Is it possible to prove that someone copied a file from a network share that does not have auditing enabled?

I am the sole IT Admin for a small construction company.  Investigation around files accessed just before an employee left the company shows that around 7000 files were accessed in a 15 minute period on the network.  Some of the files have limited access due to Group Security, which narrows down the list of people who could have accessed the files.  My question is, is there any way to PROVE that a network user copied files to their PC or an external hard disc, when auditing has not been enabled on the network?
TThornbrough asked:
Radhakrishnan R (Senior Technical Lead) commented:
You can try this link http://www.irongeek.com/i.php?page=security/windows-forensics-registry-and-file-system-spots
If a user is doing something that they should not be doing, they are prone to making mistakes, such as copying files and then deleting the files, but neglecting to empty the Recycle Bin. You might want to check that folder.
Nummmnut commented:
No, if there is nothing watching the files for certain actions, then there is no way to prove this was done.

Some file server audit appliances/software would be needed for monitoring this type of information, as a "copy" will not be reported even with auditing turned on.
Radhakrishnan R (Senior Technical Lead) commented:
Auditing is a general tool that has been around since the days of Windows NT. Auditing is very similar to Performance Monitor, in that it waits for a specific event to occur, and then reports on it within the Event Viewer. Instead of waiting for system performance events, auditing usually tracks the success or failure of system and security events. Traditionally, auditing was most frequently performed for user logon/logoff (to track tardy employees) and sensitive file access (to see who accessed files and how often). If you have already enabled auditing, then try to trace it from the Event Viewer security log.
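For the case the comment above describes (object-access auditing already enabled and a SACL set on the share), this added PowerShell example, which is not from the thread, pulls the 4663 "access an object" events for a share path in a given time window and summarises them per user; the share path and the window are placeholders.

```powershell
# Added example (not from the thread): summarise Security-log file-access
# events (ID 4663) from a Windows file server where object-access auditing
# and a SACL on the share are enabled. Run elevated on the file server.
# $Share, $Start and $End are placeholders for the share path and the
# 15-minute window of interest.
param(
    [string]$Share   = 'D:\Shares\Projects',    # placeholder path
    [datetime]$Start = '2014-01-01 13:00',      # placeholder window start
    [datetime]$End   = '2014-01-01 13:15'       # placeholder window end
)

$filter = @{ LogName = 'Security'; Id = 4663; StartTime = $Start; EndTime = $End }

$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # .Properties is positional; the XML form carries the field names.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.ObjectName -like "$Share*") {
            [pscustomobject]@{
                Time       = $_.TimeCreated
                User       = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Object     = $d.ObjectName
                AccessMask = $d.AccessMask   # 0x1 = ReadData; a copy reads every file
            }
        }
    }

# One account touching thousands of distinct files within minutes is the
# pattern the question describes; list accounts by volume in the window.
$events | Group-Object User | Sort-Object Count -Descending |
    Select-Object Name, Count,
        @{ n = 'DistinctFiles'; e = { ($_.Group.Object | Sort-Object -Unique).Count } }
```

As the replies note, 4663 records a read on the server side only; it cannot show where the bytes went, so it is paired with client-side artefacts (Recycle Bin, deleted-file recovery, a forensic image) rather than treated as proof of a copy.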
TThornbrough (Author) commented:
Would forensics be able to get any closer to proving the files were copied?  Thanks.
-Tim
Nummmnut commented:
TThornbrough, there are techniques that can hint that the user may have copied the files in order to leave with them...

However, nothing (without special appliances/software watching the files) can tell you he/she copied the files, only that they accessed them, which can be right-clicking them, etc.

Since you do not have auditing turned on, this cannot be assigned to the user SID that did this...

HOWEVER, a clever way to know (note: it cannot stand up in court) if it did happen is to use data recovery software to see what was deleted from the user's work computer... Hopefully they did not copy directly to a USB drive.
TThornbrough (Author) commented:
Thank you for your assistance.
ChopOMatic commented:
As a full-time digital forensic geek for many years, this is the exact issue that accounts for 75% of all the work we do at our firm. If there's ANY chance this is headed to court, the first thing you want to do is stop accessing the machine in question and get a DF pro involved.

I'm not trying to be secretive or proprietary in any way, but there are a number of variables in play that determine even the proper way to shut down the machine and preserve the most available evidence. There are instances when you would simply pull the plug, times when you would run a normal shutdown, and times when you might even want to leave the machine running until the forensicator can get there.

After that step is handled, a forensic image of the hard drive needs to be captured. After that, the forensic analysis (the fun part:) can begin. And yes, we prove all the time that files were copied by employees on their way out the door.

Hope this helps...

Chop