This ID was used to explain I had deleted... Expand / Collapse
Author
Message
Posted 4/26/2016 7:15:59 PM
Forum Newbie

Forum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum Newbie

Group: Forum Members
Last Login: 4/26/2016 6:55:40 PM
Posts: 1, Visits: 0
Hi,

Following an investigation this ID has been used and interpreted that a folder was accessed and something has been deleted by myself and this is the only log shown as evidence. I have challenged this interpretation however the response that I got was that the interpretation of the log reports can vary, they also found that there does not appear to be a definitive view on what specific activities these event id's indicate specifically.

yet this ID was only used and told that they do reflect accurately what has been done during the investigation process.

so I'm just after some clarification into this. just to give you what has happened this log has been created because a folder was copied over from external media onto the network.

so could you please help me in identifying the correct interpretation of this log.

Subject:
Security ID:
Account Name:
Account Domain:
Logon ID: 0x74349777

Object:
Object Server: Security
Object Type: File
Object Name:
Handle ID: 0x4134
Resource Attributes: -

Process Information:
Process ID: 0x4
Process Name:

Access Request Information:
Transaction ID: {00000000-0000-0000-0000-000000000000}
Accesses: DELETE
READ_CONTROL
WRITE_DAC
SYNCHRONIZE
ReadData (or ListDirectory)
WriteData (or AddFile)
ReadEA
WriteEA
ReadAttributes
WriteAttributes

Access Reasons: -
Access Mask: 0x17019B
Privileges Used for Access Check: -
Restricted SID Count: 0
Post #5199
Posted 5/31/2016 6:27:56 PM
Supreme Being

Supreme BeingSupreme BeingSupreme BeingSupreme BeingSupreme BeingSupreme BeingSupreme BeingSupreme Being

Group: Moderators
Last Login: 11/14/2013 3:17:47 PM
Posts: 237, Visits: 0
This event means that the permissions in the Accesses field was requested. Look at the event 4663 with the same Logon ID to determine what permissions were actually exercised.
Post #5216
« Prev Topic | Next Topic »


Permissions Expand / Collapse

All times are GMT -5:00, Time now is 6:23pm