[Last Call] Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

mac times ms os

Posted on 2012-03-26
3
Medium Priority
?
366 Views
Last Modified: 2012-03-28
I thought this would be quite easy to identify, but am I correct in thinking that for a file (regardless of file type be that .doc, .txt, .jpeg) on a file share on a windows server, that you cant see who (person) last modified or accessed the file ? I.e. it only goes as far as "the file was accessed dd/mm/yyyy hh:mm", not "the file was accessed dd/mm/yyyy hh:mm by user X"? Is there anyway to identify the user X part? Is the file type irrelevant, or for certain files may the "...by user X" be available?

If its important to see who changed/accessed the file and by default windows cant give you that - what other ways can you do this?
0
Comment
Question by:pma111
  • 2
3 Comments
 
LVL 6

Expert Comment

by:netjgrnaut
ID: 37766030
This is from an older version of Windows server, but the process hasn't changed much for subsequent versions...

http://www.techrepublic.com/article/step-by-step-how-to-audit-file-and-folder-access-to-improve-windows-2000-pro-security/5034308
0
 
LVL 3

Author Comment

by:pma111
ID: 37770250
So the answer by default (i.e. unless you enable auditing) is "no you cant see who last accessed any file?" ?
0
 
LVL 6

Accepted Solution

by:
netjgrnaut earned 2000 total points
ID: 37770769
...am I correct in thinking that for a file ... that you cant see who (person) last modified or accessed the file ?

Correct.  On MS NTFS file systems, you must enable auditing to track read and/or write file access at the per user level.

...windows cant give you that...

Incorrect.  While auditing is not enabled by default, it is available in any version of the Windows OS that supports NTFS.  The link I posted previously contains information on how to enable file level auditing.

Sorry if I was unclear...

...what other ways can you do this?

I believe the best you can do when you decide you want this type of security *after* the fact, is work on circumstantial evidence.  Who has access rights to the file in question?  What are the access vectors (LAN share v. Internet, for example)?  Which of the file trustees were logged on to the system at the time the file was last accessed/modified based on standard properties?  Certainly nothing that could be qualified as solid forensic data.

Hope that helps.
0

Featured Post

How to Use the Help Bell

Need to boost the visibility of your question for solutions? Use the Experts Exchange Help Bell to confirm priority levels and contact subject-matter experts for question attention.  Check out this how-to article for more information.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The foremost challenge encountered by an investigator at the very beginning of a forensics investigation is, accessing a file/data to read/view its contents. Owing to the fact, a platform is necessary for both; opening as well as examining any file.…
In this era, as you know, cybercrime and other sorts of frauds using the internet has increased day by day. We should protect our information assets and confidential information from getting exploiting by the attacker or intruders. Most of the fraud…
Look below the covers at a subform control , and the form that is inside it. Explore properties and see how easy it is to aggregate, get statistics, and synchronize results for your data. A Microsoft Access subform is used to show relevant calcul…
With just a little bit of  SQL and VBA, many doors open to cool things like synchronize a list box to display data relevant to other information on a form.  If you have never written code or looked at an SQL statement before, no problem! ...  give i…
Suggested Courses

834 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question