When was a user last on my network?

Networking/Security Forums -> Computer Forensics and Incident Response

Author: jcochran Posted: Thu Jul 02, 2009 12:24 am    Post subject: When was a user last on my network?
    ----
I'm trying to assist in a current investigation. It goes like this:

User says he was working at "x" time and date.
Manager says he wasn't working at "x" time and date.

I have all of the security event logs for all of my DCs archived and a tool to report on them.

My question is, "what event IDs are the best to focus on, and how can I paint a user session with this information?"

Author: ryansutton Location: San Francisco, California Posted: Thu Jul 02, 2009 12:41 am    Post subject:
    ----
While not all-inclusive, logon/logoff events may build evidence for the case; even better are object access events, if you have enabled that type of logging.

Author: jcochran Posted: Thu Jul 02, 2009 1:02 am    Post subject:
    ----
That's kind of what I'm thinking... it would be easier to show that the user accessed a file or was authenticated at a certain time.
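
An added example, not part of the original thread: one way to turn exported logon/logoff records into per-user sessions by pairing them on Logon ID, then checking a claimed time against them. The event IDs are the standard Security-log ones (528/540 logon and 538 logoff on Windows 2000/2003, 4624/4634 on later versions); the record layout, host names and sample values are assumptions constructed for illustration.

```python
from datetime import datetime

# Security-log event IDs: 528/540 and 538 (Windows 2000/2003), 4624 and 4634 (Vista/2008+).
LOGON_IDS = {528, 540, 4624}
LOGOFF_IDS = {538, 4634}

# Constructed sample records; hosts, users and Logon IDs are invented for illustration.
SAMPLE_EVENTS = [
    {"time": "2009-06-30T08:58:12", "host": "DC01", "event_id": 540, "user": "jdoe", "logon_id": "0x3e7a1"},
    {"time": "2009-06-30T09:02:40", "host": "DC01", "event_id": 540, "user": "asmith", "logon_id": "0x3e9c4"},
    {"time": "2009-06-30T12:31:05", "host": "DC01", "event_id": 538, "user": "jdoe", "logon_id": "0x3e7a1"},
    # Logon with no matching logoff record: logoff events are frequently missing.
    {"time": "2009-06-30T13:15:00", "host": "DC02", "event_id": 540, "user": "jdoe", "logon_id": "0x41b22"},
]


def build_sessions(events, user):
    """Pair logon and logoff events for one user by (host, logon_id)."""
    open_sessions, sessions = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["user"].lower() != user.lower():
            continue
        key = (ev["host"], ev["logon_id"])
        when = datetime.fromisoformat(ev["time"])
        if ev["event_id"] in LOGON_IDS:
            open_sessions[key] = {"host": ev["host"], "start": when, "end": None}
            sessions.append(open_sessions[key])
        elif ev["event_id"] in LOGOFF_IDS and key in open_sessions:
            open_sessions.pop(key)["end"] = when
    return sessions


def evidence_at(sessions, when):
    """Return 'in_session' if a closed session covers the time, 'open_ended' if
    only a logon without a recorded logoff precedes it, otherwise 'none'."""
    result = "none"
    for s in sessions:
        if s["end"] is not None and s["start"] <= when <= s["end"]:
            return "in_session"
        if s["end"] is None and s["start"] <= when:
            result = "open_ended"
    return result


if __name__ == "__main__":
    for s in build_sessions(SAMPLE_EVENTS, "jdoe"):
        print(s["host"], s["start"], "->", s["end"] or "no logoff recorded")
```

An "in_session" result shows the account held an authenticated session at that time, not that the person was at the keyboard, which is why object access events make the stronger corroboration.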





All times are GMT + 2 Hours
