Microsoft
Software
Hardware
Network
Question : Deleted File? user or system?
I am trying to find out what happened to a directory that has dissappeared from our network. When I checked the security log I see these events. To me it appears that this user viewed the directory and then deleted it and then moved on to another directory. The only thing that puzzles me is that it all happened within a second. Here are the logs events in question.
Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 7/13/2010
Time: 4:46:15 PM
User: HOMER\dsmith
Computer: SERVER
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: F:\Data1\Department Folders\Accounting\Job Cost\2010\Report.rpt
New Handle ID: 2672
Operation ID: {2,1928869786}
Process ID: 8
Primary User Name: SERVER$
Primary Domain: HOMER
Primary Logon ID: (0x0,0x3E7)
Client User Name: dsmith
Client Domain: HOMER
Client Logon ID: (0x2,0x72F51B5B)
Accesses READ_CONTROL
ReadData (or ListDirectory)
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
ReadEA
WriteEA
ReadAttributes
WriteAttributes
Privileges -
--------------------------
----------
----------
----------
----------
----------
----------
----------
----------
----------
------
Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 7/13/2010
Time: 4:46:41 PM
User: HOMER\dsmith
Computer: SERVER
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: F:\Data1\Department Folders\work
New Handle ID: 2380
Operation ID: {2,1928870967}
Process ID: 8
Primary User Name: SERVER$
Primary Domain: HOMER
Primary Logon ID: (0x0,0x3E7)
Client User Name: dsmith
Client Domain: HOMER
Client Logon ID: (0x2,0x72F51B5B)
Accesses DELETE
SYNCHRONIZE
ReadAttributes
Privileges -
--------------------------
----------
----------
----------
----------
----------
----------
----------
----------
---------
Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 7/13/2010
Time: 4:46:41 PM
User: HOMER\dsmith
Computer: SERVER
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: F:\Data1\Department Folders\work
New Handle ID: 2380
Operation ID: {2,1928870980}
Process ID: 8
Primary User Name: SERVER$
Primary Domain: HOMER
Primary Logon ID: (0x0,0x3E7)
Client User Name: DSmith
Client Domain: HOMER
Client Logon ID: (0x2,0x72F51B5B)
Accesses DELETE
SYNCHRONIZE
Privileges -
--------------------------
----------
----------
----------
----------
----------
----------
----------
----------
----------
----
Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 7/13/2010
Time: 4:46:41 PM
User: HOMER\dsmith
Computer: SERVER
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: F:\Data1\Department Folders\Common
New Handle ID: 2147492020
Operation ID: {2,1928870981}
Process ID: 8
Primary User Name: SERVER$
Primary Domain: HOMER
Primary Logon ID: (0x0,0x3E7)
Client User Name: dsmith
Client Domain: HOMER
Client Logon ID: (0x2,0x72F51B5B)
Accesses SYNCHRONIZE
AppendData (or AddSubdirectory or CreatePipeInstance)
Privileges SeBackupPrivilege
SeRestorePrivilege
Answer : Deleted File? user or system?
The company providing the co-location is your hosting ISP. Ask them if they do anything to prevent IP address spoofing [of your assigned addresses].
Random Solutions
phpmailer errorInfo
Untangle Ipcop
Unable to create virtual hard disk file on server running Hyper-V
Sharepoint error, event id 6481
Disk Manager doesn't see the ISCSI Virtual Disks but One
MySQL join with Like
groupwise to zimbra migration
How to retreive a file from a full Vista backup
Exporting X509 published certificate information
Google Apps Gmail and legacy MS Exchange (SBS) 2003 Synchronisation
