer-forensics.sans.org/blog/2011/07/05/shellbags
http://windowsir.blogspot.com/2012/09/network-artifacts-found-in-registry.html
0
 
LVL 63

Expert Comment

by:btan
ID: 39719915
Specific to OS or target host environment, the audit trail can be enable in many categories and in the case for Windows, it consist mainly of Account logon events, Account management,Directory service access, Logon events, Object access, Policy change, Privilege use, Process tracking and System events

http://www.windowsecurity.com/articles-tutorials/windows_os_security/Understanding_Windows_Logging.html

But note that it can be noisy and not many see that positively. Also the key is what is the actionable intelligence gained from these logs, e.g.
-is it to find out anomalies (known/unknown abuses and threat emergence),
-is it to find out from specific application on the use of it (web apps, db apps, eServices),
-is it part of user monitoring (user acceptance, IP/data leakage)
-is it to churn out audit compliance checks for reporting (FISMA, HIPPA, PCI-DSS etc),
-is it part of log collection to central SIEMS for further correlation of events (incident handling)
-etc ...

e.g. FISMA logging - http://www.infosecisland.com/blogview/12930-Detailed-FISMA-Logging-Guidance.html

There need to be objective what, when and why the audit trail is needed. Only then the whole scheme of discussion will be fruitful. Ask yourself the eventual outcome you wanted to get off those trails and you can be more targeted in your search for further advices..

See this from NIST on audit trails (can be good as start to define your needs and good to have) @ http://csrc.nist.gov/publications/nistbul/itl97-03.txt

Audit trails involve many costs.  First, some system overhead is incurred
recording the audit trail.  Additional system overhead will be incurred
storing and processing the records.  The more detailed the records, the
more overhead is required.  Another cost involves human and machine time
required to do the analysis.  This can be minimized by using tools to
perform most of the analysis.  Many simple analyzers can be constructed
quickly (and cheaply) from system utilities, but they are limited to audit
reduction and identifying particularly sensitive events.  More complex
tools that identify trends or sequences of events are slowly becoming
available as off-the-shelf software.  (If complex tools are not available
for a system, development may be prohibitively expensive.  Some intrusion
detection systems, for example, have taken years to develop.)

The final cost of audit trails is the cost of investigating anomalous
events.  If the system is identifying too many events as suspicious,
administrators may spend undue time reconstructing events and questioning
personnel.
0
 

Author Closing Comment

by:tomfontanilla
ID: 39722024
Great response.
0

Featured Post

Portable, direct connect server access

The ATEN CV211 connects a laptop directly to any server allowing you instant access to perform data maintenance and local operations, for quick troubleshooting, updating, service and repair.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

If you are looking at this article, you have most likely been hit by some version of ransomware and are trying to find out if there is anything you can do, or what way you should react - READ ON!
This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/s…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question