Solved

How to determine if a file has been changed or not in Windows SBS 2003

Posted on 2008-06-14
Last Modified: 2013-11-05
Dear all,
I've been asked to assist a lawyer to check the following:
A company, I'll call it the buyer, bought an accounting software 2 years ago. They claim it never worked as it should have and never paid for it. The company that created and sold the software, the seller, decommissioned it and claims that the package needed just some tuning. They had remote console access to the SBS server.

The buyer has found a text file (.txt)  that ought to have contained parameters but contains in fact a very large list of known bugs. They say it was dropped there by the seller but the seller denies it.

This is what is known about this file:
1° The creation date and modification date are the same. They match the date of an email, which the seller admits to having sent, mentioning a new parameter file that was dropped.
2° The user of the file is the group Administrator, to which the remote login user of the seller and only the main operator of the buyer belong. I don't remember how, but in some history it is proven no changes have been made to the Administrator group since before that event.
3° In the event log we detected that each time someone opens the remote control, an event is created about a printer that can't be connected. On the date of the creation of the file, a remote connection occurred twice, one of which is around the date of the creation of the file.

First the seller denied that he created the file, then he admitted he did but said the content of the file was changed, not his.

My questions are :
1) Can we find out in some way, via Active Directory information or otherwise, if the file really was not changed afterward, as modification dates can be manipulated (as far as I know)?
2) The creator of the file is a system user group; is there a way to find out who the effective user was that last changed the file?


The purpose is to know if the content of the file was transmitted by accident by the seller or manipulated by the buyer.

Kind regards,
Henri Biron
0
Question by:Henri_Biron
LVL 77

Expert Comment

by:Rob Williams
ID: 21786679
You can enable detailed auditing but unfortunately not after the fact. The file creation, modified, and last accessed dates are the best you have to go by at this point. Hard to believe someone would place the file and then, to bury their tracks, modify the dates rather than delete it, or is it they that are accusing you of modifying the dates? No chance Volume Shadow Copies is enabled? If so you can right click on the file, choose properties, and there should be a tab "previous copies". This would show multiple copies and the manipulation dates. But this too has to be enabled and configured beforehand.

If interested, the following articles outline how to enable and analyze the results:
http://support.microsoft.com/kb/814595/
http://www.windowsecurity.com/articles/Understanding_Windows_Logging.html
http://207.46.19.60/technet/prodtechnol/windows2000serv/maintain/monitor/logevnts.mspx
0
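An added example, not part of the original answer or thread: since file dates can be manipulated and auditing has to be in place beforehand, one thing that can be set up in advance is a content-hash baseline kept in a chained log. This Python sketch assumes a hypothetical file name and log format, and its `demo()` uses a constructed file whose content changes while its modification time stays the same.

```python
import hashlib
import json
import os
import tempfile

GENESIS = "0" * 64  # chain start marker (an assumption of this example)

def file_record(path):
    """Snapshot the content hash and timestamp of one file."""
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    st = os.stat(path)
    return {"path": path, "sha256": digest, "size": st.st_size,
            "mtime_ns": st.st_mtime_ns}

def _entry_hash(prev, record):
    body = json.dumps(record, sort_keys=True)
    return hashlib.sha256((prev + body).encode()).hexdigest()

def append_entry(log, record):
    """Chain each entry to the previous one so later edits to the log show."""
    prev = log[-1]["entry_hash"] if log else GENESIS
    log.append({"record": record, "prev": prev,
                "entry_hash": _entry_hash(prev, record)})
    return log

def log_is_intact(log):
    """Recompute the chain; any altered or reordered entry breaks it."""
    prev = GENESIS
    for entry in log:
        if entry["prev"] != prev or _entry_hash(prev, entry["record"]) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True

def compare(baseline, path):
    """Compare the file as it is now against a recorded baseline."""
    now = file_record(path)
    return {"content_same": now["sha256"] == baseline["sha256"],
            "mtime_same": now["mtime_ns"] == baseline["mtime_ns"]}

def demo():
    """Constructed case: same size, same modification time, different content."""
    path = os.path.join(tempfile.mkdtemp(), "params.txt")  # hypothetical name
    with open(path, "w") as fh:
        fh.write("param_a=1\n")
    log = append_entry([], file_record(path))
    baseline = dict(log[0]["record"])
    with open(path, "w") as fh:
        fh.write("param_a=2\n")
    os.utime(path, ns=(baseline["mtime_ns"], baseline["mtime_ns"]))
    return compare(baseline, path), log_is_intact(log)
```

The baseline is only as trustworthy as the place the log is stored, so it should live somewhere the people with write access to the file cannot also write.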
 

Author Comment

by:Henri_Biron
ID: 21787076
Thx for this solution and information. No, I myself am not accused of anything; I'm helping the customer of a lawyer that asked me for help. It's the customer of my lawyer who is accused of that. We looked at the properties of the file to find the author, creator and all possible information. Didn't find what you called volume shadow copy though.

Any other help would be welcome if something else exists.

Otherwise I'll close this case in the near future.
0
 
LVL 77

Accepted Solution

by:
Rob Williams earned 500 total points
ID: 21787085
>>"No, I myself am not accused of anything"
Sorry, I did understand the question, and didn't mean to imply that.

No, afraid I have no other suggestions. As mentioned there are a few things you can turn on for future use but not much you can do about past use. The "Previous Versions" tab would be very obvious if enabled. It seldom is, but it is a very useful feature for recovering previous copies, not just for forensic purposes.
I usually enable a custom logon script for all remote users. It keeps a log of who logs on, when, to what machine/s, and from what IP. If that is any help for future, let me know and I can post.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 21790486
Thanks Henri.
Cheers !
--Rob
0
