Author: jcochran, Posted: Thu Jul 02, 2009 12:24 am Post subject: When was a user last on my network? ---- I'm trying to assist in a current investigation. It goes like this:
User says he was working at "x" time and date.
Manager says he wasn't working at "x" time and date.
I have all of the security event logs for all of my DCs archived and a tool to report on them.
My question is, "What event IDs are the best to focus on, and how can I paint a user session with this information?"
Author: ryansutton, Location: San Francisco, California, Posted: Thu Jul 02, 2009 12:41 am Post subject: ---- While not all-inclusive, logon/logoff events may build evidence for the case; even better are object access events, if you have enabled that type of logging.
Author: jcochran, Posted: Thu Jul 02, 2009 1:02 am Post subject: ---- That's kind of what I'm thinking... it would be easier to show that the user accessed a file or was authenticated at a certain time.
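
Added example, not part of any post in this thread: a Python sketch of painting a user's sessions by pairing logon and logoff events on host and Logon ID, then checking which sessions cover a disputed time. The event IDs are the standard Windows ones (528/540/538/551 on Server 2003, 4624/4634/4647 on Server 2008 and later); the record layout, host names, user names and sample rows are constructed assumptions.

```python
from datetime import datetime

# Logon / logoff event IDs: Server 2003 numbering and the 2008+ equivalents.
LOGON_IDS = {528, 540, 4624}
LOGOFF_IDS = {538, 551, 4634, 4647}

# Constructed sample rows: (time, host, event ID, user, logon type, Logon ID).
# Host names, user names and values are made up for illustration.
SAMPLE = [
    ("2009-06-30 08:02:11", "DC1", 4624, "jdoe", 3, "0x3e1a4"),
    ("2009-06-30 08:02:12", "DC1", 4634, "jdoe", 3, "0x3e1a4"),
    ("2009-06-30 08:05:00", "WS042", 4624, "jdoe", 2, "0x51c20"),
    ("2009-06-30 09:15:40", "DC1", 4624, "asmith", 3, "0x40b77"),
    ("2009-06-30 12:01:30", "WS042", 4647, "jdoe", 2, "0x51c20"),
    ("2009-06-30 12:01:31", "WS042", 4634, "jdoe", 2, "0x51c20"),
    ("2009-06-30 13:10:00", "TS1", 4624, "jdoe", 10, "0x7a9f0"),
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def build_sessions(records, user):
    """Pair each logon with the logoff that has the same host and Logon ID."""
    pending, sessions = {}, []
    for ts, host, eid, who, ltype, lid in sorted(records):
        if who.lower() != user.lower():
            continue
        key = (host, lid)  # a Logon ID is only meaningful on the host that issued it
        if eid in LOGON_IDS:
            pending[key] = (parse(ts), ltype)
        elif eid in LOGOFF_IDS and key in pending:
            start, kind = pending.pop(key)
            sessions.append({"host": host, "type": kind,
                             "start": start, "end": parse(ts)})
    # Logoff events are often missing; keep those logons with an unknown end.
    for (host, _), (start, kind) in pending.items():
        sessions.append({"host": host, "type": kind, "start": start, "end": None})
    return sorted(sessions, key=lambda s: s["start"])

def evidence_at(sessions, when):
    """Closed sessions whose logon..logoff interval contains `when`."""
    t = parse(when)
    return [s for s in sessions if s["end"] and s["start"] <= t <= s["end"]]

if __name__ == "__main__":
    for s in build_sessions(SAMPLE, "jdoe"):
        print(s["host"], "type", s["type"], s["start"], "->", s["end"] or "no logoff seen")
```

A logon with no matching logoff stays open-ended and is not counted as covering the disputed time. Domain controllers mostly record short network logons (type 3), so interactive sessions (type 2 or 10) usually have to come from the log of the machine the user sat at.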