Recovering All a students files & internet history

[ArchersIT]

I had a child that had been searching for things he shouldn't have been and had to get the information locally. We do have ISA Server 2004 and would love to be able to get the information from there. I have only seen monitoring, is that what I need to use as I don't normally keep that running?

If you have ISA server 2004 you can set ISA to log access. This is done on the logging tab within the monitoring section. Once this is done it will log to text files (by default). The can either be imported into excel (as someone else suggested) or if you know SQL you can use LogParser (free download from Microsoft) to run SQL like queries against those logs to pick out only the information you want.

An example of a LogParser query (this one to retrieve all internet activity for a specific user specified as a parameter to a batch file)

Code:

"C:\Program Files\Log Parser 2.2\logparser.exe" -i:w3c -o:w3c "select * into c:\isalogs\extract_people_all_20090122.txt from 'c:\Program Files\Microsoft ISA Server\ISALogs\ISALOG_20090122_WEB_000.w3c' where to_lowercase(cs-username) = to_lowercase('%SearchNames%') order by cs-username,date,time"

I know that wont help you if you dont have ISA, but the AndyD asked how to do it with ISA.

Cheers

Jonathan

[OutToLunch]

Right a kid at my school's shot someone and the plod want me to get everything he's done at school to scan for evidence.

Seems odd - wouldn't the process of you collecting evidence for them totally taint it, render it inadmissible etc? Not the usual police forensics route!

[glensc]

Seems odd - wouldn't the process of you collecting evidence for them totally taint it, render it inadmissible etc? Not the usual police forensics route!

I agree I'd ask them to come and collect it with your assistance.

This is as if they want to use any of it in court it's quite probably that a defending laywer would try to get the evidence declared inadmisable.

They might just be trying to get something in which to pressurise a confession from the person though.

[somabc]

Seems odd - wouldn't the process of you collecting evidence for them totally taint it, render it inadmissible etc? Not the usual police forensics route!

Exactly FFS! If the police want to collect evidence then they can come and do it themselves. Unfortunately you might find they turn up with a Court Order and seize all the computers he could have used for a few months.

[browolf]

ict classes ought to use seating plans so that the kids sit at the same pcs every lesson. I have log files generated at login so I know where every kid and teacher has sat every lesson for at least 6 months. you can use
http://www.nirsoft.net/utils/ie_cache_viewer.html
to read the contents of the dat file.

[dave20046]

Cheers guys, I've handed over his documents and said if they want anymoe then I'll have to go round his local machines. I'll see what they say.