We have recently had some problems with our office computers and have discovered someone was able to get into our network from the outside (ex-employee). We have been trying to find some way of proving who it was that was able to get in but the event log on the computer has been wiped. Oddly enough there is no sign of anything on the server however it seems my PC was used to play around with our files. Is there anything in the computer (besides the event log) that may have recorded what was done on a set date that this person may have overlooked (We do not have any extra software that could have clocked it). The fiddling has obviously been malicious and we know who it is, so it would be wonderful to prove it. Can anyone help?

Windows machines don't normally log IP addresses. Is the server running an actual domain or is it just a workstation used to share files? If it's an actual domain, has the former employee's account been disabled? Is the router a wireless router using DHCP?

The server is running a domain and the former employees account has definitely been deleted. The router is not wireless but there are wireless access points attached to it. Perhaps I should have mentioned that there are two other current employees that have a remote access link to the network as well as our computer maintenance company. I don't know if that may have a bearing on this problem. The former employee also had this connection but that was disabled when he left.

The FIRST thing you should do is change all passwords. Also, setup a VPN so that it's required to access your network from outside your Firewall. You may think you know who did this, but you'd need proof in order to prosecute (if you want to go that route.) If you do allow Remote Access, don't you have auditing available so that you can see which users have logged in from outside? Even if the event log was deleted on one particular computer, after it was recreated, the log would show the logoff of the user. "So won’t you give this man his wings What a shame To have to beg you to see We’re not all the same What a shame" - Shinedown

The easiest way into the network is the wireless access point. On my LAN, I use static IP addresses instead of DHCP. That way the router isn't providing IP addresses to anyone who is outside with a laptop. As Jennifer said, change all the passwords and setup auditing. The site below explains how to do it. http://www.windowsecurity.com/artic...