Question about Event Viewer logs for Server 2k3


MasterShredder
10-13-2005, 11:21 AM
Okay here's my problem...

We had someone do something to one of the servers at work, and when we went in to look at the Application, Security, and System logs in Event Viewer, we realized that whoever did the damage deleted them. Does anyone know if Windows caches these logs somewhere else and if there's a utility to retrieve them?

I remember back in the day when we tried to track students' web viewing, they would delete the Internet History, but we just opened up the dat files and found the entire history cached.

Any help would be greatly appreciated! Thanks!

da sponge
10-13-2005, 11:34 AM
once the event logs are wiped you don't get them back. if this was a hack they had full admin access to the machine. the only safe bet (because they could have installed a rootkit) is to wipe the drives, reinstall and restore all data from a clean backup. Change ALL admin / service account passwords.

edit: don't do this if you're pursuing the person either criminally or civilly - have some external forensics company go over it first / make images of the drives.

MasterShredder
10-13-2005, 01:33 PM
well there are a bunch of people who have admin rights. someone deleted one of the main OUs, then deleted the security log and we're trying to find out who it was. :(

drizzt81
10-13-2005, 01:46 PM
well there are a bunch of people who have admin rights. someone deleted one of the main OUs, then deleted the security log and we're trying to find out who it was. :(
have you considered undelete?

MrGuvernment
10-13-2005, 02:23 PM
Then maybe it is time to review who has admin rights and SHOULD they and if so, WHY

I don't see why numerous people should have admin rights to systems - only the IT manager or an individual who maintains the systems

Multiple people = problems - people should have their own logins with everything logged to a domain controller or off-system backup where things can't get deleted

:(

Can you check your firewalls for access from the outside into your network ?
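The off-system logging suggested above also makes the clearing itself visible, as this added example (not code from the thread) shows: Windows writes an "audit log cleared" record as the first entry of the freshly cleared Security log (event 517 on Server 2003, 1102 on Vista/2008 and later), so a forwarded copy still names the account that cleared it. The tab-separated export layout, account names and timestamps below are constructed.

```python
import csv
import io

# Event IDs Windows writes as the first record of a freshly cleared Security
# log: 517 on Windows 2000/XP/Server 2003, 1102 on Vista/Server 2008+. A copy
# forwarded off-host therefore still names who cleared it after the local
# log is gone.
LOG_CLEARED_IDS = {517, 1102}
LOGON_ID = 528  # successful logon on Server 2003

# Constructed sample in the tab-separated layout of Event Viewer "Save As".
# On a real Server 2003 box the clearing account is in the 517 description
# ("Client User Name"); here it is folded into the User column.
SAMPLE_EXPORT = (
    "Type\tDate\tTime\tSource\tEvent\tUser\n"
    "Success Audit\t10/13/2005\t09:02:11\tSecurity\t528\tCONTOSO\\jdoe\n"
    "Success Audit\t10/13/2005\t09:04:20\tSecurity\t528\tCONTOSO\\admin2\n"
    "Success Audit\t10/13/2005\t09:05:40\tSecurity\t517\tCONTOSO\\admin2\n"
    "Success Audit\t10/13/2005\t09:06:02\tSecurity\t528\tCONTOSO\\jdoe\n"
)

def parse_export(text):
    """Parse a tab-separated export into a list of dicts, skipping bad rows."""
    rows = []
    for row in csv.DictReader(io.StringIO(text), delimiter="\t"):
        try:
            row["Event"] = int(row["Event"])
        except (TypeError, ValueError):
            continue  # malformed line: keep scanning rather than abort
        rows.append(row)
    return rows

def find_log_clears(records):
    """Return one finding per log-clear event, with that account's last logon."""
    findings = []
    last_logon = {}  # account -> "date time" of its most recent 528
    for r in records:
        stamp = f"{r['Date']} {r['Time']}"
        if r["Event"] == LOGON_ID:
            last_logon[r["User"]] = stamp
        elif r["Event"] in LOG_CLEARED_IDS:
            findings.append({"event": r["Event"], "user": r["User"], "when": stamp,
                             "session_logon": last_logon.get(r["User"])})
    return findings

if __name__ == "__main__":
    for f in find_log_clears(parse_export(SAMPLE_EXPORT)):
        print(f"{f['when']}: event {f['event']} cleared by {f['user']} "
              f"(session logon {f['session_logon']})")
```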

da sponge
10-13-2005, 02:28 PM
have you considered undelete?
undelete is for files - OUs are Active Directory objects. I'm not aware of any AD undelete.

Then maybe it is time to review who has admin rights and SHOULD they and if so, WHY

I don't see why numerous people should have admin rights to systems - only the IT manager or an individual who maintains the systems

Multiple people = problems - people should have their own logins with everything logged to a domain controller or off-system backup where things can't get deleted

Quoted for truth.

MasterShredder
10-13-2005, 02:29 PM
Then maybe it is time to review who has admin rights and SHOULD they and if so, WHY

I don't see why numerous people should have admin rights to systems - only the IT manager or an individual who maintains the systems

Multiple people = problems - people should have their own logins with everything logged to a domain controller or off-system backup where things can't get deleted

:(

Can you check your firewalls for access from the outside into your network ?


Yeah, I totally agree with you.... too many cooks in the kitchen is a bad thing. This is another school district that we work with and we had to come to the rescue. We ran GetDataBack and were able to retrieve the file, so now we can see who did it :)