Microsoft
Software
Hardware
Network
Question : Deleted File? user or system?
I am trying to find out what happened to a directory that has dissappeared from our network. When I checked the security log I see these events. To me it appears that this user viewed the directory and then deleted it and then moved on to another directory. The only thing that puzzles me is that it all happened within a second. Here are the logs events in question.
Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 7/13/2010
Time: 4:46:15 PM
User: HOMER\dsmith
Computer: SERVER
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: F:\Data1\Department Folders\Accounting\Job Cost\2010\Report.rpt
New Handle ID: 2672
Operation ID: {2,1928869786}
Process ID: 8
Primary User Name: SERVER$
Primary Domain: HOMER
Primary Logon ID: (0x0,0x3E7)
Client User Name: dsmith
Client Domain: HOMER
Client Logon ID: (0x2,0x72F51B5B)
Accesses READ_CONTROL
ReadData (or ListDirectory)
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
ReadEA
WriteEA
ReadAttributes
WriteAttributes
Privileges -
--------------------------
----------
----------
----------
----------
----------
----------
----------
----------
----------
------
Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 7/13/2010
Time: 4:46:41 PM
User: HOMER\dsmith
Computer: SERVER
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: F:\Data1\Department Folders\work
New Handle ID: 2380
Operation ID: {2,1928870967}
Process ID: 8
Primary User Name: SERVER$
Primary Domain: HOMER
Primary Logon ID: (0x0,0x3E7)
Client User Name: dsmith
Client Domain: HOMER
Client Logon ID: (0x2,0x72F51B5B)
Accesses DELETE
SYNCHRONIZE
ReadAttributes
Privileges -
--------------------------
----------
----------
----------
----------
----------
----------
----------
----------
---------
Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 7/13/2010
Time: 4:46:41 PM
User: HOMER\dsmith
Computer: SERVER
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: F:\Data1\Department Folders\work
New Handle ID: 2380
Operation ID: {2,1928870980}
Process ID: 8
Primary User Name: SERVER$
Primary Domain: HOMER
Primary Logon ID: (0x0,0x3E7)
Client User Name: DSmith
Client Domain: HOMER
Client Logon ID: (0x2,0x72F51B5B)
Accesses DELETE
SYNCHRONIZE
Privileges -
--------------------------
----------
----------
----------
----------
----------
----------
----------
----------
----------
----
Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 7/13/2010
Time: 4:46:41 PM
User: HOMER\dsmith
Computer: SERVER
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: F:\Data1\Department Folders\Common
New Handle ID: 2147492020
Operation ID: {2,1928870981}
Process ID: 8
Primary User Name: SERVER$
Primary Domain: HOMER
Primary Logon ID: (0x0,0x3E7)
Client User Name: dsmith
Client Domain: HOMER
Client Logon ID: (0x2,0x72F51B5B)
Accesses SYNCHRONIZE
AppendData (or AddSubdirectory or CreatePipeInstance)
Privileges SeBackupPrivilege
SeRestorePrivilege
Answer : Deleted File? user or system?
The company providing the co-location is your hosting ISP. Ask them if they do anything to prevent IP address spoofing [of your assigned addresses].
Random Solutions
Windows7 my Documents folder
IIS 6 to IIS7
Coldfusion - SQL syntax
setup Xsan with couple of Apple macs final cut pro
Ex2010 - Move Mailbox Failed - Corrupt Messages
How do I write data to separate excel worksheets in coldfusion?
SPContext.Current is returning null in the "SPItemEventReceiver" event handler.
Using multiple routers - BEFVP41 VPN Router, Netgear WDR3700
Cisco VPN client for Windows, use both RSA SecurID soft token and hard token
In Perl, how do I check if a value already exist in the database
