Check log for file transfer\copy

I want to see if a departing employee copied\transferred any\all of our company data files off our Windows 2000 server recently.  Is there a log file or profile log that shows each users activity over a given time?
sroheAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

KutyiCommented:
You can check some access to files through the index.dat file under the user temporary internet files folder.. You will need to download index.dat analyzer tool:
http://www.download.com/Index-dat-Analyzer/3000-2144_4-10564321.html
0
sroheAuthor Commented:
Doesn't that only reflect downloads from the internet to the users PC?  I was thinking more like user downloads files from the server to a usb flash drive other external media.
0
KutyiCommented:
It also shows access to local files....I use it to track 1000 studentsd when teachers want to know what students are working on.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Top Threats of Q1 & How to Defend Against Them

WEBINAR: Join WatchGuard CTO and our Threat Research Team on Aug. 2nd to hear the findings from our Q1 Internet Security Report! Learn more about the top threats detected in the first quarter and how you can defend your business against them!

Hugh FraserConsultantCommented:
There's no log file that will show simple file copies. Forensic tools like backtrack will give you a timeline showing creation, change, or deletion of files, but the only way to track copies of files is to put audit acls on them, which will make entries in the security event log. Of course, this needs to be done before the event, not after.

If you decide to go this route, I'd also suggest transferring the event logs to a secure log server in realtime so that they can't be easily tampered with.

Also, keep in mind that there's a performance penalty if you go around putting audit logs on every file. Just do the directories/files that contain sensitive information you want tracked.
0
sroheAuthor Commented:
Thanks!  I didn't have any auditing running but this helped us determine what they were up to!  
0
KutyiCommented:
Glad you got what you needed!.....:)
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
OS Security

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.