Guest
I have a computer on a domain whose system event log is showing some weird entries. It skips about 8 months of logging. When you right-click the system log under Event Viewer and select Properties, it shows the correct creation date, but the modified and accessed dates are both the same: a week ago. This is troubling, since the log shows events from the modified date up through today. There are just the 8 months of data missing. There is concern that this system has been hacked by an employee known to do this type of stuff.

All of our users are standard users and they cannot install anything. Domain/group policy removes anyone added to the admin group, and no one is a power user. Management needs proof it was hacked in order to do anything to this individual. We feel he did this to cover his tracks on some other stuff, since a bunch of other logs are missing data or are gone altogether.

This is an XP Pro box; the log file was created 5/24/03 and shows events through 5/14/04. It then jumps to 1/25/05 with NO reference to deletion by an admin. The properties of the file show it was created on 5/24/03, and both modified and accessed show the same date of 1/21/05. The event log reads as follows:

Information 1/25/2005 12:16:40PM Eventlog None 6009 N/A
Information 5/14/2004 7:08:49PM Application Popup None 26 N/A

This is what caught my eye: the jump in dates. We suspect he deleted the entries for this timeframe to cover up some things (illegal software installation, porn, etc.). We are 99.99% sure he changed the local admin password using a bootable CD-ROM (after resetting the BIOS password and allowing the system to boot to a CD; this WAS disabled) and did what he wanted between the missing dates, but the other log files are either missing entirely or similar dates are missing from them.

Logging is OK for the way we want to track it, and it's not an issue of being overwritten.

Any ideas? I posted most of this before, but didn't really get a response....
Thanks!!
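The jump the poster noticed can be checked mechanically rather than by eye. The script below is an added example (not part of the original post or any Microsoft tool): it parses lines in the text layout quoted above, sorts them oldest-first (Event Viewer exports newest-first), and reports any hole between consecutive records longer than a threshold, noting whether the stream resumed with one of the Event Log service's own boot-time records (IDs 6005 and 6009). The sample records, the 7-day threshold and the function names are constructed for illustration.

```python
"""
Added example: flag unexplained gaps in an exported Windows event log.
The sample lines below are constructed in the layout quoted in the post.
"""
import re
from datetime import datetime, timedelta

# One exported line: Type Date Time Source Category EventID User.
# Source may contain spaces ("Application Popup"), so it is matched lazily
# and the fixed fields after it anchor the match.
LINE_RE = re.compile(
    r"^(?P<type>\w+)\s+"
    r"(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+"
    r"(?P<time>\d{1,2}:\d{2}:\d{2}\s?[AP]M)\s+"
    r"(?P<source>.+?)\s+"
    r"(?P<category>\S+)\s+"
    r"(?P<event_id>\d+)\s+"
    r"(?P<user>\S+)$"
)

# Records the Event Log service writes at boot (6005: service started,
# 6009: OS version banner). A stream that resumes with one of these right
# after a hole means nothing was recorded between the last old record and
# the next boot, which is exactly the pattern quoted in the post.
BOOT_MARKERS = {6005, 6009}


def parse_record(line):
    """Parse one exported line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    stamp = f"{m['date']} {m['time'].replace(' ', '')}"
    return {
        "type": m["type"],
        "time": datetime.strptime(stamp, "%m/%d/%Y %I:%M:%S%p"),
        "source": m["source"],
        "event_id": int(m["event_id"]),
    }


def find_gaps(lines, max_gap=timedelta(days=7)):
    """Return holes longer than max_gap between consecutive records, oldest first.

    Each hole reports the last record before it, the first record after it,
    the size of the hole, and whether logging resumed with a boot marker.
    """
    records = [r for r in map(parse_record, lines) if r]
    records.sort(key=lambda r: r["time"])  # stable sort keeps export order for ties
    gaps = []
    for before, after in zip(records, records[1:]):
        delta = after["time"] - before["time"]
        if delta > max_gap:
            gaps.append({
                "last_before": before["time"],
                "first_after": after["time"],
                "gap": delta,
                "resumes_at_boot": after["event_id"] in BOOT_MARKERS,
            })
    return gaps


# Constructed sample, newest first, mirroring the layout quoted in the post.
SAMPLE_LINES = [
    "Information 1/25/2005 12:16:40PM Eventlog None 6009 N/A",
    "Information 1/25/2005 12:16:40PM Eventlog None 6005 N/A",
    "Information 5/14/2004 7:08:49PM Application Popup None 26 N/A",
    "Information 5/13/2004 9:30:00AM Service Control Manager None 7036 N/A",
]

if __name__ == "__main__":
    for g in find_gaps(SAMPLE_LINES):
        print(f"{g['gap'].days}-day gap: {g['last_before']} -> {g['first_after']}"
              f" (resumes at boot: {g['resumes_at_boot']})")
```

On the constructed sample this reports a single 255-day hole that ends at a boot record. A hole by itself only shows that no records survive for that window; whether they were never written (machine off, service stopped) or removed has to come from other evidence, such as the file system timestamps the poster already noted and whatever the other logs still contain.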