Solved

review or track computer activity

Posted on 2013-12-13
6
467 Views
Last Modified: 2013-12-16
How Do I see who has accessed a computer system and what operations he or she has performed during a given period of time? Is  Audit trails an option to show all record changes,modifications,deletions,creation,with time/date and person who made changes stored as part of their desktop daily activities (From past to Present discovery). Can anyone direct me to case studies or solution of such regarding audit trails?
0
Comment
Question by:tomfontanilla
6 Comments
 
LVL 5

Expert Comment

by:tercex11
ID: 39716765
You can keep tabs on which files employees open -- or even failed attempts to access files --by using the audit policy feature that's built into Windows.

Here is a link that may provide some good information for you.

http://blog.windowsnt.lv/2011/11/15/tracking-user-activity-english/
0
 

Author Comment

by:tomfontanilla
ID: 39716826
how about past activities, since the user no longer employed?
0
 
LVL 5

Expert Comment

by:tercex11
ID: 39716862
No, unfortunately auditing will only work for future events.

You could look at things like the last person to view or save a specific file by looking at the details tab of that file under properties, that may give you some of the information you are looking for.

There is not much that can easily be done about past events short of using some type of forensics software, which takes expertise and is expensive.  

You may want to turn on auditing so you can view future events.
0
VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

 
LVL 6

Accepted Solution

by:
Biniek earned 500 total points
ID: 39719659
Hi,

This is forensics :)

If You have not enabled auditing, you can search user activities in "Windows forensics artifacts".

Windows Registry is very helpful and store some important information about user activity.

Please start from this document, it is very good"

https://blogs.sans.org/computer-forensics/files/2012/06/SANS-Digital-Forensics-and-Incident-Response-Poster-2012.pdf

And next study windows artifacts and search your computer, You should remember that You should use bit-copy of evidence disk - never search data in original disk.

Some introductions to Windows Artifacts:


http://www.forensicfocus.com/a-forensic-analysis-of-the-windows-registry

http://resources.infosecinstitute.com/windows-systems-and-artifacts-in-digital-forensics-part-i-registry/
http://resources.infosecinstitute.com/windows-systems-and-artifacts-in-digital-forensics-part-ii/
....

http://computer-forensics.sans.org/blog/2009/10/27/windows-7-computer-forensics/
http://computer-forensics.sans.org/blog/2011/07/05/shellbags
http://windowsir.blogspot.com/2012/09/network-artifacts-found-in-registry.html
0
 
LVL 62

Expert Comment

by:btan
ID: 39719915
Specific to OS or target host environment, the audit trail can be enable in many categories and in the case for Windows, it consist mainly of Account logon events, Account management,Directory service access, Logon events, Object access, Policy change, Privilege use, Process tracking and System events

http://www.windowsecurity.com/articles-tutorials/windows_os_security/Understanding_Windows_Logging.html

But note that it can be noisy and not many see that positively. Also the key is what is the actionable intelligence gained from these logs, e.g.
-is it to find out anomalies (known/unknown abuses and threat emergence),
-is it to find out from specific application on the use of it (web apps, db apps, eServices),
-is it part of user monitoring (user acceptance, IP/data leakage)
-is it to churn out audit compliance checks for reporting (FISMA, HIPPA, PCI-DSS etc),
-is it part of log collection to central SIEMS for further correlation of events (incident handling)
-etc ...

e.g. FISMA logging - http://www.infosecisland.com/blogview/12930-Detailed-FISMA-Logging-Guidance.html

There need to be objective what, when and why the audit trail is needed. Only then the whole scheme of discussion will be fruitful. Ask yourself the eventual outcome you wanted to get off those trails and you can be more targeted in your search for further advices..

See this from NIST on audit trails (can be good as start to define your needs and good to have) @ http://csrc.nist.gov/publications/nistbul/itl97-03.txt

Audit trails involve many costs.  First, some system overhead is incurred
recording the audit trail.  Additional system overhead will be incurred
storing and processing the records.  The more detailed the records, the
more overhead is required.  Another cost involves human and machine time
required to do the analysis.  This can be minimized by using tools to
perform most of the analysis.  Many simple analyzers can be constructed
quickly (and cheaply) from system utilities, but they are limited to audit
reduction and identifying particularly sensitive events.  More complex
tools that identify trends or sequences of events are slowly becoming
available as off-the-shelf software.  (If complex tools are not available
for a system, development may be prohibitively expensive.  Some intrusion
detection systems, for example, have taken years to develop.)

The final cost of audit trails is the cost of investigating anomalous
events.  If the system is identifying too many events as suspicious,
administrators may spend undue time reconstructing events and questioning
personnel.
0
 

Author Closing Comment

by:tomfontanilla
ID: 39722024
Great response.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

As technology users and professionals, we’re always learning. Our universal interest in advancing our knowledge of the trade is unmatched by most industries. It’s a curiosity that makes sense, given the climate of change. Within that, there lies a…
One of the biggest threats in the cyber realm pertains to advanced persistent threats (APTs). This paper is a compare and contrast of Russian and Chinese APT's.
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question