• Status: Solved
• Priority: Medium
• Security: Public

Review or track computer activity

How do I see who has accessed a computer system and what operations he or she has performed during a given period of time? Are audit trails an option to show all record changes, modifications, deletions and creations, with time/date and the person who made the changes, stored as part of their daily desktop activities (from past to present discovery)? Can anyone direct me to case studies or solutions regarding audit trails?
Asked by tomfontanilla

1 Solution
tercex11 commented:
You can keep tabs on which files employees open -- or even failed attempts to access files -- by using the audit policy feature that's built into Windows.

Here is a link that may provide some good information for you.

http://blog.windowsnt.lv/2011/11/15/tracking-user-activity-english/
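
The procedure tercex11 describes, as an added example that is not part of the original thread: enable the File System audit subcategory, put an audit ACE on the folder of interest, and read the resulting events back. The folder path and the 'Authenticated Users' principal are assumptions; substitute your own.

```powershell
# Added example (not from the original thread): enable file-access auditing for one folder
# and read back the resulting Security events. Run from an elevated PowerShell prompt.
# $Folder and the 'Authenticated Users' principal are assumptions; substitute your own.

$Folder = 'C:\Shares\Finance'   # assumption: the directory whose use you want to track

# 1. Turn on the Object Access > File System subcategory for success and failure.
#    Setting the subcategory with auditpol is far less noisy than enabling the whole
#    legacy "Audit object access" category, which also logs registry, SAM and kernel objects.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. Put a SACL on the folder. The policy alone produces nothing: Windows only emits
#    object-access events for objects that carry an audit ACE.
$acl    = Get-Acl -Path $Folder -Audit
$rights = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles'
$rule   = [System.Security.AccessControl.FileSystemAuditRule]::new(
              'Authenticated Users', $rights,
              [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
              [System.Security.AccessControl.PropagationFlags]::None,
              [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 3. Read the events back. 4663 = an object was accessed (success); 4656 = a handle was
#    requested, which is the event you get for a denied attempt once failure auditing is on.
#    Deletions appear as 4663 with the DELETE bit (0x10000) in AccessMask, followed by 4660.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4656, 4663
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue

$events | ForEach-Object {
    # Pull the named fields out of the event XML rather than regex-scraping Message.
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time    = $_.TimeCreated
        EventId = $_.Id
        Outcome = if ($_.KeywordsDisplayNames -contains 'Audit Failure') { 'FAIL' } else { 'ok' }
        User    = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        Object  = $d['ObjectName']
        Access  = $d['AccessMask']
        Process = $d['ProcessName']
    }
} | Where-Object { $_.Object -like "$Folder*" } | Sort-Object Time | Format-Table -AutoSize
```

Both halves are required: the auditpol setting without a SACL logs nothing for the folder, and a SACL without the subcategory enabled is silently ignored. Keep the SACL narrow (one share, the rights you care about); auditing ReadData on a busy volume produces a 4663 for every file open and will wrap the Security log within hours.
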
tomfontanilla (Author) commented:
How about past activities, since the user is no longer employed?

tercex11 commented:
No, unfortunately auditing will only work for future events.

You could look at things like the last person to view or save a specific file by looking at the details tab of that file under properties, that may give you some of the information you are looking for.

There is not much that can easily be done about past events short of using some type of forensics software, which takes expertise and is expensive.

You may want to turn on auditing so you can view future events.

Biniek commented:
Hi,

This is forensics :)

If you have not enabled auditing, you can search for user activity in Windows forensic artifacts.

The Windows Registry is very helpful and stores some important information about user activity.

Please start from this document; it is very good:

https://blogs.sans.org/computer-forensics/files/2012/06/SANS-Digital-Forensics-and-Incident-Response-Poster-2012.pdf

And next, study Windows artifacts and search your computer. You should remember that you should use a bit-copy of the evidence disk; never search data on the original disk.

Some introductions to Windows Artifacts:
http://www.forensicfocus.com/a-forensic-analysis-of-the-windows-registry

http://resources.infosecinstitute.com/windows-systems-and-artifacts-in-digital-forensics-part-i-registry/
http://resources.infosecinstitute.com/windows-systems-and-artifacts-in-digital-forensics-part-ii/
....

http://computer-forensics.sans.org/blog/2009/10/27/windows-7-computer-forensics/
http://computer-forensics.sans.org/blog/2011/07/05/shellbags
http://windowsir.blogspot.com/2012/09/network-artifacts-found-in-registry.html
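
One of the registry artifacts Biniek refers to, worked through as an added example that is not part of the original thread: the UserAssist key records which programs a user launched through Explorer, how many times, and when they last ran, and it lives in that user's NTUSER.DAT, so it is available for a departed user whether or not auditing was ever on. The hive path and mount name are assumptions; the hive should be a copy taken from your image of the disk, as the post says, not the live profile.

```powershell
# Added example (not from the original thread): decode the UserAssist artifact from a COPY of a
# user's NTUSER.DAT. Needs neither auditing nor the user being logged on.
# $HiveCopy is an assumption: copy NTUSER.DAT out of your disk image, never work on the original.
# Run from an elevated prompt (reg load needs backup/restore privileges).

$HiveCopy = 'D:\evidence\jdoe\NTUSER.DAT'
$MountKey = 'EvidenceHive'

function ConvertFrom-Rot13 {
    # UserAssist value names are ROT13-obfuscated program paths.
    param([string]$Text)
    -join ($Text.ToCharArray() | ForEach-Object {
        $c = [int]$_
        if     ($c -ge 65 -and $c -le 90)  { [char](($c - 65 + 13) % 26 + 65) }
        elseif ($c -ge 97 -and $c -le 122) { [char](($c - 97 + 13) % 26 + 97) }
        else   { $_ }
    })
}

function Get-UserAssist {
    param([string]$HiveRoot)
    $base = "Registry::HKEY_USERS\$HiveRoot\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist"
    # One GUID subkey per entry type (executables, shortcuts, ...); each holds a Count key.
    foreach ($guidKey in Get-ChildItem -Path $base -ErrorAction Stop) {
        $count = Get-Item -LiteralPath "$($guidKey.PSPath)\Count" -ErrorAction SilentlyContinue
        if (-not $count) { continue }
        foreach ($name in $count.GetValueNames()) {
            $data = [byte[]]$count.GetValue($name)
            $runs = $null
            switch ($data.Length) {
                # Windows 7 and later: 72-byte record, run count at offset 4,
                # last-execution FILETIME (UTC) at offset 60.
                72 { $runs = [BitConverter]::ToUInt32($data, 4); $ft = [BitConverter]::ToInt64($data, 60) }
                # Windows XP/2003: 16-byte record, run count at offset 4 stored with a +5 bias,
                # FILETIME at offset 8.
                16 { $runs = [BitConverter]::ToUInt32($data, 4) - 5; $ft = [BitConverter]::ToInt64($data, 8) }
            }
            if ($null -eq $runs) { continue }   # unknown layout: skip rather than misreport
            [pscustomobject]@{
                Program    = ConvertFrom-Rot13 $name
                RunCount   = $runs
                LastRunUtc = if ($ft -gt 0) { [DateTime]::FromFileTimeUtc($ft) } else { $null }
                Source     = $guidKey.PSChildName
            }
        }
    }
}

reg load "HKU\$MountKey" $HiveCopy | Out-Null
try {
    Get-UserAssist -HiveRoot $MountKey |
        Where-Object { $_.LastRunUtc } |
        Sort-Object LastRunUtc -Descending |
        Format-Table LastRunUtc, RunCount, Program -AutoSize
}
finally {
    [gc]::Collect()                          # release registry handles so the unload succeeds
    reg unload "HKU\$MountKey" | Out-Null
}
```

The timestamps are UTC and come from the user's own machine clock, so note the system's time zone and any clock skew before building a timeline. Reading the hive through reg load does not write to the copy's contents, but the copy's own access time will change; that is why the work happens on the copy and the image is hashed before and after.
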
btan (Exec Consultant) commented:
Specific to the OS or target host environment, the audit trail can be enabled in many categories; in the case of Windows, it consists mainly of Account logon events, Account management, Directory service access, Logon events, Object access, Policy change, Privilege use, Process tracking and System events.

http://www.windowsecurity.com/articles-tutorials/windows_os_security/Understanding_Windows_Logging.html

But note that it can be noisy, and not many see that positively. Also, the key is what actionable intelligence is gained from these logs, e.g.:
- is it to find out anomalies (known/unknown abuses and threat emergence),
- is it to find out about the use of a specific application (web apps, db apps, eServices),
- is it part of user monitoring (user acceptance, IP/data leakage),
- is it to churn out audit compliance checks for reporting (FISMA, HIPAA, PCI-DSS etc.),
- is it part of log collection to central SIEMs for further correlation of events (incident handling),
- etc ...

e.g. FISMA logging - http://www.infosecisland.com/blogview/12930-Detailed-FISMA-Logging-Guidance.html

There needs to be an objective for what, when and why the audit trail is needed. Only then will the whole discussion be fruitful. Ask yourself what eventual outcome you want to get from those trails, and you can be more targeted in your search for further advice.

See this from NIST on audit trails (a good starting point to define your needs and what is good to have) @ http://csrc.nist.gov/publications/nistbul/itl97-03.txt

Audit trails involve many costs. First, some system overhead is incurred recording the audit trail. Additional system overhead will be incurred storing and processing the records. The more detailed the records, the more overhead is required. Another cost involves human and machine time required to do the analysis. This can be minimized by using tools to perform most of the analysis. Many simple analyzers can be constructed quickly (and cheaply) from system utilities, but they are limited to audit reduction and identifying particularly sensitive events. More complex tools that identify trends or sequences of events are slowly becoming available as off-the-shelf software. (If complex tools are not available for a system, development may be prohibitively expensive. Some intrusion detection systems, for example, have taken years to develop.)

The final cost of audit trails is the cost of investigating anomalous events. If the system is identifying too many events as suspicious, administrators may spend undue time reconstructing events and questioning personnel.

tomfontanilla (Author) commented:
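
The noise and analysis cost btan and the NIST bulletin describe can be measured rather than guessed, as an added example that is not part of the original thread: dump the current audit policy, rank the Security log by event ID with the subcategory responsible, and check whether the log retains events long enough to be reviewed at all. The 24-hour window and the top-15 cut are assumptions.

```powershell
# Added example (not from the original thread): measure how noisy the current audit policy is
# before deciding what to collect and forward. The 24-hour window and top-15 cut are assumptions.
# Run from an elevated prompt; the Security log is not readable by standard users.

auditpol /get /category:*    # current Success/Failure setting for every category and subcategory

$hours  = 24
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    StartTime = (Get-Date).AddHours(-$hours)
} -ErrorAction SilentlyContinue

# Rank event IDs by volume. TaskDisplayName maps each ID back to the subcategory that produced
# it, so you can see which auditpol switch is responsible for the bulk of the log.
$events | Group-Object Id | Sort-Object Count -Descending | Select-Object -First 15 | ForEach-Object {
    [pscustomobject]@{
        EventId     = [int]$_.Name
        Count       = $_.Count
        PerHour     = [math]::Round($_.Count / $hours, 1)
        Subcategory = $_.Group[0].TaskDisplayName
        Sample      = ($_.Group[0].Message -split "`r?`n")[0]
    }
} | Format-Table -AutoSize

# Retention is the other half of the cost: if the log wraps before anyone reads or forwards it,
# those events are as unavailable as if auditing had never been enabled.
Get-WinEvent -ListLog Security | Select-Object LogName, RecordCount, MaximumSizeInBytes, LogMode
```

Typical output on a domain member is dominated by 4624/4634 logon and logoff and 4672 special-privilege events, none of which answer the original question about who changed which files. Turning off or filtering the subcategories at the top of that table, raising MaximumSizeInBytes, and forwarding the remainder to a central collector is what turns a raw audit trail into something that can actually be investigated.
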
Great response.