We have an Active Directory domain.
All PCs run Windows (2000/XP/Win7) and are domain members.
I have turned on auditing and can see the account deleting the file but I don't know of any way to get the computer account as well.
Can it be done?
General discussion on the topic of forensics.
Fron the Article:
To recap just for a moment, when Fred logs on at his workstation for the
first time that day, the domain controller that handles that logon will log
event ID 672, closely followed by an event ID 673 where the Service
Name corresponds to the computer name of Fred’s workstation.
JerichoJones wrote:I can the username and ip from the security log but there is no way to tie them together conclusively.
unsupported wrote:nbtstat -a <ip>
BillV wrote:unsupported wrote:nbtstat -a <ip>
JerichoJones wrote:All this would be fine but I am talking about a shared account.
Users browsing this forum: No registered users and 0 guests