srohe
asked on
Check log for file transfer\copy
I want to see if a departing employee copied\transferred any\all of our company data files off our Windows 2000 server recently. Is there a log file or profile log that shows each user's activity over a given time?
ASKER
Doesn't that only reflect downloads from the internet to the user's PC? I was thinking more like a user downloading files from the server to a USB flash drive or other external media.
ASKER CERTIFIED SOLUTION
There's no log file that will show simple file copies. Forensic tools like BackTrack will give you a timeline showing creation, change, or deletion of files, but the only way to track copies of files is to put audit ACLs on them, which will make entries in the security event log. Of course, this needs to be done before the event, not after.
If you decide to go this route, I'd also suggest transferring the event logs to a secure log server in realtime so that they can't be easily tampered with.
Also, keep in mind that there's a performance penalty if you go around putting audit logs on every file. Just do the directories/files that contain sensitive information you want tracked.
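The audit-ACL approach described in the answer above, as an added example that is not part of the original thread. It assumes an elevated PowerShell session on a current Windows Server (Windows 2000 itself predates PowerShell) and a hypothetical sensitive folder `D:\Shares\Finance`.

```powershell
# Added example; not from the original thread.
# Assumptions: elevated PowerShell on a current Windows Server;
# D:\Shares\Finance is a hypothetical folder holding the sensitive files.
$Path = 'D:\Shares\Finance'

# 1. Enable the audit policy subcategory; without it the SACL below logs nothing.
auditpol /set /subcategory:"File System" /success:enable

# 2. Add an audit entry (SACL): log successful reads by anyone, inherited by
#    subfolders and files. Scope it to sensitive folders only (performance).
$acl  = Get-Acl -Path $Path -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]::ReadData,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# 3. Review later: pull object-access events (ID 4663) from the last 7 days
#    and keep the ones that refer to files under the audited folder.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

$reads = foreach ($e in $events) {
    $d = @{}   # event data fields, keyed by name
    ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    if ($d.ObjectName -like "$Path\*") {
        [pscustomobject]@{ Time = $e.TimeCreated; User = $d.SubjectUserName; File = $d.ObjectName }
    }
}

# 4. Summarise per user: how many distinct files were read, and in what window.
$reads | Group-Object User | ForEach-Object {
    [pscustomobject]@{
        User  = $_.Name
        Files = ($_.Group.File | Sort-Object -Unique).Count
        First = ($_.Group.Time | Measure-Object -Minimum).Minimum
        Last  = ($_.Group.Time | Measure-Object -Maximum).Maximum
    }
} | Sort-Object Files -Descending
```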
ASKER
Thanks! I didn't have any auditing running but this helped us determine what they were up to!
Glad you got what you needed!.....:)
http://www.download.com/Index-dat-Analyzer/3000-2144_4-10564321.html