Is it possible to prove that someone copied a file from a network share that does not have auditing enabled?

Posted on 2011-10-06
Last Modified: 2012-08-13
I am the sole IT Admin for a small construction company.  Investigation around files accessed just before an employee left the company shows that around 7000 files were accessed in a 15 minute period on the network.  Some of the files have limited access due to Group Security, which narrows down the list of people who could have accessed the files.  My question is, is there any way to PROVE that a network user copied files to their PC or an external hard disc, when auditing has not been enabled on the network?
Question by:TThornbrough
    LVL 6

    Expert Comment

    No, if there is nothing watching the files for certain actions, then there is no way to prove this was done.

    Some file server audit appliances/software would be needed for monitoring this type of information, as "copy" will not be reported even with audit turned on.
    LVL 20

    Expert Comment

    by:Radhakrishnan Rajayyan

    Auditing is a general tool that has been around since the days of Windows NT. Auditing is very similar to Performance Monitor, in that it waits for a specific event to occur, and then reports on it within the Event Viewer. Instead of waiting for system performance events, auditing usually tracks the success or failure of system and security events. Traditionally, auditing was most frequently performed for user logon/logoff (to track tardy employees) and sensitive file access (to see who accessed files and how often). If you have already enabled auditing, then try to trace it from the Event Viewer security audit log.
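    Added example, not part of this thread or any expert's post: how the auditing the comment above refers to is actually switched on for a shared folder, and how the resulting Security-log events can be grouped to spot a burst like the one in the question (thousands of files in 15 minutes). It assumes Windows Server 2008 or later, an elevated PowerShell session, and that `$ShareRoot` (a made-up path) is the local folder backing the share; the 500-file threshold is likewise an assumption to tune per share. As the thread notes, event 4663 records that a file was opened for reading, not that it was copied.

```powershell
# Added example (not from the original thread). Assumes Server 2008+ and an
# elevated session. $ShareRoot is a hypothetical path; replace it with yours.
$ShareRoot = 'D:\Shares\Projects'

# 1. Turn on the "File System" audit subcategory for success and failure.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. Add a SACL entry so that successful reads under the share are logged
#    as event ID 4663. The policy alone logs nothing without a SACL.
$acl  = Get-Acl -Path $ShareRoot -Audit
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
    -ArgumentList @('Everyone', 'ReadData', 'ContainerInherit, ObjectInherit', 'None', 'Success')
$acl.AddAuditRule($rule)
Set-Acl -Path $ShareRoot -AclObject $acl

# 3. Later: pull 4663 events from the last day and count distinct files each
#    user touched per 15-minute window of the day.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddDays(-1)
}
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    [pscustomobject]@{
        Time   = $e.TimeCreated
        Day    = $e.TimeCreated.Date
        Window = [int][math]::Floor(($e.TimeCreated - $e.TimeCreated.Date).TotalMinutes / 15)
        User   = $d['SubjectUserName']
        Object = $d['ObjectName']
    }
}

# 4. Report any user/window pair that exceeds the (assumed) threshold.
$rows |
    Where-Object { $_.Object -like "$ShareRoot*" } |
    Group-Object Day, Window, User |
    ForEach-Object {
        [pscustomobject]@{
            Day    = $_.Group[0].Day.ToShortDateString()
            Window = $_.Group[0].Window
            User   = $_.Group[0].User
            Files  = @($_.Group.Object | Sort-Object -Unique).Count
        }
    } |
    Where-Object { $_.Files -ge 500 } |
    Sort-Object Files -Descending |
    Format-Table -AutoSize
```

    Step 2 must be applied to the folder before the incident for step 3 to show anything; it cannot recover access that happened while no SACL was in place. Each 4663 entry carries the user SID and account name, which is the link the thread says is missing when auditing was never enabled.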

    Author Comment

    Would forensics be able to get any closer to proving the files were copied?  Thanks.
    LVL 20

    Accepted Solution

    You can try this link
    If a user is doing something that they should not be doing, they are prone to making mistakes, such as copying files and then deleting the files, but neglecting to empty the Recycle Bin. You might want to check that folder.
    LVL 6

    Assisted Solution

    TThornbrough, there are techniques that can hint that the user may have copied the files in order to leave with them...

    However, nothing (without special appliances/software watching the files) can tell you he/she copied the files, only that they accessed them, which can be right-clicking them, etc.

    Since you do not have auditing turned on, this cannot be assigned to the user SID that did this...

    HOWEVER, a clever way to know (but it cannot stand up in court) if it did happen is to use data recovery software to see what was deleted from the user's work computer... Hopefully they did not copy directly to a USB drive.

    Author Closing Comment

    Thank you for your assistance.
    LVL 5

    Expert Comment

    As a full-time digital forensic geek for many years, this is the exact issue that accounts for 75% of all the work we do at our firm. If there's ANY chance this is headed to court, the first thing you want to do is stop accessing the machine in question and get a DF pro involved.

    I'm not trying to be secretive or proprietary in any way, but there are a number of variables in play that determine even the proper way to shut down the machine and preserve the most available evidence. There are instances when you would simply pull the plug, times when you would run a normal shutdown, and times when you might even want to leave the machine running until the forensicator can get there.

    After that step is handled, a forensic image of the hard drive needs to be captured. After that, the forensic analysis (the fun part:) can begin. And yes, we prove all the time that files were copied by employees on their way out the door.

    Hope this helps...
