Check log for file transfer\copy

Posted on 2008-11-07
Last Modified: 2013-12-04
I want to see if a departing employee copied\transferred any\all of our company data files off our Windows 2000 server recently.  Is there a log file or profile log that shows each users activity over a given time?
Question by:srohe
    LVL 14

    Expert Comment

    You can check some access to files through the index.dat file under the user temporary internet files folder.. You will need to download index.dat analyzer tool:

    Author Comment

    Doesn't that only reflect downloads from the internet to the users PC?  I was thinking more like user downloads files from the server to a usb flash drive other external media.
    LVL 14

    Accepted Solution

    It also shows access to local files....I use it to track 1000 studentsd when teachers want to know what students are working on.
    LVL 12

    Expert Comment

    There's no log file that will show simple file copies. Forensic tools like backtrack will give you a timeline showing creation, change, or deletion of files, but the only way to track copies of files is to put audit acls on them, which will make entries in the security event log. Of course, this needs to be done before the event, not after.

    If you decide to go this route, I'd also suggest transferring the event logs to a secure log server in realtime so that they can't be easily tampered with.

    Also, keep in mind that there's a performance penalty if you go around putting audit logs on every file. Just do the directories/files that contain sensitive information you want tracked.

    Author Closing Comment

    Thanks!  I didn't have any auditing running but this helped us determine what they were up to!  
    LVL 14

    Expert Comment

    Glad you got what you needed!.....:)

    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    Do You Know the 4 Main Threat Actor Types?

    Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

    Users of Windows 10 Professional can disable automatic reboots using the policy editor. This tool is not included in the Windows home edition. But don't worry! Follow the instructions below to install (a Win7) policy editor on your Windows 10 Home e…
    Security measures require Windows be logged in using Standard User login (not Administrator).  Yet, sometimes an application has to be run “As Administrator” from a Standard User login.  This paper describes how to create a shortcut icon to launch a…
    This video Micro Tutorial explains how to clone a hard drive using a commercial software product for Windows systems called Casper from Future Systems Solutions (FSS). Cloning makes an exact, complete copy of one hard disk drive (HDD) onto another d…
    With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

    759 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    14 Experts available now in Live!

    Get 1:1 Help Now