[Last Call] Learn how to a build a cloud-first strategyRegister Now


Is it possible to prove that someone copied a file from a network share that does not have auditing enabled?

Posted on 2011-10-06
Medium Priority
Last Modified: 2012-08-13
I am the sole IT Admin for a small construction company.  Investigation around files accessed just before an employee left the company shows that around 7000 files were accessed in a 15 minute period on the network.  Some of the files have limited access due to Group Security, which narrows down the list of people who could have accessed the files.  My question is, is there any way to PROVE that a network user copied files to their PC or an external hard disc, when auditing has not been enabled on the network?
Question by:TThornbrough
  • 2
  • 2
  • 2
  • +1

Expert Comment

ID: 36928733
No, if there is nothing watching the files for certain actions, then there is no way to prove this was done.

Some file server audit appliances/software would be needed for monitoring this time of information as "copy" will not reported even with audit turned on.
LVL 24

Expert Comment

by:Radhakrishnan R
ID: 36928750

Auditing is a general tool that has been around since the days of Windows NT. Auditing is very similar to Performance Monitor, in that it waits for a specific event to occur, and then reports on it within the Event Viewer. Instead of waiting for system performance events, auditing usually tracks the success or failure of system and security events. Traditionally, auditing was most frequently performed for user logon/logoff (to track tardy employees) and sensitive file access (to see who and how often file access occurred). If you have already enabled audit then try to trace it out from event viewer security audit.

Author Comment

ID: 36928780
Would forensics be able to get any closer to proving the files were copied?  Thanks.
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

LVL 24

Accepted Solution

Radhakrishnan R earned 1000 total points
ID: 36928820
You can try this link http://www.irongeek.com/i.php?page=security/windows-forensics-registry-and-file-system-spots
If a user is doing something that they should not be doing, they are prone to making mistakes, such as copying files and then deleting the files, but neglecting to empty the Recycle Bin. You might want to check that folder.

Assisted Solution

Nummmnut earned 1000 total points
ID: 36928824
TThornbrough, there are techniques that can hint to that the user may have copied the files in order to leave with them...

However nothing (without special applicances/software watching the files) can tell you he/she copied the files, only that they accessed it, which can be right clicking them, etc.

Since you do not have auditing turned on this can not be assigned to the user SID that did this...

HOWEVER, a clever way to know (not can not stand up in court) if it did happen is to use data recovery software to see what was deleted from the user's work computer... Hopefully they did not copy directly to a USB drive.

Author Closing Comment

ID: 36928890
Thank you for your assistance.

Expert Comment

ID: 36928900
As a full-time digital forensic geek for many years, this is the exact issue that accounts for 75% of all the work we do at our firm. If there's ANY chance this is headed to court, the first thing you want to do is stop accessing the machine in question and get a DF pro involved.

I'm not trying to be secretive or proprietary in any way, but there are a number of variables in play that determine even the proper way to shut down the machine and preserve the most available evidence. There are instances when you would simply pull the plug, times when you would run a normal shutdown, and times when you might even want to leave the machine running until the forensicator can get there.

After that step is handled, a forensic image of the hard drive needs to be captured. After that, the forensic analysis (the fun part:) can begin. And yes, we prove all the time that files were copied by employees on their way out the door.

Hope this helps...


Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
It all started with a phone call.  The then acting director of the Office of Research Computing, called to ask me to remotely shutdown my computer, it was Yom Kippur, Wednesday October 12, 2016.
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…
Suggested Courses

834 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question