Solved

review or track computer activity

Posted on 2013-12-13
480 Views
Last Modified: 2013-12-16
How do I see who has accessed a computer system and what operations he or she has performed during a given period of time? Are audit trails an option to show all record changes, modifications, deletions and creations, with time/date and the person who made the changes, stored as part of their daily desktop activities (from past to present discovery)? Can anyone direct me to case studies or solutions regarding audit trails?
Question by: tomfontanilla
6 Comments
 
LVL 5

Expert Comment

by: tercex11
ID: 39716765
You can keep tabs on which files employees open, or even failed attempts to access files, by using the audit policy feature that's built into Windows.

Here is a link that may provide some good information for you.

http://blog.windowsnt.lv/2011/11/15/tracking-user-activity-english/
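The audit-policy approach in the comment above, as an added example that is not part of the original thread: once "Audit object access" (Audit File System) is enabled and a SACL is set on the folder of interest, Windows writes Event ID 4663 ("An attempt was made to access an object") to the Security log, and this script turns such records into the per-user, per-period timeline the question asks for. The field names and access-mask bits follow the 4663 event schema and the Win32 file access rights; the event records themselves are constructed sample data, and in practice they would be exported from the Security log (for example with Get-WinEvent).

```python
"""Per-user file-activity timeline from Windows Security log (Event ID 4663).

Hypothetical example: SAMPLE_EVENTS below is CONSTRUCTED to mirror the data
fields of 4663 records; it is not real log data.
"""
from datetime import datetime

# Subset of Win32 file access-right bits reported in the 4663 AccessMask field.
ACCESS_BITS = {
    0x1: "ReadData",
    0x2: "WriteData",
    0x4: "AppendData",
    0x10000: "Delete",
}

# Constructed sample records (a 4624 logon event is included to show filtering).
SAMPLE_EVENTS = [
    {"TimeCreated": "2013-12-10T09:02:11", "EventID": 4663,
     "SubjectUserName": "jdoe", "ObjectName": r"D:\Finance\Q4.xlsx", "AccessMask": "0x1"},
    {"TimeCreated": "2013-12-10T09:05:40", "EventID": 4663,
     "SubjectUserName": "jdoe", "ObjectName": r"D:\Finance\Q4.xlsx", "AccessMask": "0x2"},
    {"TimeCreated": "2013-12-11T17:48:03", "EventID": 4663,
     "SubjectUserName": "jdoe", "ObjectName": r"D:\Finance\Q4.xlsx", "AccessMask": "0x10000"},
    {"TimeCreated": "2013-12-11T08:15:00", "EventID": 4663,
     "SubjectUserName": "asmith", "ObjectName": r"D:\HR\salaries.docx", "AccessMask": "0x1"},
    {"TimeCreated": "2013-12-12T10:00:00", "EventID": 4624,
     "SubjectUserName": "jdoe", "ObjectName": "", "AccessMask": ""},
]

def decode_mask(mask_hex):
    """Translate a hex AccessMask string into readable access-right names."""
    mask = int(mask_hex, 16)
    names = [name for bit, name in ACCESS_BITS.items() if mask & bit]
    return names or ["Other(0x%x)" % mask]

def user_timeline(events, user, start, end):
    """Return sorted (time, file, [accesses]) for one user's 4663 events in [start, end]."""
    lo, hi = datetime.fromisoformat(start), datetime.fromisoformat(end)
    rows = []
    for ev in events:
        if ev["EventID"] != 4663 or ev["SubjectUserName"] != user:
            continue  # skip other users and non-object-access events
        ts = datetime.fromisoformat(ev["TimeCreated"])
        if lo <= ts <= hi:
            rows.append((ts, ev["ObjectName"], decode_mask(ev["AccessMask"])))
    return sorted(rows)

if __name__ == "__main__":
    for ts, path, access in user_timeline(SAMPLE_EVENTS, "jdoe",
                                          "2013-12-10T00:00:00", "2013-12-11T23:59:59"):
        print(ts.isoformat(), path, ",".join(access))
```

Note that 4663 only appears for files whose SACL requests auditing, so the policy and the SACL must both be in place before the period you want to review.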
 

Author Comment

by: tomfontanilla
ID: 39716826
How about past activities, since the user is no longer employed?
 
LVL 5

Expert Comment

by: tercex11
ID: 39716862
No, unfortunately auditing will only work for future events.

You could look at things like the last person to view or save a specific file by looking at the Details tab of that file under Properties; that may give you some of the information you are looking for.

There is not much that can easily be done about past events short of using some type of forensics software, which takes expertise and is expensive.

You may want to turn on auditing so you can view future events.

 
LVL 6

Accepted Solution

by: Biniek (earned 500 total points)
ID: 39719659
Hi,

This is forensics :)

If you have not enabled auditing, you can search for user activities in "Windows forensics artifacts".

The Windows Registry is very helpful and stores some important information about user activity.

Please start from this document; it is very good:

https://blogs.sans.org/computer-forensics/files/2012/06/SANS-Digital-Forensics-and-Incident-Response-Poster-2012.pdf

And next, study Windows artifacts and search your computer. You should remember to use a bit-copy of the evidence disk; never search data on the original disk.

Some introductions to Windows Artifacts:


http://www.forensicfocus.com/a-forensic-analysis-of-the-windows-registry

http://resources.infosecinstitute.com/windows-systems-and-artifacts-in-digital-forensics-part-i-registry/
http://resources.infosecinstitute.com/windows-systems-and-artifacts-in-digital-forensics-part-ii/
....

http://computer-forensics.sans.org/blog/2009/10/27/windows-7-computer-forensics/
http://computer-forensics.sans.org/blog/2011/07/05/shellbags
http://windowsir.blogspot.com/2012/09/network-artifacts-found-in-registry.html
 
LVL 63

Expert Comment

by: btan
ID: 39719915
Specific to the OS or target host environment, the audit trail can be enabled in many categories; in the case of Windows, it consists mainly of Account logon events, Account management, Directory service access, Logon events, Object access, Policy change, Privilege use, Process tracking and System events.

http://www.windowsecurity.com/articles-tutorials/windows_os_security/Understanding_Windows_Logging.html

But note that it can be noisy and not many see that positively. Also, the key is what actionable intelligence is gained from these logs, e.g.:
- is it to find out anomalies (known/unknown abuses and threat emergence),
- is it to find out about the use of a specific application (web apps, DB apps, eServices),
- is it part of user monitoring (user acceptance, IP/data leakage),
- is it to churn out audit compliance checks for reporting (FISMA, HIPAA, PCI-DSS etc.),
- is it part of log collection to central SIEMs for further correlation of events (incident handling),
- etc.

E.g. FISMA logging: http://www.infosecisland.com/blogview/12930-Detailed-FISMA-Logging-Guidance.html

There needs to be an objective for what, when and why the audit trail is needed. Only then will the whole discussion be fruitful. Ask yourself the eventual outcome you want to get from those trails, and you can be more targeted in your search for further advice.

See this from NIST on audit trails (can be a good start to define your needs and good-to-haves) @ http://csrc.nist.gov/publications/nistbul/itl97-03.txt

Audit trails involve many costs. First, some system overhead is incurred recording the audit trail. Additional system overhead will be incurred storing and processing the records. The more detailed the records, the more overhead is required. Another cost involves human and machine time required to do the analysis. This can be minimized by using tools to perform most of the analysis. Many simple analyzers can be constructed quickly (and cheaply) from system utilities, but they are limited to audit reduction and identifying particularly sensitive events. More complex tools that identify trends or sequences of events are slowly becoming available as off-the-shelf software. (If complex tools are not available for a system, development may be prohibitively expensive. Some intrusion detection systems, for example, have taken years to develop.)

The final cost of audit trails is the cost of investigating anomalous events. If the system is identifying too many events as suspicious, administrators may spend undue time reconstructing events and questioning personnel.
 

Author Closing Comment

by: tomfontanilla
ID: 39722024
Great response.