Solved

mac times ms os

Posted on 2012-03-26
3
311 Views
Last Modified: 2012-03-28
I thought this would be quite easy to identify, but am I correct in thinking that for a file (regardless of file type be that .doc, .txt, .jpeg) on a file share on a windows server, that you cant see who (person) last modified or accessed the file ? I.e. it only goes as far as "the file was accessed dd/mm/yyyy hh:mm", not "the file was accessed dd/mm/yyyy hh:mm by user X"? Is there anyway to identify the user X part? Is the file type irrelevant, or for certain files may the "...by user X" be available?

If its important to see who changed/accessed the file and by default windows cant give you that - what other ways can you do this?
0
Comment
Question by:pma111
  • 2
3 Comments
 
LVL 6

Expert Comment

by:netjgrnaut
ID: 37766030
This is from an older version of Windows server, but the process hasn't changed much for subsequent versions...

http://www.techrepublic.com/article/step-by-step-how-to-audit-file-and-folder-access-to-improve-windows-2000-pro-security/5034308
0
 
LVL 3

Author Comment

by:pma111
ID: 37770250
So the answer by default (i.e. unless you enable auditing) is "no you cant see who last accessed any file?" ?
0
 
LVL 6

Accepted Solution

by:
netjgrnaut earned 500 total points
ID: 37770769
...am I correct in thinking that for a file ... that you cant see who (person) last modified or accessed the file ?

Correct.  On MS NTFS file systems, you must enable auditing to track read and/or write file access at the per user level.

...windows cant give you that...

Incorrect.  While auditing is not enabled by default, it is available in any version of the Windows OS that supports NTFS.  The link I posted previously contains information on how to enable file level auditing.

Sorry if I was unclear...

...what other ways can you do this?

I believe the best you can do when you decide you want this type of security *after* the fact, is work on circumstantial evidence.  Who has access rights to the file in question?  What are the access vectors (LAN share v. Internet, for example)?  Which of the file trustees were logged on to the system at the time the file was last accessed/modified based on standard properties?  Certainly nothing that could be qualified as solid forensic data.

Hope that helps.
0

Featured Post

Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

Join & Write a Comment

The foremost challenge encountered by an investigator at the very beginning of a forensics investigation is, accessing a file/data to read/view its contents. Owing to the fact, a platform is necessary for both; opening as well as examining any file.…
In this era, as you know, cybercrime and other sorts of frauds using the internet has increased day by day. We should protect our information assets and confidential information from getting exploiting by the attacker or intruders. Most of the fraud…
It is a freely distributed piece of software for such tasks as photo retouching, image composition and image authoring. It works on many operating systems, in many languages.
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

759 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now