?
Solved

mac times ms os

Posted on 2012-03-26
3
Medium Priority
?
350 Views
Last Modified: 2012-03-28
I thought this would be quite easy to identify, but am I correct in thinking that for a file (regardless of file type be that .doc, .txt, .jpeg) on a file share on a windows server, that you cant see who (person) last modified or accessed the file ? I.e. it only goes as far as "the file was accessed dd/mm/yyyy hh:mm", not "the file was accessed dd/mm/yyyy hh:mm by user X"? Is there anyway to identify the user X part? Is the file type irrelevant, or for certain files may the "...by user X" be available?

If its important to see who changed/accessed the file and by default windows cant give you that - what other ways can you do this?
0
Comment
Question by:pma111
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 6

Expert Comment

by:netjgrnaut
ID: 37766030
This is from an older version of Windows server, but the process hasn't changed much for subsequent versions...

http://www.techrepublic.com/article/step-by-step-how-to-audit-file-and-folder-access-to-improve-windows-2000-pro-security/5034308
0
 
LVL 3

Author Comment

by:pma111
ID: 37770250
So the answer by default (i.e. unless you enable auditing) is "no you cant see who last accessed any file?" ?
0
 
LVL 6

Accepted Solution

by:
netjgrnaut earned 2000 total points
ID: 37770769
...am I correct in thinking that for a file ... that you cant see who (person) last modified or accessed the file ?

Correct.  On MS NTFS file systems, you must enable auditing to track read and/or write file access at the per user level.

...windows cant give you that...

Incorrect.  While auditing is not enabled by default, it is available in any version of the Windows OS that supports NTFS.  The link I posted previously contains information on how to enable file level auditing.

Sorry if I was unclear...

...what other ways can you do this?

I believe the best you can do when you decide you want this type of security *after* the fact, is work on circumstantial evidence.  Who has access rights to the file in question?  What are the access vectors (LAN share v. Internet, for example)?  Which of the file trustees were logged on to the system at the time the file was last accessed/modified based on standard properties?  Certainly nothing that could be qualified as solid forensic data.

Hope that helps.
0

Featured Post

On Demand Webinar: Networking for the Cloud Era

Did you know SD-WANs can improve network connectivity? Check out this webinar to learn how an SD-WAN simplified, one-click tool can help you migrate and manage data in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The foremost challenge encountered by an investigator at the very beginning of a forensics investigation is, accessing a file/data to read/view its contents. Owing to the fact, a platform is necessary for both; opening as well as examining any file.…
In this era, as you know, cybercrime and other sorts of frauds using the internet has increased day by day. We should protect our information assets and confidential information from getting exploiting by the attacker or intruders. Most of the fraud…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Have you created a query with information for a calendar? ... and then, abra-cadabra, the calendar is done?! I am going to show you how to make that happen. Visualize your data!  ... really see it To use the code to create a calendar from a q…

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question