Server Logging and Forensics

[Tolken]

Strange one here, some files on our network keep going missing, as well as people seeing documents they shouldn't be(Permissions locked down, user access only being user level). So I'm sure our network has been comprimised.

I was wondering if there was any tools for Server2000/2003 that offered complete logging.

IE,

Says which users are logged in, what files they have opened, a history of files opened, what they have printed, what resources they are connected too etc etc. I know Linux has this at a push off a button, but for microsoft its proving to be a right pain.

Any help would be appreciated

 

[tfg13]

The comment "I know Linux has this at a push of a button" is not exactly correct. The capability of Linux to log is no different than that of Microsoft. I would look at what you are currently logging, and what you want to log. Once you have it logging, know what to look for!

This should give you an idea of the event ID's you'll be looking for:

http://www.ultimatewindowssecurity.com/encyclopedia.html