<div>
No, if there is nothing watching the files for certain actions, then there is no way to prove this was done.<br />
<br />
Some file server audit appliances/software would be needed for monitoring this time of information as &quot;copy&quot; will not reported even with audit turned on.
</div>


<div>
<br />
Auditing is a general tool that has been around since the days of Windows NT. Auditing is very similar to Performance Monitor, in that it waits for a specific event to occur, and then reports on it within the Event Viewer. Instead of waiting for system performance events, auditing usually tracks the success or failure of system and security events. Traditionally, auditing was most frequently performed for user logon/logoff (to track tardy employees) and sensitive file access (to see who and how often file access occurred). If you have already enabled audit then try to trace it out from event viewer security audit.
</div>


<div>
Would forensics be able to get any closer to proving the files were copied? &nbsp;Thanks.<br />
-Tim
</div>


<div>
Thank you for your assistance.
</div>


<div>
As a full-time digital forensic geek for many years, this is the exact issue that accounts for 75% of all the work we do at our firm. If there's ANY chance this is headed to court, the first thing you want to do is stop accessing the machine in question and get a DF pro involved. <br />
<br />
I'm not trying to be secretive or proprietary in any way, but there are a number of variables in play that determine even the proper way to shut down the machine and preserve the most available evidence. There are instances when you would simply pull the plug, times when you would run a normal shutdown, and times when you might even want to leave the machine running until the forensicator can get there. <br />
<br />
After that step is handled, a forensic image of the hard drive needs to be captured. After that, the forensic analysis (the fun part:) can begin. And yes, we prove all the time that files were copied by employees on their way out the door. <br />
<br />
Hope this helps...<br />
<br />
Chop
</div>


<div>
<div class="content wysiwyg-content">
I am the sole IT Admin for a small construction company. &nbsp;Investigation around files accessed just before an employee left the company shows that around 7000 files were accessed in a 15 minute period on the network. &nbsp;Some of the files have limited access due to Group Security, which narrows down the list of people who could have accessed the files. &nbsp;My question is, is there any way to PROVE that a network user copied files to their PC or an external hard disc, when auditing has not been enabled on the network?
</div>
</div>


I am the sole IT Admin for a small construction company.  Investigation around files accessed just before an employee left the company shows that around 7000 files were accessed in a 15 minute period on the network.  Some of the files have limited access due to Group Security, which narrows down the list of people who could have accessed the files.  My question is, is there any way to PROVE that a network user copied files to their PC or an external hard disc, when auditing has not been enabled on the network?

Is it possible to prove that someone copied a file from a network share that does not have auditing enabled?

Windows Server 2003 was based on Windows XP and was released in four editions: Web, Standard, Enterprise and Datacenter. It also had derivative versions for clusters, storage and Microsoft’s Small Business Server. Important upgrades included integrating Internet Information Services (IIS), improvements to Active Directory (AD) and Group Policy (GP), and the migration to Automated System Recovery (ASR).

Windows Server 2003

Digital forensics encompasses the recovery and investigation of material found in digital devices, often in relation to computer crime. Digital forensics investigations have a variety of applications. The most common is to support or refute a hypothesis before criminal or civil (as part of the electronic discovery process) courts. The technical aspect of an investigation is divided into several sub-branches, relating to the type of digital devices involved; computer forensics, network forensics, forensic data analysis and mobile device forensics. The typical forensic process encompasses the seizure, forensic imaging (acquisition) and analysis of digital media and the production of a report into collected evidence.

Digital Forensics

The Windows operating systems have distinct methodologies for designing and implementing networks, and have specific systems to accomplish various networking processes, such as Exchange for email, Sharepoint for shared files and programs, and IIS for delivery of web pages. Microsoft also produces server technologies for networked database use, security and virtualization.