
SonicWall logs reset

Status
Not open for further replies.

ComputerShaman

IS-IT--Management
Apr 12, 2005
US
I just posted this on the forensics forum also:

I have a question pertaining to firewall logs.

Situation: On Monday morning at about 9:30 am I walked by a classroom at the college where I am the network admin and noticed several students had the "Blocked website" message on their screens. The instructor had a URL on the board that we had forbidden. I made a mental note to print the firewall log to present to the Director. It was not a major issue at this time, though; the site is not that bad, but we still do not want students accessing it.

On Tuesday morning I went to the log files and noticed they begin at 10:30 am on Monday, precisely the time the class is over for the period. My first reaction was that the instructor went into the firewall, unauthorized, and reset the logs. It is possible he could have had access to the password at some time in the last month; however, he was not given the password. The Dean had written it onto a network map that he had access to, though.

I checked the server and he did log into the network on a classroom computer at the end of class, but the event log does not show his activity. He logged in, and a minute later he logged off. Just enough time to reset the logs if he wanted to.

With the logs beginning at 10:30, there is nothing about the blocked websites, nor any administrator activity prior to that time. From 10:30 on I just see the basic day-to-day activities that I normally see.

My question is: Is it possible that the SonicWall logs reset by themselves in any way? The allegation is serious (unauthorized activity on the school's firewall) and I want to be sure before I pursue it further. They are set up to send email every week at midnight Sunday night, and I have never seen them reset at any other time.

On my computer, IP addresses do not seem to show up in IE History, so is there a way I can check the computer he logged into and see if he went to the firewall? I checked the computer's event log and it doesn't show anything helpful.

Any help is appreciated.
Thank you!

Computer Shaman
 