<div>
This is from an older version of Windows server, but the process hasn't changed much for subsequent versions...<br />
<br />
<a href="http://www.techrepublic.com/article/step-by-step-how-to-audit-file-and-folder-access-to-improve-windows-2000-pro-security/5034308" rel="ugc">http://www.techrepublic.co<wbr />m/article/<wbr />step-by-st<wbr />ep-how-to-<wbr />audit-file<wbr />-and-folde<wbr />r-access-t<wbr />o-improve-<wbr />windows-20<wbr />00-pro-sec<wbr />urity/5034<wbr />308</a>
</div>


This is from an older version of Windows server, but the process hasn't changed much for subsequent versions...

http://www.techrepublic.com/article/step-by-step-how-to-audit-file-and-folder-access-to-improve-windows-2000-pro-security/5034308 [http://www.techrepublic.com/article/step-by-step-how-to-audit-file-and-folder-access-to-improve-windows-2000-pro-security/5034308]

<div>
So the answer by default (i.e. unless you enable auditing) is &quot;no you cant see who last accessed any file?&quot; ?
</div>


So the answer by default (i.e. unless you enable auditing) is "no you cant see who last accessed any file?" ?

<div>
<div class="content wysiwyg-content">
I thought this would be quite easy to identify, but am I correct in thinking that for a file (regardless of file type be that .doc, .txt, .jpeg) on a file share on a windows server, that you cant see who (person) last modified or accessed the file ? I.e. it only goes as far as &quot;the file was accessed dd/mm/yyyy hh:mm&quot;, not &quot;the file was accessed dd/mm/yyyy hh:mm by user X&quot;? Is there anyway to identify the user X part? Is the file type irrelevant, or for certain files may the &quot;...by user X&quot; be available? <br />
<br />
If its important to see who changed/accessed the file and by default windows cant give you that - what other ways can you do this?
</div>
</div>


I thought this would be quite easy to identify, but am I correct in thinking that for a file (regardless of file type be that .doc, .txt, .jpeg) on a file share on a windows server, that you cant see who (person) last modified or accessed the file ? I.e. it only goes as far as "the file was accessed dd/mm/yyyy hh:mm", not "the file was accessed dd/mm/yyyy hh:mm by user X"? Is there anyway to identify the user X part? Is the file type irrelevant, or for certain files may the "...by user X" be available? 

If its important to see who changed/accessed the file and by default windows cant give you that - what other ways can you do this?

mac times ms os

Digital forensics encompasses the recovery and investigation of material found in digital devices, often in relation to computer crime. Digital forensics investigations have a variety of applications. The most common is to support or refute a hypothesis before criminal or civil (as part of the electronic discovery process) courts. The technical aspect of an investigation is divided into several sub-branches, relating to the type of digital devices involved; computer forensics, network forensics, forensic data analysis and mobile device forensics. The typical forensic process encompasses the seizure, forensic imaging (acquisition) and analysis of digital media and the production of a report into collected evidence.