PaulDotCom mailing list archives
Recover deleted Windows "Audit Logs"
From: joel.folkerts at gmail.com (Joel Folkerts)
Date: Thu, 5 Nov 2009 09:24:55 -0600
In some instances, the event log entries are still present in the event logs themselves but aren't displayed in the event log viewer. You may want to take a look at http://www.forensickb.com/2009/01/windows-event-logs.html for more information.

-Joel

"The path to hell is paved with good intentions."

On Wed, Nov 4, 2009 at 11:46 PM, Aa'ed Alqarta <a.qarta at gmail.com> wrote:

No, the administrator had done something using this server as a "hop" to access another critical workstation. After he finished whatever he was planning for, he erased event logs and we only found one audit log saying " *audit log has been* manually cleared by ....". They were Windows event logs, and I'll double check about the file system type.

thanks

On Tue, Nov 3, 2009 at 5:03 PM, Joel Folkerts <joel.folkerts at gmail.com> wrote:

Were the files themselves deleted or the entries within the logs? What kind of logs are you referring to, i.e. Windows event logs, logs stored within a database, text logs. What type of file system are the logs stored on?

-Joel

"The path to hell is paved with good intentions."

On Tue, Nov 3, 2009 at 3:49 AM, Aa'ed Alqarta <a.qarta at gmail.com> wrote:

Hello Everyone,

I'd like to know is it possible to recover deleted "Audit Logs" after being erased by some administrator?

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

--
Best Regards,
----------------------------------------------------------
http://extremesecurity.blogspot.com
http://www.linkedin.com/in/aalqarta
http://www.experts-exchange.com/M_3011930.html
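Joel's point that entries can remain in the log file without being shown by the viewer can be checked by carving records by signature instead of following the file header. This is an added example, not code from the thread: it assumes the legacy binary `.evt` format (the thread does not state the Windows version), uses the documented EVENTLOGRECORD field layout, and the function names and all sample values are constructed for illustration.

```python
import struct
from datetime import datetime, timezone

MAGIC = b"LfLe"   # signature at offset 4 of each legacy .evt record
FIXED = 56        # size of the fixed EVENTLOGRECORD fields

def _utf16z(buf, pos):
    """Read a NUL-terminated UTF-16LE string; return (text, next offset)."""
    end = pos
    while end + 1 < len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[pos:end].decode("utf-16-le", "replace"), end + 2

def carve_evt_records(blob):
    """Yield every structurally valid record in blob, ignoring header pointers."""
    pos = blob.find(MAGIC)
    while pos != -1:
        start, nxt = pos - 4, pos + 1
        if start >= 0:
            (length,) = struct.unpack_from("<I", blob, start)
            end = start + length
            # Valid record: >= 56 bytes, DWORD multiple, fits in the input,
            # and its last four bytes repeat the leading length field.
            if (length >= FIXED and length % 4 == 0 and end <= len(blob)
                    and blob[end - 4:end] == blob[start:start + 4]):
                recno, t_gen, _, event_id = struct.unpack_from("<4I", blob, start + 8)
                source, p = _utf16z(blob, start + FIXED)
                computer, _ = _utf16z(blob, p)
                yield {"offset": start, "record": recno, "source": source,
                       "computer": computer, "event_id": event_id & 0xFFFF,
                       "time": datetime.fromtimestamp(t_gen, timezone.utc)}
                nxt = end
        pos = blob.find(MAGIC, nxt)

def _sample_record(recno, ts, event_id, source, computer):
    """Build a constructed record for the demo; not data from a real system."""
    body = (source + "\0" + computer + "\0").encode("utf-16-le")
    body += b"\x00" * (-len(body) % 4)
    length = FIXED + len(body) + 4
    fixed = struct.pack("<I4s4I4H6I", length, MAGIC, recno, ts, ts, event_id,
                        8, 0, 0, 0, 0, 0, 0, 0, 0, 0)
    return fixed + body + struct.pack("<I", length)

# Constructed input: header stub, two intact records around slack, one truncated.
SAMPLE = (struct.pack("<I4s", 0x30, MAGIC) + b"\x00" * 40
          + _sample_record(1, 1257260000, 517, "Security", "SRV01")
          + b"\xff" * 10
          + _sample_record(842, 1257250000, 528, "Security", "SRV01")
          + _sample_record(843, 1257250100, 540, "Security", "SRV01")[:40])
```

Run `carve_evt_records` over a forensic copy of the log file or a raw image, never the live file; the length-trailer check is what filters out stray `LfLe` hits and truncated records.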