Question about Event Viewer logs for Server 2k3

Okay here's my problem...

We had someone do something to one of the servers at work, and when we went in to look at the Application, Security, and System logs in Event Viewer, we realized that whoever did the damage deleted them. Does anyone know if Windows caches these logs somewhere else and if there's a utility to retrieve them?

I remember back in the day when we tried to track students' web viewing, they would delete the Internet History, but we just opened up the dat files and found the entire history cached.

Any help would be greatly appreciated! Thanks!
 
Once the event logs are wiped you don't get them back. If this was a hack, they had full admin access to the machine. The only safe bet (because they could have installed a rootkit) is to wipe the drives, reinstall, and restore all data from a clean backup. Change ALL admin / service account passwords.

Edit: don't do this if you're pursuing the person either criminally or civilly - have some external forensics company go over it first / make images of the drives.
 
Well, there are a bunch of people who have admin rights. Someone deleted one of the main OUs, then deleted the Security log, and we're trying to find out who it was. :(
 
MasterShredder said:
Well, there are a bunch of people who have admin rights. Someone deleted one of the main OUs, then deleted the Security log, and we're trying to find out who it was. :(
have you considered undelete?
 
Then maybe it is time to review who has admin rights and whether they SHOULD, and if so, WHY.

I don't see why numerous people should have admin rights to systems - only the IT manager or an individual who maintains the systems.

Multiple people = problems - people should have their own logins, with everything logged to a domain controller or off-system backup where things can't get deleted.

:(

Can you check your firewalls for access from the outside into your network ?
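Off-system logging of the kind recommended above only pays off if someone actually inspects the forwarded copy. The following is an added example, not code from this thread or from any poster, of the two checks that copy makes possible: spotting the "audit log was cleared" record (Event ID 517 on Windows 2000/2003, 1102 on Vista and later), which names the account that cleared the log, and spotting a server whose forwarded stream goes quiet. The pipe-delimited export format, the hostnames, the accounts, and the timestamps are all constructed for the example.

```python
"""Detect Security-log clearing in event records that were forwarded off the server.

Added example, not from the thread. Assumes each server's events were exported to a
central store as pipe-delimited lines (this format is an assumption for the example):
    <timestamp>|<host>|<log>|<event id>|<account>
Event ID 517 is the Windows 2000/2003 "audit log was cleared" record and 1102 is its
successor on Vista and later; all sample hosts, accounts and times are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Tuple

LOG_CLEARED_EVENT_IDS = {517, 1102}


@dataclass(frozen=True)
class Record:
    when: datetime
    host: str
    log: str
    event_id: int
    account: str


def parse_line(line: str) -> Optional[Record]:
    """Parse one forwarded line; return None for blank or malformed lines."""
    line = line.strip()
    if not line:
        return None
    parts = line.split("|")
    if len(parts) != 5:
        return None
    when_s, host, log, eid_s, account = parts
    try:
        return Record(datetime.strptime(when_s, "%Y-%m-%d %H:%M:%S"),
                      host, log, int(eid_s), account)
    except ValueError:
        return None


def load(lines: Iterable[str]) -> List[Record]:
    """Parse all lines, drop the unparseable ones, and order by time."""
    records = [r for r in (parse_line(ln) for ln in lines) if r is not None]
    records.sort(key=lambda r: r.when)
    return records


def find_log_cleared(records: Iterable[Record]) -> List[Tuple[str, datetime, str]]:
    """Return (host, time, account) for every 'audit log cleared' event.

    The clearing event itself is written as the first entry of the fresh log and
    carries the account that did it, so the forwarded copy still answers 'who'.
    """
    return [(r.host, r.when, r.account)
            for r in records if r.event_id in LOG_CLEARED_EVENT_IDS]


def find_silent_gaps(records: Iterable[Record],
                     max_gap: timedelta = timedelta(hours=1)) -> List[Tuple[str, datetime, datetime]]:
    """Per host, report stretches longer than max_gap with no forwarded events.

    A server that normally chatters and suddenly falls silent is the other sign
    that its log, or the forwarder, was tampered with.
    """
    by_host: Dict[str, List[Record]] = {}
    for r in records:
        by_host.setdefault(r.host, []).append(r)
    gaps = []
    for host, recs in by_host.items():
        for prev, cur in zip(recs, recs[1:]):
            if cur.when - prev.when > max_gap:
                gaps.append((host, prev.when, cur.when))
    return gaps


# Constructed sample export; the one malformed line is deliberate.
SAMPLE_LINES = [
    "2006-03-14 08:55:02|SRV01|Security|528|SCHOOL\\alice",
    "2006-03-14 09:10:41|SRV01|Security|538|SCHOOL\\alice",
    "2006-03-14 12:30:17|SRV01|Security|528|SCHOOL\\bob",
    "2006-03-14 12:31:05|SRV01|Security|517|SCHOOL\\bob",
    "2006-03-14 12:31:09|SRV01|Security|528|SCHOOL\\bob",
    "2006-03-14 09:00:00|SRV02|Security|528|SCHOOL\\carol",
    "2006-03-14 09:20:00|SRV02|Security|538|SCHOOL\\carol",
    "this line is malformed",
]

if __name__ == "__main__":
    recs = load(SAMPLE_LINES)
    for host, when, account in find_log_cleared(recs):
        print(f"{host}: log cleared at {when} by {account}")
    for host, start, end in find_silent_gaps(recs):
        print(f"{host}: no events between {start} and {end}")
```

On the sample data this reports that SRV01's Security log was cleared at 12:31:05 by SCHOOL\bob and that SRV01 sent nothing between 09:10 and 12:30; SRV02 is quiet for only twenty minutes and is not flagged. The point is that the clearing event and the surrounding activity survive on the collector even when the local log is gone.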
 
drizzt81 said:
have you considered undelete?
Undelete is for files - OUs are Active Directory objects. I'm not aware of any AD undelete.

MrGuvernment said:
Then maybe it is time to review who has admin rights and whether they SHOULD, and if so, WHY.

I don't see why numerous people should have admin rights to systems - only the IT manager or an individual who maintains the systems.

Multiple people = problems - people should have their own logins, with everything logged to a domain controller or off-system backup where things can't get deleted.
Quoted for truth.
 
MrGuvernment said:
Then maybe it is time to review who has admin rights and whether they SHOULD, and if so, WHY.

I don't see why numerous people should have admin rights to systems - only the IT manager or an individual who maintains the systems.

Multiple people = problems - people should have their own logins, with everything logged to a domain controller or off-system backup where things can't get deleted.

:(

Can you check your firewalls for access from the outside into your network ?
Yeah, I totally agree with you.... too many cooks in the kitchen is a bad thing. This is another school district that we work with, and we had to come to the rescue. We ran GetDataBack and were able to retrieve the file, so now we can see who did it :)
 