Solved

Post incident investigation

Posted on 2010-09-20
674 Views
Last Modified: 2012-05-10
Hi,

I would like to investigate files (located on network shares) accessed/copied/modified by a specific user over a specific (recent) time period.

I've researched & found scripts that can display the time/date a file was last accessed, but not who the user was that accessed it.

Info:
SBS 2003
Auditing not enabled
User was using a domained laptop

I appreciate the setup isn't ideal for a post incident investigation (no auditing etc) but was hoping for any advice as to what can be done...

Thanks in advance,
0
Question by:Roger Adams
10 Comments
 
LVL 8

Expert Comment

by:thetmanvn
ID: 33715248
http://valixsoft.com/?p=product_activesharemonitor

Check it out, sir. This was deployed on some of our clients and received very good feedback.
0
 

Author Comment

by:Roger Adams
ID: 33715270
That app seems useful as a future deployment, but it doesn't seem to offer any 'historic' information on files accessed?
0
 
LVL 8

Expert Comment

by:thetmanvn
ID: 33715294
No, it logs everything you need to files day by day (of course, start when you deployed it).
0

 
LVL 6

Expert Comment

by:JJClements
ID: 33715402
Unless you had file/folder auditing enabled there isn't going to be much more information available than what you see by checking the properties of the files/folders that you are investigating. As you have already discovered, the information here is pretty limited, including a modified/created date and last saved information. Not much good if the user copied the document from a share to somewhere else and opened it there. :-(
0
 
LVL 6

Expert Comment

by:JJClements
ID: 33715422
Obviously enabling file/folder auditing on windows server can carry quite an overhead depending on the number of users and the volume of files being accessed. Certainly worth considering for the future though if you have had problems.

Could be worth a quick look at this (download link at the bottom):

http://technet.microsoft.com/en-gb/library/dd162275.aspx
0
 

Author Comment

by:Roger Adams
ID: 33715895
It would appear that we have a degree of auditing enabled... where would I go to check the entries (if they exist) regarding accessing files etc (event viewer?)
0
 
LVL 6

Expert Comment

by:JJClements
ID: 33716501
If auditing has been enabled you will need to check the Security Log on the server in question. A word of warning though - it can be very hard to actually find the information you want. I would advise exporting the log and then opening it in a text editor to search. Chances are that depending on the maximum size of the log the trail could have already been overwritten though.
0
 
LVL 8

Expert Comment

by:thetmanvn
ID: 33716777
If you need a simple solution, Active Share Monitor does its trick; you can try it yourself, and maybe you will see it's enough in your case.

And of course if you need a powerful solution, then as JJClements said, enable auditing, then use a log indexing tool to get what you want, and at this point here goes a very excellent Splunk (the Open Source Edition is enough for you, with 500MB indexed data/day): www.splunk.com
0
 
LVL 64

Accepted Solution

by:
btan earned 500 total points
ID: 33759407
No harm still trying to sift through the event log, but doing it visually can be tedious; check out some parsing tools below. Probably for a more holistic view, network logs can be considered as well if the server has other network devices in between the client and it. The log can specify the source IP sending certain packet requests to the server, and if DHCP is used, the DHCP log should be checked for correlation. But do note the following:

@ http://www.syslog.org/logged/log-analysis-and-log-correlation-basics/#more-187
Log analysis and correlation engines are not intended to be stand-alone security implements.  They should be viewed as an added layer of defense to existing sound controls.  Trying to implement such a system into an environment that is not in good control will likely result in a failed project, because:

   1. There is too much “noise” for any sort of effective analysis of events.
   2. The frequency of events & false alarms will lead to frustration & abandonment.
   3. The environment does not enable administrators to take effective action (either manually or automatically) based on the output of the engine.

PsLogList shows the contents of the System Event Log on the local computer, with visually-friendly formatting of Event Log records.
@ http://technet.microsoft.com/en-us/sysinternals/bb897544.aspx

Some options that can be useful are:
-a      Dump records timestamped after the specified date (period of interest).
-b      Dump records timestamped before the specified date (period of interest).
-i      Show only events with the specified ID or IDs (up to 10). Note that Event IDs 528 and 540 signify a successful logon, and event ID 538 a logoff. But check out more at http://www.windowsecurity.com/articles/Logon-Types.html
-f      Filter event types with a filter string (e.g. "-f w" to filter warnings, or a specific string that you are suspecting such as a user ID, admin ID, etc).

Next time you can try PsLoggedOn, which can check for user logons in the network by just supplying a username (one that you suspect as the culprit):
http://technet.microsoft.com/en-us/sysinternals/bb897545.aspx

Also the below may be useful if you are monitoring the live server:
Identify unusual processes: pslist, psinfo, psfile
Identify unusual listening ports: netstat, Fport, psservice
Identify unusual open files: psfile, listdlls, Fport
Identify logged in users: psloggedon, nbtstat
0
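JJClements suggests exporting the Security Log and searching it in a text editor, and btan lists the psloglist options (-a/-b for a time window, -i for event IDs 528/540/538, -f for a user string) to do the same thing from the command line. The script below is an added example, not code from either expert or from Sysinternals: it applies those same filters to an exported log and then pairs each 538 logoff with its 528/540 logon, so you get a per-user timeline of when the suspect account was connected to the server. The CSV column layout, the description wording and the sample rows are constructed assumptions for this example and are not the exact Event Viewer or psloglist output format. Note that, as JJClements says, logon/logoff events only show who was connected and when; without object-access auditing the per-file trail is simply not in the log.

```python
import csv
import io
from datetime import datetime

# Constructed sample of a Security log exported to CSV (column layout and
# description wording are assumptions, not the real Event Viewer export format).
SAMPLE_EXPORT = """Type,Date,Time,Source,Category,Event,User,Computer,Description
Success Audit,2010-09-15,08:02:11,Security,Logon/Logoff,528,CONTOSO\\jdoe,SBS01,Successful Logon. Logon Type: 2
Success Audit,2010-09-15,08:05:40,Security,Logon/Logoff,540,CONTOSO\\jdoe,SBS01,Successful Network Logon. Logon Type: 3
Success Audit,2010-09-15,09:10:02,Security,Logon/Logoff,540,CONTOSO\\asmith,SBS01,Successful Network Logon. Logon Type: 3
Success Audit,2010-09-15,17:31:55,Security,Logon/Logoff,538,CONTOSO\\jdoe,SBS01,User Logoff. Logon Type: 3
Success Audit,2010-09-19,10:00:00,Security,Logon/Logoff,540,CONTOSO\\jdoe,SBS01,Successful Network Logon. Logon Type: 3
"""

LOGON_IDS = {528, 540}   # successful logon (interactive / network), as noted in the thread
LOGOFF_ID = 538          # logoff
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"


def _to_datetime(value):
    """Accept a datetime or a 'YYYY-MM-DD[ HH:MM:SS]' string, like psloglist's -a/-b dates."""
    if value is None or isinstance(value, datetime):
        return value
    for fmt in (TIME_FORMAT, "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt)
        except ValueError:
            pass
    raise ValueError("unrecognised timestamp: %r" % value)


def parse_export(text):
    """Turn the CSV export into a list of dicts with a real datetime and an int event ID."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append({
            "time": datetime.strptime(row["Date"] + " " + row["Time"], TIME_FORMAT),
            "event_id": int(row["Event"]),
            "user": row["User"],
            "computer": row["Computer"],
            "description": row["Description"],
        })
    return events


def logon_type(description):
    """Extract 'Logon Type: N' from the description text (assumed wording), or None if absent."""
    marker = "Logon Type:"
    idx = description.find(marker)
    if idx < 0:
        return None
    return int(description[idx + len(marker):].split()[0].strip(",.;"))


def filter_events(events, after=None, before=None, event_ids=None, user=None):
    """Mirror psloglist -a / -b / -i / -f: time window, event ID set, case-insensitive user substring."""
    after, before = _to_datetime(after), _to_datetime(before)
    out = []
    for e in events:
        if after is not None and e["time"] < after:
            continue
        if before is not None and e["time"] >= before:
            continue
        if event_ids is not None and e["event_id"] not in event_ids:
            continue
        if user is not None and user.lower() not in e["user"].lower():
            continue
        out.append(e)
    return out


def logon_sessions(events):
    """Pair each 538 logoff with an open 528/540 logon for the same user, preferring the same logon type.
    Logons that never see a logoff are reported with end=None (still open, or the logoff was lost
    when the log rolled over, which JJClements warns is likely on a small log)."""
    open_logons = {}   # user -> list of still-open logon events, oldest first
    sessions = []
    for e in sorted(events, key=lambda x: x["time"]):
        if e["event_id"] in LOGON_IDS:
            open_logons.setdefault(e["user"], []).append(e)
        elif e["event_id"] == LOGOFF_ID and open_logons.get(e["user"]):
            pending = open_logons[e["user"]]
            lt = logon_type(e["description"])
            match = next((p for p in pending if logon_type(p["description"]) == lt), pending[0])
            pending.remove(match)
            sessions.append({"user": e["user"], "start": match["time"], "end": e["time"],
                             "logon_type": logon_type(match["description"]),
                             "duration_seconds": int((e["time"] - match["time"]).total_seconds())})
    for user, leftovers in open_logons.items():
        for start in leftovers:
            sessions.append({"user": user, "start": start["time"], "end": None,
                             "logon_type": logon_type(start["description"]), "duration_seconds": None})
    return sorted(sessions, key=lambda s: s["start"])


if __name__ == "__main__":
    events = parse_export(SAMPLE_EXPORT)
    # Equivalent of: psloglist -a 2010-09-15 -b 2010-09-16 -i 528,540,538 -f jdoe
    window = filter_events(events, after="2010-09-15", before="2010-09-16",
                           event_ids=LOGON_IDS | {LOGOFF_ID}, user="jdoe")
    for s in logon_sessions(window):
        print(s["user"], s["start"], "->", s["end"], "logon type", s["logon_type"])
```

To use it on a real export, read the saved CSV from disk into `parse_export` and adjust the column names to whatever your export actually contains; then widen or narrow the `-a`/`-b` window until the sessions you see line up with the file timestamps you already have from the share.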
 
LVL 64

Expert Comment

by:btan
ID: 33759413
You may also consider GFI EventsManager; you can try the evaluation. Heard that it is fully functional for 30 days. No harm engaging them to check further
@ http://www.gfi.com/eventsmanager/esmfeatures.htm
0
